P.F. Chang's post-breach move to manual processing is telling
It suggests the company still doesn't know what happened
CareerJournal - The decision by P.F. Chang's China Bistro to switch to manual payment processing after a recent data breach at the restaurant chain is unusual, security experts said this week. But it's understandable.
In a statement Thursday, P.F. Chang's confirmed that someone had broken into its payment systems and accessed credit and debit card data belonging to customers. The U.S. Secret Service alerted P.F. Chang's of the security compromise on Tuesday and a subsequent investigation uncovered the breach, the company said.
As a precautionary measure, P.F. Chang's has moved to a manual credit card imprinting system for all of its restaurants in the U.S. Customers can continue using their credit and debit cards as usual while the company conducts an investigation.
An FAQ with the statement noted that P.F. Chang's has provided manual credit card imprinters to all of its franchise operations in the U.S. to prevent any further compromise of customer information.
The decision stands out because few companies have resorted to manual processing after a breach, at least recently. Even companies like Target that suffered massive breaches have typically continued using their payment systems while working through investigations.
The P.F. Chang's move suggests the company is having a hard time figuring out what happened, said Mike Lloyd, CTO at security vendor RedSeal Networks.
"This reaction from PF Chang's is external evidence of an internal truth: modern business infrastructure is complicated," Lloyd said. "When bad things happen, it's hard to figure out what is wrong, where and why." Clearly, the company no longer trusts its infrastructure, he said.
Dwayne Melancon, CTO at Tripwire, said the restaurant chain's move makes sense if it doesn't know which systems to trust. "After all, if you are not sure which of your data systems you can trust, why would you risk putting even more data into those systems?"
Moving to physical collection of card information can reduce access and opportunity, because the information is no longer accessible on an open network -- but only for the short term, Melancon said.
"The risk in paper-based collection is that many retailers no longer have effective processes or employee training designed to secure, monitor and control physical card slips," he noted. While a manual approach reduces one type of risk, it doesn't eliminate it entirely.
"It just moves the data protection problem to a different form," Melancon said. Since manual processing is not something that many at P.F. Chang's are likely to be familiar with, the company needs to have checks and balances in place to control the flow, access and processing of the physical pieces of cardholder data that are created, he said.
"The big challenge in restoring the confidence of customers, boards and internal confidence after a breach is your ability to recover and protect customer information. If it helps to step back and move to paper, then that is not a bad idea," Melancon added.
Mark Bower, vice president of product management and solutions architecture at Voltage Security, called the P.F. Chang's decision a potentially disruptive move for customers and the company. "Perhaps there is concern over repeat attacks. Maybe there are forensic or law enforcement investigation reasons," he said.
"Either way, what we often see is merchants who have suffered such a breach very quickly move to avoid the problem again by enhancing their payment processing systems" through various measures, he said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.