
Clueless About Card Data Hack, PF Chang's Reverts To Imprinting Devices

Soulskill posted about 6 months ago | from the 40-year-old-technology-will-save-us dept.

Security 142

wiredmikey writes: After saying earlier this week that it was investigating reports of a data breach related to payment cards used at its locations, P.F. Chang's China Bistro confirmed on Thursday that credit and debit card data has been stolen from some of its restaurants. What's interesting, and somewhat humorous, is that the company said that it has switched over to manual credit card imprinting systems for all of its restaurants located in the continental United States. The popular restaurant chain said that on Tuesday, June 10, the United States Secret Service alerted the company about the incident. Admitting that it does not know the extent or current situation and impact of the attack, the company noted in a statement: "All P.F. Chang's China Bistro branded restaurants in the continental U.S. are using manual credit card imprinting devices to handle our credit and debit card transactions," the company said. "This allows you to use your credit and debit cards safely." If it's not obvious, anyone who has visited a P.F. Chang's and used a payment card in the last several months should monitor their accounts and report any suspected fraudulent activity to their card company.


Yeah (-1)

Anonymous Coward | about 6 months ago | (#47233289)

But do they run Linux? Propz to GNAA

Re:Yeah (-1)

Anonymous Coward | about 6 months ago | (#47233381)

No, they lun rinux.

I like chinese food (-1)

Anonymous Coward | about 6 months ago | (#47233297)

I like chinese food. my fave is orange chicken.

First Post... (-1)

Anonymous Coward | about 6 months ago | (#47233303)

On a subject nobody cares about.

Ahh... the sorrow

Never heard of dumpster diving? (0, Insightful)

Anonymous Coward | about 6 months ago | (#47233305)

Those imprint machines are far from safe. PF Changs should shutter the business until they figure this out.

Still beta? (0, Flamebait)

Anonymous Coward | about 6 months ago | (#47233313)

Why does Slashdot randomly serve up beta when I hit the site anonymously? Close the browser and hit it again, poof, beta is (usually) gone.

I thought we put this whole beta thing to bed months ago....why this nonsense?

more secure? (0)

Anonymous Coward | about 6 months ago | (#47233315)

So now I can physically steal boxes of credit card numbers with signatures right at the bottom?

My latest discover card doesn't even have numbers to print. It is a blank card

Re:more secure? (5, Insightful)

Anonymous Coward | about 6 months ago | (#47233389)

> So now I can physically steal boxes of credit card numbers with signatures right at the bottom?

Everybody understands physical security. Store the boxes in a locked closet in the manager's office and the number of people who have access is reduced to a handful of employees - all of whom are also subject to our local legal system. Put the data on the network and the number of people who might have access to it is practically the entire internet, the majority of which are outside of US jurisdiction.

Re:more secure? (3, Insightful)

plover (150551) | about 6 months ago | (#47234619)

Physically, you can steal one box at a time, perhaps 1000 receipts. And the thief must be physically present, and risk his ass getting caught doing so.

Electronically, you can sit in Odessa, Ukraine, and steal 44 million accounts from every cash register at a major retailer. And the thief risks absolutely nothing, because his government is too busy fighting the Russian separatists who have taken over City Hall.

See the difference?

What about flat cards? (5, Informative)

Lab Rat Jason (2495638) | about 6 months ago | (#47233335)

My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

Re:What about flat cards? (0, Redundant)

jrmcferren (935335) | about 6 months ago | (#47233359)

THIS is exactly why this isn't a perfect solution! Not only do they have to use ARU which is more costly per transaction, they would have to process it as card not present as they can't imprint on the card. If I had mod points I would mod the parent up.

Re:What about flat cards? (0)

Anonymous Coward | about 6 months ago | (#47233607)

Who cares if it's not perfect. It's a workaround while they try to figure out WTF is going on.

Re:What about flat cards? (0)

binarylarry (1338699) | about 6 months ago | (#47234323)

jrmcferren is not in the sudoers file. This incident will be reported.

Re:What about flat cards? (1, Informative)

sribe (304414) | about 6 months ago | (#47233377)

> My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

Re:What about flat cards? (1)

Lab Rat Jason (2495638) | about 6 months ago | (#47233443)

Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore) I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses I'm afraid.

Re:What about flat cards? (1)

sribe (304414) | about 6 months ago | (#47233535)

> Are you sure they aren't handing you a pre-made card? If you are opening a new account, they could give you any card (because your card number is not associated with your account number anymore) I agree the equipment isn't that expensive... but printing flat cards with the photo of your choice attracts more customers than embossed cards do. The cost of catering to the masses I'm afraid.

a) My name is embossed on the card.

b) What makes you think they couldn't print a photo on an embossed card?

Re:What about flat cards? (1)

gstoddart (321705) | about 6 months ago | (#47233763)

> b) What makes you think they couldn't print a photo on an embossed card?

I should hope nothing ... I have one in my wallet.

Re:What about flat cards? (0)

Anonymous Coward | about 6 months ago | (#47233451)

Ok so? Unless the parent is the manager of the credit union, he can't just go and resolve that situation can he?

Re:What about flat cards? (0)

Anonymous Coward | about 6 months ago | (#47233455)

Nope. They stock embossed "blank" cards with nothing but that number, and then print the name on it in real-time.

Re:What about flat cards? (2)

EvilSS (557649) | about 6 months ago | (#47233477)

> > My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch.

> Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

Those raised numbers are going away. My credit union recently switched to flat cards from raised cards (raised cards were available instantly as well). Visa/MC wants to do away with imprints because they are a security risk (since they expose the entire card number on the receipt) so they dropped the embossing requirement a while back.

Re:What about flat cards? (1)

Jason Goatcher (3498937) | about 6 months ago | (#47233769)

Why print numbers on the cards at all, just put the relevant information on the card, and if the card can't be swiped then it can't be used. Way more secure, and only a little annoying when the machines won't work. Plus, if a server walks away with your card, their ability to commit fraud against you is vastly reduced.

Oh, and for online transactions, THEN you'd need to know the number, but you could easily store that separately somewhere in your house. That's way more secure than your wallet.

Re:What about flat cards? (4, Insightful)

gstoddart (321705) | about 6 months ago | (#47233907)

Why keep using ancient swipe technology?

Chip and PIN is a *much* better system.

Re:What about flat cards? (2)

NotQuiteReal (608241) | about 6 months ago | (#47234469)

It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.

Re:What about flat cards? (1)

dj245 (732906) | about 6 months ago | (#47234785)

> It's coming... Starting in Oct 2015 there will be "incentives" for vendors to have the means to accept them. It will still take a few more years, but it is coming.

Frankly it amazes me that it is so hard to find a chip and pin card in the USA now. I got a traveler-oriented credit card a couple months ago. When shopping around the chip and pin cards were really nowhere to be found, despite how useful they would be if I were to travel to Europe. It wasn't a feature high on my list though since I primarily travel to Switzerland and Japan, both of which seem to accept the chip less cards.

Re:What about flat cards? (1)

Ksevio (865461) | about 6 months ago | (#47234821)

I finally got one with a chip, but it's chip and SIGN, not chip and PIN so that kind of defeats the purpose and makes it useless in other countries.

Re:What about flat cards? (2)

Sylak (1611137) | about 6 months ago | (#47234913)

Chip & sig is being rolled out by some national banks right now. Expect Target to start taking chips soon, and Wal-Mart already does.

Re:What about flat cards? (1)

lag10 (667114) | about 6 months ago | (#47233545)

> Uhmmm, my credit union prints their own cards right in the branch and hands them to you when you open an account. With raised numbers like a normal card. The card printers for making properly-embossed cards are not that expensive.

That may be the case, but it's a moot point considering that some cards received in the mail (such as Discover IT cards) are now switching to flat printed (unembossed) formats. It's no longer an issue of how expensive embossing machines are.

Here's an article on the subject from MSN Money: http://money.msn.com/credit-cards/4-ways-credit-cards-are-changing

Re:What about flat cards? (0)

Anonymous Coward | about 6 months ago | (#47234133)

FYI, the flat card printers are probably Zebra ones about $500-$800 each depending on options. Embossing card printers, last time we bought one, was over $6,000. I don't work for a bank/CU, but we use the printers for a custom loyalty program.

It's just as easy to print on demand embossed cards as flat cards, it just costs more. I would estimate that only half of credit unions can on demand print cards.

Re:What about flat cards? (2, Informative)

ArchieBunker (132337) | about 6 months ago | (#47233425)

You're doing yourself a favor by not eating at PF Chang's.

Re:What about flat cards? (1)

Charliemopps (1157495) | about 6 months ago | (#47233499)

> My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

My credit card company won't even accept carbon printed bills anymore. I'm not sure how this is supposed to work.

Re:What about flat cards? (1)

Ol Olsoc (1175323) | about 6 months ago | (#47234783)

> > My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

> My credit card company won't even accept carbon printed bills anymore. I'm not sure how this is supposed to work.

MY credit card company doesn't accept anything. Now that's secure!

Re:What about flat cards? (1)

Wing_Zero (692394) | about 6 months ago | (#47235067)

We have a fallback manual credit card machine where I work, used mainly for when the power goes out or the CC machine decides to take a dump (either can happen about twice a year). When the power comes back up, we can either

A) Manually enter the CC# into our cash till (type the CC info into the machine by hand) or
B) call our CC handler and read off the CC# over the phone.

Either way, the customer sees it as a normal swipe transaction on their bill. I don't see either way being anything less than worse security than the standard way.

Re:What about flat cards? (1)

Em Adespoton (792954) | about 6 months ago | (#47233583)

> My credit union prints their own cards... which don't have a relief on the printed data... so they can issue them directly from the branch. If you want relief on your card, you have to order it through the mail. So I guess I'm not eating at Chang's tonight

I was handling non-embossed cards 20 years ago -- you know what we did? WE WROTE THE NUMBERS IN. It's not that hard. And paper copy really is the most secure method -- until the slips go through processing, at which point the physical copies go who knows where, and the information still goes via the internet to a database.

The real reason for doing this is that this kind of processing was their cheapest option that contained minimal merchant liability.

Re:What about flat cards? (1)

iggymanz (596061) | about 6 months ago | (#47234601)

wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

Re:What about flat cards? (1)

plover (150551) | about 6 months ago | (#47234633)

> wrong, your $5 an hour waiter makes 2nd copy of receipt for his friend to buy them both things, it's just 2nd tip.

Nope. The $5 an hour waiter uses the battery powered skimmer that he has in his pocket, and sells them to Jimmy the Sneak out the back door of the restaurant. Writing the numbers takes too long, and he could get caught.

Re:What about flat cards? (1)

iggymanz (596061) | about 6 months ago | (#47234807)

nonsense, no need for any tech, copy takes less than ten seconds. friend is the one who gets caught, if anyone gets caught.

Re:What about flat cards? (1)

whoever57 (658626) | about 6 months ago | (#47233681)

> which don't have a relief on the printed data... .... So I guess I'm not eating at Chang's tonight

Why not? Just eat there and let PF Chang's sort out the problem that they created. You have a valid means of payment, which the restaurant states that it accepts. Let PF Chang's figure out how to process the card.

Re:What about flat cards? (1)

onkelonkel (560274) | about 6 months ago | (#47233729)

Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)

Re:What about flat cards? (2)

Razed By TV (730353) | about 6 months ago | (#47234089)

A lot of chinese food isn't real chinese food. It's Americanized chinese food. Though I share your sentiment that Changs and Pei Wei seem to turn the "chinese" food experience into something else, and not in a good way.

Re:What about flat cards? (0)

Anonymous Coward | about 6 months ago | (#47234567)

Yep. PF Chang's and Pei Wei are owned by the same company.

Re:What about flat cards? (1)

Ol Olsoc (1175323) | about 6 months ago | (#47234801)

> Cool, you could go get real Chinese food instead of this RedOliveLobsterGarden corporate pale imitation. (Try the Xiao Long Bao)

Yeah Chang's is the shits.

...and the glint of a solitary shaft of chromium steel.

Wow, I wonder how many people here will get that one? One of their best.

Re:What about flat cards? (0)

Anonymous Coward | about 6 months ago | (#47233831)

That's not your problem. Go to the restaurant, eat your meal, and when it comes time to pay, just hand over the card.

If they can't process it through no fault of your own and you don't have any other means of payment, what are they going to do?

Re:What about flat cards? (1)

reanjr (588767) | about 6 months ago | (#47234005)

The imprint is for convenience only. There's nothing stopping the merchant from just writing in the info in ink pen. This is perfectly valid and will be honored by the card processor. I suppose it MIGHT take a bit more time to get processed if they're using OCR or some such thing, but most likely they hire teams of data entry drones with mad 10-key skills.

It's written in by hand (5, Insightful)

SuperBanana (662181) | about 6 months ago | (#47234023)

The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."

Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."

I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for chinese food."

Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.

Re:It's written in by hand (0)

Anonymous Coward | about 6 months ago | (#47234895)

> The slip's form fields align with a credit card, but that doesn't mean the waitstaff can't write it in by hand. Impressions just made it faster, and gave some limited proof of "card presence."

> Also, why would you eat at PF Changs? PF Chang's is for people too afraid (to be polite) to step into the local Asian restaurants. It's overpriced low-to-mid-tier produce/meat with a sauce that came out of a can. If you're lucky, that can says "PF Changs teriyaki sauce", not "Sysco teriyaki sauce."

> I once ate there and the waiter actually felt it necessary to tell us that "soy sauce is like salt for chinese food."

> Stop eating at chain restaurants. They suck - the food's bad, they run the local non-chains out of business - and they prey upon people who want bland consistency. Live a little. Support the local economy. Etc.

I have to say that my waiter at PF Changs in Boston commented that soy sauce was like liquid salt. This was a totally unprovoked comment as I knew what soy sauce was and hadn't inquired about it. He also said that everything tastes the same because everything is fried in oyster oil. When I ordered a shot of bourbon before my meal, he said PF Changs wouldn't sell me a shot for any amount of money, but I could have it on the rocks. I also feel it is necessary to state that this was over 10 years ago, and my only visit to PF Changs.... and sorry for the unrelated comment.

Non-imprintable Cards (2)

coop999 (593964) | about 6 months ago | (#47233349)

One of my cards was reissued without raised digits on it about 3 years ago, so this plan might not work out so well for them. Also, I wonder how many of the 19 year-olds working there's minds just got blown by the swipe machine and now know why credit cards (used to) have raised digits.

Re:Non-imprintable Cards (-1)

Anonymous Coward | about 6 months ago | (#47233467)

um, that's more of a you problem than them. The vast majority of credit cards have raised digits.

Not Clueless (0, Insightful)

Anonymous Coward | about 6 months ago | (#47233363)

This response is not necessarily clueless. How much value does the chain derive from electronic processing? If it is less than the cost of securing their systems then going back to paper is a smart tactic.

There are lots of cases where sensitive records are needlessly computerized. For example, I just had a discussion with my local blood bank. They have federal requirements to record your identity in order to track you down if someone finds a problem with your blood. So they put it in a computer and when you ask about security they give you the same line that Target and PF Changs, and Neiman Marcus, and pretty much everybody gives you when you ask - that security is important to them and that they've taken precautions to protect it.

But the thing is, they don't need to computerize my identity. It is one of those write-once, read rarely pieces of data because the number of times they have to find someone because of bad blood is tiny compared to the number of donations they get. They could just write it down and file it in a literal filing cabinet and then give me a donor-id to use when making donations. Let the computers use the donor-id for scheduling and all the other stuff that happens frequently, but in that rare case when they have to actually find out who I really am, an extra 5 minutes to go look in the filing cabinet won't be a burden.

I'm not saying that all sensitive information should only be stored on paper, but I am saying we ought to be asking what info really benefits from being stored electronically and is the benefit really greater than the risks?

Re:Not Clueless (1)

Fallen Kell (165468) | about 6 months ago | (#47233413)

5 minutes to look in a filing cabinet? Are you kidding me? Do you know how many people would be in that filing cabinet? Something like 30-60 million, assuming they somehow know when to magically remove the ones who died.

Re:Not Clueless (-1)

Anonymous Coward | about 6 months ago | (#47233441)

I feel that you are an idiot.
Each local blood bank keeps their own records and they would sort them by donor-id.
This is not complicated.

Re:Not Clueless (1)

Fallen Kell (165468) | about 6 months ago | (#47233445)

Also, do you know how large that filing cabinet would even be? A cabinet with 18" deep drawers that is 18,182 feet high.

Re:Not Clueless (0)

Anonymous Coward | about 6 months ago | (#47233633)

> Also, do you know how large that filing cabinet would even be? A cabinet with 18" deep drawers that is 18,182 feet high.

Why do you think there would be just one filing cabinet? How do you think blood banks handled this requirement back in the 90s? Maybe you've never been to a blood bank, but it isn't like they are on the cutting edge of IT.

Re:Not Clueless (1)

Lab Rat Jason (2495638) | about 6 months ago | (#47233469)

Unfortunately this makes your Identity EASIER to steal... since filing cabinets' auditing systems are easy to bypass, and it's hard to know if the data has been accessed/stolen. The inside job is far too easy with this scenario.

Re:Not Clueless (0)

Anonymous Coward | about 6 months ago | (#47233515)

I disagree because while it may be technically easier to steal paper records from a filing cabinet, the number of people who have theoretical access to that cabinet is many orders of magnitude smaller than the number of people who have theoretical access to a networked computer system. Furthermore, you can automate an attack on networked systems, script-kiddie style. Physical records are not vulnerable to that sort of risk.

And last, but not least, while a theoretically perfect auditing system would give you intrusion detection on a computer, the problem here is that those rarely exist in practice and even when they do they still require interpretation. Target being a perfect example. In the real world, a cut padlock and an empty filing cabinet is a pretty straightforward clue that something was taken.

Re:Not Clueless (0)

Anonymous Coward | about 6 months ago | (#47233645)

> Unfortunately this makes your Identity EASIER to steal... since filing cabinets' auditing systems are easy to bypass, and it's hard to know if the data has been accessed/stolen. The inside job is far too easy with this scenario.

Probably not. It probably makes cases of identity theft easier, but instead of getting information on thousands if not millions of people per theft, each case of identity theft would be for only a handful of people.

"Crooked wait staff puts two sheets in the imprint machine for 10 customers" compared to "hacker downloads entire database".

No imprint? (1)

Delarth799 (1839672) | about 6 months ago | (#47233369)

There are a lot of cards now which don't have the numbers imprinted on them. Am I going to have to manually write out my card information when I go there now because these incompetent people can't be bothered to hire a couple security people and fix the problem instead of making it inconvenient and no more secure for anybody? Also a credit card swipe is pretty much automatically processed, what kind of delay will be on the manual transactions?

Chip & Pin (4, Insightful)

Anonymous Coward | about 6 months ago | (#47233385)

I heard the USA will finally get proper Chip & Pin cards next year?

I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

Re:Chip & Pin (1)

ArchieBunker (132337) | about 6 months ago | (#47233437)

I had the same problem but when using my card in Canada. Some places would read it but most would not. Called the credit card company to bitch and nobody knew what chip and pin was.

Re:Chip & Pin (1)

whoever57 (658626) | about 6 months ago | (#47233891)

> Some places would read it but most would not.

I have been dealing with this in the UK for some time now. The card readers do actually have a slot for swiping cards -- it's just that the slot (on the side of the card reader) is so narrow that the cashiers don't know you can swipe a card through there.

On my last trip, I used my new Citibank chip and signature card and that seemed to work OK, although there were some surprised cashiers as the signature slip printed out.

Re:Chip & Pin (1)

ArchieBunker (132337) | about 6 months ago | (#47234709)

The ATMs give an error about my banking institution declining the transaction. Called card services a number of times and they claim no problems and don't see anything being declined. One certain ATM seems to work while most don't. Gas stations seem to read the card alright but then the grocery store couldn't. My bank's VISA card has more problems than my Mastercard. Seriously what the fuck?

Re:Chip & Pin (0)

Anonymous Coward | about 6 months ago | (#47235075)

America is technologically 20 years behind Europe, except for American banks, which seem to be 40 years behind.

Re:Chip & Pin (1)

EvilSS (557649) | about 6 months ago | (#47233509)

> I heard the USA will finally get proper Chip & Pin cards next year?

> I visited the US recently and discovered the joy of swipe & signature on paper receipts... It really feels like 3rd world technology.

Chip yes, PIN... maybe. PIN is not going to be a requirement from the credit card companies in the US, it will be left up to the individual issuing banks whether to include it or not. Supposedly it's to do with "customer acceptance" but really it's some BS around PIN payment processing vs regular CC processing networks and fees and how the new Chip & PIN transactions would be handled.

Re:Chip & Pin (1)

farble1670 (803356) | about 6 months ago | (#47233751)

it's looking like chip & signature, not PIN. CC companies are worried that people will not remember their PIN and therefore spend less.

Re:Chip & Pin (0)

Anonymous Coward | about 6 months ago | (#47235103)

I cannot remember my signature. I seldom use it and I seem to have three different ones and cannot remember which one I used where.

Re:Chip & Pin (1)

reanjr (588767) | about 6 months ago | (#47234019)

Signatures are typically only for larger purchases. When you buy a pack of gum with a credit card, you almost never have to supply a signature. Also, in the US we buy packs of gum with credit cards, which is not really easy to do a lot of places outside of the US, with minimum purchases requirements.

Re:Chip & Pin (0)

Anonymous Coward | about 6 months ago | (#47234925)

And next will be RFID, because it turns out that Chip and PIN takes too long to process and is too annoying for customers for small purchases. This is exactly the progression that happened in Canada. Now we're stuck with RFID enabled on most or all CCs. So has the security increased overall? I doubt it.

Poetic (-1)

Anonymous Coward | about 6 months ago | (#47233387)

The Olive Garden of Chinese food... So if I go there and eat a meal, and they can't figure out how to process my credit card, is my meal free? Then again, I don't think I want to eat anything made by people that don't know how to get paid.

Now That's Amusing (2)

vomitology (2780489) | about 6 months ago | (#47233393)

A company that didn't know it was breached, doesn't know the extent of the breach, and whose answer to the breach is to revert to 40-year old tech using the phrase "If it's not obvious..."

Illegal (1)

Anonymous Coward | about 6 months ago | (#47233423)

It's illegal to use those devices in California. I thought the whole reason those were phased out was because they actually facilitated card theft...

Re:Illegal (1)

Isara (869637) | about 6 months ago | (#47234093)

they're not illegal in California, just antiquated. they were phased out because they're not as convenient and the security on them is minimal to non-existent.

Imprint is still allowed? (1)

Cmdr-Absurd (780125) | about 6 months ago | (#47233429)

I was under the impression (no pun intended) that the old-school imprint technique was declared unacceptable (in the PCI-DSS rules) a few years back.
Perhaps the rules for securing the imprints were just so cumbersome that it made using them completely impractical. I can't imagine fast food joints maintaining the physical security required for this.

Re:Imprint is still allowed? (1)

dave562 (969951) | about 6 months ago | (#47233475)

I was thinking something similar. Now instead of having a bunch of numbers easily accessible to thieves in a compromised POS system, they are simply going to be discarding a bunch of imprints covered in Chinese food waste.

Re:Imprint is still allowed? (0)

Anonymous Coward | about 6 months ago | (#47233489)

Your impression is wrong. The security codes (ex. CVV2), PINs, data on mag strip, etc... can not be stored ever. Name, card number and expiration can still be stored as long as it's protected following specific security requirements.

Re:Imprint is still allowed? (2)

Cmdr-Absurd (780125) | about 6 months ago | (#47233561)

A bit of googling does suggest that imprints can be still used. Still, I can't imagine the security requirements being met in a fast food environment.

Re:Imprint is still allowed? (1)

mirix (1649853) | about 6 months ago | (#47233517)

I haven't seen the desk-type imprint machine in ages. Must be 20 years, maybe 10 - 15 years in backwater areas.

Though the last time I got my car towed, the driver had some sort of miniature impression rig. Which still makes sense, if you're out of range of network and whatnot...

Also in Cuba, they had one down there. Which sorta makes sense too.

Re:Imprint is still allowed? (1)

nolife (233813) | about 6 months ago | (#47233553)

A lot of taxi drivers still do the old school impression method.

Re:Imprint is still allowed? (1)

hurfy (735314) | about 6 months ago | (#47233943)

nope, we still use one for two weeks at the fairgrounds. No, I don't want to buy a smartphone and a data plan for 10 days a year. If you can't manage to not lose a handful of receipts how the heck would a business deal with cash?

I imagine they figured the losses from bad cards were acceptable given the circumstances. I can't see them imprinting and immediately running the card. In that case a dial-up swipe terminal makes more sense.

They probably aren't processing the cards at all yet. Otherwise they key them into a dial-up terminal, in which case swipe makes more sense, or key them into the insecure system by hand??? Little tougher on the cash flow but few people get upset if not billed right now ;)

The local grocery stores brought in a dial-up swipe terminal when they had the same issue. You only had one lane at the customer service counter for cards for a week!

Re:Imprint is still allowed? (0)

Anonymous Coward | about 6 months ago | (#47234963)

Stores still use them when the power goes out or if there's a problem with the processing system. It's better than telling people, sorry you can't buy anything right now. Wait around for an hour and maybe it'll work.

Paper is more reliable than electronics.

Secure against Cylons (2)

chiefcrash (1315009) | about 6 months ago | (#47233457)

You'll see things here that look odd, even antiquated to modern eyes, like phones with cords, awkward manual valves, computers that, well, barely deserve the name. It was all designed to operate against an enemy who could infiltrate and disrupt even the most basic computer systems. Galactica is a reminder of a time when we were so frightened by our enemies that we literally looked backward for protection...

mod uP (-1)

Anonymous Coward | about 6 months ago | (#47233491)

Never store sensitive data you don't need. (5, Insightful)

hey! (33014) | about 6 months ago | (#47233543)

Back in the 80s I worked for a company that did back office accounting systems. Then I moved to a large non-profit and was in charge of both back office and customer facing systems. This was when the Internet was for non-commercial traffic only, so "customer facing" meant a live operator at a dumb terminal hooked up to a minicomputer.

My new employer wanted me to develop a system that would among other things take credit cards from donors and volunteers. I was pretty confident on the technical end of things, but I wasn't sure about handling the financial data. So I called in a CPA friend I'd met at my prior job, and he looked over the design documentation for the system to make sure everything was kosher.

"You can't store credit card information in the database," he said.

"Why not?"

"Because it's insecure," he said.

"But it's convenient," I said.

"That's the problem," he said. "Look, any of the operators will be able to look up credit card information on any donor. Some of these donors are rich. You'd be able to go on one hell of a shopping spree with just one of their credit cards."

"What if I make it harder to look up the data?"

"Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions. And while you're keeping it around in case you might someday have a use for it, it leaves you wide open to theft. It'd be a disaster; customers won't do business with you because your reputation will be in the toilet. Get rid of it. Get it out of the database, any logs you have, and make sure it's not in any backup tapes."

And when I thought about it I realized he was right. There was no point in exposing my employer to risk for no real benefit. That's when I learned an important principle of security: don't hold onto sensitive data that you don't actually have a use for. I suppose you could generalize: don't keep sensitive data on any system where there is no compelling need to store it there.

Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world. But even though it is the *norm*, that doesn't mean you should automatically do it. There's actually a use in a web store for storing credit card data which offsets the risk (which you should still minimize). There's no reason for a restaurant to store credit card information -- that's just blind habit. Waiter takes the customer credit card, runs the transaction, and hands the card back to the customer, and then the restaurant no longer has the data. You can't lose what you don't have.

Of course in this case it's probably not P.F. Chang's fault. They bought a POS system which left them open. It probably is all slick and really very helpful at keeping things moving, like maybe taking the customer's card at the table. It'd be interesting to know how the POS system vendor screwed this up, because clearly they did.

There is no encryption or security architecture that beats not having the data.
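The "get it out of any logs you have" advice in the comment above can be checked mechanically. The following is an added example, not part of the original comment: a scan that finds card-number-shaped digit runs in text log lines, confirms them with the Luhn checksum and masks them. The log format, field names and the first-six/last-four mask are assumptions made for the illustration.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits (a masking choice made for this example)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub_line(line):
    """Return (scrubbed_line, number_of_card_numbers_masked)."""
    hits = 0
    def repl(match):
        nonlocal hits
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # order ids and similar digit runs stay untouched
        hits += 1
        return mask(digits)
    return CANDIDATE.sub(repl, line), hits

def scrub_log(lines):
    """Scrub every line; return (clean_lines, total_masked)."""
    out, total = [], 0
    for line in lines:
        clean, hits = scrub_line(line)
        out.append(clean)
        total += hits
    return out, total

# Constructed sample log; the card numbers are standard test numbers, not real accounts.
SAMPLE_LOG = [
    "2014-06-10 12:01:07 POS03 auth ok card=4111111111111111 exp=0916 amt=42.50",
    "2014-06-10 12:03:44 POS01 auth ok card=5500-0000-0000-0004 amt=18.00",
    "2014-06-10 12:05:10 POS02 order=1234567890123456 tok=tok_9f2c amt=27.10",
]

if __name__ == "__main__":
    cleaned, found = scrub_log(SAMPLE_LOG)
    print(f"{found} card numbers masked")
    for line in cleaned:
        print(line)
```

Roughly one in ten random digit runs of the right length passes the Luhn check, so hits need review before anything is deleted, and databases and backups need their own pass.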

Re:Never store sensitive data you don't need. (4, Informative)

gigne (990887) | about 6 months ago | (#47233635)

"Things have changed now; storing credit card data has come to be regarded as routine in the post-1 click, impulse buy Internet world."

Having integrated with several payment processing systems, I can tell you no one stores credit card information any more. At least in Europe. PCI-DSS regulations are very clear on this.

What we have now is a token we can use. The token is returned after a payment is made. You can keep this token in the DB to allow repeat purchases. This is similar to storing the credit card, but you can only re-use that token with the single payment processor company and give the original payee that money.

Pretty much useless for a criminal.

The liability for leaking a cc number is now with the payment processor, and they are generally held to a higher security standard than your average Chinese restaurant chain.

Re:Never store sensitive data you don't need. (2)

stinerman (812158) | about 6 months ago | (#47233961)

I've worked with payment processing here in the States. You can store the number and the expiration date but not the CVV2. Of course, no CVV2 means higher processing fees, which means customers will ask for ways of storing the CVV2. We tell them that makes them non-compliant and they don't really care. They just want lower processing fees and pay lip service to compliance.

Re:Never store sensitive data you don't need. (0)

farble1670 (803356) | about 6 months ago | (#47233777)

"You can't store credit card information in the database," he said.

if you didn't know the answer to that, you really should not be writing such software.

Re:Never store sensitive data you don't need. (3, Insightful)

Anonymous Coward | about 6 months ago | (#47233837)

if you didn't know the answer to that, you really should not be writing such software.

GP knew to call someone in who was more knowledgeable. If you didn't know to do that, then you really shouldn't be doing jack shit.

Re:Never store sensitive data you don't need. (0)

Anonymous Coward | about 6 months ago | (#47234187)

Maybe you should go back to the 80s and tell him that. Thanks for adding exactly nothing to this discussion.

Re:Never store sensitive data you don't need. (2)

farble1670 (803356) | about 6 months ago | (#47233827)

"Then it's not convenient anymore," he said. "Look, you don't actually have a use for this data once you've processed the credit card transactions.

your software should never even have the data at all. it should be coming off a card read encrypted and going straight to the payment processor in that fashion. if you ever keep unencrypted card data around, even if it's only in the memory of your device, it's trouble (that's how target got hit ... something was scanning their memory for things that looked like credit card data).

and there's a lot more to it than that, not the least of which is ensuring that the hardware itself cannot be tampered with / hacked to access the CC data prior to it being encrypted.

taking payments is a dangerous business. if you are small time it's safer to accept paypal or some other payment method that doesn't involve you handling customers' data.

Re:Never store sensitive data you don't need. (1)

hey! (33014) | about 6 months ago | (#47234947)

These were telemarketing operators who didn't have physical access to the credit card. Anyway, back in those days the data wasn't encrypted yet. So I fear I have led you to squander an insightful comment.

It's easy for an old timer to forget that people under the age of 40 have never ordered anything over the phone. At the time I'm talking about, the web was years in the future, and it was illegal to conduct commerce over the Internet (which we called "the ARPANet"). Most businesses ran entirely on paper, and most people had never seen a computer in person. Usually in the movies or TV they'd use a 7 track tape drive as the prop "computer", although those were obsolete even then.

So believe it or not, back then it was common to call a vendor on a phone, verbally tell him what you want, and then read off your credit card number and expiration date. This was simply the way you bought things if you weren't shopping at a bricks-and-mortar store (which we called "a store"). Nobody was worried about "identity theft" because thieves still dealt mainly in cash and transportable valuables and crooks were only just then cottoning on to the value of information.

You could also buy stuff by writing a letter to a vendor listing what you wanted and enclosing a check or money order (which was a check you got at the post office in exchange for cash and an extra nickel). Six to eight weeks later your stuff would arrive. For some reason it was always "six to eight weeks". That's how we used to buy stuff like propeller beanies and x-ray specs from poorly printed ads in the back of comics. The x-ray specs were a bust; all they'd do is make girls think you were creepy, which was actually kind of the point. You could also send away for itching powder and books of allegedly comical retorts you were supposed to use if somebody said something that made you feel bad and you couldn't think of anything original. "May the fleas of a thousand camels infest your armpits." That material killed -- usually the kid who tried to use it.

It was a simpler time. Kids couldn't get access to porn (which we called "dirty pictures") because they kept it on a shelf higher than we could reach. You had to know to sneak into the firehouse when the men were out on an alarm. We didn't have gaming consoles so we had to make our own fun. We'd go out in the healthy fresh air and throw rocks at each other. That was our version of a "first person shooter". Sometimes to fill up the time we'd have fist fights with kids who were a different race or religion from us. Or from the other end of the street. Or were just there. Believe me it kept you on your toes when you were walking home at night! But it wasn't hateful, it was just something to do when you don't have "Grand Theft Auto" to keep you distracted. The next day we'd be having a pickup baseball game (no adult supervision for *us*) down at the sandlot with the very same kids we'd just fought. We'd laugh, exchange insults, and swipe the other guy's equipment when he wasn't looking, just as if nothing happened.

And I swear, every word I've written here is true.

Re:Never store sensitive data you don't need. (1)

grep -v '.*' * (780312) | about 6 months ago | (#47234487)

There is no encryption or security architecture that beats not having the data.

YES! I agree completely, because sometimes you just don't have the data.
--Your Friendly IRS branch audit store. Stop by and we'll check each other out!

After Non-Profit Application Furor, IRS Says It's Lost 2 Years Of Lois Lerner's emails [slashdot.org]

One. [slashdot.org] Two. [slashdot.org] Three. [slashdot.org]

Cash ... (2)

jamesl (106902) | about 6 months ago | (#47233591)

... is King.

And gone (1)

phorm (591458) | about 6 months ago | (#47235045)

Cash, when stolen, is gone. I'd rather not go back to the days of carrying a hundred bucks or more in my wallet when going out for the night, walking back to my car in a dimly lit street surrounded by sketchy/drunk people.

Somebody steals my card - or card info - I cancel the card. It's done. I owe no debts so long as I watch my charges and report if something goes wrong.

Somebody steals my wallet with my card. I cancel the card. It's done. I owe no debts so long as I report the card stolen.

Somebody steals my cash.... the cash is gone, and I'm not getting it back.

So then what? (0)

istartedi (132515) | about 6 months ago | (#47233629)

Nobody handles cards like that anymore. So. Let's put an ad on Craigslist in the "gigs" section. Then we can have some guy who says he has a work permit (honestly) drive them over to his mama's house on the East side of town. He'll scan them with her XP machine so they can get onto the network.

Criminal System (1)

Tokolosh (1256448) | about 6 months ago | (#47233651)

Credit cards are a ponzi scheme, are not backed by any hard currency, cannot be used to pay taxes and are only used by drug dealers and money launderers. Oh, wait....

Re:Criminal System (1)

stinerman (812158) | about 6 months ago | (#47233963)

Of course they can be used to pay taxes. I paid the balance of my federal income tax using a credit card.

Yes, I know...

Here we go again (0)

Anonymous Coward | about 6 months ago | (#47233721)

All these breach reports create a fascinating story to me.

It's kind of like the old Bill Gates drop test. How large an amount of money would Bill have to accidentally drop to be worth his time to lean down and pick it back up?

Solutions like 3C [github.com] could be rolled out very quickly and very inexpensively to eliminate credit card fraud. 3C can work with existing equipment so no new hardware is required in most cases. It would actually be easier than rolling out imprinting devices. And much more secure.

Chip-and-pin could be rolled out less quickly and at a higher cost, and not quite as secure, but could still be done relatively quickly if there was the will to do it. Again, chip-and-pin would be less work than rolling out imprinting devices, and would be much more secure.

Manual imprinting, aka... (1)

wonkey_monkey (2592601) | about 6 months ago | (#47233727)

...the clunk-a-chunk machine.

I know retro is in, but this is going too far.

Wait, what? (1)

gstoddart (321705) | about 6 months ago | (#47233733)

How the heck does old fashioned imprinting help me to use a debit card?

Do these people actually not understand any of this technology?

Re:Wait, what? (1)

hurfy (735314) | about 6 months ago | (#47233979)

Imprinting implies they are not billing the card immediately at all.

Not billing your debit card at the moment is only slightly more risky than real CC. They are more likely concerned with image and customer satisfaction atm.

Re:Wait, what? (1)

gstoddart (321705) | about 6 months ago | (#47234001)

Obviously, because it's paper. Which is not immediate.

But, I didn't think you could do a debit transaction with just an imprint. How do you know which account? You certainly don't have my PIN.

I'm skeptical this would even work. I've never heard of doing a debit transaction with an imprint ... it may exist, but that would surprise me.

Re:Wait, what? (0)

Anonymous Coward | about 6 months ago | (#47235041)

Most debit cards have a Visa or Mastercard logo on them.

When they are presented for payment at a restaurant, the server swipes the card and enters the amount of the bill. The bank verifies that there is enough money in the account. A receipt is printed. The receipt is given to the customer to add gratuity and signature. The server enters the full amount, including tip, in the POS system. The transaction is processed as credit through Visa or Mastercard. The amount is debited to your account, though it sometimes takes a day or two to clear. In most cases it's pretty much instantaneous.

In the case of taking an imprint, the transaction is still processed as credit, though I'm not sure how they verify that there are sufficient funds. Perhaps a phone call to the number on the back of the card. That's the way we did it back when I used imprint machines.
