P.F. Chang’s Serves Up Delicious Lettuce Wraps and Your Credit Card Number

A recently discovered credit card breach at P.F. Chang’s may actually predate the much discussed Target, Neiman Marcus, Michael’s, and Sally’s Beauty Supply security breaches, which occurred beginning last November.

On June 11, 2014, a potential breach alert was issued by various payment processing systems, stating that P.F. Chang’s had learned of the potential breach the day before. I get these alerts through a payment processing alert subscription service. (My June 11 alert stated that no CAMS alert had been issued at that time, but please see the “What everyone else is saying” section below to read an update on that). That breach was confirmed by P.F. Chang’s on June 12, 2014.

P.F. Chang’s website is fairly sparse on information, but I’ve boiled down what is there below, followed by the answers to some of the questions that I asked of their representative, information currently available from industry experts, and some of my thoughts on possible preventative actions.

According to P.F. Chang’s:

  1. Both credit card and debit card data was stolen from “some” of their restaurants.
  2. As soon as they were alerted, they began an investigation with the United States Secret Service (fun fact: the Secret Service is a law enforcement agency created in 1865 to counteract the counterfeiting of money).
  3. P.F. Chang’s learned of the breach on June 10, 2014.
  4. They moved to manual imprinting in order to prevent further exposure.
    This doesn’t make a lot of sense to me. Many cards are flat and can’t be imprinted. Plus, a dial-up line is not better than using SSL Internet for a terminal.
  5. They do not yet know which credit or debit cards may be involved.
  6. Their only recommended course of action is to monitor your accounts and to report any suspected fraudulent activity to your card company.

I called the P.F. Chang’s extra assistance hotline with the following questions:

  1. Did the breach affect payments made online as well as in-store? They said they did not yet know the answer to that.
  2. Did the breach affect Pei Wei? Pei Wei is a U.S. fast-casual chain owned and operated by P.F. Chang’s. First, the person I talked to said that he thought that it did, but when he read the “official script,” I basically got the “currently under investigation” spiel. But, Krebs on Security spoke with the P.F. Chang’s spokesperson, who said that there were not any indications that the breach extended to Pei Wei.
  3. Should I replace my credit card? They didn’t have a clear answer on this either, although I was directed to call my bank and ask them for their recommendation.
    Note: replacing credit cards is very expensive for issuing banks. In the Target case, replacement is estimated at $10-$12 per card!

Also, they were quite insistent on getting my name, even though I declined providing my contact information because I get enough alerts on this as it is.

Here’s the stuff everyone else is saying:

  1. A CAMS alert was issued June 17 by Visa, which stated that the breach in question ran from September 18, 2013 through June 11, 2014. A CAMS alert is the alert that card associations (Visa, MC, etc.) send to the banks that issue their cards. A CAMS alert actually includes the specific card numbers thought to have been breached. These alerts do not usually name who the victim of the breach is (so it doesn’t actually say P.F. Chang’s) but it is pretty obvious who they are talking about, given the timing.
  2. There is not a known number of cards affected, but a conservative estimate would be around 7 million cards.
  3. The move to “knuckle busters” at every location may indicate that the breach was at all 211 locations; however, I think it could just as easily be a preventative move.
  4. The breach likely occurred at the point of sale (POS) terminals. This is also the case in the Target breach.
  5. The good news for issuing banks and consumers is that this breach may not require that cards be replaced, because many were already replaced as a result of the Target, etc. breaches. (Although that’s not confirmed yet).

Possible preventative measures for the future:

First, nothing I’m saying below is something that major retailers haven’t known about for a long time. For them, it’s simply a cost-benefit decision. T.J. Maxx is one of the earliest security breaches of a major retailer. A lawsuit in that instance brought about a $40 million settlement. Using that as a guidepost, large retailers simply figure potential breaches into the cost of doing business.

  1. Regularly changing the passwords on the systems that run the POS terminals. This shortens the window of time available for security breaches to occur, reducing the number of cards accessed. Obviously not a foolproof plan, because a hacker could install a backdoor, but a good practice nonetheless.
  2. Using chip and pin cards instead of magnetic cards. The plan is to move all Visa and Mastercards to this by 2015, but it hasn’t been done yet because of the cost of changing the POS terminals. This infrastructure change would cost criminals much more to get access to card numbers (and to forge cards), but is not foolproof.
  3. Tougher sanctions on merchants who allow their systems to be compromised and are found in violation of the PCI security standards. Merchants obviously object, but I think they need to bear some of the responsibility.

So, that’s the P.F. Chang’s breach in brief. You can watch their website for additional info, or sign up to get email alerts by calling 1-877-412-7152.