P.F. Chang’s Security Update
[Via PF Changs]
STATEMENT FROM RICK FEDERICO CEO OF P.F. CHANG’S JUNE 12, 2014
Scottsdale, Ariz. (June 12, 2014) — On Tuesday, June 10, P.F. Chang’s learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised.
At P.F. Chang’s, the safety and security of our guests’ payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang’s China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.
Maybe something I wrote about last year will provide a path to a solution that we can use on our own. It involves an iPhone, Touch ID, and iBeacons.
The attack on PF Chang’s looks very similar to what happened at Michaels and Target – a store employee at some point put specific malware on a store’s computerized terminal, hidden from view.
This software collected unencrypted card information and sent it to the hackers. It is a simple variety of man-in-the-middle hack. They sit in the middle of all the communications between the store’s computer terminal and the credit card companies.
It can be hard to prevent this with thousands of people having access to the terminals. From our viewpoint, it is really little different from the old days, when a dishonest clerk would run the card twice in order to get a copy of the relevant information.
Just safer today for the dishonest employee. Let the computer do all the work.
One easy way around this is to use encrypted smart cards. The credit card companies have been slow to do this in the US on their own.
But here is what I said Apple may be able to do, using the security of the newest iPhones to create a digital wallet:
Imagine you are at a restaurant and ready to leave. You take your iPhone and hit the home button. The restaurant uses an iBeacon to send the bill to your iPhone. You hit pay and the credit card transaction is completed – assuming proper security can be created here.
No need to wait for the waiter.
All the pieces are in place for this. Apple has spent a year making sure of this, especially the security issues.
In particular, I would bet there will be an additional need to provide a fingerprint to pay the bill. Much better than any other sort of validation currently used for credit card transactions.
All transactions will be encrypted end-to-end and totally in our control. Much, much harder for hackers to get anything.
Can you imagine the selling point for any restaurant on this? Secure transactions. They never see the actual transactions, just confirmation it happened.
And Apple’s digital wallet will be much safer than carrying credit cards in our pockets, where they can easily be stolen. We only find out someone has the cards when mysterious transactions appear.
We all know pretty fast when an iPhone is gone. With Touch ID, there is little chance anyone will be able to even get into the iPhone at all, much less the credit card numbers, which are encrypted in a secure enclave on the iPhone.
Even if somehow in the future they figure out a way, it will take time. We can easily inactivate the phone in the meantime.
It is coming. Just not soon enough for PF Chang’s.