SoylentNews is people
SoylentNews
Submitted via IRC for BoyceMagooglyMonkey
The fast-food chain PDQ is telling its customers their payment card information may have been compromised for up to a year due to a point-of-sale data breach.
The Tampa-based chicken restaurant chain reported that between April 20, 2017 and May 19, 2018 payment card information was vulnerable due to malware being inserted into PDQ's system, possibly through a third-party vendor. The information exposed includes some or all of the following: names, credit card numbers, expiration dates, and cardholder verification value.
On June 8 it was discovered that some of the exposed information had in fact been taken and used by an unauthorized party. The company does not know how many customers were affected, but it is suggesting that anyone who used a payment card at a PDQ should keep an eye on the account to ensure it is not being used illegally.
Source: https://www.scmagazine.com/hackers-get-into-pdqs-hen-house-swipe-credit-card-data/article/775798/
(Score: 2) by MostCynical on Thursday July 05 2018, @10:58AM (4 children)
why is the Point If Sale terminal reading all the credit card information at all, let alone storing a full read of both sides of the card?
I can understand why web sites offer to store your data, so your next ourchase will be easier (yes, possibly for someone *else*), but why would a POS device store the data? Don't most banks just require a pass-through with a status return (Approved/Declined(possibly with reasons))?
...why?
"I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
(Score: 1, Informative) by Anonymous Coward on Thursday July 05 2018, @11:10AM
Tampa-based restaurant chains may even use some offline POS [quoracdn.net] - mechanical and sturdy, the infor on the transaction can be scanned and OCR-ed later.
And those fields of the database are required!
(grin)
(Score: 1, Informative) by Anonymous Coward on Thursday July 05 2018, @11:24AM
This type of memory resident malware works one of two ways (depending on the POS system).
- Each register is PC based. The malware is loaded at boot. Any card-swipe data is routed trough the PC and is copied during the verification process.
- A PC based back office server processes all card requests for all registers. The rest of it works the same as the one above.
A few years ago there was one breach - I think it may have been part of the TJ Max breach - where fake techs came into the stores and replaced the card terminals with hacked hardware that captured card data. They would then come back to the stores and harvest the data while doing "security updates".
(Score: 2) by inertnet on Thursday July 05 2018, @02:44PM
Because it's a POS (piece of sh¡t).
(Score: 3, Interesting) by eravnrekaree on Thursday July 05 2018, @04:51PM
The best way is to move entirely to chip cards which add better security and prevent the POS from seeing the card number at all. The US has been slow to implement this, it did not start until a few years ago and STILL many retailers do not use it. Many retailers had a chip reader installed for 5 years and still to this day do not have it activated. Maybe they just need to stop issuing cards with magnetic strips