Manual Imprinter

Scottsdale, Ariz. (June 12, 2014) — On Tuesday, June 10, P.F. Chang's learned of a security compromise that involves credit and debit card data reportedly stolen from some of our restaurants. Immediately, we initiated an investigation with the United States Secret Service and a team of third-party forensics experts to understand the nature and scope of the incident, and while the investigation is still ongoing, we have concluded that data has been compromised. 
At P.F. Chang's, the safety and security of our guests' payment information is a top priority. Therefore, we have moved to a manual credit card imprinting system for all P.F. Chang's China Bistro branded restaurants located in the continental United States. This ensures our guests can still use their credit and debit cards safely in our restaurants as our investigation continues.

While researching POS RAM scraper malware, I came across an interesting sample: a RAR archive that contained a development version of a POS RAM Scraper malware and a cracked copy of Ground Labs’ Card Recon software. Card Recon is a commercial Data Leakage Prevention (DLP) product used by merchants for PCI compliance. It looks like the criminal gangs are using the RAM scrapers to dump memory, and (ironically) using DLP to find the cards. 

The criminals need to check and validate the data they have stolen, which they then sell in the underground carder marketplace. Selling bad data will damage their reputation and might even have nastier repercussions than merely losing credibility.
The malware will use the regex to capture data from the RAM and then use the function Luhn to validate the data. This function takes a string as input and returns a Boolean value: true or false. Invalid data is discarded, and the malware exfiltrates only valid results.
While this code is functional, it’s not particularly suitable for high-volume data collection: it’s just too computationally intensive. Using an offline DLP solution like the cracked Card Recon is ideal. If you recall the massive Target data breach from last year, pragmatically validating 70 million payment cards is best done outside any compromised network.

The PIN-protected card was not affected by the data breach Target announced in 2013. 

Beginning in early 2015, the entire REDcard portfolio, including all Target-branded credit and debit cards, will be enabled with MasterCard’s chip-and-PIN solution. Existing co-branded cards will be reissued as MasterCard co-branded chip-and-PIN cards. Ultimately, through this initiative, all of Target’s REDcard products will be chip-and-PIN secured.

After weeks of analysis, we discovered evidence confirming that systems of Michaels stores in the United States and our subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms. The affected U.S. systems contained certain payment card information, such as payment card number and expiration date, about both Michaels and Aaron Brothers customers. 

A total of 16 Hess gas stations are involved, including one in Fort Myers. We're talking about the Hess gas station located on 15260 McGregor Boulevard off Iona Road. 

That is a gap that tokenization is meant to fill. The technology works behind the scenes of a digital transaction: Customers still put in their card number, but software then transforms that information into a one-time token — a randomly generated code — that is sent through the payment-processing chain. Thieves who intercept the code can do little with it without the means to unscramble the token.