Chipotle warns customers of a possible payment card breach

Having just started to recover from a severe E. coli outbreak, Chipotle Mexican Grill is now under attack from a different kind of virus. The restaurant chain has recently warned customers that malware may have breached its point-of-sale (PoS) systems between March 24 and April 18, 2017.

In a statement, the company said it “immediately began an investigation with the help of leading cyber security firms, law enforcement, and our payment processor.” It believes the actions it has taken have contained the breach, and it has confirmed that it has “implemented additional security enhancements.”

The company said it will not provide any additional commentary at this time, but it plans to notify “any affected customers as we get further clarity about the timeframes and the restaurant locations that might have been affected.”

The incident has reportedly sparked hope among some researchers that more stores and, in particular, restaurants – which are quickly becoming notorious for PoS breaches – will adopt EMV technology.

What is EMV technology?

EMV is a technical standard for smart payment cards, and cards that comply with the EMV standard are often called chip and PIN, or chip and signature. The system is more secure than magnetic stripe cards, as the card data can’t be cloned onto another card and the transaction requires two-factor authentication.

Chip and PIN is not commonly available in the US, despite the fact that it is already widely used in Europe, Latin America, Africa, and the Middle East, and it has been for over a decade. However, thanks in part to President Obama’s BuySecure Initiative, which was launched in 2014, it is slowly being adopted by more US merchants.

In 2015, Chipotle reportedly said it wouldn’t be upgrading its systems to accept EMV technology. Although no reason was given, the large cost of overhauling the infrastructure in its 2,000-plus locations was almost certainly a factor, as was the fact that chip and PIN payments take longer than swiping cards.

The time factor may appear negligible – typing in a PIN and having it verified only takes a few moments – but according to Absolute Software’s Richard Henderson, card swiping is incredibly lucrative to Chipotle. He claims that the company actively encourages customers to pay with cards “to speed up transactions and keep their long lines moving fast.”

As he said, “it’s no wonder they were targeted by cyber criminals.”

Protecting your PoS systems

Many retailers are now moving to install card readers that can handle transactions from more secure chip-based credit and debit cards, which are far more expensive for thieves to clone. Malware that makes it onto point-of-sale devices capable of processing chip card transactions can still intercept data from a customer’s chip-enabled card, but that information cannot later be used to create a cloned physical copy of the card.

With cyber criminals targeting PoS systems more and more often, it’s important for organizations to implement effective measures to control the risk of malware and other external threats. Ideally, this begins by creating a number of policies aligned to the PCI DSS.

Documenting your policies on these topics shows your commitment to protecting sensitive information, and it’s also a key requirement for PCI compliance.

For help creating or writing these policies, IT Governance offers a PCI Documentation Toolkit. It provides PCI-compliant tools and enables you to quickly and easily create your documentation, so you can produce a robust system to protect your payment card data.
