Jason’s Deli suffers POS breach affecting 2 million customers

Jason’s Deli has fallen victim to a point-of-sale (POS) breach, with 165 stores across 15 states affected. As many as two million customers are thought to be at risk.

In a statement, the Texas-based restaurant chain said criminal hackers accessed full track data from payment cards’ magnetic stripes. The information stored on the stripes varies depending on the card issuer, but it can include the cardholder’s name, payment card number, expiration date, cardholder verification value and service code.

Jason’s Deli recommends that anyone who visited an affected restaurant since June 8, 2017 check for suspicious card activity. The organization has listed all potentially affected locations in its statement.

Preventing POS breaches

Like most POS breaches, this incident could have been mitigated, or prevented altogether, if Jason’s Deli had taken more care to protect its payment card systems. The company hasn’t revealed how its systems were exploited, but it’s typically because organizations have unencrypted systems or other basic security vulnerabilities.

Restaurants are notorious for POS breaches, partly because of the large number of card transactions they handle on a day-to-day basis. Last year alone, Arby’s, Shoney’s, Select Restaurants, Sonic, and Chipotle suffered POS breaches.

After the Chipotle breach, Absolute Software’s Richard Henderson claimed that the restaurant actively encourages customers to pay with cards “to speed up transactions and keep their long lines moving fast.”

As he said, “it’s no wonder they were targeted by cyber criminals.”

Businesses such as restaurants, which handle thousands of card payments, need to make sure they take POS security seriously, particularly if they encourage card payments. A simple vulnerability could quickly lead to widespread damage.

Cyber crime is a copycat industry, and the success that criminal hackers are having targeting restaurants (and also clothing stores and hotels) means it’s likely we’ll see more attacks like this.

If your organization accepts card payments, you need to comply with the Payment Card Industry Data Security Standard (PCI DSS). It outlines best practices for everything from data encryption to network segmentation, helping you prevent payment card data breaches. However, even though poor security leads to reputational damage and the threat of fines or other enforcement actions, many merchants are not fully compliant.
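The article says the attackers obtained full track data (cardholder name, card number, expiry date, verification value and service code), and PCI DSS forbids storing that data after a transaction has been authorized, so a basic compliance check is whether any log or file on the POS network is retaining it. The following is an added example, not code from the article or from Jason’s Deli: a Python scanner that matches the ISO/IEC 7813 track 1 and track 2 layouts, discards matches whose PAN fails the Luhn check, and reports only masked PANs. The simplified layouts and the sample log lines are assumptions of the example.

```python
import re
from typing import Dict, List

# Simplified ISO/IEC 7813 layouts (an assumption of this example, not from the article):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits; a finding never carries a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str) -> List[Dict]:
    """Return masked findings for every Luhn-valid track 1 or track 2 record in text."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        pan, name, expiry, service = m.groups()
        if luhn_valid(pan):
            findings.append({"track": 1, "pan": mask_pan(pan), "name": name.strip(),
                             "expiry": expiry, "service_code": service})
    for m in TRACK2_RE.finditer(text):
        pan, expiry, service = m.groups()
        if luhn_valid(pan):
            findings.append({"track": 2, "pan": mask_pan(pan),
                             "expiry": expiry, "service_code": service})
    return findings


# Constructed sample log lines (not from the breach); PANs are the 4111... test number.
SAMPLE_LOG = (
    "2017-06-08 12:01:33 pos01 swipe %B4111111111111111^DOE/JANE^25121010000000000000?\n"
    "2017-06-08 12:01:33 pos01 raw ;4111111111111111=25121010000000000000?\n"
    "2017-06-08 12:02:10 pos01 swipe %B4111111111111112^ROE/RICHARD^2512101?\n"  # fails Luhn
)

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f)  # two findings: one track 1 and one track 2 record, PAN masked
```

Run it against exported POS logs, crash dumps and database exports; any finding means sensitive authentication data is being retained and the storage path needs to be fixed, not just the file deleted.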

You might think your organization meets the PCI DSS’s requirements, but maintaining compliance can be tricky, so you should frequently review your compliance posture.

Documenting your policies on the PCI DSS shows your commitment to compliance and helps you protect sensitive information.

Keeping on top of compliance doesn’t necessarily mean you have to outsource the task, but you’ll almost certainly benefit from our PCI DSS Documentation Toolkit.

The toolkit includes a gap analysis tool, which gives you a breakdown of how far the organisation has progressed towards achieving compliance and securing cardholder data.

The toolkit includes:

  • Helpful gap analysis and project tools to ensure complete coverage of the Standard
    • PCI DSS Charter
    • PCI DSS Compliance Program
    • Operational Security Policy Statement
    • Cryptographic Key Management
    • Cardholder Data Policy Statement
  • Guidance documents
  • PCI DSS staff awareness training

Take a free trial of the toolkit to view a full list of the documents and try them out.
