Did P. F. Changs replace a high tech security breach with a low tech security breach?

Last Wednesday my wife and I celebrated our 31st anniversary at P. F. Changs. We had a nice dinner and they ran our card through a manual imprint system. Today I noticed that they wrote my CVV on the receipt. That is not necessary if they were actually going to process my bill as a manual credit card transaction in which the card is present. Writing the CVV on the receipt means that they plan to process the charge later as a card-not-present transaction. For those of you who have jumped through the PCI hoops, you have to wonder what measures they are using to protect these receipts now that they include the CVV. In the PCI world there are some pretty serious restrictions on keeping the CVV information secure. This is a dumpster diver’s gold mine.

Okay, I am really annoyed. What is the best way for a company to continue their business after a data breach without annoying their customers? There are some interesting comments over at Krebs on Security but I have my own recommendation. As a long time developer I look for good manual procedures to automate. In this case we are going in the opposite direction: we are breaking up a good automated procedure into standalone parts. I would recommend creating a corporate web app to process the credit card transaction that would be very similar to the model used by internet retailers. In fact I would not be surprised if a corporate developer already has one they used to get through credit card processing certification. In this case either the waitperson or some other designated person enters the sixteen-digit credit card number and CVV to run the transaction. If the transaction goes through, then you update the bill in the restaurant’s order system with the confirmation code or reference ID. Is this a little more work? Yes, but millions of people enter their sixteen-digit credit card number and CVV every day without exposing themselves to credit card fraud. There are far fewer PCI compliance issues with this procedure than with a manual imprint that has the customer’s CVV written on the receipt.
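The flow described above, as an added example (not code from the post or from any restaurant system): a card-not-present authorization helper that validates the card number, passes the PAN and CVV to the processor once, and hands the order system only the reference ID and last four digits, so the CVV never lands in a receipt or a database. The processor call is a hypothetical stand-in; the order record type is assumed.

```python
import re
import uuid
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; catches typos before an authorization call is made."""
    checksum = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


@dataclass(frozen=True)
class OrderRecord:
    """Everything the restaurant's order system is allowed to keep after authorization."""
    check_number: str
    amount_cents: int
    pan_last4: str
    reference_id: str


def mock_processor_authorize(pan: str, cvv: str, amount_cents: int) -> str:
    """Hypothetical stand-in for the acquirer's API; returns a reference ID."""
    return "REF-" + uuid.uuid4().hex[:12].upper()


def authorize_card_not_present(check_number: str, pan: str, cvv: str,
                               amount_cents: int,
                               processor=mock_processor_authorize) -> OrderRecord:
    """Run one card-not-present charge and return the record for the order system."""
    pan = re.sub(r"[\s-]", "", pan)
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("invalid card number")
    if not re.fullmatch(r"\d{3,4}", cvv):
        raise ValueError("invalid CVV")
    reference_id = processor(pan, cvv, amount_cents)
    # The CVV is used for this one call only; it is deliberately absent from the
    # returned record, which is what the waitperson writes back against the check.
    return OrderRecord(check_number, amount_cents, pan[-4:], reference_id)
```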