Back in January of 2016, the food chain Wendy’s made the news for a Point of Sale (PoS) data breach. As the details have slowly emerged, they have revealed several good and bad points about the way American retail payment systems are changing. It will not surprise many that the US has the oldest and most mature system for payment cards. This has been good for the finance industry, and has allowed a mature market to realize significant gains in payment processing efficiency. It has also allowed the criminal element to figure out ways to fraudulently use that system against the general public.
European businesses came to the market later, and were able to adapt to newer technologies more easily. As a result, they transitioned completely to a technology known as EMV (for Europay, MasterCard, and Visa). EMV cards stopped using the magnetic stripe on the back and relied instead on an electronic chip that stored data in the memory of the card. The chip also made use of a cryptographic key to ensure the data exchanges could be done with enhanced security measures in place.
The US has had a unique relationship with this new payment technology. As we mentioned earlier, the American market is older and more mature. Businesses have a lot of money invested in PoS equipment and have been successfully using that equipment for years. The fees and the legal requirements have been understood and well known. As a result, businesses in the US have not been very accepting of newer payment processing technology. Business owners have been slow to see the benefit to their “bottom line” and have had to experience the costly lesson of a data breach to learn why change is necessary.
In an attempt to create the momentum for change, American companies Visa and MasterCard created a deadline of 01 October, 2015 for American merchants to adopt the new EMV payment processing system. This was to be an industry standard and an incentive to create the momentum to remove “obsolete” PoS equipment. This deadline did not have the force of law behind it, and banks had to issue new cards with the encrypted chips in order for them to be used at businesses. Banks have been slow to support the initiative. Only 25% were reported to have reissued cards by the end of 2015 (after the deadline passed). At the time of this writing, the author of this blog post still has one major card that has not been reissued by his (Oklahoma) bank.
The restaurant chain Wendy’s is ranked as the third largest burger chain in the world. With 5500 locations in North America, the risk of a widespread breach of their Point of Sale (PoS) network is significant. Since January, when the story first broke, the restaurant has reported that it believes only 300 locations may have been affected. With similar stories from large retailers like Target and Home Depot, the expectation was a larger number of affected locations. One possible mitigating factor in this story, however, may be the use of EMV payment processing systems. The main processing system Wendy’s uses, Aloha PoS, was not affected. Aloha is produced by NCR Corporation, and has been a leader in EMV technology.
Another issue in the US related to the adoption of EMV cards is the debate over chip and PIN versus chip and signature. The underlying principle is to combine something you have (the card with the chip) and something you know (the Personal Identification Number or PIN). Businesses that adopt the newer EMV PoS equipment still have differing policies over which method they require. In Oklahoma, most only require chip and signature to complete a transaction. The addition of a PIN is voluntary and not very widespread. The argument is mostly kept to debates about anti-fraud efforts and not about counterfeiting. Many consider the argument that a signature is a good method for battling fraudulent purchases to be weak. Signatures are not checked, except to see that something is scribbled on the vendor copy of the receipt. A signature cannot be effectively validated the way a PIN can.
In the case of the Wendy’s breach, malware was installed on the PoS equipment and utilized RAM (Random Access Memory) scraping techniques to collect and send card data to the criminal hackers. Cards that utilize EMV technology would be practically worthless to the hackers as they would not be able to exploit the encrypted data sent by the card’s chip. This would be the case even if the stores did not require a signature with the card and only used the chip data. The most likely scenario for the “less than 300” affected locations would be older PoS equipment that was still using mag stripe readers.
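The following added example (not from the original post, and not Wendy’s or NCR code) models why a chip transaction captured from PoS memory cannot simply be reused. It assumes a simplified scheme: HMAC-SHA256 stands in for the chip’s per-transaction cryptogram, and the class names, message fields and test card number are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def cryptogram(key, atc, amount_cents, nonce):
    """HMAC-SHA256 stand-in (assumption) for the chip's per-transaction cryptogram."""
    data = f"{atc}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class ChipCard:
    """Simplified chip: the key never leaves the card, the counter only goes up."""
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def pay(self, amount_cents, nonce):
        self._atc += 1  # transaction counter, bound into every cryptogram
        return {"pan": self.pan, "atc": self._atc, "amount_cents": amount_cents,
                "nonce": nonce,
                "cryptogram": cryptogram(self._key, self._atc, amount_cents, nonce)}


class Issuer:
    """Shares a key with each card and remembers the highest counter seen."""
    def __init__(self):
        self._keys, self._last_atc = {}, {}

    def issue_card(self, pan):
        self._keys[pan], self._last_atc[pan] = secrets.token_bytes(32), 0
        return ChipCard(pan, self._keys[pan])

    def authorize(self, msg):
        key = self._keys.get(msg["pan"])
        if key is None:
            return "declined: unknown card"
        expected = cryptogram(key, msg["atc"], msg["amount_cents"], msg["nonce"])
        if not hmac.compare_digest(expected, msg["cryptogram"]):
            return "declined: bad cryptogram"
        if msg["atc"] <= self._last_atc[msg["pan"]]:
            return "declined: replayed counter"
        self._last_atc[msg["pan"]] = msg["atc"]
        return "approved"


def demo():
    issuer = Issuer()
    card = issuer.issue_card("4111111111111111")     # constructed test number
    captured = card.pay(899, secrets.token_hex(4))   # what the PoS holds in memory
    first = issuer.authorize(captured)               # the genuine purchase
    replay = issuer.authorize(dict(captured))        # the same bytes sent again
    altered = issuer.authorize({**captured, "atc": 2, "amount_cents": 50000})
    return first, replay, altered
```

Mag stripe data has no counterpart to the counter and cryptogram: the same static values are read on every swipe, so a copy is indistinguishable from the original.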
Finally, another step that payment processors can implement is tokenization of the data. In simple terms, this technique takes the Primary Account Number (PAN) information and represents it as a token. This token is then given an encrypted hash and sent over the payment network for processing. The purchaser is protected, the business is protected, and even if a hacker gets into the system, they can’t see any information that they can exploit. Not surprisingly, NCR Corporation is again one of the industry leaders in tokenization of payment data in their EMV systems.
So while the 3rd largest burger chain has had to endure the pain of a PoS breach, it appears that Wendy’s was doing the right things. They were as much a victim of a financial industry slow to fully adopt newer technology as they were of outdated methods. Where possible, it appears that Wendy’s has tried to update and upgrade their systems. Indeed, it is steps like these, combined with staying current with industry sales trends, that have helped them stay in business for 46 years.
Christopher Watson is an Information Technology professional with success in both public and private sector businesses. Technical and business experience is complemented with operational and strategic planning, international contracting work, leadership development and team building competency in challenging physical and political environments. Experience leverages strengths with technology services and providing timely and relevant information to senior executive leadership. Christopher is based out of the Oklahoma City office.