29 May How Payments & Co could have prevented Chilli’s card data breach
Restaurant chain Chili’s is the latest retailer to report a data breach involving point of sale (PoS) security.
Brinker International, which operates over 1,600 Chili’s restaurants globally, announced the data breach on May 12, after becoming aware of the security incident the day before. The company did not reveal how many customers have been impacted by the breach, though it did state that payment card information was stolen over a two-month period.
“Based on the details of the issue currently uncovered, we believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants,” Brinker International stated. “Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident.”
The problem is typical among many American clients and repeated in every breach making it easier for the hackers to get hold of data. We believe our solution is unique and could have
The POS system is clear vulnerable and hold card data, we would address this issue by taking the POS and the network it traverses out of scope. Even if the network was hacked, there would be no card data to see.
By out of scope we mean, implement the technology that allows the system and networks the card data traverse not to be deemed in PCI scope. The only encryption methodology that is applicable in this scenario is P2PE – Point to point encryption.
Chillis’ issue is bigger than simply a POS system, we would address the challenge by the following:
- Develop a PCI compliance strategy for Chilli’s that reducing the likelihood of a breach occurring – this will not only make every payment channel and business unit at Chilli’s PCI compliant but also reduce the likelihood of a breach occurring. The strategy is based on a technical architecture and business process that is designed to reduce the likelihood of a breach occurring, reducing the PCI scope and reducing the cost of PCI compliance by up to 50%.
- Tracking all the merchant IDs and the Acquiring Banks used by Chilli, covering every business unit in every state and we can provide a global coverage per continent
- Identify every payment channel within Chillis – track every business unit with payment solution including every card payment method
- Implement change control so no merchant ID is issue without a risk assessment being carried out to select the appropriate service providers, products and solutions to be implemented
- Track every supplier used in the provision of payment services and link them to each payment channel identified and also ensure the solution they have architecturally reduces the likelihood of a breach occurring
- Ensure every supplier is PCI compliant – in this sense, we will treat all the suppliers as Chilli’s business units and fix their PCI compliance issue.
- Technologically make every payment channel PCI compliant and reduce their likelihood of a breach occurring – this will involve detailed analysis of (2) and (3) .
- compile a single repository of all the payment records onto a single dashboard and manage all changes to it in line with (4)
Ben Omoakin Oguntala
+44 7812 039 867