DARTMOUTH, Mass. Not Your Average Joe’s, a 13-unit casual-dining chain based here, is redoubling the security of its data systems as it investigates the recent theft of thousands of credit card numbers and expiration dates.
The incident highlights the importance of data security at a time when restaurant operators are grappling with the controversial Payment Card Industry Data Security Standards, or PCI DSS, that recently took effect as well as watching the continued fallout at TJX Cos. Inc., the Framingham, Mass.-based retailer whose T.J. Maxx chain is embroiled in numerous lawsuits over a data breach affecting between 45.7 million and 94 million customers.
Not Your Average Joe’s issued a statement in late October alerting the media and customers that an individual or individuals had infiltrated the chain’s point-of-sale system, stealing credit card information from as many as 3,500 guest transactions and putting many customers at risk of credit card fraud.
“We are shocked that this has happened and are taking the situation very seriously,” the statement, which also was posted on the company’s website, read. “We sincerely apologize to our customers for any inconvenience that this issue may cause them.”
The U.S. Secret Service, which investigates bank fraud and counterfeiting, joined credit card companies in informing Not Your Average Joe’s in October that investigators had detected a pattern of data theft linked to the company’s 13 units in Massachusetts. The chain’s only unit outside of Massachusetts, in Leesburg, Va., was untouched by the crime. The investigation is ongoing.
Company officials emphasized that investigators do not consider anyone on the chain’s staff a suspect.
Not Your Average Joe’s posted a statement about the breach on its website in late October and issued news alerts through several mainstream media outlets, stressing that investigating authorities are confident the data stolen was limited to credit card numbers and expiration dates. As a result, company officials said, investigators do not consider the case an example of identity theft, where addresses, Social Security numbers, bank-account information or other data is illegally obtained and used for financial gain.
Diana Pisciotta, a spokeswoman for the chain, said the company had already hired an electronic data security firm to strengthen what company executives had already considered a sound and secure POS system.
“As soon as we were notified, we redoubled our security,” Pisciotta said. “We put in more redundancies and safeguards such that we feel confident that patrons can continue dining here and feel secure that their data is protected.
“This is being handled as credit card fraud and not identity theft, at least not in the classic sense of what people think of as identity theft.”
Pisciotta said the senior executive team was alerted earlier this month that the culprits had acquired the credit card numbers and expiration dates used in up to 1 percent of the 350,000 credit card transactions that were handled by the chain’s Massachusetts restaurants between early August and Sept. 29. Those alerts came first from the credit card companies and then the Secret Service, she said.
Pisciotta said Not Your Average Joe’s had no way of knowing that its guests’ information was being used until the security investigators called.
Pisciotta added that she did not know if the thief or thieves had to be on site to acquire the credit card information.
“We’re really not clear what happened,” she said. “But we do not believe it is an issue of employee carelessness or illegal activity. I can tell you that from what we’ve seen, all of the investigation that is going on is external to the company at this point.
“We value our relationship with our customers and want them to know we are doing all that we can to cooperate with the banks and the investigating authorities,” she said.
The company set up a page on its website advising customers what steps to take should they notice unfamiliar charges on their credit card statements and assuring patrons that it is safe for them to use their credit cards at the chain.
The topic of data security, specifically the PCI DSS standards, was top of mind during the International Foodservice Technology Exposition, or FS/TEC, held last month in Atlanta.
During one panel discussion, Nick Ibrahim, chief technology officer for Maryville, Tenn.-based Ruby Tuesday Inc., noted the importance of avoiding data breaches.
“If you’re a chain, and you have a security breach, you’re done. [Card issuer] fines will be the least of your concerns,” Ibrahim said. “Fifty [percent] to 60 percent of the business in casual-dining restaurants is done through credit cards. Nobody can afford to have customers stop coming in because they’re afraid to use a credit card.”
However, many operators have decried the PCI DSS standards, which were developed by five major credit card companies, including American Express, Discover Financial Services, JCB, MasterCard Worldwide and Visa International, as being too vague and costly to comply with.
After examining the challenge of complying with the new standards, Ibrahim said 930-unit Ruby Tuesday had decided to eliminate card data storage in its restaurants and at headquarters. Among other things, the chain’s new security strategy includes the use of AES encryption, the routing of transaction data directly to the chain’s merchant bank to bypass middlemen credit card processors and the use of transaction authorization numbers made up of three hash marks and the last four numbers of the payment card used.
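The storage strategy Ibrahim describes, keeping only a masked reference (hash marks plus the last four digits) and verifying that no full card number or expiration date remains in what the back office persists, as an added illustration; this is example code, not Ruby Tuesday's system. The `###1234` reference format, the record layout and the Luhn-valid test card numbers are constructed assumptions.

```python
import re

# Constructed sample of records a POS back office might persist after a sale.
# Card numbers are industry test numbers (Luhn-valid), not real cards.
SAMPLE_RECORDS = [
    {"txn": "A1001", "card": "4111111111111111", "exp": "1209"},     # full PAN + expiry retained
    {"txn": "A1002", "card": "###1111", "exp": ""},                  # truncated reference only
    {"txn": "A1003", "card": "5555 5555 5555 4444", "exp": "0610"},  # full PAN with separators
]

# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reduce false positives from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Return the storage-safe reference: three hash marks plus the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not (13 <= len(digits) <= 19) or not luhn_ok(digits):
        raise ValueError("not a plausible card number")
    return "###" + digits[-4:]


def find_stored_pans(records):
    """Scan every field of every record; report (txn, field) where a full PAN survives."""
    findings = []
    for rec in records:
        for field, value in rec.items():
            for m in PAN_RE.finditer(str(value)):
                if luhn_ok(re.sub(r"\D", "", m.group(0))):
                    findings.append((rec["txn"], field))
    return findings


def sanitize_records(records):
    """Replace any retained PAN with its truncated reference and drop the expiry date."""
    cleaned = []
    for rec in records:
        card = rec["card"]
        if PAN_RE.search(card):
            card = truncate_pan(card)
        cleaned.append({"txn": rec["txn"], "card": card, "exp": ""})
    return cleaned
```

Running `find_stored_pans` over the sanitized output returns an empty list, which is the check a periodic data-discovery job would assert before signing off that no card numbers are kept in the system.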
“We took it to the extreme,” Ibrahim said. “We don’t keep any numbers in the system.”