There’s more reported fallout from the data breach at sandwich-chain Jimmy John’s, with some 100 new restaurant victims identified and a confirmation from the chain that “an unauthorized person gained access to a user name and password that Signature Systems used to remotely access POS systems.” Of potentially even greater concern is that the POS system used by the chain, from Signature Systems, might not have been PCI compliant at the time of its installation.
“What’s more, the company that performed the security audit on (Signature Systems) — a now-defunct firm called Chief Security Officers — appears to be the only qualified security assessment firm to have had their certification authority revoked (PDF) by the PCI Security Standards Council,” reported Krebs On Security, which has been covering this breach closely.
Signature’s core product is called PDQ POS.
Following the initial breach reports that 216 of the chain’s stores had been breached through a remote access program, the company has confirmed that “the unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants. The malware was capable of capturing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card.”
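The data the chain describes (name, PAN, expiration and verification code) is exactly what sits in the ISO 7813 Track 1 and Track 2 records on a magnetic stripe, and on a correctly configured POS it should never be present in cleartext on the host. As an added example from the defender's side, not code from the article, from Jimmy John’s or from Signature Systems, the following Python scanner flags track-formatted records in a buffer (a log extract or memory dump), uses a Luhn check to discard false positives, and produces a redacted copy safe to store or share. The sample buffer and its card numbers are constructed test values.

```python
import re

# Constructed sample buffer (not from the incident): a fragment that mixes
# binary padding with one Track 1 record, one Track 2 record, and a decoy
# record whose PAN fails the Luhn check.
SAMPLE = (
    b"\x00\x00terminal ready\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"  # Track 1, format B
    b"\x00\x00;4111111111111111=25121011000000000000?"     # Track 2
    b"\x00;1234567890123456=2512101?"                       # decoy: Luhn-invalid
    b"\x00ok\x00"
)

# ISO 7813 layouts: Track 1 is %B<PAN>^<NAME>^<YYMM><service code>...?
# and Track 2 is ;<PAN>=<YYMM><service code>...?
TRACK1_RE = re.compile(rb"%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})[^?]*\?")
TRACK2_RE = re.compile(rb";(?P<pan>\d{13,19})=(?P<exp>\d{4})[^?]*\?")


def luhn_ok(pan: bytes) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep first six and last four digits (the usual PCI truncation rule)."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def find_track_data(buf: bytes) -> list:
    """Report Luhn-valid track records found in buf, with masked PANs only."""
    findings = []
    for track, pattern in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in pattern.finditer(buf):
            if not luhn_ok(m.group("pan")):
                continue        # random digit runs rarely pass Luhn
            exp = m.group("exp").decode("ascii")
            finding = {
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(m.group("pan")),
                "expiry": exp[2:] + "/" + exp[:2],   # YYMM -> MM/YY
            }
            if track == 1:
                finding["name"] = m.group("name").decode("ascii", "replace")
            findings.append(finding)
    findings.sort(key=lambda f: f["offset"])
    return findings


def redact_track_data(buf: bytes) -> bytes:
    """Overwrite every PAN in track-formatted records, keeping the last four digits.

    Redaction is applied regardless of the Luhn result so that the output is
    conservative and can be retained as evidence without holding card data.
    """
    out = bytearray(buf)
    for pattern in (TRACK1_RE, TRACK2_RE):
        for m in pattern.finditer(buf):
            start, end = m.start("pan"), m.end("pan") - 4
            out[start:end] = b"X" * (end - start)
    return bytes(out)


if __name__ == "__main__":
    for f in find_track_data(SAMPLE):
        print(f)
    print(redact_track_data(SAMPLE))
```

Because the Track 2 regex requires a Luhn-valid PAN to report a hit but the redactor rewrites every structural match, a hit on a real POS host is a strong signal that cleartext swipe data is reachable (a P2PE-encrypting reader would never expose it) while the redacted copy stays safe to retain.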
The POS vendor, Signature Systems, then listed other “affected stores” beyond Jimmy John’s.
But when Krebs checked the PCI site, it found that the software’s approval ended last year, meaning that stores that installed it after that date would not have been compliant. It’s up to merchants to verify that any payment-touching systems used are compliant.
“According to the council’s records, PDQ POS was not approved for new installations after Oct. 28, 2013. As a result, any Jimmy John’s stores and other affected restaurants that installed PDQ’s product after the Oct. 28, 2013 sunset date could be facing fines and other penalties,” Krebs reported.
The situation is actually worse, as most PCI QSAs will insist that software must be PCI compliant throughout its use, not merely at the time of installation. Otherwise, compliance could expire and merchants could keep using the non-approved systems for years.