Signature Systems, the PoS system vendor that has been named as the likely point of origin of the Jimmy John’s payment data breach, has confirmed that the attacker(s) gained access to a user name and password the company used to remotely access PoS systems.
“The unauthorized person used that access to install malware designed to capture payment card data from cards that were swiped through terminals in certain restaurants. The malware was capable of capturing the cardholder’s name, card number, expiration date, and verification code from the magnetic stripe of the card,” the company explained.
Apart from the 216 Jimmy John’s stores, another 108 restaurant locations – mostly mom-and-pop restaurants in New England and the Midwest (full list and period of compromise here) – have been affected at one point or another between June 16 and mid-September, when the last of the malware was removed from some of the PoS devices.
“The malware was designed to avoid detection by the anti-virus programs running on the point-of-sale systems,” the company pointed out, and shared that they were first alerted to a potential issue affecting one restaurant location on July 30.
“We have been working hard ever since to determine what occurred, block it from continuing, implement enhanced security measures, and notify the affected merchants,” they noted.
According to information gathered by Brian Krebs, the PCI Security Standards Council approved the installation of Signature Systems’ PDQ POS system only until Oct. 28, 2013, so any of the affected restaurants that installed it after that date will probably be fined.
Signature Systems is currently developing a new payment app that will feature point-to-point encryption, intended to thwart memory-scraping malware.
Krebs also discovered that Chief Security Officers, the firm that audited the PDQ product, is no longer in operation and, before it closed down, had its certification authority revoked by the PCI Security Standards Council.