Chipotle Skips the Chips, Hit by Nationwide Cyberattack

From consumers fumbling to understand which way to swipe or insert their new chip-based credit cards to the transactional terminal seemingly taking forever to process their cards, the learning curve for using chip-readers has been steep. Those merchants who have skipped adoption of EMV technology altogether, however, should take notice of the situation Chipotle currently finds itself in.

Chipotle has confirmed the malicious, third-party operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017. While Chipotle likely uses the word "certain" to calm consumers*, a quick test of the restaurant's "locator tool" - which identifies specific locations that were impacted (and when) - indicates 48 states have been affected. Payments experts are saying that this public relations nightmare may have been prevented with EMV chip-reading technology, as "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device."

As Website Magazine readers likely know, there has been a spike in Web security incidents after the late-2015 switch to EMV, which made brick-and-mortar fraud more difficult. Even so, Manta reports that as of late-2016, 62 percent of small business owners still do not accept chip-based credit cards. It is unlikely, however, that most small businesses could withstand a major cybersecurity attack like Chipotle's.

* Note, Chipotle states, "There is no indication that other customer information was affected."