Looks as if the breach is with
the POS vendor and not necessarily Jimmy Johns.
“””
“We have determined that an
unauthorized person gained access to a user name and password that Signature
Systems used to remotely access POS systems,” the company wrote. “The
unauthorized person used that access to install malware designed to capture
payment card data from cards that were swiped through terminals in certain
restaurants. The malware was capable of capturing the cardholder’s name, card
number, expiration date, and verification code from the magnetic stripe of the
card.”
Meanwhile, there are questions
about whether Signature’s core product — PDQ POS — met even the most basic
security requirements set forth by the PCI Security Standards Council for
point-of-sale payment systems. According to the council’s records, PDQ POS was
not approved for new installations after Oct. 28, 2013. As a result, any Jimmy
John’s stores and other affected restaurants that installed PDQ’s product after
the Oct. 28, 2013 sunset date could be facing fines and other penalties from
the PCI Council.
“””
List of more stores affected: