Point-of-sale (POS) systems provider Signature Systems has admitted responsibility for the credit and debit card data breach that recently affected 216 Jimmy John’s sandwich stores, and has revealed that 108 other restaurants across America were also affected by the incident.

Last week we reported that the Illinois-based sandwich chain Jimmy John’s had confirmed a data breach involving customer debit and credit card data at 216 of its stores, after a hacker remotely installed card-stealing malware onto its payment systems. Signature Systems has now accepted blame for the attack. In a statement issued about the Jimmy John’s breach, Signature Systems also said that 108 other small restaurants were compromised in the attack.

The hacker was able to install the malware after gaining access to a username and password used by Signature Systems to remotely access the POS systems. The malware was designed to steal the cardholder names, card numbers, expiration dates and verification codes of credit and debit cards.

What’s more, Brian Krebs revealed earlier that Signature’s core product – PDQ POS – was not actually approved for new installations after October 28, 2013 by the PCI Security Standards Council. Any shop or restaurant branch using Signature’s PDQ POS could therefore face fines and other penalties for non-compliance with the PCI Data Security Standard.

To make matters worse, Chief Security Officers – the company that performed the security audit on the PDQ POS – appears to be the only security assessment firm to have had its certification authority revoked by the PCI SSC. Chief Security Officers is now officially defunct.
