Brian Krebs reports:
More than seven weeks after this publication broke the news of a possible credit card breach at nationwide sandwich chain Jimmy John’s, the company now confirms that a break-in at one of its payment vendors jeopardized customer credit and debit card information at 216 stores.
[…]
The statement from Jimmy John’s doesn’t name the point of sale vendor, but company officials confirm that the point-of-sale vendor that was compromised was indeed Signature Systems.
Read more on KrebsOnSecurity.
Update: A potential class action lawsuit was filed in federal court in the Central District of Illinois on November 7, 2014. Curiously (to me, anyway), the complaint does not name Signature Systems or any point-of-sale vendor as defendants.
Perhaps one of the most damning allegations in the complaint, from my perspective, is this paragraph:
Equally troubling is that Jimmy John’s was utilizing a point-of-sale system that did not meet basic security requirements set forth by the PCI Security Standards Council. The Company used software developed by Signature Systems called PDQ POS. PDQ was not approved for new installations after October 28, 2013. Additionally, the Company that performed the security audit on PDQ, defunct firm Chief Security Officers, is the only qualified security assessment firm to have had their certification authority revoked by the PCI Security Standards Council.