Chipotle Mexican Grill order
Mobile Order Ahead

How Chipotle Rewards Customers, Not Hackers

Chipotle was among the first QSRs to launch mobile ordering in 2009 and recently expanded its digital offerings to include a loyalty program. But it’s seen its share of struggles with the offering, including a credential-stuffing attack that resulted in hundreds of dollars stolen from customers. In this month’s Mobile Order-Ahead Tracker, PYMNTS talks with Chipotle CTO Curt Garner on how the QSR is working to secure its fledgling rewards program and guard mobile ordering against fraudsters.

Chipotle Mexican Grill, one of the fastest-growing quick-service restaurants (QSRs) in the country, has had a bit of roller coaster ride in the past few years. Formerly a subsidiary of McDonald’s, Chipotle became fully independent in 2006, and by 2015 had more than 2,000 restaurants in the U.S., Canada and Europe. However, the chain was subsequently rocked by a series of well-publicized food safety concerns, including E. coli, salmonella and norovirus, resulting in a sales decline of 36 percent.

Despite these setbacks, Chipotle’s star looks to be on the rise again. Its Q2 2019 earnings report stated that the QSR’s stock has surpassed $750 a share for the first time since the 2015 outbreaks. Its most recent move to win customers back was the nationwide launch of Chipotle Rewards, its customer loyalty program that encourages customer returns by periodically offering them free burritos.

In a recent interview with PYMNTS, Chipotle Chief Technical Officer Curt Garner talked about the new rewards program, and how the chain is keeping it safe from hackers, fraudsters and other bad actors.

How Chipotle Rewards its Loyal Customers

Chipotle was one of the first QSRs to embrace digital ordering, rolling out its first iPhone mobile order-ahead app in 2009. Its restaurants were quick to adapt to the digital ecosystem, with the majority of locations having a second back-of-house kitchen dedicated to digital orders. However, it wasn’t until this past March that the QSR launched a corresponding loyalty program.

Like many of its competitors, Chipotle Rewards is a points-based system, with every dollar spent earning 10 points and 1,250 points earning the customer a free entrée. According to Garner, the chain experimented with a variety of rewards structures but settled on the points-based system due to its simplicity and ease of understanding by customers.

“People are very excited about the idea of bonuses and the chance to get points multipliers,” Garner said, “but foundationally, they really want to understand the basic tenets of the plan and not have to go through a long piece of small print.”

Similar systems are employed by Starbucks, Chick-Fil-A, Dunkin’ and many other QSRs in the mobile ordering scene. Chipotle, however, came up with a few innovations all on its own, according to Garner.

“Something that's unique to Chipotle was the idea of retro credit, so [customers have] 24 hours after ordering to enter receipt information into our system and get credit for the transaction,” Garner said. “There's social pressure in line at Chipotle during peak [hours], and people don’t want to stop at the register and go onto our app, and then register, and get a bar code to get the credit.”

Keeping Bad Actors at Bay

When it comes to securing its rewards program, Chipotle’s strategy is twofold, with both internal security measures and cooperation with third-party security firms. Artificial intelligence (AI) and machine learning play key roles in assessing risky transactions, as they can analyze thousands of transactions in a fraction of the time it takes a human analyst. In many situations, an AI can do the job all on its own.

“When you're looking at account takeovers, for example, it's predominantly automated bot attacks that have an identifiable signature,” Garner explained. “As a retailer, you can say there's no practical purpose why a customer would be trying to log on to your network using a bot. The security platforms that utilize AI and machine learning can also spot attack patterns as they try to morph into different vectors, and very quickly block those transactions as well.”

Many times, however, the AI is not completely sure of its analysis, and transfers it to a human analyst for further scrutiny. One particular red flag, Garner said, are orders from new or unrecognized devices, which the AI always subjects to additional scrutiny before determining whether to process the order.

The second major aspect of Chipotle’s rewards program security is partnerships with major payments providers and security firms.

“[We] utilize large third parties as part of our application stack, so that the information that we and our customers would be most concerned about is not present on Chipotle's system,” Garner noted. “That payment information from our app is tokenized and sent directly to banks, and never traverses the Chipotle network.”

In addition to keeping payment information off of the Chipotle app, third-party security firms subject the app to a stringent vetting process, employing white-hat hackers that attempt to break the company’s security protocols. Chipotle resubmits its app to the hackers every time the app is updated to ensure so vulnerable software can ever be present.

However, Garner could not comment on the exact nature of the third-party testing companies.

“It’s a company policy because if, for instance, somebody were to find some vulnerability in any third party or tool, we wouldn't want people to know that we're a part of their customer base and potential threat vector,” he explained.

However, even multilayered, redundant security measures like Chipotle’s aren’t entirely ironclad. A number of Chipotle customers took to Reddit and Twitter in April, saying that their accounts had been breached, and bad actors had ordered food under their names. Although Chipotle attributed to attack to credential stuffing — in which a hacker uses a bot to automatically enter usernames and passwords stolen from other websites to try to find matches — many guests said their Chipotle passwords were unique or they used guest accounts.

Whatever the case may be, it underlines the need for impenetrable security. If Chipotle wants to continue its profitable trends, additional measures may need to be taken before customers decide the risk of stolen data is too great.



The How We Shop Report, a PYMNTS collaboration with PayPal, aims to understand how consumers of all ages and incomes are shifting to shopping and paying online in the midst of the COVID-19 pandemic. Our research builds on a series of studies conducted since March, surveying more than 16,000 consumers on how their shopping habits and payments preferences are changing as the crisis continues. This report focuses on our latest survey of 2,163 respondents and examines how their increased appetite for online commerce and digital touchless methods, such as QR codes, contactless cards and digital wallets, is poised to shape the post-pandemic economy.