Jimmy John’s confirmed a data breach this week and disclosed that approximately 216 stores were affected.

The sandwich shop chain said the investigation is on-going, but it believes attackers stole log-in credentials from the company’s point-of-sale (POS) vendor and used them to access the POS systems at various locations, according to a press release. Only cards used inside the affected stores are at-risk, not those entered manually or online.

The stolen information includes card numbers, and in some cases, the card’s verification code, expiration date, and the cardholder’s name.

In response, Jimmy Johns has installed encrypted swipe machines, implemented system enhancements and reviewed its policies and procedures for third party vendors. It’s also offering complementary identity protection services.