Merchant Posts Fraud FAQ
Save Mart Updates Customers on Point-of-Sale Breach
The grocer says it's working with local law enforcement, the Secret Service and vendors to investigate the breach. An FAQ list also is posted on Lucky Supermarkets corporate page.
Save Mart, which operates stores under the brand names Lucky and Save Mart, earlier this month confirmed that at least 80 employees and customers had reported account compromises linked to tampered card readers discovered on self-service checkout terminals in at least 23 Save Mart and Lucky locations. In total, Save Mart owns and operates 234 stores in Northern California.
In its updated statement, Save Mart says: "Based on reports from our call center, it currently appears that there were fewer than 1,000 incidents of reported loss or attempted loss."
Save Mart also says this is not the first time one of its stores has been breached.
"In 2007, prior to our purchase of the [Lucky Supermarkets] store, an Albertsons store in San Leandro had a breach of their credit/debit card readers," the statement says. "Shortly after the purchase, law enforcement and card processors notified our company that there had been a confirmed breach of the systems in that store. We responded swiftly by notifying customers and re-inspecting all card readers in the chain. Following that assessment, we purchased and replaced in Spring of 2007 all credit/debit card readers in all check-lanes at the Albertsons stores we had purchased in early 2007."
In related news, the San Francisco Chronicle reports this week that several thousand dollars were stolen from a Comerica Bank account held by South Bay Blue Star Moms, a non-profit group that provides care packages to homeless veterans and active members of the military serving overseas. The compromise is suspected of being linked to purchases made at one or more Lucky supermarkets in the San Francisco Bay area, where point-of-sale card readers and PIN pads allegedly were manipulated. South Bay Blue Star Moms discovered the fraud when unauthorized ATM withdrawals, each for several hundred dollars, showed up on the account. The withdrawals, conducted on Dec. 5 and Dec. 6, were made at ATMs in San Jose, Arcadia and Los Angeles, Calif.
Save Mart has been relatively reserved about the facts surrounding the card breaches. In the latest statement, the company says: "According to law enforcement officials, the scam relied on wireless technology that enabled perpetrators to remotely retrieve credit/debit card data. This is apparently more advanced than previous known attempts that required criminals to physically retrieve devices out of retailers' stores to obtain stolen information."
While stopping short of saying it will provide credit monitoring for customers impacted by the breach, Save Mart does say it will work with customers and banks to provide "appropriate protection measures" for fraud victims.
PCI and Merchant Compliance?
The Save Mart case raises questions about gaps in compliance with the Payment Card Industry Data Security Standard. [See Is PCI Effectively Preventing Fraud?]
Jeremy King, European regional director for the PCI Security Standards Council, says version 3.1 of the PCI PIN Transaction Security requirements, released in October, include guidance for unattended terminals. Additionally, merchants have been advised in PCI's 'Skimming Prevention: Best Practices for Merchants' to invest in emerging technology designed to thwart skimming.
"This is why the PTS standard was created," King says. "We saw that the criminals were finding it easy to break into the terminals and capture the mag-stripe information. And the changes we have seen since the introduction of the standard in 2005 have been significant. ... The terminal manufacturers have done a lot to improve the security."
The problem is that merchants are not upgrading or replacing legacy terminals as quickly as manufacturers are releasing improvements. "They can't just buy these terminals and forget them," King says. "They do have to keep an eye on them. ... Legacy terminals are the real problem. Old equipment needs to be upgraded, to ensure compliance with PTS and point-to-point encryption."
PCI PTS: Were the Terminals Compliant?
The organization of the scheme rings similar to attacks that in May hit Michaels crafts stores in more than 20 states. Card-readers and PIN-pads located on cashier POS systems in 90 Michaels stores were swapped with readers and pads manipulated to copy and transmit card details. Unlike Save Mart, which identified the tampering during a routine maintenance check, the fraud at Michaels came to light when consumers reported fraudulent ATM and retail transactions to their financial institutions. Card issuers later tracked the fraud to Michaels.
King says POS fraud is definitely getting more sophisticated. International crime rings are targeting certain countries, like the U.S., where a particular POS device make or model is popular. "Regardless of what kind of terminal it is, I would suggest that the merchants check to make sure that it's PTS-PCI approved," King says.
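The Michaels swap, Save Mart's discovery during a routine maintenance check, and King's advice to verify PTS approval all point to the same control: a merchant needs a recorded baseline of every reader and PIN pad and a way to reconcile a fresh physical survey against it. The following Python sketch is an added illustration of that reconciliation; it is not code from Save Mart, Michaels, the PCI Security Standards Council or the article. The approved-model list, lane identifiers, serial numbers and firmware versions are constructed sample data, and a real approved list would be built from the PCI SSC's published PTS device listing.

```python
"""Reconcile a recorded card-reader/PIN-pad baseline against a fresh survey.

Added example (not Save Mart, Michaels or PCI SSC code). All device data
below is constructed for illustration.
"""
from dataclasses import dataclass

# Constructed stand-in for a merchant's approved-model list. In practice this
# would be derived from the PCI SSC PTS-approved device listing.
APPROVED_MODELS = {"PINPAD-X100", "READER-Z5"}


@dataclass(frozen=True)
class Terminal:
    lane: str       # constructed lane id, e.g. "store-123/sco-1"
    model: str
    serial: str
    firmware: str


def reconcile(baseline, survey, approved=APPROVED_MODELS):
    """Return {lane: [findings]} for lanes whose device state changed.

    Findings:
      swapped    - a different serial is now installed at the lane
      firmware   - same device, but its firmware no longer matches baseline
      unapproved - model is not on the approved list (legacy equipment)
      missing    - recorded lane absent from the survey
      unexpected - survey found a lane the baseline never recorded
    """
    findings = {}
    base = {t.lane: t for t in baseline}
    seen = {t.lane: t for t in survey}

    for lane, rec in base.items():
        cur = seen.get(lane)
        if cur is None:
            findings.setdefault(lane, []).append("missing")
            continue
        if cur.serial != rec.serial:
            # A swapped device is the Michaels-style tampering signature.
            findings.setdefault(lane, []).append("swapped")
        elif cur.firmware != rec.firmware:
            findings.setdefault(lane, []).append("firmware")
        if cur.model not in approved:
            findings.setdefault(lane, []).append("unapproved")

    for lane in sorted(seen.keys() - base.keys()):
        findings.setdefault(lane, []).append("unexpected")
    return findings


# Constructed baseline recorded at the last inspection.
BASELINE = [
    Terminal("store-123/sco-1", "PINPAD-X100", "SN-0001", "1.4.2"),
    Terminal("store-123/sco-2", "PINPAD-X100", "SN-0002", "1.4.2"),
    Terminal("store-123/lane-5", "READER-Z5", "SN-0100", "2.0.0"),
    Terminal("store-123/lane-6", "LEGACY-M1", "SN-0200", "0.9"),
]

# Constructed survey from today's walk-through.
SURVEY = [
    Terminal("store-123/sco-1", "PINPAD-X100", "SN-0001", "1.4.2"),  # unchanged
    Terminal("store-123/sco-2", "PINPAD-X100", "SN-9999", "1.4.2"),  # serial changed
    Terminal("store-123/lane-5", "READER-Z5", "SN-0100", "1.9.0"),   # firmware differs
    Terminal("store-123/lane-6", "LEGACY-M1", "SN-0200", "0.9"),     # legacy model
    Terminal("store-123/lane-7", "PINPAD-X100", "SN-0300", "1.4.2"), # not in baseline
]

if __name__ == "__main__":
    for lane, issues in reconcile(BASELINE, SURVEY).items():
        print(f"{lane}: {', '.join(issues)}")
```

Each finding maps to a different response: a swapped serial warrants pulling the device and notifying the processor, a firmware mismatch warrants checking the vendor's update record, and an unapproved model is the legacy-equipment problem King describes.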
Criminals also are targeting POS networks - a method that proved fruitful for the four Romanians indicted recently by the U.S. Department of Justice. The four have been accused of orchestrating a multimillion-dollar scheme that targeted networks run by Subway and 150 other unknown U.S. retailers. [See POS Fraud: How Hackers Strike.]
Investigators believe more than 80,000 U.S. consumers were compromised by the Romanians' war-driving - a hacking method that involves remotely scanning for open or vulnerable Internet connections to POS systems. Once a weak system was detected, they allegedly hacked internal computers and installed keylogging software onto the POS systems.
Pointing to the Romanians' hack, King says network vulnerabilities, coupled with skimming risks, make full compliance with the most up-to-date PTS version a necessity. Point-to-point encryption is key.
"Network security: This is the core of what the PCI is all about," King says. "The standard is all about protecting the transaction across the chain."