Save Mart Updates Customers on Point-of-Sale Breach
Merchant Posts Fraud FAQ
Save Mart, the California-based supermarket chain, has issued a list of frequently asked questions for customers, noting that fewer than 1,000 cardholders may have been affected by the payments card breach discovered in late November. [See Fraud Scheme Hits Grocer.]

The grocer says it's working with local law enforcement, the Secret Service and vendors to investigate the breach. An FAQ list also is posted on Lucky Supermarkets' corporate page.

Save Mart, which operates stores under the brand names Lucky and Save Mart, earlier this month confirmed that at least 80 employees and customers had reported account compromises linked to tampered card readers discovered on self-service checkout terminals in at least 23 Save Mart and Lucky locations. In total, Save Mart owns and operates 234 stores in Northern California.

In its updated statement, Save Mart says: "Based on reports from our call center, it currently appears that there were fewer than 1,000 incidents of reported loss or attempted loss."

Save Mart also says this is not the first time one of its stores has been breached.

"In 2007, prior to our purchase of the [Lucky Supermarkets] store, an Albertsons store in San Leandro had a breach of their credit/debit card readers," the statement says. "Shortly after the purchase, law enforcement and card processors notified our company that there had been a confirmed breach of the systems in that store. We responded swiftly by notifying customers and re-inspecting all card readers in the chain. Following that assessment, we purchased and replaced in Spring of 2007 all credit/debit card readers in all check-lanes at the Albertsons stores we had purchased in early 2007."

In related news, the San Francisco Chronicle reports this week that several thousand dollars were stolen from a Comerica Bank account held by South Bay Blue Star Moms, a non-profit group that provides care packages to homeless veterans and active members of military serving overseas. The compromise is suspected of being linked to purchases made at one or more Lucky supermarkets in the San Francisco Bay area, where point-of-sale card readers and PIN pads allegedly were manipulated. South Bay Blue Star Moms discovered the fraud when unauthorized ATM withdrawals, each for several hundred dollars, showed up on the account. The withdrawals, conducted on Dec. 5 and Dec. 6, were made at ATMs in San Jose, Arcadia and Los Angeles, Calif.

Save Mart has been relatively reserved about the facts surrounding the card breaches. In the latest statement, the company says: "According to law enforcement officials, the scam relied on wireless technology that enabled perpetrators to remotely retrieve credit/debit card data. This is apparently more advanced than previous known attempts that required criminals to physically retrieve devices out of retailers' stores to obtain stolen information."

While stopping short of saying it will provide credit monitoring for customers impacted by the breach, Save Mart does say it will work with customers and banks to provide "appropriate protection measures" for fraud victims.

PCI and Merchant Compliance?

The Save Mart case raises questions about gaps in compliance with the Payment Card Industry Data Security Standard. [See Is PCI Effectively Preventing Fraud?.]

Jeremy King, European regional director for the PCI Security Standards Council, says version 3.1 of the PCI PIN Transaction Security requirements, released in October, includes guidance for unattended terminals. Additionally, merchants have been advised in PCI's 'Skimming Prevention: Best Practices for Merchants' to invest in emerging technology designed to thwart skimming.

"This is why the PTS standard was created," King says. "We saw that the criminals were finding it easy to break into the terminals and capture the mag-stripe information. And the changes we have seen since the introduction of the standard in 2005 have been significant. ... The terminal manufacturers have done a lot to improve the security."

The problem is that merchants are not upgrading or replacing legacy terminals as quickly as manufacturers are releasing improvements. "They can't just buy these terminals and forget them," King says. "They do have to keep an eye on them. ... Legacy terminals are the real problem. Old equipment needs to be upgraded, to ensure compliance with PTS and point-to-point encryption."

PCI PTS: Were the Terminals Compliant?

The organization of the scheme rings similar to attacks that in May hit Michaels crafts stores in more than 20 states. Card-readers and PIN-pads located on cashier POS systems in 90 Michaels stores were swapped with readers and pads manipulated to copy and transmit card details. Unlike Save Mart, which identified the tampering during a routine maintenance check, the fraud at Michaels came to light when consumers reported fraudulent ATM and retail transactions to their financial institutions. Card issuers later tracked the fraud to Michaels.

King says POS fraud is definitely getting more sophisticated. International crime rings are targeting certain countries, like the U.S., where a particular POS device make or model is popular. "Regardless of what kind of terminal it is, I would suggest that the merchants check to make sure that it's PTS-PCI approved," King says.
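The two controls the article keeps returning to, spotting a swapped or tampered reader during a routine inspection and checking that every deployed model is PTS-approved, can be reduced to a simple reconciliation of what is on the lanes today against what was recorded last time. The following Python is an added example, not Save Mart's, Michaels' or the PCI SSC's code; the baseline records, serial numbers, model names and the approved-model set are all constructed placeholders, and a real deployment would pull the approved list from the PCI SSC's published device listing rather than a hard-coded set.

```python
"""Reconcile a POS terminal inventory against an inspection baseline.

Added example with constructed data: the lanes, models, serials and the
approved-model set below are made up for illustration and describe no real
store, vendor or PCI listing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Terminal:
    lane: str          # checkout lane or self-service station id
    model: str         # make/model as printed on the device label
    serial: str        # serial number recorded at installation
    seal_intact: bool  # tamper-evident seal still in place at inspection


# Hypothetical baseline captured at the previous inspection (constructed).
BASELINE = {
    "lane-01": Terminal("lane-01", "ModelA-v2", "SN-1001", True),
    "lane-02": Terminal("lane-02", "ModelA-v2", "SN-1002", True),
    "self-03": Terminal("self-03", "ModelB-v1", "SN-2003", True),
    "self-04": Terminal("self-04", "ModelB-v1", "SN-2004", True),
}

# Hypothetical set of models the merchant has verified as PTS-approved
# (constructed; in practice this comes from the PCI SSC approved-device list).
PTS_APPROVED_MODELS = {"ModelA-v2", "ModelB-v1"}


def reconcile(observed, baseline=BASELINE, approved=PTS_APPROVED_MODELS):
    """Compare today's walk-through against the baseline.

    Returns a sorted list of (lane, finding) pairs. A device that has been
    swapped for a look-alike shows up as a serial mismatch even when the
    model label is identical; a device pulled from a lane shows up as
    missing; an unknown lane or an unapproved model is flagged as well.
    """
    findings = []
    seen = set()
    for t in observed:
        seen.add(t.lane)
        base = baseline.get(t.lane)
        if base is None:
            # A lane with no baseline record should not have a reader at all.
            findings.append((t.lane, "unexpected-device"))
            continue
        if t.serial != base.serial:
            findings.append((t.lane, "serial-mismatch"))
        if t.model != base.model:
            findings.append((t.lane, "model-changed"))
        if not t.seal_intact:
            findings.append((t.lane, "seal-broken"))
        if t.model not in approved:
            findings.append((t.lane, "model-not-pts-approved"))
    for lane in baseline:
        if lane not in seen:
            findings.append((lane, "missing-device"))
    return sorted(findings)


# Constructed inspection results: one swapped reader, one broken seal,
# one device missing from its lane, and one unexpected device on a new lane.
OBSERVED = [
    Terminal("lane-01", "ModelA-v2", "SN-1001", True),
    Terminal("lane-02", "ModelA-v2", "SN-9999", True),
    Terminal("self-03", "ModelB-v1", "SN-2003", False),
    Terminal("self-05", "UnknownX", "SN-5555", True),
]


def inspection_report():
    """Run the reconciliation over the constructed inspection data."""
    return reconcile(OBSERVED)


if __name__ == "__main__":
    for lane, finding in inspection_report():
        print(f"{lane}: {finding}")
```

The serial-number comparison is the part that matters most for the Michaels-style swap the article describes: a replacement reader built to look like the original will carry the right model label, so a model-only check passes it, while a per-lane serial baseline does not. Running the report after each scheduled inspection, and treating any finding as an incident rather than a maintenance note, turns the "keep an eye on them" advice into a repeatable control.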

Criminals also are targeting POS networks - a method that proved fruitful for the four Romanians indicted recently by the U.S. Department of Justice. The four have been accused of orchestrating a multimillion-dollar scheme that targeted networks run by Subway and 150 other unknown U.S. retailers. [See POS Fraud: How Hackers Strike.]

Investigators believe more than 80,000 U.S. consumers were compromised by the Romanians' war-driving - a hacking method that involves remotely scanning for open or vulnerable Internet connections to POS systems. Once a weak system was detected, they allegedly hacked internal computers and installed keylogging software onto the POS systems.

Pointing to the Romanians' hack, King says network vulnerabilities, coupled with skimming risks, make full compliance with the most up-to-date PTS version a necessity. Point-to-point encryption is key.

"Network security: This is the core of what the PCI is all about," King says. "The standard is all about protecting the transaction across the chain."

About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years' experience, she covered the financial sector for 10+ years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by ABC News and MSN Money.
