QUINCY, Mass. — Stop & Shop Supermarkets here said last week that some of its customers' credit-card information was stolen after older PIN pad terminals at the checkout lanes in some stores had been tampered with.
The chain said it was notified of “possible fraudulent” purchases linked to credit and debit card data stolen from two of its stores in Rhode Island. The suspicious purchases took place at stores operated by other retailers, said spokesman Robert Keane. He declined to provide further details.
After being informed of the fraudulent activity, Stop & Shop, a division of Ahold, said it discovered tampering involving one electronic funds transfer (EFT) terminal (also called a PIN pad) in a store in Coventry, R.I., and another device at a store in Cranston, R.I.
“As a result of this tampering, account and PIN numbers associated with some credit and debit cards used in these two checkout lanes in early February were stolen,” the company said.
Since then, the chain has been working with local police departments and the U.S. Secret Service in an ongoing investigation, and has asked its payment networks and banks “to identify and protect affected customer accounts,” Stop & Shop said.
The chain also discovered evidence of tampering at three other Rhode Island stores — in Bristol, Providence and Warwick — and a store in Seekonk, Mass., but no fraudulent transactions have been reported in connection with those stores.
The PIN pads at the affected stores were removed from the POS, subjected to tampering and then returned to the POS, Keane told SN last week. He did not explain how the credit and debit card information was obtained from the terminals. Stop & Shop said it has not uncovered any involvement by Stop & Shop personnel in the tampering activity.
Following the discovery of the tampering, PIN pads at all 580-plus Stop & Shop and Giant of Landover, Md., stores were secured with a bolt so that they can't be removed from the POS, Keane said. (Giant is also a division of Ahold.) Stop & Shop also conducted an inventory and inspection of all EFT units in its stores.
Keane said that after learning of the possible fraudulent transactions, Stop & Shop contacted its payment processors. The processors alerted the banks funding the transactions, and the banks in turn contacted consumers whose credit or debit accounts may have been affected. Keane could not say how many consumers were involved. “They should have been contacted by now,” he said.
Stop & Shop has set up a toll-free number for consumers to call with questions. The company recommended that customers who used electronic payment cards in its Rhode Island stores and the Seekonk, Mass., store monitor their bank or credit card statements and contact the applicable bank or credit card issuer immediately in the event of any fraudulent transactions.
Keane noted that as soon as Stop & Shop found out about the security breach, the company let the public know about it. “It's important for people to know as soon as possible so they could check their statements.”
The security breach at Stop & Shop occurred at a time when retailers are under increasing pressure to secure consumer data according to standards established by the credit card associations. The standards were established to counter the growing sophistication of criminals who are intent on cracking corporate databases, which has led to several high-profile security breaches.
The PIN pads used by Stop & Shop were originally manufactured by IVI Checkmate, which was acquired by Ingenico, Atlanta, in 2001. These eNcrypt 2400 terminals, which are now more than six years old, do not comply with current industry security standards for transaction terminals, known as Payment Card Industry PIN Entry Device (PCI PED) standards, said Grant Drummond, director of marketing communications, Ingenico.
The terminals did meet “security standards in place when they were manufactured,” Drummond said. PCI PED certification makes terminals harder to tamper with, though “anything can be broken,” he noted. The majority of Ingenico's more recent i-series terminals have received PCI PED certification.
However, Stop & Shop's Keane told SN that “although our devices are older, they are not out of compliance with PCI. PCI added new requirements for devices manufactured after July 1, 2004.”
According to a Visa source, Visa assesses fines on merchant (acquiring) banks when merchants are not in compliance with security standards, and many banks pass along the fines to their merchants. He declined to comment on the Stop & Shop scenario.
Less than two weeks before Stop & Shop reported its security breach, VeriFone, San Jose, Calif., announced that Stop & Shop and Giant-Landover stores have selected VeriFone's MX870 payment terminals for use in their stores. VeriFone said in a statement that the chains plan “to install MX870s in all new and remodeled stores, as well as devise a strategy to replace older legacy EFT units over time.”
The MX870 terminals are PCI PED-compliant, said Pete Bartolik, a spokesman for VeriFone.