Michaels Stores Inc. said Wednesday that the PIN pad-tampering attack it disclosed last week is far more widespread than it originally believed, affecting at least 90 payment terminals in stores in 20 states.

The geographic reach of the intrusion suggests the work of a sophisticated organized-crime group, and it may serve as a wake-up call for merchants to take additional precautions, Julie Conroy McNelley, a senior risk and fraud analyst at Aite Group LLC, said in an interview.

"It is surprising that a large merchant like this was attacked, when most big merchants say they have taken steps to secure their terminals and are required to go through a great deal of security certification," she said. "But it shows you that there are still a lot of gaps out there."

The national crafts supply retailer on May 5 began notifying customers that fraudsters had tampered with payment terminals in the Chicago area. But on May 11, Michaels said fraudsters had tampered with approximately 1% of all payment devices deployed in its 964 U.S. stores.

Michaels has since disabled and quarantined all suspicious PIN pads and has removed an additional 7,200 from its U.S. stores, the Irving, Texas, company said in a press release. The company also expects to finish replacing PIN pads in all affected stores with upgraded terminals within the next 15 days. Michaels said it also is screening all PIN pads in its Canadian stores.

Until it installs the upgraded PIN pads, the company said it is processing only credit and signature-debit transactions on store registers. The company did not return calls for further comment.

In addition to the 14 stores in the Chicago area, fraudsters tampered with PIN pads at stores in Colorado, Delaware, Georgia, Iowa, Maryland, Massachusetts, New Hampshire, New Jersey, New Mexico, Nevada, New York, North Carolina, Ohio, Oregon, Pennsylvania, Rhode Island, Utah, Virginia and Washington, according to Michaels. (The retailer's stores in Arizona deploy PIN pads from VeriFone Systems Inc.)