As Michaels Stores Inc. continues its investigation into the payment terminal tampering that affected 80 of its stores, experts say other merchants are likely just as vulnerable and should be investigating their own hardware.
The tampering reportedly began as early as February or March, and in early May law enforcement officials and banks contacted Michaels about unauthorized automated teller machine withdrawals from the accounts of consumers who had made purchases with debit cards in its stores earlier this year.
On May 5 the Irving, Texas, crafts store chain revealed that crooks had tampered with at least 90 of its payment terminals in stores in 20 states. It also said some credit card account numbers may have been exposed in the attack.
At press time Michaels had not released details about how the breach occurred, but a spokeswoman said the number of affected customers' debit accounts was holding steady at "fewer than 100." She said that Michaels reached this figure based on reports from police and banks as of May 12, and that it could rise as more reports come in.
The company said it is working to replace all affected terminals by the end of the month and that all transactions conducted now at Michaels stores are safe.
But many questions remain for merchants whose payment terminals were supposedly designed to prevent such breaches.
All U.S. payment terminals certified by the Payment Card Industry Security Standards Council are designed to be tamper-resistant, the organization said. Moreover, the council's PIN Transaction Security standard dictates that all payment terminals have strong physical and logical security, including elements to determine whether someone has tampered with terminals, a council representative said.
In 2009 the council released recommendations and guidelines to guard against illegal skimming of card data from payment terminals, but the organization has acknowledged that thieves are constantly seeking new ways to steal data in the payment cycle.
While it is impossible to protect against unknown new tampering schemes, many merchants still lack basic processes to determine whether terminals have been tampered with, said Jose Diaz, director of technical and strategic business development for the data security company Thales e-Security Inc.
"Fraudsters have become very sophisticated at taking payment terminals apart and figuring out ways to capture payment card data and PINs," Diaz said.
Many merchants' terminals are not securely bolted to counters, so they are relatively easy to remove from the store overnight without detection, he said.
"Payment terminal security is a very comprehensive task, and it's more than just assuming the terminal cannot easily be broken into. The challenge is installing terminals in such a way, and in locations, that they cannot be accessed by criminals," Diaz said.
"And the other element is installing terminals in such a way that if they are attacked, it will be detected somehow by cameras or other security or tracking systems," he said.