The investigation continues into how thieves managed to steal funds from consumers’ debit card accounts by tampering with PIN-pad terminals at 80 outlets of Michaels Stores Inc., but payment-security experts say many merchants’ terminals probably remain exposed to similar sophisticated attacks.
The Irving, Texas-based crafts-store chain on May 5 revealed that crooks had tampered with at least 90 of its payment terminals in stores in 20 states (
The tampering reportedly began as early as February or March, and in early May law-enforcement authorities and banks contacted Michaels about unauthorized ATM withdrawals occurring from accounts of consumers who had made purchases with debit cards in its stores earlier this year.
Michaels has released no details yet about how the breach occurred, but a spokesperson tells PaymentsSource that the number of affected customers’ debit accounts is holding steady at “fewer than 100.” The company says it is working to replace all affected terminals by the end of the month and believes all transactions conducted now at Michaels stores are safe.
But many questions remain for merchants whose payment terminals supposedly were designed to prevent such breaches.
All U.S. payment terminals certified by the Payment Card Industry Security Standards Council are designed to be tamper-resistant, the organization says. Moreover, the council’s PIN Transaction Security standard dictates that all payment terminals have strong physical and logical security, including elements to determine whether someone has tampered with terminals, a council spokesperson tells PaymentsSource.
The council in 2009 also released recommendations and guidelines to guard against illegally skimming of card data from payment terminals, but the organization has acknowledged that thieves are constantly pursuing new approaches to stealing data at various points in the payment cycle.
Advanced data-encryption systems and upgraded payment terminals are useless against criminals who have devised new ways to capture data within terminals as cards are swiped, Jose Diaz, director of technical and strategic business development for data-security firm Thales e-Security Inc., tells PaymentsSource.
And while it is impossible to protect against unknown new tampering schemes, many merchants still lack basic processes to determine whether terminal tampering has occurred, Diaz says.
“Fraudsters have become very sophisticated at taking payment terminals apart and figuring out ways to capture payment card data and PINs,” he says. And while no expert can imagine what these criminals will think of next, “there is a major gap in the fact that most merchants lack solid processes for securing terminals so thieves can’t get their hands on terminals in the first place.”
Some merchants have “locked down” terminals to make them difficult or impossible to remove from stores, Diaz says. But many merchants’ terminals are not securely bolted to counters, so they are relatively easy to remove from the store overnight without detection, he contends.
“A lot of the security surrounding payment terminals has to do with protecting access to terminals after hours and by the wrong people,” Diaz says. He suggests merchants could “do a lot more” to ensure no one tampers with their terminals.
“Payment-terminal security is a very comprehensive task, and it’s more than just assuming the terminal cannot easily be broken into. The challenge is installing terminals in such a way, and in locations, that they cannot be accessed by criminals,” Diaz says. “And the other element is installing terminals in such a way that if they are attacked, it will be detected somehow by cameras or other security or tracking systems.”
Merchants have various means to secure equipment better in their stores. These include creating routines to check terminals to search for signs of tampering and training personnel to be aware of unusual activities surrounding payment terminals.
“It may be impossible to completely prevent fraud, but there is a lot merchants can do in their basic store setups and routines to prevent it,” Diaz says.
What do you think about this? Send us your feedback.
