Michaels PIN-Pad Breach Raises Questions About Common Data-Security Practices

Michaels Stores Inc. says that in mid-May it was partway through upgrading the payment terminals in its stores to new, tamper-resistant models when a series of fraudulent debit card transactions pointed to criminals tampering with PIN pads at its stores.


The discovery of a major breach of the payment terminals has since snowballed into massive legal headaches and potential losses for the retailer, forcing Michaels in short order to replace more than 7,000 terminals nationwide.

What may be most unnerving for other merchants is that Michaels, like many other organizations, believed it was in compliance with generally accepted procedures to prevent such a security breach.

“Michaels undergoes a third-party security audit annually to make sure we are compliant with current requirements and standards, and have always been found in compliance,” a Michaels spokesperson told PaymentsSource via e-mail.

The retailer on May 25 announced that every U.S. store was equipped with “new, tamper-resistant payment card terminals,” noting it also has “implemented additional security measures to prevent this type of crime from reoccurring.” The company has not disclosed the brand of payment terminals involved in the breach nor which brands it deployed as replacements.

And while Michaels executives likely thought they reacted as quickly as possible to stanch losses from the tampering attack, attorneys planning class-action lawsuits are scrutinizing the timeline of the company’s actions, and their potential success in the litigation could escalate the company’s potential losses (see story).

Michaels also noted in a May 26 quarterly Securities and Exchange Commission filing that other entities might seek damages, and payment card companies and associations also may impose fines. “We do not have sufficient information to reasonably estimate losses we may incur arising from the payment card terminal tampering,” Michaels said in the filing.

The sequence of events in the breach is likely to be crucial in determining the extent of losses and pinpointing Michaels’ liability, according to legal experts.

U.S. Secret Service agents on May 3 broke the news to store executives, who subsequently found that crooks had physically altered the payment terminals at about 8% of the company’s 964 stores nationwide, enabling them to skim sensitive data from customers’ cards, capture PINs and steal money directly from debit accounts.

Some 90 terminals at 80 Michaels stores spread across 20 states were involved, and at least 100 customers’ accounts were affected. Customers of at least a dozen different banks and credit unions reportedly lost funds when criminals used the stolen data to make unauthorized ATM cash withdrawals, but Michaels says that number may rise as more reports surface.

Credit card account data also may have been exposed, although Michaels has not reported any related fraudulent credit card transactions.

The Irving, Texas-based crafts-supply chain within two days of discovering the tampering notified customers of the breach and began replacing suspicious terminals at a breakneck pace, removing approximately 7,200 devices in its U.S. and Canada stores within approximately two weeks (see story).

So far, Michaels has not disclosed details about how criminals broke into its in-store PIN-pads in regions as far-flung as the East Coast, Midwest and Northwest, but analysts say all signs point to an organized group of criminals. The company says it is working with law-enforcement authorities to apprehend the conspirators.

“That many terminals in that many states suggests a crew working together,” says Paul Martaus, president and CEO of Mountain Home, Ark.-based merchant acquirer consulting firm Martaus & Associates.

Martaus declined to speculate on the identity of Michaels’ merchant acquirer or payment terminal hardware suppliers.

In at least some of its stores, Michaels deploys VeriFone payment terminals equipped with PIN-pads, but the retailer declined to comment on its equipment and suppliers. VeriFone declined to comment on whether it supplies terminals to Michaels.

And while payments-industry insiders are curious to learn which acquirer handles Michaels’ payment card transactions, Martaus contends that detail ultimately may not be very relevant. “It’s probably one of the big merchant acquirers because this is a large, national retailer,” he says. “But such a breach would have less to do with the merchant acquirer and more to do with the (payment-terminal) hardware.”

Regardless of whether they were directly at fault for losses, any acquirer involved may fear “reputational risk” by its association with a company that experienced such a potentially costly breach, Eric Grover, a payments consultant with Intrepid Ventures, tells PaymentsSource via e-mail.

“The question is whether Michaels invested in tamper-proof payment terminals before they got broken into, and apparently they did not,” Martaus says. “For years processors have been advertising so-called tamper-resistant terminals, and while that’s a fine idea, who would think that a company like Michaels, which caters to people making relatively small purchases for crafts and hobbies, would need the heaviest guns to protect against a widespread payment-terminal attack?”

Not surprisingly, many observers are left to wonder what specifically defines a “tamper-resistant” terminal. Another burning question is whether vaunted new advanced data-encryption systems promising to protect data from the moment a card is swiped until the transaction is processed would protect merchants from an attack such as the one Michaels experienced.

All U.S. payment terminals certified by the Payment Card Industry Security Standards Council are designed to be tamper-resistant, the organization says. Moreover, the council’s PIN Transaction Security standard dictates that all payment terminals have strong physical and logical security factors, including “elements to determine whether someone has tampered with terminals,” a council spokesperson tells PaymentsSource.

The council in 2009 also released guidelines for merchants to guard against illegal skimming of card data from payment terminals, but the organization has acknowledged that thieves constantly pursue new approaches to stealing data at various points in the payment cycle.

Even in its May 26 SEC filing, Michaels said “improper activities by third parties, advances in technical capabilities and encryption technology, new tools and discoveries, and other events or developments may facilitate or result in a further compromise or breach of our payment card terminals or other payment systems.”

But speculation among analysts suggests Michaels fell short of providing the maximum protection for its payment terminals.

“Until further details are available, it is difficult to know exactly what happened. But it’s highly likely that the use of tamper-resistant terminals and ‘end-to-end’ data encryption would have prevented this specific breach,” Mike Kutsch, a principal with the consulting firm Payment Strategy LLC, tells PaymentsSource.

Card-skimming crimes that originated with unattended gas station payment terminals and ATMs are on the rise, but “widespread tampering inside an attended (retail) environment has not been common to date,” Kutsch notes.

Many merchants also routinely fail to use basic processes to determine whether terminal tampering has occurred, Jose Diaz, director of technical and strategic business development for Weston, Fla.-based data-security firm Thales e-Security Inc., tells PaymentsSource.

In many cases, merchants’ payment terminals are not securely bolted to counters, so they are relatively easy to remove from a store overnight for tampering without detection, Diaz contends. “Payment-terminal security is a very comprehensive task, and it’s more than just assuming the terminal cannot easily be broken into,” he says. “And the other element is installing terminals in such a way that if they are attacked, it will be detected somehow by cameras or other security or tracking systems.”
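The “basic processes” Diaz describes amount to keeping a record of each installed PIN pad and checking it daily. As an added example that is not from the article or from Michaels, the following Python reconciliation compares a constructed terminal baseline against a constructed inspection log and flags swapped devices, broken tamper seals, unbolted units and unknown devices (all store numbers, lanes, serials and seal ids are invented):

```python
# Added example, not from the article or Michaels: reconcile a recorded PIN-pad
# baseline against a daily inspection log. Every value below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Terminal:
    store: str
    lane: int
    serial: str   # serial number recorded at installation
    seal: str     # tamper-evident seal id applied at installation
    bolted: bool  # physically secured to the counter
@dataclass(frozen=True)
class Inspection(Terminal):
    seal_intact: bool  # inspector confirmed the seal shows no damage

# Constructed baseline: what was installed and recorded by the retailer.
BASELINE = [
    Terminal("0101", 1, "SN-A1", "SEAL-11", True),
    Terminal("0101", 2, "SN-A2", "SEAL-12", True),
    Terminal("0101", 3, "SN-A3", "SEAL-13", True),
    Terminal("0202", 1, "SN-B1", "SEAL-21", True),
]
# Constructed inspection: lane 2 carries a different serial (swapped device),
# lane 3 was skipped, store 0202 lane 1 is unbolted with a broken seal, and an
# unknown device appears at lane 9.
INSPECTIONS = [
    Inspection("0101", 1, "SN-A1", "SEAL-11", True, True),
    Inspection("0101", 2, "SN-Z9", "SEAL-12", True, True),
    Inspection("0202", 1, "SN-B1", "SEAL-21", False, False),
    Inspection("0202", 9, "SN-Q7", "SEAL-99", True, True),
]
def reconcile(baseline, inspections):
    """Return sorted (store, lane, finding) tuples that need follow-up."""
    findings = []
    expected = {(t.store, t.lane): t for t in baseline}
    seen = {(i.store, i.lane): i for i in inspections}
    for key, t in expected.items():
        i = seen.get(key)
        if i is None:
            findings.append((*key, "not inspected"))
            continue
        if i.serial != t.serial:
            findings.append((*key, "serial mismatch: device may have been swapped"))
        if i.seal != t.seal or not i.seal_intact:
            findings.append((*key, "tamper seal changed or broken"))
        if not i.bolted:
            findings.append((*key, "not secured to counter"))
    for key in seen.keys() - expected.keys():
        findings.append((*key, "device not in baseline"))
    return sorted(findings)
```

In practice the baseline would come from the installation record and the inspection rows from whoever walks the lanes each shift; a non-empty result is the trigger for pulling camera footage and taking the lane out of service.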

Attorneys stockpiling ammunition for at least three class-action lawsuits in the Michaels breach already are exploring Michaels’ data-security gaps and how they might have been prevented.

One lawsuit, filed May 26 in U.S. District Court in the Northern District of Illinois, seeks class-action status for any U.S. resident who made a purchase at any Michaels crafts-supply store nationwide using a debit or credit card swiped through a PIN pad on or after Jan. 1, 2011.

“Michaels’ lack of adequate security granted easy access to third parties who tampered with in-store PIN pads,” the suit states, enabling thieves to steal money from customers’ bank accounts. “In essence, Michaels’ security failure enabled cyber-pickpockets to steal customer financial data from within the retailer’s stores and subsequently loot the customers’ bank accounts from remote automated teller machines.”

The suit, filed by law firms Lite DePalma Greenberg LLC of Chicago and Faruqi & Faruqi LLP of New York, alleges Michaels was negligent and in violation of the federal Stored Communications Act and the Illinois Consumer Fraud and Deceptive Practices Act.

Lawyers for Michaels customer Brandi Ramundo filed an earlier class-action lawsuit in the same federal court. That suit alleges that Michaels failed to use “commercially reasonable” security measures, such as ensuring the physical security of its checkout line terminals and “inspecting and testing” terminals to protect debit and credit card information during point-of-sale transactions.

Law firms Belongia Shapiro & Franklin LLP of Chicago and Bursor & Fisher P.A. of New York filed the suit on Ramundo’s behalf.

Details remain unexplained about the method criminals used to intercept card data from Michaels’ PIN pads, but the company faces potentially severe losses for failing to protect cardholder data. As other merchants work to close their own data-security gaps, uncertainties remain about commonly accepted measures for protecting payment card data.
