Data Breach at Several Stores in the Northwest

SPOKANE, Wash.–Customers are still worried about whether it is safe to shop at popular grocery stores across the Inland Northwest. Credit card hackers targeted URM supplied stores such as Rosauers, Super One, Yokes and others.

Store leaders said customers still need to check their card statements and call their bank if they see any unusual charges. Rosauers and some Super One Foods locations hope to have their regular credit card system working in the next several days.

Stores like Rosauers started using a dial-up phone line to let customers make secure charges on a credit or debit card. Rosauers and Super One are offering 10% off percent purchases through Wednesday.

Some impacted stores may still not be a safe place to use a credit card.

WATCH: URM stores upgrading security following credit card fraud attack

“We cannot guarantee that their credit cards used in our stores could not fraudulently be used in the future,” said CEO of URM stores Ray Sprinkle.

Cases of fraud have been reported as recently late November. The companies involved do not know when the attack happened so they still can not say how far back customers need to check for fraud. The company said they are working hard to figure out what went wrong.

“From a URM perspective, as we work with our member owners stores, that we are working very diligently around the clock to secure our system,” said Sprinkle.

It is unclear when customers will know for sure they can use their credit or debit cards again at all stores. Various law enforcement agencies were working to try to figure out how this happened.

WATCH: Credit card fraud victimizes URM shoppers across E. Washington

“The investigators are continuing to work as well as law enforcement, I don’t know how long that investigation will continue,” said Sprinkle.

Customers can use the dial up connection for a credit card and debit card. Staff said they can not say when the regular system will be back to normal.

Get a Free Quote For

Credit Card Processing:

Schnucks breach exposes 2.4 million cards

S t. Louis-based grocery chain Schnuck Markets Inc. confirmed on April 15, 2013, that approximately 2.4 million credit and debit cards used at 79 of its 100 store locations may have been compromised as a result of a breach of its POS network. The breach occurred between December 2012 and March 29, 2013. According to Schnucks, only track 2 card number and expiration date data were accessed in the breach affecting specific stores in Missouri, Iowa, Illinois and Indiana that Schnucks listed online.

The retailer became aware of fraudulent activity when notified by credit card companies on March 15, 2013, that banks had detected fraud on 12 cards used at Schnucks stores, the company stated. At that point Schnucks launched a forensics investigation through Mandiant Corp., which initially ruled out store employee or POS tampering before detecting indications of a cyber attack on March 28.

In a statement released March 30, Schnucks said it had “found and contained the issue behind the reports of unauthorized access to payment card information” and that it had “taken comprehensive measures designed to block any further access.”

After disclosing the cyber attack, Schnucks Chairman and Chief Executive Officer Scott Schnuck said, “We are cooperating with law enforcement, the Missouri Attorney General’s Office, and the credit card companies to determine the scope and magnitude of this crime and apprehend those individuals making fraudulent purchases.” He added that security enhancements were being implemented to block further attack activity.

Get a Free Quote For

Credit Card Processing:

Payment Card Industry Data Security Standard (PCI DSS)

Customers worry about theft of their data.
You should worry about business fallout.

More than 340 million computer records containing sensitive personal information have been involved in security breaches in the U.S. since 2005.1 Now criminals are shifting sights to small merchants because many have lax security for cardholder data. More than 80% of attacks target small merchants. If you are at fault for a security breach, business fallout can be severe:

Fallout from a data breach

As a small merchant, you face the potential of many negative forces from a breach of cardholder data:

  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost confidence, so customers go to other merchants
  • Lost sales
  • Cost of reissuing new payment cards
  • Legal costs, settlements and judgments
  • Fraud losses
  • Higher subsequent costs of compliance
  • Going out of business

What data thieves are after

The object of desire is cardholder data. By obtaining the Primary Account Number (PAN) and sensitive authentication data, a thief can impersonate the cardholder, use the card, and steal the cardholder’s identity.

Sensitive cardholder data can be stolen from many places:

  • Compromised card reader
  • Paper stored in a filing cabinet
  • Data in a payment system database
  • Hidden camera recording entry of authentication data
  • Secret tap into your store’s wireless or wired network

Defining “sensitive cardholder data”

Everything at the end of a red arrow is sensitive cardholder data. Anything on the back side and CID must never be stored. Everything else you store must be for a good business reason, and that data must be protected. PCI DSS explains how. Read more.

Types of Data on a Payment Card

Q: What is PCI?
A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.  Essentially any merchant that has a Merchant ID (MID).

Q: To whom does PCI apply?
A: PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply.

Q: What are the PCI compliance ‘levels’ and how are they determined?
A: All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (‘DBA’). In cases where a merchant corporation has more than one DBA, Visa acquirers must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, acquirers will continue to consider the DBA’s individual transaction volume to determine the validation level.
Merchant levels as defined by Visa:

Merchant Level Description
1 Any merchant — regardless of acceptance channel — processing over 6M Visa transactions per year. Any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
2 Any merchant — regardless of acceptance channel — processing 1M to 6M Visa transactions per year.
3 Any merchant processing 20,000 to 1M Visa e-commerce transactions per year.
4 Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.

 * Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.


What does a small-to-medium sized business (Level 4 merchant) have to do in order to satisfy the PCI requirements?

A: To satisfy the requirements of PCI, a merchant must complete the following steps:

  • Identify your Validation Type as defined by PCI DSS – see below .  This is used to determine which Self Assessment Questionnaire is appropriate for your business.
  • Complete the Self-Assessment Questionnaire according to the instructions in the Self- Assessment Questionnaire Instructions and Guidelines.
  • Complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).  Note scanning does not apply to all merchants.  It is required for Validation Type 4 and 5 – those merchants with external facing IP addresses.  Basically if you electronically store cardholder information or if your processing systems have any internet connectivity, a quarterly scan by an approved scanning vendor is required.
  • Complete the relevant Attestation of Compliance in its entirety (located in the SAQ tool).
  • Submit the SAQ, evidence of a passing scan (if applicable), and the Attestation of Compliance, along with any other requested documentation, to your acquirer.
  • I’m a small merchant with very few card transactions; do I need to be compliant with PCI DSS?

All merchants, small or large, need to be PCI compliant. The payment brands have collectively adopted PCI DSS as the requirement for organizations that process, store or transmit payment cardholder data.

Q: If I only accept credit cards over the phone, does PCI still apply to me?
A: Yes. All business that store, process or transmit payment cardholder data must be PCI Compliant.

Q: Do organizations using third-party processors have to be PCI compliant?
A: Yes. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance.  However, it does not mean they can ignore PCI.

Q: My business has multiple locations, is each location required to validate PCI Payment Card Industry Data Security Standard Compliance?
A: If your business locations process under the same Tax ID, then typically you are only required to validate once annually for all locations. And, submit quarterly passing network scans by an PCI SSC Approved Scanning Vendor (ASV), if applicable.

Q: Are debit card transactions in scope for PCI?
A: In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.

Q: Am I PCI compliant if I have an SSL certificate?
A: No.  SSL certificates do not secure a Web server from malicious attacks or intrusions. High assurance SSL certificates provide the first tier of customer security and reassurance such as the below, but there are other steps to achieve PCI Compliance. 

  • A secure connection between the customer’s browser and the web server
  • Validation that the Website operators are a legitimate, legally accountable organization

Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees.  Penalties are not openly discussed nor widely publicized, but they can catastrophic to a small business.

It is important to be familiar with your merchant account agreement, which should outline your exposure.


Evaluate with a Self-Assessment Questionnaire

Most small merchants can use a self-validation tool to assess their security for cardholder data. The tool includes a short list of yes-or-no questions for compliance. Click on the Self-Assessment Questionnaire number that best describes how you accept payment cards.

SAQ How do you accept payment cards?
A Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
B Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage.
C-VT Merchants using only web-based virtual terminals, no electronic cardholder data storage.
C Merchants with payment application systems connected to the Internet, no electronic cardholder data storage.
D All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ.




Get a Quick Quote:



Restaurant Chain Reports Credit Card Breach

Penn Station Inc. has confirmed that 43 of its 235 U.S. restaurants may have been affected by a payments breach that exposed credit and debit details.

In a June 1 statement and list of frequently asked questions posted on Penn Station’s corporate website, the restaurant Credit card breachchain identifies franchise locations in Illinois, Indiana, Kentucky, West Virginia, Michigan, Missouri, Ohio, Pennsylvania and Tennessee that may have been affected by the attack.

Details about the breach are vague; exactly how the card details were exposed is unclear.

Penn Station President Craig Dunaway says Penn Station learned of the breach after a customer called to report that his card had been compromised shortly after dining at one of Penn Station’s franchised locations. From there, Dunaway says Penn Station contacted its processor, Heartland Payment Systems.

“We’ve been working with Heartland to address the issue,” Dunaway says. “The key is to work with the Secret Service and get down to the bottom of what happened.”

Dunaway says he does not know the nature of the breach, and could not say if the card compromises resulted from tampered with POS devices or a network hack.

But industry experts suggest the breach is likely linked to either a processing hack or a point-of-sale scheme similar to the one discovered by the Michaels crafts store chain in May 2011.

Penn Station suspects the compromise dates back to March, based on a preliminary investigation, according to its FAQ posting. Debit and credit cards used during March and April may have been exposed.

“Upon learning of the possibility of unauthorized access to credit and debit card information, all of the individual owners of the Penn Station restaurants changed the method for processing credit and debit card transactions,” the FAQ states.

The investigation is ongoing, and Penn Station says it expects to update its list of affected locations if more are identified.

Penn Station says only account holder names and card numbers were breached. Whether PINs or card verification codes were part of that information has not been clarified.
What Type of Scheme?

Experts can only speculate, but Gartner analyst Avivah Litan says the scenario sounds like a POS-device swapping scheme – a scam that involves fraudsters physically swapping or trading a merchant’s POS device and/or PIN pad with a device manipulated to skim card and PIN details.

“It sounds a lot like Michaels,” Litan says. “Maybe they only hit 20 percent of the locations because Penn Station caught it early.”

John Buzzard, who monitors card fraud for FICO’s Card Alert Service, also says the breach sounds like a POS-device attack of some sort, but he says it’s too early to determine how those devices might have been targeted.

“It’s possible that a simple default admin password was never changed for the POS system at the affected locations,” he says.

Jason Malo, a research director at CEB TowerGroup who covers security and fraud, says the breach seems localized, and organized. “I don’t think it’s not a network breach,” he says. “By listing the stores that were affected, there’s a point-of-sale aspect to it, and that automatically makes you think there’s something that happened with the devices.”

Because only some locations in certain geographic markets were hit, Malo says the breach likely involved an organized effort coordinated among numerous players.

But Aite analyst Julie McNelley believes the compromise is more likely linked to a network hack, referencing Penn Station’s note about updating its payments processing procedures.

“This just further highlights how vulnerable merchants are and highlights the importance of upgrading to more current data security standards, such as tokenization and end-to-end encryption,” she says.
The Point of Compromise

Most breaches at merchant locations are reported by card-issuing banks to Visa and MasterCard, Litan says. After a number of fraud reports come in to the card brands, they trace the fraud back to identify the point of compromise.

But Litan says fraudsters have learned to expand their windows of compromise by only using cards from one or two card issuers at a time. “When only one or two banks report fraud, it takes longer for Visa and MasterCard to link the fraud to a larger compromise,” she says.

The Penn Station breach appears to have been detected relatively quickly. In the Michaels case, the exposure was traced back to December 2010, more than five months before the breach was discovered. In all, 90 individual PIN pads at stores in 20 states were identified as being sources of the Michaels breach.

Get a Quick Quote:

Visa Drops Global Payments After Breach

ATLANTA (AP) – Visa has dropped the card processor involved in a massive data breach from its registry of providers that meet data security standards.

Global Payments CEO Paul Garcia noted that the company continues to process Visa transactions, but that being dropped from the registry “could give our partners some pause Visa Drops Global Payments After Breachthat they’re doing business with someone who experienced a breach.”

Garcia said he expects to Global Payments to be reinstated once it has been issued a new report of compliance. But he declined to specify when that might be. He said the situation is “absolutely contained” but that the investigation is continuing and that parts of it still need to be resolved.

Global Payments says the data breach may affect less than 1.5 million credit cards from various issuers in North America. The company said that credit card data may have been stolen, but that cardholder names, addresses and Social Security numbers were not obtained.

The company said it will set up a website later Monday to help consumers who might be affected by the breach.

Both Visa and MasterCard say their own systems weren’t compromised.

Visa and MasterCard had said Friday that they notified their card holders of the potential for identity theft and illicit charges because of the breach.

Aside from the U.S., Global Payments provides its services to government agencies, businesses and others in Canada, Europe and the Asia-Pacific region.

The company said it continues to work with regulators, industry third parties and law enforcement to help in the effort to minimize the potential impact on credit cardholders.

Last June, hackers stole information for 360,000 credit card accounts at Citigroup. In the past year, there have been high-profile data attacks against the International Monetary Fund, National Public Radio, Google and Sony’s PlayStation Network.

For the three months ended Feb. 29, the company reported net income of $57.9 million, or 73 cents per share. That’s compared with $48.2 million, or 59 cents per share, in the year-ago period.

The company has not yet identified the size of the charge it will take as a result of the breach.