By Pat Pape, Contributing Editor.
Think you can’t find yourself in the middle of a lawsuit for a credit card breach? Think again.
Multiple class-action lawsuits have been filed against MAPCO Express, the 377-store convenience chain headquartered in Brentwood, Tenn., and Schnuck Markets Inc., a St. Louis-based grocery store operator with 100 outlets in the Midwest, as a result of malware attacks that exposed customer credit card data to hackers. The lawsuits charge that the retailers did not adequately protect customer accounts or notify the public in a timely manner.
The suits were filed after MAPCO announced that information about credit card purchases at its stores made on specific dates in March and April had been compromised. “We regret any inconvenience this criminal act by hackers may have caused,” said Tony Miller, vice president of operations. “Through our internal investigation and collaboration with forensics security firms, we have disabled the malware that was used in this incident while establishing additional safeguards designed to prevent this from happening in the future.”
Schnucks confirmed that malware discovered on the company’s network may have accessed credit information for transactions conducted from Dec. 1, 2012 through March 2013. Officials noted that at the time of its most recent audit in November 2012, the chain was in compliance with the Payment Card Industry’s (PCI) Data Security Standard (DSS).
“When there are breaches—and we’re seeing a number in the small-retail area—these retailers have had to deal not only with remediation and cleaning up the mess, but they’ve had shareholder lawsuits and consumer lawsuits, which take your mind off your business,” said Bob Russo, general manager of the PCI Security Standards Council.
Typically, national and regional store operators have been the targets of cyber-attacks because of their large databases. While small retailers may assume this means they aren’t vulnerable, experts in the field say that security—not size—is the only thing that can provide protection.
“What we’re seeing now in terms of these exploits isn’t all that sophisticated,” said Russo. “It’s like locking your door and then some bad guys come and jiggle your door knob. If it’s open, they’re going to come in and do something. If the door isn’t open, they’re not going to spend a lot of time trying to pick the lock. They’ll just move to the next house.”
Sunshine Gas Distributors of Doral, Fla., is a wholesale fuel business that also owns and operates more than 200 south Florida convenience stores. Company officials have seen credit card use increase since they launched the business with four outlets in the 1980s.
“Every year customers prefer to use their plastic more and more,” said Max Alvarez Jr., president of Sunshine. “We had an area of Miami where customers paid 80% cash and 20% credit cards, and today that very same area is 80-85% credit cards.”
Alvarez believes every retailer, regardless of size, is vulnerable. “In south Florida, we have intelligent criminals,” he said. “We’ve been hit by credit card thieves before. It’s a cat and mouse game, and we have to stay one step ahead of the criminals.”
As a branded wholesaler, Sunshine takes a multi-faceted approach to data security. All sites are connected to a central network, and Sunshine works closely with the oil companies in its distribution network to meet PCI compliance standards. “Most of the requirements involve upgrading software and being sure we have compliant point-of-sale (POS) systems and dispensers,” he said.
The organization outsources its IT effort to G2 IT Solutions of Miami, Fla., and relies on MegaPath, a national company that provides data and network connectivity. “They make sure we have a secure connection and meet or exceed PCI compliance,” Alvarez said. “We do not store credit card information onsite. If thieves wanted to steal numbers, they’d have to do it while the transaction is taking place or where the transaction is processed.”
In addition to renewing security applications and replacing outdated hardware, retailers should take low-cost, common-sense steps to help prevent credit and debit information theft, according to Russell Gibson, manager of marketing technology services for Sinclair Oil based in Sinclair, Wyo.
Hackers typically steal credit card information, such as names and card numbers, from the store data system, while skimmers get that information, plus debit card details and PINs, by illegally installing a card-reading device inside or outside a fuel dispenser or on top of the card reader. A chip inside the device records transaction information and may even send it over the Internet to the criminal’s computer.
Installation of the illegal device can be done quickly—in as little as 90 seconds—by a criminal at the gas dispenser or by a phony service person claiming to be from a legitimate company, who shows up to work on the equipment.
“Don’t allow anyone to come into the store and work on anything unless you’ve called them,” Gibson said. “At Sinclair, we never send anyone out without notifying the merchant first.”
He also advises merchants to educate store associates to keep an eye on the gas pumps and be suspicious of anyone who stays there too long. “It’s usually done early in the morning, and often at the dispensers that are least visible to the cashier,” Gibson said.
Some companies place tamper-proof tape on the dispenser. If the dispenser is opened, the tape will be visibly disturbed. However, Gibson prefers locks that are exclusive to the individual dispenser. “If the dispenser has a generic lock and the dispenser technician has the key for it, you can bet thieves have those keys too,” said Gibson, who favors TuBar locks made by CompX.
As an added precaution, Gibson recommended having cashiers look at every dispenser when they relieve each other at the beginning of a shift. “Merchants that transmit highly encrypted transactions directly to the processor via the Internet are very hard, if not impossible, to hack, making their biggest risk skimming,” he said.
Sinclair wants merchants to be proactive when it comes to security. The company will provide up to $250,000 in assistance with fines in the event a location suffers a breach, provided the merchant follows Sinclair’s protection guidelines. Through an insurance carrier, Sinclair also provides $25,000 skimming coverage per incident at no cost to branded merchants.
Do the Simple Stuff
The simple stuff is vital to repelling thieves, said Russo of PCI, adding that current research indicates that some store operators still fail to change default passwords that come with applications they purchase despite a decade of warnings.
“Compliance is a term with the connotation of a check-box mentality,” he said. “If you become compliant and you think that’s the end game or you’re all set for another year, you’re setting yourself up for failure. This is about ongoing security and making sure that after you achieve security, you maintain security.”
Compliance is not without its costs in both time and money. And every retailer must invest some of both to maintain a safe operation.
“We look at PCI compliance as the cost of doing business,” said Alvarez. “If we’re going to accept credit cards, we have an obligation to secure the customers’ transaction as much as we can, and there is a cost associated with that. We have to do everything in our power to make sure customers can feel secure in knowing their transaction is safe.”
The PCI Security Standards Council will publish version 3.0 of the PCI DSS and PA-DSS at www.pcisecuritystandards.org in November. The new standards become effective Jan. 1, 2014, but companies will have until January 2015 to implement them.