Friday, February 23, 2007

Stop and Shop PIN Pad Rigging Similar to Canadian Cases

Digital Transactions reports that the Stop and Shop data breach disclosed recently appears similar to a series of Canadian crimes that took place last year. In both cases, PIN pads were modified to capture card and PIN information.

Last summer, Canadian police arrested at least 10 people they said used rigged card terminals to intercept PINs as cardholders entered them at the point of sale as part of a scheme in which they stole $4 million (Canadian) from 18,000 customer bank accounts (Digital Transactions News, June 21, 2006). In what press accounts called one of the most technologically sophisticated cases of debit card fraud yet discovered, the suspects swapped their own card readers for those installed in some 42 retail locations in the Montreal area, then used Wi-Fi connections to send PINs and card numbers to a remote receiver. With that information, they were able to forge cards and loot the associated accounts through ATM withdrawals. Similar cases of tampering cropped up in other Canadian cities last year, as well.

What liability Stop and Shop may have to customers who are harmed by the data breach will turn in part on whether the company took appropriate security measures to protect the PIN pads. Digital Transactions also reports that the security standards for some PIN pads changed at the beginning of the year.

The perpetrators may have exploited an inspection loophole in point-of-sale systems that was closed in the recent update of the Payment Card Industry (PCI) data security standards promulgated by the leading payment-card networks. Under the old PCI standards, POS equipment that did not run on an Internet Protocol (IP) operating system did not require an assessment for PCI compliance, says Scott Laliberte, IT risk group director at Protiviti Inc., a Chicago-based security firm and PCI auditor.

If Stop and Shop's PIN pads did not run on IP, then it will be more difficult for potential plaintiffs to argue that the stores were not in compliance with industry security standards.