The Official Merchant Services Blog
Barnes & Noble Data Breach
Today’s edition of the Official Merchant Services Blog will take a look into the newest data breach, involving NY-based Barnes & Noble Inc.
Barnes & Noble revealed last week that a “sophisticated criminal effort” had taken place at 63 stores, resulting in hacked PIN pad devices that put some of its customers at risk. The company discovered the hacking in September, but did not disclose it until recently, on the advice of federal authorities. Security experts at the FBI have admitted that immediate disclosure of a data breach can make it harder for investigators to find the perpetrators.
In response, the chain has ceased using all PIN pads in its stores, and it has identified the affected locations in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania and Rhode Island.
“The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores,” the company said in a news release, “was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”
Barnes & Noble said its customer database was unaffected, and that none of the compromised PIN pads were at its college bookstores. The company also said the breach did not affect e-commerce sales; customers who bought online or through the company’s Nook e-reader and Nook mobile app remain safe.
The bookseller is also working with the payment card networks, banks, and card issuers to identify accounts that may have been compromised. The company expects to have to go through a re-validation process before it is again deemed Payment Card Industry (PCI) compliant.
Although unfortunate, this data breach could have been prevented by discontinuing the use of unnecessary equipment. PIN pads for terminals are no longer a cost benefit to a company since the Durbin Amendment. Durbin makes PIN Debit rates the same as Swipe Debit rates (as long as the bank is large enough to qualify), essentially eliminating the need for a PIN pad altogether. Check out our blog post on the differences between PIN and Swipe Debit here. Fewer PIN pads would reduce the tampering of terminals and the theft of cardholders’ PINs.
In the meantime, Host Merchant Services continues to offer the lowest PCI Compliance rates in the industry, as well as a vigorous PCI Compliance Initiative that seeks to inform and educate everyone interested as to the details of the process, step-by-step.