In this day and age, for every advance in technology, there is someone out there trying to exploit it.
Since the recent card skimming incident at Lucky's, we here at Oliver's Market have spent the aftermath revisiting our security measures to ensure that we are keeping our customers' information safe.
Card skimming can take many forms, but it essentially involves attaching a device that will intercept and store information such as credit/debit card numbers and PINs. The device can then be physically retrieved or, as was the case with Lucky's Supermarkets, the information can be transmitted wirelessly to the thieves. The important thing to take away here is that the perpetrators need physical access to the machine at some point in time. In this instance, the skimmers targeted Self-Service Checkout machines because they were relatively unattended/unmonitored.
Several years ago, Oliver's changed the way that we process electronic payments. The old system involved a standalone computer that processed the transaction and communicated with the appropriate entities. This was a security risk because the electronic payment information was stored on that machine, and someone with physical access could potentially remove the hard drive to access that information. The system that we switched to does not store any information locally, and transmits it directly to a processing service that has its own security measures. The benefit of this is that someone could steal our entire register system and would get nothing, because there is no record of personal information there to steal.
Secondly, the ability to implement these schemes requires physical access to the machine, whether it be a computer, a pin pad, or ATM. At Oliver's we limit access to, and monitor, the computers that drive the transaction at the register and the “controller” machines that compile the information from each individual register. We also work on a relatively small scale, meaning that only four people maintain the machines: myself and three other individuals from an outside company. They are all known by face and name by our front-end staff, decreasing the possibility that someone gains the access necessary by posing as someone authorized to work on those machines.
The other vulnerability is the pin pads where you can swipe your card and enter your PIN. It would be very difficult (though admittedly, not impossible) for someone to install a device without gaining the attention of our employees, who since the Lucky's incident are undergoing training to recognize and report any possible attempts at tampering. The pinpad technology used at Lucky's was Verifone Everest, which offered no tampering protection. Our pinpads have three different levels of encryption as the data is being sent to payment processing. If someone were to try to open one of the pinpads, the unit would lock up, display a tampering warning, and delete the encryption keys so they cannot be stolen and used elsewhere.
There is one more security risk, and while it is out of our control to protect against, I feel it is worth passing on to you. Some card issuers are now offering “smart” credit cards that allow you to “tap” your card against a terminal (pin pad, ATM, gas station pump, etc.) instead of swiping or inserting the card in some kind of slot. The problem with this convenience is that it works because of an embedded RFID device (like the tracking chips available for pets). This means that someone with a reader device can be standing near you and read that information. And unfortunately, payment cards are not the only things that contain this technology. Some states (though currently not California) issue enhanced ID Cards/Driver's Licenses that contain RFID tags. Some of the newer passports are also embedded with these devices. If you are unsure, you can contact the issuer to find out if your card has this, and in some cases, request a card that does not.
There is one more way to protect yourself, and that is to purchase an RFID blocking sleeve. This is a small envelope that you slide your card or document into, and it effectively blocks the radio waves. There are a number of companies that sell these products online.
Unfortunately, no matter how secure, any system can be compromised. The only sure way to guarantee that your electronic payment card information is not at risk is to not have one.
We do take our customers' security seriously, and are always looking at ways that we can safeguard against those that wish harm.
Please send any comments to: Michael Johnston