Schnucks customers who were victims of credit card fraud say they’re furious at the company for not warning people about the growing problem — and some say it’s testing long-standing loyalties.
“I don’t understand why Schnucks can’t put a sign at the door saying: ‘Use your credit card at your own risk. We’re still having a problem,’ ” said Mary Lowe, a Schnucks shopper who had unauthorized charges on two different cards, from two different banks. “They’re just letting people use their cards and not saying anything.”
Investigators, meanwhile, say they’re receiving more complaints, suggesting that any security breach at the company has yet to be patched. They advise customers to use checks or cash when shopping at Schnucks.
Schnuck Markets Inc. has said, in three written statements, that it is cooperating with investigators and has hired an outside forensics company, but has not responded to questions.
Security experts said Thursday that it could be some time before the company will know what happened. The experts said they sympathized with the Maryland Heights-based chain, calling it a victim of shrewd hackers who are, increasingly, finding ways to breach security even as retailers scramble to shore up their payment systems.
In the meantime one local bank says a security breach is costing it thousands of dollars, though it is quick to stress that Schnucks may not be linked to all of the fraudulent charges that its customers are seeing.
“We’ve just had an enormous uptick in fraudulent transactions,” said Ken Witbrodt, chief executive of Montgomery Bank. “In a normal month, we have a handful — less than 10. In March, we’ve had almost 600 cards we’ve had to cancel and reissue.”
Witbrodt said the breach had cost the bank $60,000 so far. “The loss is 100 percent absorbed by the bank,” he added. “That’s why the transaction fees we charge are appropriate.”
The breach, experts said, is merely evidence that hackers are getting more and more sophisticated as they look for ways to compromise payment systems.
“It’s just a battle between the bad guys and the good guys, and it constantly evolves based on how good the security gets,” said Gary Palgon, vice president of product management and strategy at Georgia-based Liaison Technologies, which develops security systems.
In the past decade, credit card companies and banks have pressured retailers to improve security systems, developing standards the industry has worked to adopt, called the Payment Card Industry Data Security Standard, or PCI for short. Initially retailers balked at the standards, so banks started imposing fees for non-compliance.
But adhering to the standards is costly, so smaller regional chains have been slower to gain compliance than deep-pocketed big box chains. That has driven the hackers toward smaller operations, experts say.
“The larger enterprises have taken a lot of steps to improve security,” Palgon said. “The hackers are saying it’s too difficult to get into a Macy’s now.”
That is making supermarkets a ripe target. “Supermarkets are one of those industries with very thin margins,” Palgon said. “They don’t have a lot of money to spend, and they haven’t spent a lot of time and money to improve security as they should or could.”
The situation strikes some analysts as unfair and burdensome to retailers at large, and to grocery chains specifically.
“The banks have stacked the system. They’ve shifted the cost to retailers, and it’s not right for retailers to take the hit,” said Avivah Litan, a security analyst with Gartner Inc., a technology research and advisory firm. “It’s very frustrating for grocery chains because their margins are so thin.”
Litan believes the problem won’t ebb until payment systems are overhauled and the American banking system adopts different security measures, such as the “chip and pin” system used in cards in Europe.
“It’s a terrible situation,” she said. “Everybody’s afraid they’re going to be next.”
Hackers, experts explained Thursday, typically break into databases where credit card information is stored. They then sell that information, usually online, where crime syndicates buy it and apply it to counterfeit cards.
The thefts are usually discovered by card-issuing banks, which have software that looks at anomalies in charging patterns. When those banks report changes, credit card companies then try to find common threads, creating a “watch list” of cards.
Some stores, however, are moving toward a system in which a person’s credit card information is immediately encrypted before it’s processed. That means that if a hacker breaks into a system, the information they gather there is useless to them.
“It’s just like a casino token or Disney dollars,” Palgon said. “You can’t use the information outside of their system.”
Palgon and other authorities say it’s very likely that Schnucks is compliant with the industry’s standards, though even those aren’t ironclad. It’s not clear whether the company uses an encryption system.
“I imagine they’re PCI-compliant,” Litan said. “I don’t think it’s a matter of security, because it’s very hard to secure your system against determined fraudsters.”
Under the standards, companies are required to undergo an immediate audit if there’s a security breach, and sometimes the outside auditor may caution a company not to say anything to the public or its customers about the nature of the attack.
“In times of crisis, you want to reassure customers,” said Andrew Koneschusky, a senior vice president with the Washington public relations firm Chlopak, Leonard & Schechter, which specializes in handling public relations in crisis situations. “Sometimes sounding alarm bells is counterproductive. What’s important is that the company gets to the bottom of what happened and when it does have the answers, it communicates them quickly.”
Still, customers say Schnucks should at least warn them about the potential perils of using cards at its stores, and they say the matter is forcing them to switch allegiances. Schnucks’ rival, Dierbergs, said it had received numerous calls asking about its security systems.
One Schnucks customer, unsatisfied with the company’s lack of response to questions about security precautions, wrote to Dierbergs asking about its measures. Dierbergs responded, saying it had invested considerably in new security systems, including an encryption system.
“We have enjoyed the Des Peres Schnucks,” wrote Daniel Peters, in an email to Dierbergs. “Their offerings have been great, but they have not responded whereas you did and show that you are concerned. We will drive a little further down Manchester to the Dierbergs.”