Cost Plus Inc. announced yesterday that someone may have tampered with the payment-terminal PIN pads at eight of its Cost Plus World Market stores in Southern California between February and April. The Oakland, Calif.-based chain of nearly 300 furniture and home-decor stores says an unauthorized third party or parties may have acquired some debit card numbers and PINs used at the eight stores. Credit card transactions do not appear to have been compromised, the company says. Employees told Cost Plus loss-prevention managers in mid-June they found unauthorized debit transactions on their accounts, the retail chain notes on its Web site. Cost Plus says its merchant acquirer, which a spokesperson would not name, reported in late June and early July that other unauthorized debit transactions showed the stores were common points of compromise. Because of the compromise, the company is replacing older VeriFone Everest II PIN-entry terminals with newer VeriFone MX860 models at all of its stores and plans to complete the change by the end of August, a Cost Plus spokesperson tells CardLine. "The VeriFone Everest II model does not have a [tamper-resistant] mechanism to clear the debit key if it is opened and tampered with," the spokesperson says. Until the work is completed, Cost Plus has moved its payment terminals behind counters where cashiers, instead of customers, swipe cards. PIN pads will remain within customer reach. A VeriFone spokesperson says the company will not comment specifically about the Cost Plus announcement. But, he says, VeriFone launched its Everest II model around 1996, before the Visa PIN Entry Device security standard existed. VeriFone launched its MX860 model earlier this year, "so it meets all of the latest, more-stringent security standards and requirements," the spokesperson says.

Subscribe Now

Authoritative analysis and perspective for every segment of the payments industry

14-Day Free Trial

Authoritative analysis and perspective for every segment of the industry