Citing a recent and large increase in credit card fraud, Washington, DC-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards.
A new warning sign at Giant Food checkout counters. Giant says the warning was prompted by a spike in credit card fraud.
I had no idea this was a new thing at Landover, Md.-based Giant, which operates 169 supermarkets in the Washington, D.C. metro area. That is, until I encountered a couple of large new “attention” stickers in the checkout line at a local Giant in Virginia recently. Next to the credit card terminal were big decals with the warning:
“Attention Gift Card Customers: Effective immediately, all purchases of Visa, MasterCard, American Express Gift Cards and all General Purpose Reloadable or Prepaid Cards may only be made with Cash or Bank Pin-based Debit.”
Asked for comment about the change, Giant Food released a brief statement about the policy change that went into effect in March 2016, but otherwise didn’t respond to requests for more details.
“Giant has recently made a change in procedures for purchasing gift cards because of a large increase of fraudulent gift card purchasing,” the company said. “Giant will now accept only a Bank PIN-based debit card or cash for all VISA, MasterCard, and American Express gift cards, as well as re-loadable and prepaid gift cards. This change has been made in order to mitigate potential fraud risk.”
It’s not clear why Giant is only just now taking this basic anti-fraud step. Card thieves love to pick on grocery and convenience stores. Street gangs involved in card fraud (and they’re all involved in card fraud now) often extract money from grocery, dollar and convenience stores using “runners” — low-level members who are assigned the occasionally risky business of physically “cashing out” counterfeit credit and debit cards.
One of the easiest ways thieves can cash out? Walk into a grocery or retail store and buy prepaid gift cards using stolen credit cards. Such transactions — if successful — effectively launder money by converting the stolen item (counterfeit/stolen card) into a good that is equivalent to cash or can be easily resold for cash (gift cards).
I witnessed this exact crime firsthand at a Giant in Maryland last year. As I noted in a Dec. 2015 post about gift card fraud, the crooks caught in the process of these cashout schemes usually are found with dozens of counterfeit credit cards on their person or in their vehicle. From that post:
“The man in front of me in line looked and smelled homeless. The only items he was trying to buy were several $200 gift cards that Giant had on sale for various retailers. When the first card he swiped was declined, the man fished two more cards out of his wallet. Each was similarly declined, but the man just shrugged and walked out of the store. I asked the cashier if this sort of thing happened often, and he just shook his head and said, ‘Man, you have no idea.'”
Meanwhile, every Giant I visit still asks me to swipe my chip-based card, effectively negating any added security the chip provides. Chip-based cards are far more expensive and difficult for thieves to counterfeit, and they can help mitigate the threat from most modern card-skimming methods that read the cardholder data in plain text from the card’s magnetic stripe. Those include malicious software at the point-of-sale terminal, as well as physical skimmers placed over card readers at self-checkout lanes — like this one found at a Maryland Safeway earlier this year.
In a recent column – The Great EMV Fake-Out: No Chip for You! – I explored why so few retailers currently allow or require chip transactions, even though many of them already have all the hardware in place to accept chip transactions. I suspect also that grocers are reluctant to introduce chip readers at self-checkout lanes, as more supermarket chains seem to be pushing customers in the self-checkout direction.
With all the fraud that is accompanying our cashless society – I see the circle turning 360 degrees – we will go back to a folding money, cash society.
Impossible to track purchases and much harder to counterfeit.
What’s Old is New Again! YMMV
Right now I’m reading Clive Cussler’s The Chase. Will we be going full circle to the days when people actually stole cash.
CASH IS KING!!!
If I get behind someone at a coffee shop and they hold up the whole line to buy a $1.50 cup of coffee with a cash card, and we all wait and wait while the poor barista has to swipe it, allow the paper to spool out and then find a working pen then watch some schlub sign their name I always say CASH IS KING!!! and admonish tat person for not having a few paper dolars on them.
Here’s to Samsung Pay! Works everywhere with no swiping and faster and safer than cash. Welcome to the Electronic Age.
Admonish me in public and I’m (at the very least) giving you the finger.
Now I’m going to assume here you’re referring to cases where the admonishment is unwarranted. Because otherwise you had better be eating that most deserved of humble pies. I’m sure you understand.
Yes – because YOUR inability to pay with cash (for whatever reason) is why the people who carry cash have to wait for you to play the cash-less game.
You are #1 – but only in your world. For the rest of us, you are a PITA!
I’ve had the same $20 bill on me since last October. I never use cash. 2% back on my Citibank Double Cash cc adds up over time.
I am not against cash, I just don’t use it except in taxi cabs.
360 degrees would leave us exactly where we are now
Nice one, now there’s an astute observation!
I think intent was clear either way. 180 degrees from where we started (paper currency to cashless society) – finish the rotation to arrive back at cash.
360 From a Cash-based society, would bring you back to Cash.
Furthermore, Chip cards in US are a joke – Absolutely ZERO gain in fraud protection, and in-fact, far less effective than PIN Debit.
The main reason that Giant probably did this was simply that they have not installed / enabled the chip readers at the terminal. Mag swipes mean they are liable for the loss. Bank Debit with pin, means the money is known good and they are guaranteed payment. It is all about loss management.
It was known that mag stripe card present fraud was going to go up with the EMV shift..
Great article as always.
I can’t tell you how many retailers I frequent who have installed the chip reading hardware, but for some obscure reason haven’t yet enabled them. I guess it would hurry them along if they were made accountable for ensuing CC fraud instead of the banks.
Evidently, many merchants have not been able to turn on their chip readers because of a huge backlog in getting them certified. http://www.nytimes.com/2016/03/23/business/chip-card-payment-system-delays-frustrate-retailers.html
and who controls the certification process? Why would they be in a hurry if they are making more money from merchants NOT being “certified”? EMV wasn’t about protecting the consumer. It was about transferring the liability.
Jonathan @NC3mobi
Indeed. And that’s why there is now a class-action suit against the issuers.
Apparently quite a few merchants had chip-readers installed by the deadline but the issuers are foot-dragging about certification. So the merchants are eating tens of thousands of dollars in fraud losses. Now they’ve decided to do something about that.
Sadly gift cards are used in the telephone scheme to get your grandchild out of jail. In the case of a recent friend that fell for this scam they went to the local Jewel Foods where they bought $3,000 worth of cards. Good news was the grocer was suspicious and called the police. No money was lost.
Oddly in this case, if the were required to use cash or debit cards, the funds could have been hard to be recover for the “victim”.
Marty Acks
“Good news was the grocer was suspicious and called the police. No money was lost.
Oddly in this case, if the were required to use cash or debit cards, the funds could have been hard to be recover for the “victim”.”
Why? Cash would negate the grocer’s suspicions?
Actually, this is probably not due to fraud risk (alone) but rather from people buying huge numbers of these gift cards with credit cards in order to rack up credit card points and rewards. With a good card, your net is at least 2%.
With merchant fees of 2-3%, this is hugely expensive for the vendor. Lots of supermarkets have been doing this recently.
Except a lot of the cash gift cards carry transaction fees that completely offset the credit card points earned by the card holder. Retailer gift cards are a different story, but they are limited purpose.
Yep, this is definitely one reason (in addition to fraud). Those who are skilled at credit card manufactured spending can do pretty well. I’m surprised Krebs hasn’t mentioned this on any of his blog posts of credit card fraud via gift cards.
What if the gift card is part of a larger purchase of various grocery item? Will this be an excuse to run the transaction as debit and save on the interchange?
If they don’t switch to chip enabled terminals that are working, they should take the risk and loss
I use Samsung Pay.
Yes!
Frazier has it spot on. Prior to the EMV liability shift, the Issuer would have been on the hook for the fraud as long as the card was swiped and the merchant got an approval code and a signature. As of the October 1 liability shift, if an EMV issued card is processed via mag stripe and is later determined to be counterfeit – the merchant is automatically on the hook for the loss with no recourse.
Pardon a small nitpick for the cliché artistes among us: if we’re going back to the old ways of doing things, we’re doing a 180. We’re not going “full circle” or doing a “360,” as completing either simply puts us back on our original course… for better or for worse…
Well, since we are being nit picky, we should at least be accurate. Starting with cash, then to all this card and tech stuff and then back to cash would be a 360, but it all depends on your starting point, no?
“Starting with cash, then to all this card and tech stuff and then back to cash would be a 360, but it all depends on your starting point, no?”
And every fan of Isaac Asimov knows that “A circle has no end.”
The Chip technology you are championing has two fundamental flaws:
1. Thieves can still manufacture mag only cards from a stolen chip card, change one byte on the mag strip and the card will process as mag only and the banks will approve the transaction.
2. The Chip does not encrypt. Unless the retailer also implements P2PE all of the sensitive data can still be stolen just likj it was at Target.
EMV terminals are also susceptible to Samy Kamkar’s Jedi wave. See http://nc3.mobi/references/2015-unknown/#20151124 for links to his site and watch as he waggles a finger and convinces the terminal “this isn’t the card you’re looking for” and “you’ve already paid”
Jonathan @NC3mobi
I would disagree on #1 if the card processor is checking for validity via CVV1. Changing any part of the card sequence will alter CVV1, which would result in a denial.
“Citing a recent and large increase in credit card fraud, Washington, DC-area grocer Giant Food says it will no longer allow customers to use credit cards when purchasing gift cards and reloadable or prepaid debit cards.
I had no idea this was a new thing at Landover, Md.-based Giant, which operates 169 supermarkets in the Washington, D.C. metro area. That is, until I encountered a couple of large new “attention” stickers in the checkout line at a local Giant in Virginia recently. Next to the credit card terminal were big decals with the warning:
“Attention Gift Card Customers: Effective immediately, all purchases of Visa, MasterCard, American Express Gift Cards and all General Purpose Reloadable or Prepaid Cards may only be made with Cash or Bank Pin-based Debit.””
This is a sorely needed first step. I’m a detective with the D.C. Police and people have no idea how much time we spend chasing leads connected with credit card theft (i.e. robberies where wallets are taken, car break-ins where wallets are taken). Fairly high on the list of the priorities of guys who do the card fraud/theft are gift cards and metro fare cards. Gift cards are easily re-sellable; metro paper fare cards were also re-sellable but the plastic cards can easily be shut off.
The next step is to pressure all retailers to adopt this policy regionally/nationally, especially among the main sources of fraudulent charges connected to street-level theft and fraud (CVS/Walgreens/Target). In an ideal world we’d do chip and pin which would almost completely cut off a huge source of illicit cash connected with theft and robbery, but that’s not going to happen any time soon.
Thanks for your comments. I spoke with a local NoVA officer and separately a detective, and their opinions echoed yours, although one officer thought that gift cards should be entirely banned from sale. I’m kinda in agreement with that. Now when I see those huge displays everywhere, I think “Money laundering central, servicing criminal enterprises throughout the nation.”
Yeah, Giant’s policy is a step in the right direction.
It took me three weeks to get reimbursed from a $200 fraud purchase at WalMart
Which could have been avoided if the cashier simply asked for ID. If you buy six pack of beer you must show an ID even though your obviously over 40. I think the insurance companies that pay for store loses should demand ID checks for amounts over $50. And raise the premium rates through the ceiling if their shoppers catch a store not checking Id. How about finger prints like when cashing a check at a bank?
2 things – while EMV does add some additional security, skimming is still quite possible. The new vector is just to move the skimmers to the EMV slot. Since the magstripe still appears on all US-based chip cards, you can still skim the card info during an EMV dip, by moving the skimmer to the dip slot, similar to ATM skimmers.
Second, I can tell you first hand why so many retailers haven’t implemented EMV: cost. We did the analysis, and our fraud per year number is way below the implementation costs – and I mean WAY below. So our position has been not to spend the money to implement EMV, and eat the fraud costs because of it, as that is a much smaller number. For other retailers that is going to be a different cost benefit analysis, but if you don’t sell reloadable gift cards (or implement a policy like this one to not allow buying with a CC), and you don’t sell high dollar items that are easy to flip for cash, it isn’t worth the cost.
The implementation costs for EMV, much like E2E encryption, are ridiculous. You have a recurring licensing fee from the manufacturer of the PIN pad devices for each device, and that is IF you already have hardware to support EMV, which for many retailers isn’t the case. Or you have older hardware that does support EMV, but the hardware is already maxed out and you would have to remove 1 feature from the hardware just to accommodate EMV. If a retailer has to replace the hardware, you are talking about anywhere from $200-$1000 per lane per store in hardware alone, not counting the costs to send out someone to replace them all. Even if you have all the hardware in-place, and can eat the EMV feature license cost, you still have to spend the money with your POS integration partner to do all the POS software work to even handle EMV, since the transaction occurs in a different way, and completely different data is sent to and from the POS. As is the case anytime you are working with a vendor on software customization, the integration costs are nothing to sneeze at.
While I absolutely would rather have EMV turned on in my stores, rather than nothing, the costs don’t make sense for many of us. We have basically decided to skip EMV and go straight to planning for E2E encryption, and duping that same money it would take to implement EMV into E2E, as it is a much much more secure solution for protecting CC data.
If you ever want to do an article on the why’s of what retailers are doing in this arena, or want a retail security perspective, drop me an email BK.
And your explanation is precisely why Giant’s policy is a decent one, although it would be better to have it mandated by law. Depending upon an internal EMV cost/benefit analysis by each and every retailer does not in any way account for the external soft costs to the customer or for law enforcement followup, or for the criminal activities that are actually abetted by the use of pervasively insecure credit card systems.
The idea that retailers are also maintaining huge front-and-center displays of money laundering “gift card centers” is doubly damning. The margins on those things must be very impressive, because all retailers know the extent to which gift cards are now being used by organized criminal networks. It’s the wild west, and retailers are looking only at their cost/benefit analyses.
And this is part of the problem. If some merchants choose to not implement EMV because it would cost them more than the fraud, you could still have skimmers or malware on your POS terminals, which would allow the crooks to capture the credit card numbers of your customers. And while there is fraud involved, there is no cost to you, so you write it off as something you don’t care about. But to the customer who gets their card skimmed, it can be a pain in the neck.
So for this reason, cash is king – if you don’t have an EMV slot or support something like Google Pay, then you get cash from me.
Similar signs – though not explicitly mandating cash or debit cards – appeared at DC-area Safeway self-checkout terminals about six weeks ago, merely a week after I was personally hit for fraudulent gift card purchases at two local Safeway stores.
Funny, I’m generally on the lookout for skimmers, but hadn’t been at Safeway because “Who would put a skimmer on a Safeway self-checkout terminal?” But after being hit, and reading here on Krebs about the skimmers found at a Gaithersburg Safeway in December (?), I’m now checking everything, every time, everywhere.
As for the humongous gift card displays found at almost all large retail operations, I now see them as nothing less than money laundering centers in service to organized crime. They really ought to be banned by law. Giant’s policy is actually a good step in the right direction. Safeway’s policy is a bit lame by comparison, although one Safeway manager – not at the one where I was hit – told me that he personally scrutinizes and approves any gift card purchase of more than $500.
Oh, I did file two separate (and detailed) police reports the day after it happened, and as I said the signs went up within a couple days. In boldfaced red print at every self-checkout terminal and later replaced with permanent signs at every terminal.
My DC-area Giant store hasn’t allowed credit for purchase of visa/mx/amex gift cards for years. Tried a handful of times, no dice. I’m one of those crazies into manufactured spending (several credit cards with grocery stores as a bonus category).
I can’t even begin to not see why the homeless man wouldn’t realize that pulling multiple cards from his wallet after being declined once or twice could possibly be viewed as suspicious…
This has been going on in the SF Bay Area since 2008. Retail didn’t want to do anything about it since if the card swiped it was the bank’s loss. Banks wouldn’t cooperate with anyone (not even law enforcement) for “privacy” reasons. Millions and millions of dollars were added to the coffers of various gangs and organized crime groups. Maybe the chips will help…probably not.
Stop & Shop and Giant is part of Ahold Company and have posted such requirement. You should know that Stop & Shop was supposed to go the dip & possibly tap & pay method on April 1st (as of now it is still in the swipe mode)at least in the area which I know for a fact would never happen because of the backlog even though Shaws have use the same set of POS but have swipe/dip/ tap enabled.
I have always tell people that I don’t shop at store that do not use the tap & pay method as the credit/debit cards still have a mag stripe that can be stolen. Until the mag stripe is gone, I would not use unless absolutely necessary. Rather than be safe than sorry.
Rather be safe than sorry.
This is wrong