Hy-Vee warns of security problem with credit card readers

MARSHALL — Hy-Vee is warning customers about what it says is a security incident involving payment card systems.

The Iowa-based grocery store chain said in a news release Wednesday that it launched an investigation after it detected unauthorized activity on some of its payment processing systems — activity that the company thinks has stopped.

Company officials think the problem doesn’t involve payments systems used inside its grocery stores, drugstores and convenience stores, but rather card payments at Hy-vee restaurants, fuel pumps and drive-thru coffee shops.

“We want to make customers aware of an investigation we are conducting into a security incident involving our payment processing systems that is focused on transactions at some Hy-Vee fuel pumps, drive-thru coffee shops, and restaurants, as well as to provide information on the measures we have taken in response and steps customers may consider taking as well,” said the news release.

The Independent reached out to the manager at Marshall Hy-Vee and was directed to the corporate public relations person, Christina Gayman.

Gayman said the matter is being addressed at the corporate level because Hy-Vee does not have a specific location yet where the problem took place.

“The investigation is ongoing and we are working to determine the geographic location,” she said.

Gayman said a customer did not call attention to any irregularities but rather it was noticed in-house.

“We do not have customers who have reported anything wrong,” she said. “This was self-identified and self-reported.”

The company is investigating the data breach.

“After recently detecting unauthorized activity on some of our payment processing systems,” the news release said, “we immediately began an investigation with the help of leading cybersecurity firms. We also notified federal law enforcement and the payment card networks. We believe the actions we have taken have stopped the unauthorized activity on our payment processing systems,” the Hy-Vee statement read. “Our investigation is focused on card transactions at our fuel pumps, drive-thru coffee shops, and restaurants. These locations have different point-of-sale systems than those located at our grocery stores, drugstores and inside our convenience stores, which utilize point-to-point encryption technology for processing payment card transactions. This encryption technology protects card data by making it unreadable.

“Based on our preliminary investigation, we believe payment card transactions that were swiped or inserted on these systems, which are used at our front-end checkout lanes, pharmacies, customer service counters, wine and spirits locations, floral departments, clinics and all other food service areas, as well as transactions processed through Aisles Online, are not involved.”

Hy-Vee also said the investigation is in its earliest stages and will provide information and locations when available.

The company urges customers to always monitor payment card statements for any unauthorized activity.

The company is based in West Des Moines and operates more than 240 retail stores in eight Midwestern states: Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, South Dakota and Wisconsin.