Macy’s: POS “Formatting Flaw” Caused Debit Card Snafu

Written by Evan Schuman and Fred J. Aun
February 25th, 2009

Macy’s is now blaming a POS system “formatting flaw” for the holiday payment horror where 8,000 in-store customers’ debit cards were charged multiple times for single transactions.

The retailer initially suspected that one of its third-party payment card processors caused the problem. But in mid-January, company officials said no outside entities were to blame. Instead, they attributed the incidents to a problem with a gateway that takes debit card transactions from the POS network and coordinates them before sending them on to payment processors.

At the time, Mike Gatio, president of Macy’s credit and customer services division, said an even more vexing failure occurred in an application that was supposed to keep an eye out for identical sales tickets that are processed multiple times. Gatio said the company needed to do a full-fledged “post-mortem” on the problems.

That end-of-the-line diagnosis apparently pointed to the previously unmentioned formatting flaw.

“As we investigated the cause of the gateway issue, we discovered a formatting flaw in the software that runs our point-of-sale register system,” said Jim Sluzewski, the Macy’s VP for corporate communications, on Tuesday (Feb. 24). “This is proprietary software that we developed in-house to run our POS system. At a certain level of transaction volume, the formatting flaw caused our system not to recognize messages coming back into Macy’s gateway from our banks that a debit transaction had been approved. Absent that approval, the transaction was not accepted and the customer was asked to re-swipe their debit card–which led to the double debits when these additional transactions also went through successfully.”

Pressed for clarification of the “formatting flaw,” Sluzewski declined to elaborate. “We just don’t have the time or ability to go into a lot more detail,” he said. “It was a situation in our system, we fixed it and we are going to leave it at that.”

The Great Debit Vs. Credit Card Debate

The lack of new details makes it difficult to determine precisely what happened, especially when dealing with a phrase as vague as “formatting flaw” somewhere within the POS. What role did the high holiday rush traffic play? Was the system so overloaded that response times were too slow? Or was it more of a programming error, such as logic that presumes an attack and suspends authorizations when more than X transactions are processed during any one-hour period? No way to tell.

But the incident did serve to remind the retail community of how much more dangerous debit cards are, compared with credit cards. When a credit card sustains bad charges, it can often be credited back quickly with little to no impact on the consumer.

If the same situation happens with a debit card, it immediately impacts the consumer’s bank account, potentially emptying it out and causing a large number of checks to bounce, which can cause major financial problems for that consumer. And yet, debit card protections are no stronger than those for credit cards, despite their infinitely greater risks.

In the Macy’s Dec. 20, 2008, debit card debacle, the glitch did not affect shoppers using debit cards to make online purchases. Also, it was limited to PIN debit transactions, ignoring signature debit transactions.

Hundreds of Macy’s stores were involved in parts of Alabama, Georgia, Kentucky, Louisiana, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, West Virginia, Illinois, Indiana, Kansas, Missouri, New York, Ohio, Pennsylvania, Michigan, Minnesota, North Dakota, South Dakota and Wisconsin.

Why Didn’t The System Work?

Volume played a major role in the problem as transactions became backed up in the processing system. Sluzewski, in January, said signals sent by the banks to acknowledge transaction approvals were not recorded by the Macy’s system, prompting store associates at POS stations to ask customers to swipe their debit cards repeatedly.

Within a half-hour of noticing the first incident, Macy’s began shifting stores to an alternate gateway that was operating properly, and the shift of all stores was completed in less than two hours, said Macy’s officials. In mid-January, Gatio said his “immediate concern” was why the automated reversal system didn’t work, as designed, to prevent double (and several triple) charges. The system was supposed to automatically send a credit to the bank for the second debit.

Sluzewski stressed that the malfunctions “happened for only a short period when our internal alarms were tripped and we began shifting transaction volume away from the gateway in question. It affected only this one gateway because it had the highest level of volume on that day.” The spokesman also pointed out that Macy’s has “corrected the software formatting issue and the system has been working well.”
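The failure mode described above (the bank approves and debits, the approval is not recognized, the customer re-swipes) and the automated reversal that was supposed to contain it can be modeled in a few lines. This is an added illustration, not Macy's code; Macy's did not disclose how its gateway works, so the `Ticket`, `Bank` and `Gateway` names, the ticket-keyed duplicate check and all sample values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Ticket:
    # One sales ticket; every value used below is constructed sample data.
    store: str
    register: str
    ticket_no: str
    card_token: str
    amount_cents: int

@dataclass
class Bank:
    """Stand-in issuer: approves every debit, tracks the net amount taken per card."""
    net_debited: dict = field(default_factory=dict)

    def debit(self, t):
        self.net_debited[t.card_token] = self.net_debited.get(t.card_token, 0) + t.amount_cents

    def credit(self, t):
        self.net_debited[t.card_token] -= t.amount_cents

@dataclass
class Gateway:
    """Hypothetical gateway between the POS registers and the bank."""
    bank: Bank
    auto_reverse: bool = True
    approved: set = field(default_factory=set)  # tickets with a recognized approval

    def swipe(self, t, approval_recognized):
        self.bank.debit(t)                # the bank approves and debits either way
        if t in self.approved:            # identical ticket was already paid
            if self.auto_reverse:
                self.bank.credit(t)       # credit back the duplicate debit
            return "DUPLICATE"
        if not approval_recognized:       # approval came back but was not recognized
            if self.auto_reverse:
                self.bank.credit(t)       # reverse the in-doubt debit before a re-swipe
            return "RESWIPE"
        self.approved.add(t)
        return "APPROVED"

def net_charge(auto_reverse, outcomes):
    """Replay one ticket through a list of swipe outcomes; return results and net debit."""
    bank = Bank()
    gw = Gateway(bank, auto_reverse)
    t = Ticket("store-0001", "reg-07", "T-1001", "tok-sample", 4999)
    results = [gw.swipe(t, ok) for ok in outcomes]
    return results, bank.net_debited[t.card_token]
```

With reversal disabled, one unrecognized approval followed by a successful re-swipe leaves the card debited twice for a single ticket; with it enabled, the net debit stays at one sale however many re-swipes occur.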


One Comment

  1. personal loan Says:

    Merchants need to call their terminal provider to prevent things like this from happening. Sometimes it’s the terminal that has the problem; that’s why debit cards were double billed.

