OfficeMax did not respond to calls for comment, but a company spokesman has been quoted in various other media reports this week as denying any breach at the retailer.

According to Gartner's Litan, OfficeMax officials' outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.

Another company whose name has been mentioned in connection with the debit card fraud wave is wholesaler Sam's Club, a division of Bentonville Ark.-based Wal-Mart Stores Inc.

In December 2005, Sam's Club acknowledged that it was cooperating with credit card associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its gas stations between Sept. 21 and Dec. 5, 2005. The company on March 3 issued another statement responding to "persistent rumors and false media reports " tying it to the current wave of PIN debit fraud. The company denied that any of its internal systems had been compromised and said that a review of its gas payment systems by its own staff and an outside party revealed no breach.

"If any compromise occurred, it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.