They ask for e.g. first, third and fifth characters of a password that must be between eight and twelve alphanumeric characters, and the dropdowns to make the selection are lower case only.
This means they're storing the password unhashed, at best locally encrypted but decrypted to check the user login.
While I suspect that this is true, I don't think it has to be true.
Step 1 - user chooses password.
Step 2 - generate hash in normal way and store it.
Step 3 - generate error correcting check digits such that the password can be recovered from any three characters in known positions. (any three characters in known positions must be both necessary and sufficient - designing such an ECC is left as an exercise)
Step 4 - store the check digits but throw away the password.
Step 1 - user enters three characters
Step 2 - error correct the password
e.g. __p_pp__+CCCCC -> PPpPppPP
Step 3 - hash the corrected password and test against stored hash.
Obviously this isn't very secure - it's susceptible to a brute force attack that only requires guessing (any) three digits correctly once an attacker has gained access to the hash and the check digits.
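The scheme this comment describes, as an added example that is not part of the original post. It assumes a Reed-Solomon-style polynomial code over GF(37) for the error-correcting step the post leaves as an exercise; the function names, PBKDF2 parameters and record layout are likewise assumptions.

```python
import hashlib, hmac, os, string

ALPHABET = string.ascii_lowercase + string.digits  # 36 symbols, per the lower-case dropdowns
P = 37                                             # smallest prime >= 36: work in GF(37)
SEARCH_SPACE = len(ALPHABET) ** 3                  # offline guesses once hash + check digits leak

def _interpolate(points, x):
    """Evaluate at x the unique polynomial through `points`, mod P (Lagrange)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def enroll(password):
    """Store salt, hash and n-3 check symbols; the password itself is discarded."""
    n = len(password)
    pts = [(i, ALPHABET.index(c)) for i, c in enumerate(password)]
    # Characters are values of a degree < n polynomial at x = 0..n-1;
    # the check symbols are its values at the next n-3 points.
    check = [_interpolate(pts, n + k) for k in range(n - 3)]
    salt = os.urandom(16)
    return {"n": n, "salt": salt, "hash": _hash(password, salt), "check": check}

def verify(record, known):
    """`known` maps exactly three 0-based positions to the characters entered."""
    if len(known) != 3:
        return False
    n = record["n"]
    pts = [(i, ALPHABET.index(c)) for i, c in known.items()]
    pts += [(n + k, v) for k, v in enumerate(record["check"])]
    symbols = [_interpolate(pts, i) for i in range(n)]  # 3 + (n-3) points fix the polynomial
    if any(s >= len(ALPHABET) for s in symbols):
        return False  # wrong input can decode to the 37th, non-alphabet symbol
    candidate = "".join(ALPHABET[s] for s in symbols)
    return hmac.compare_digest(_hash(candidate, record["salt"]), record["hash"])
```

The stored check symbols plus any three correct characters reconstruct the whole password, so the hash protects only those three characters: `SEARCH_SPACE` is 46,656 candidates per chosen set of positions, regardless of password length.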