Top Stories


California Gov. Schwarzenegger’s Veto Statement On Data Breach Bill

October 14th, 2007

To the Members of the California State Assembly: I am returning Assembly Bill 779 without my signature.

Protecting the personal information of every Californian is very important to me and I am committed to strong laws that safeguard every individual’s privacy and prevent identity theft. Clearly, the need to protect personal information is increasingly critical as routine commercial transactions are more and more exclusively accomplished through electronic means.

However, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers. In addition, the Payment Card Industry has already established minimum data security standards when storing, processing, or transmitting credit or debit cardholder information.

This industry has the contractual ability to mandate the use of these standards, and is in a superior position to ensure that these standards keep up with changes in technology and the marketplace. This measure creates the potential for California law to be in conflict with private sector data security standards.

While I support many of the provisions of this bill, it fails to provide clear definition of which business or agency "owns" or "licenses" data, and when that business or agency relinquishes legal responsibility as the owner or licensee. This issue and the data security requirements found in this bill will drive up the costs of compliance, particularly for small businesses.

I encourage the author and the industry to work together on a more balanced legislative approach that addresses the concerns outlined above.

Arnold Schwarzenegger …


Wondering Why You’re Seeing This Newsletter? The RSAG Transition

September 20th, 2007

This is Evan Schuman, editor of StorefrontBacktalk and the retail technology editor for eWEEK. We were a content partner for the Retail Systems Alert Group and had helped them with content for events, panels and the newsletter.
In theory, you were a subscriber to some of their newsletters. Well, in mid-June, RSAG closed its doors. To try and continue the content you had asked for, we’re offering our weekly newsletter that looks at retail technology and E-Commerce issues. There is no sponsorship, no bias and lots of analysis (and bad jokes, from time to time) about what we see happening.
Hope you stick around. It’s our job to try and make sure the content is useful. (If you don’t like it, our unsubscribe link is quite effective.)…


Checkpoint Systems Has Merged RFID/EAS Product In Wings

April 29th, 2007

Looks like Checkpoint Systems has a merged EAS tag/RFID product in the pipeline, according to this intriguing story in RFID Journal. When they are formally introducing the merged unit is a bit unclear. The story says it was introduced on Friday, but I am guessing it will be introduced on Monday in Orlando at the RFID Journal Live conference. (Not that it matters to anyone, but I like to get this trivia precise.)

What does matter is that the new merged line–reportedly to be called Evolve–wants to connect the dots between an EAS theft deterrent system and an RFID in-store inventory package. On the least-impact side, it could be a convenient way to handle two tasks with one unit. On the most-impact side, it could truly push to the next level the ability to track products throughout a store and beyond.

“To deploy such a system, Checkpoint would need to develop a means by which the EPC encoded to the labels would be generated, managed and shared with supply-chain partners. The required RFID hardware infrastructure would also need to be put in place at manufacturing and retail warehouses and facilities,” the RFID Journal story said. “To leverage the RFID tags for inventory tracking inside retail stores, interrogators would be needed in the back rooms and possibly on store shelves and at point-of-sale terminals as well.”…


SEC Statement On CVS Settlement

February 18th, 2007

COMMISSIONERS: William E. Kovacic, Chairman
Pamela Jones Harbour
Jon Leibowitz
J. Thomas Rosch
In the Matter of )
a corporation, ) CONSENT ORDER
The Federal Trade Commission (“Commission”) has conducted an investigation of
certain acts and practices of CVS Caremark Corporation (“proposed respondent”). Proposed
respondent, having been represented by counsel, is willing to enter into an agreement containing
a consent order resolving the allegations contained in the attached draft complaint. Therefore,
IT IS HEREBY AGREED by and between CVS Caremark Corporation, by its duly
authorized officers, and counsel for the Federal Trade Commission that:
1. Proposed respondent CVS Caremark Corporation is a Delaware corporation with its
principal office or place of business at One CVS Drive, Woonsocket, Rhode Island,
2. Proposed respondent admits all the jurisdictional facts set forth in the draft complaint.
3. Proposed respondent waives:
(a) Any further procedural steps;
(b) The requirement that the Commission’s decision contain a statement of findings
of fact and conclusions of law; and
(c) All rights to seek judicial review or otherwise to challenge or contest the validity
of the order entered pursuant to this agreement.
4. This agreement shall not become part of the public record of the proceeding unless and
until it is accepted by the Commission. If this agreement is accepted by the Commission,
it, together with the draft complaint, will be placed on the public record for a period of
thirty (30) days and information about it publicly released. The Commission thereafter
may either withdraw its acceptance of this agreement and so notify proposed respondent,
in which event it will take such action as it may consider appropriate, or issue and serve
its complaint (in such form …


SEC’s Analysis of CVS Settlement

February 18th, 2007

Analysis of Proposed Consent Order to Aid Public Comment
In the Matter of CVS Caremark Corporation, File No. 0723119

The Federal Trade Commission has accepted, subject to final approval, a consent agreement from CVS Caremark Corporation (“CVS”).

The proposed consent order has been placed on the public record for thirty (30) days for receipt of comments by interested persons. Comments received during this period will become part of the public record. After thirty (30) days, the Commission will again review the agreement and the comments received, and will decide whether it should withdraw from the agreement and take appropriate action or make final the agreement’s proposed order.

The Commission’s proposed complaint alleges that CVS is in the business of selling prescription and non-prescription medicines and supplies, as well as other products. It operates, among other things, approximately 6,300 retail pharmacy stores in the United States (collectively, “CVS pharmacies”) and online and mail order pharmacy businesses. The company allows consumers buying products in CVS pharmacies to pay for their purchases with credit, debit and electronic benefit transfer cards; insurance cards; personal checks; or cash.

The complaint alleges that in conducting its business, CVS routinely obtains information from or about its customers, including, but not limited to, name; telephone number; address; date of birth; bank account number; payment card account number and expiration date; driver’s license number or other government-issued identification; prescription information, such as medication and dosage, prescribing physician name, address, and telephone number, health insurer name, and insurance account number and policy number; and Social Security number. The company also collects and maintains employment information from its employees, which includes, among other things, Social Security numbers.

The complaint further alleges that CVS engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for sensitive …

Rhode Island Attorney General The Latest Headache For TJX

February 5th, 2007
In the almost daily saga of the TJX data breach, the attorney general for Rhode Island has launched an investigation into what executives at the $16 billion retail chain knew and when they knew it. The investigation--technically, a Civil Investigative Demand (CID) on the authority of both Rhode Island's Deceptive Trade Practices Act and its Identity Theft Protection Act of 2005--will likely begin in earnest with its first meeting with TJX officials on Feb. 12 at the Attorney General's office in Providence, said Edmund Murray Jr., a special assistant attorney general who is in charge of the probe.

Full Text Of Cambridge Univ. Report On Verified by Visa and MasterCard SecureCode

February 3rd, 2007
Full text service

It’s 2 AM. Do You Know Where Your E-Mails Are?

December 21st, 2006
One of the nation's largest investment firms had a disciplinary complaint filed against it this week because, at best, it wasn't sure what E-mail was backed up. The worst case scenario has Morgan Stanley telling investors that their E-mail records were destroyed in the New York City terrorist attack, while they knew the backup records of those transactions were intact. Although the central facts of the case are in dispute--Morgan Stanley's position is that the existence of the backup tapes was disclosed while the National Association of Securities Dealers says the disclosure was not made--the big-picture message is that Morgan Stanley wasn't really sure what E-mail copies existed, what time period they covered and where they were.

IBM Patent: Storing Data in an Interactive Network

October 23rd, 2006

Visa Statement On New PCI Procedures

July 22nd, 2006
Visa U.S.A. announced today that it is expanding the criteria of its merchant validation levels for compliance with the Payment Card Industry Data Security Standard (PCI DSS). Visa's move is designed to decrease the risk of data compromises by shifting higher-volume merchants across all payment channels into a more rigorous compliance validation category. "Protecting the environment is critical to ensuring the future growth of electronic payments," said Mike E. Smith, Senior Vice President, Enterprise Risk and Compliance, Visa U.S.A. "Extending more rigorous validation requirements to additional merchants better reflects the security risks present in the marketplace."

Aberdeen: Major RFID Hurdles Remain

July 18th, 2006

A new report from industry analyst firm The Aberdeen Group does not bring a lot of optimistic news for RFID proponents, with predicted trouble for finding sufficiently-experienced RFID personnel, migrating to new data-collection methods such as mobile and biometrics as well as predicted major hiccups with efforts to scale RFID to the next level.

One bright note: the survey finds that users no longer see cost as the single most important factor. That’s significant because it’s the first time in the years that Aberdeen has conducted this study where interviewees did not choose cost as the most important issue when making RFID decisions.

Report author John Fontanella, Aberdeen’s Senior VP and service director for supply chain and retail research, said one of the most troubling findings in the survey of RFID users was that most companies were doing the absolute minimum to comply with mandates. In other words, they weren’t leveraging what they are required to do for a major customer and using it to improve their own operations.

“Most are giving no thought beyond just satisfying the immediate need of collecting the data. The slow adopter is trying to meet whatever mandate they’ve been given. Some 99 percent are only adopting because they have to, because someone is telling them to, whether it’s DOD, Wal-Mart, whoever,” Fontanella said. “Now that the information is collected and paid for, it’s time to start turning that RFID data into something much more positive, to get a much better return on their investment.”

Not all companies, though, are passing up the opportunity, he said. After Wal-Mart started forcing various suppliers to deliver, some suppliers decided to “do what I have to do to meet the mandate” and “they were forced to automate the tagging process. But they then that as the opportunity to …

Tracer Utility Is Likely Culprit In Visa’s Fujitsu POS Security Alert

March 20th, 2006
A commonly used testing utility is apparently behind the security alert that Visa issued late last week claiming Fujitsu retail point-of-sale software may have a problem. Shortly after Visa--the owner of the world's largest electronic payments network--issued an alert warning retailers about security problems with POS software issued by Fujitsu Transaction Solutions, Fujitsu officials said the alert was inappropriate.

Stock Exchange CIO: Real-Time Means Real-Time

August 12th, 2005

At a time when IT executives are finding users less and less tolerant of network delays, CIO William Morgan has perhaps the least tolerant set of users in the world.

Morgan runs technology operations for the 215-year-old Philadelphia Stock Exchange, the nation’s first stock exchange. But its age doesn’t make its daily load any easier, with networks having to handle 120,000 messages per second and peaks of 200,000 messages per second.

But because it is a financial exchange, any delay--even a half-second--is not acceptable.

“We measure transactions in milliseconds these days. This business can’t tolerate delays: We’re pricing customer orders,” Morgan said. “It’s survival for us.”

In recent years, financial activity has pushed that IT demand much higher. “If you go back five or six years, probably the number [of messages per second] was 10,000 or less,” which is one-twelfth today’s volume, Morgan said.

Morgan delivers that real-time speed with some homegrown applications sitting atop Sun Microsystems Solaris 10 servers and Stratus fault-tolerant servers in a Nortel network.

The CIO argues strongly for using as much standardized software as possible; the exchange’s Web site runs on Windows, and e-mail is using Microsoft Outlook.

“We use the standard Windows environment for all that, but not for our trading. On the trading side, there simply aren’t many packages,” he said.

“There are many for broker dealers, but a select for exchanges. There aren’t that many exchanges and, because of the custom nature of each exchange’s business, it’s very hard to find an off-the-shelf” package.

Having the network deliver all of those messages per second--Morgan’s people stress test their system with 200,000 messages per second--is only part of the battle.

After the messages are delivered, they have to be stored, catalogued and archived. These days, that’s about one-half billion messages every day.

All things …

