Evan Schuman's StorefrontBacktalk

"None of our internal systems will even have access to cardholder data," said McDonalds CIO David Weick. In the U.S., he said, the typical McDonalds brings in about $2.1 million to $2.2 million in revenue per store. "So any solution that I come up with needs to fit within a P&L that starts with a $2.1 million or $2.2 million revenue line. If I come up with something that is way out of line, I have the franchisees who are there to tell me and to describe for me the economics of their business and whether or not it fits," Weick said.Read more...

In the memo, Britton said that the chain disregards its own policies. "What is the first thing we do when a customer comes in to our humble box brandishing a competitor's as asking for a price match? We attempt to build a case against the price match. Trust me, I've done it, too." In a deposition, Best Buy officials tried to blunt the significance of that memo by testifying—and I couldn't make this up—that the employee was just kidding.Read more...

The controls, policies and procedures used by most of the companies we've talked to are mainly aimed at after-the-fact forensic analysis of log data, rather than real-time alerting and event management. Read more...

On the one hand, the deal would initially seem to make little sense for Amazon, as it takes away much of the spontaneity, speed and convenience of an online brand. But this program isn't about saving money or boosting convenience. The only way this makes sense is giving the program credit for being the only way to make online purchases that are—in theory—absolutely safe. If Amazon, Amazon's card processor or Western Union is breached, there's no private financial data exposed. If any of those businesses has a glitch and tries to overcharge the consumer, the consumer is completely safe as there exists no more money to access.Read more...

This incident was limited and the damage seems to be minimal. But the bigger issue is why has this hole not been adequately plugged by now? Was this sloppy work done by the online equivalents of the guys that dump credit card files in front of the store when a location is shut down? Or is this problem hitting those who are otherwise security sensitive? Read more...

Visa issued a statement "clarifying" their original position, despite the fact that their original position was quite clear. What was so confusing about Visa's original statement that "Heartland will continue to serve as a processor in the Visa system"? Did people think that Visa would tell retailers that a vendor "will continue to serve as a processor in the Visa system" and then turn around and fine—or decertify—them for doing so?Read more...

The Form 10-K also listed a wide range of agencies probing the breach, including what a few whose Heartland probes had not been public. The list now includes the Federal Financial Institutions Examination Council, the Federal Trade Commission, the Louisiana Department of Justice Office of the Attorney General, the Canadian Privacy Commission and quite a few state Attorneys General.Read more...

When Heartland announced in November that it was acquiring Chockstone, it issued a statement that “Terms of the agreement were not disclosed.” Why do publicly-held companies try such things? They know they’ll likely have to disclose it at SEC filing time.

This week, that filing time came and the Breach Boys had to report that they had dropped some $4.1 million in cash for Chockstone, including $1.6 million in goodwill and $2.4 million in intangible assets. They also took on some $200K in short-term capital lease obligations and about $300K in long-term capital lease obligations.…

The decision by U.S. District Court Judge Alicemarie H. Stotler raises issues of how strictly retail laws should be interpreted when it comes to E-Commerce issues, many of which couldn't have been imagined when the laws were written.Read more...

Could these be coincidences? Might they indeed be isolated debit card incidents? Absolutely. But this also might be an initial heads up that the debit card system relied on by major retailers today has inherent flaws. What happened, with both Macys and Best Buy, with software specifically designed to look for and prevent these kinds of multiple identical charges? What about the systems at the card processors and the banks?Read more...

In addition to monitoring--audio, video and even key logging--call center employees, call centers are sometimes classified as "sensitive areas" (per PCI 9.1.1), but GuestView PCI Columnist David Taylor argues that that has caused some companies to build walls and erect partitions to physically isolate the call center or those specific agents who have privileged access to card data or other confidential data, an approach that may cause as many problems as it fixes.Read more...

ABI Research Senior analyst Mark Beccue said North American mobile commerce totaled about $346 million last year and is expected to hit $577 million this year. "Then, you're going to get a big jump by year-end 2010, reaching $2.09 billion," Beccue said. The analyst pointed out that even if it doubles in size as predicted, mobile commerce will remain a drop in the bucket compared to all types of E-Commerce. He said E-Commerce in North America alone was a $204 billion industry last year.Read more...

The Visa move is interesting, but it appears to be much less about protecting data and card accounts than protecting Visa's public persona. If the suspension prevented Visa transactions from going through Heartland, that would have sent a very loud message. But that didn't happen. What has happened with Visa are some delicious attempts at rewriting history. In presentations that have been given this month by two top Visa data risk executives, Eduardo Perez and Hector Rodriguez, Visa's party line is now "As of today, no compromised entity has been found to be compliant at the time of the breach." And it shall forever be so.Read more...

New stats coming from research at RISNews.com are suggesting that, as suspected, homegrown packages are losing their home. IT execs saying that their "preferred IT deployment philosophy" is "deploying packaged applications with few modifications" came in at 53.8 percent, almost twice as popular an answer as "best of breed" at 28.8 percent. Even though RISNews has seen that trend for years, the difference had never been so stark. While the packaged response has been right around today's 53.8 percent figure for years (ranging no farther than from the low- to mid-50s), best-of-breed has suddenly plummeted. It was at 46 percent in 2006, 45 percent in 2007 and 47 percent in 2008, before plunging to 28.8 percent this year.Read more...

Even more cynically, is it possible that those execs know that surveys like this tend to impact CEO/CFO expectations and, therefore, they'll give the answers they want their CFOs to believe? Even if the execs are being straight with the survey takers—and that the survey takers are being straight in reporting all of the collected data without sanitation—we have to wonder what was behind those answers.Read more...

The researchers predict the U.S. digital signage market — including hardware, software, installation, and maintenance — will grow by about 33 percent this year. "This report was done in the fourth quarter of 2008," noted ABI Research analyst Zippy Aima. "At that time, the economy was not in as dire straits as it is now. We might have to revisit some of the numbers, but despite that fact, we are seeing very promising growth."Read more...

Surveys show the public's lack of enthusiasm for mobile device-based shopping held steady between late 2007 and late 2008. "Consistent from year to year, a little over one-half of all respondents are not interested in using their mobile phones to make purchases," ABI Senior Analyst Jeff Orr said. "Transaction security was cited by 71 percent of mobile phone users as a major concern preventing wider uptake."Read more...

As GuestView PCI Columnist David Taylor points out, data security is mostly about FUD. The more you scare people about unknown risks (of breaches, fraud, data loss), the more they tend to spend to guard against these risks. But given the high level of fear that already exists in the SME environment about going out of business, even the loudest and most well justified pitches don't even make the radar screen.Read more...

The IHL Group, which conducted the independent research, had expected to find the economic disaster was giving low-cost Linux a boost, but found the opposite, said IHL President Greg Buzek. "This aggressive pricing and packaging of the operating platform not only took share from Linux, but also took a heavy toll on other legacy operating systems as retailers sought replacements as part of their PCI DSS compliance initiatives."Read more...

In a Japan-only (for now) rollout, Sony is including a TV remote control with its new line of HDTVs, but this is no ordinary remote control. With a built-in RFID tag reader, it’s designed to talk with consumer’s cellphones and authorize purchases.

Initially, the devices are to be used to pay for very TV-related items such as video-on-demand, ringtones from a music show and other multimedia features. But the next phase could include any purchases, whether it’s a barbecue grill from the Home Shopping Network, a washing machine from Amazon (as seen through the TV’s Web connection, courtesy of a built-in Ethernet port) or groceries from the local Wal-Mart (to be picked up later). Of course, that’s in Japan. Here in New York metro, I’m happy if my Treo can actually connect two phonecalls in a row.…

Some of the state legislation doesn't even limit itself to dictating what retailers must do while operating in their states but are setting new rules protecting the residents of that state when they happen to be shopping out-of-state or online. Do they expect cashiers at Wal-Mart to ask what state a customer lives in and then, based on the answer, change the way they handle a credit card payment?Read more...

The few details that have been released raise more questions than they answer, but it also provides crucial clues as to what really happened.Read more...

Unfortunately, opines GuestView PCI Columnist David Taylor, it does not go nearly far enough.Read more...

Multiple federal units are investigating the Heartland data breach, company CFO Robert Baldwin told investors Tuesday (Feb. 25). Among them are the U.S. Department of Justice, the Federal Trade Commission and U.S. Treasury Department’s Office of the Comptroller of the Currency (OCC).

Although the specific details surrounding the breach are still unclear, it has now impacted more than 500 financial institutions, according to Bank Info Security, and resulted in at least three arrests of people accused of using some of the data taken. It’s not clear precisely what the Feds are investigating or whether they are even involved in the same probe. The SEC might be looking at early CEO stock sales while Justice could be looking to catch more suspects, and both Justice and OCC might be simply trying to better understand the relative security of payment systems today.…

According to TJX's earnings statement issued Wednesday (Feb. 25), the chain had set aside significantly more money than it ended up needing to deal with the 2006 breach, thereby allowing the company to reallocate cash for other purposes and add about $18 million to the year's net income.Read more...