J.C.Penney Is Now The SEO Bad Boy Poster Child. Somebody Had To Be
February 17th, 2011

What all three chains had in common: They were following industry norms, and they were the first big player to get caught doing it.
That's so fast that a phone or tablet could easily be stolen, stripped of data and returned before its owner even notices it's missing. Worse still, employees aren't inclined to report a missing device instantly. That's just human nature. They'll probably go looking for it first—and if that search lasts as little as 10 or 15 minutes, the passwords and other security-related data on it could be long gone.
MasterCard’s display card—which shows a dynamic one-time password, sort of a more secure card verification code to discourage counterfeiting—is moving from its European and Asian trials to the U.S. That said, MasterCard officials were vague about when it would happen.
No matter when MasterCard deploys, it’s going to be up to the bank folk as to who is going to use the code and when. Committing will not be easy, given the higher costs, in terms of both the plastic manufacturing and the more elaborate systems needed to take advantage of the security. Without at least Visa’s involvement (one more brand would help, but Visa and MasterCard alone would be quite sufficient, market-wise), the card is unlikely to gain enough share to justify the retail IT changes needed for deployment. Still, given the huge costs to retailers of bogus payment cards (a common end-result of identity theft), this move is a baby step in the right direction. And a very small baby, at that.…
U.S. merchants will want to monitor this program and see both how it develops and how it might be adapted for the U.S. market. On the one hand, TIP could prove an incentive to move the U.S. to the EMV standard for all payment cards. On the other hand, PCI Columnist Walt Conway worries about a darker scenario, in which the U.S. market becomes an isolated island in the PCI world where only its merchants are required to validate their compliance annually. Such a situation would be unfortunate for PCI and payment security in general, generate widespread U.S. merchant resentment and reinforce the incorrect view in some parts of the world that PCI is just a U.S.-focused standard.
The majority—if not the vast majority—of recent StorefrontBacktalk stories will still be available to read for free. So will our highly moderated discussion forums, which won't waste your time with spam and vendor pitches. But readers who aren't Premium subscribers will only be able to see the very beginning of Premium stories and columns—and they won't have any access at all to the Premium forums, private discussion groups, monthly reports or the archives of StorefrontBacktalk stories that are more than 30 days old.
Gap announced Wednesday (Feb. 9) that it is expanding its European E-Commerce site to ship to eight new countries. But the new customers in Austria, Estonia, Finland, Luxembourg, Malta, Portugal, Slovakia and Slovenia will have to pay in British pounds—even though all eight countries use the euro, along with seven other European countries served by www.gap.eu. It’s not as if Gap doesn’t know what a euro is; the company owns stores in France.
It’s easy to understand why Gap would rather expand its U.K.-based E-tail operations instead of opening up shop on the Continent. Labor costs, tax issues and IT centralization are high on the list of reasons. But forcing customers to use somebody else’s currency seems like cutting one corner too many. If companies in China and Japan can each sell to customers in the other country—and in the customer’s local currency—why can’t Gap work out how to do the same thing?…
Andy Orrock, a payment consultant who tracks these types of payment issues, said his reading of the Shell details is that it appears to be "a file-based screw-up, meaning that we're probably talking about credit and offline [PIN-less] debit. Somehow, somebody [at Shell] injected a file into the system twice," he said. The problem with that, though, is the same issue raised in the store-and-forward concerns. "Somewhere along the line, these systems are supposed to have duplicate file-checking," Orrock said. "How robust of a duplicate file check do they have in place?"
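To make the "how robust" question concrete, here is an added example (not Shell's, First Data's or Orrock's code) of a settlement-file poster with three layers of duplicate checking beside the naive version that posts whatever it is handed. The pipe-delimited file format, the batch and transaction identifiers and the amounts are all constructed for illustration. The point a practitioner should take away: a hash of the file bytes only catches byte-identical re-injection; a re-exported batch with a fresh timestamp line needs a check on the batch identifier, and a later batch that overlaps an earlier one needs a check on each transaction reference.

```python
"""Idempotent settlement-file posting: naive version beside a three-layer duplicate check.

Added example, not any processor's code. Format, identifiers and amounts are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    txn_id: str        # processor-assigned reference, unique per authorization
    card_ref: str      # tokenized card reference; a settlement trail should never carry a PAN
    amount_cents: int


@dataclass(frozen=True)
class SettlementFile:
    batch_id: str
    txns: tuple


def parse_settlement_file(raw: bytes) -> SettlementFile:
    """Parse the hypothetical format: a BATCH header, optional GENERATED line, TXN rows."""
    batch_id, txns = None, []
    for line in raw.decode("ascii").splitlines():
        fields = line.strip().split("|")
        if not fields[0]:
            continue                       # blank line
        if fields[0] == "BATCH":
            batch_id = fields[1]
        elif fields[0] == "TXN":
            txns.append(Txn(fields[1], fields[2], int(fields[3])))
        elif fields[0] == "GENERATED":
            continue                       # export timestamp: changes on every re-export
        else:
            raise ValueError(f"unknown record type {fields[0]!r}")
    if batch_id is None:
        raise ValueError("missing BATCH header")
    return SettlementFile(batch_id, tuple(txns))


@dataclass
class PostResult:
    status: str          # "posted" or "rejected"
    reason: str          # rejection reason, "" when posted
    posted: int = 0      # transactions applied to the ledger
    skipped: int = 0     # transactions already posted from an earlier batch


class NaivePoster:
    """The failure mode: every file is applied, so a file injected twice charges twice."""
    def __init__(self):
        self.ledger = {}   # card_ref -> total cents posted

    def post(self, raw: bytes) -> PostResult:
        f = parse_settlement_file(raw)
        for t in f.txns:
            self.ledger[t.card_ref] = self.ledger.get(t.card_ref, 0) + t.amount_cents
        return PostResult("posted", "", posted=len(f.txns))


class IdempotentPoster:
    """Rejects byte-identical files, re-exported batches and already-posted transactions.

    In production the three 'seen' sets and the ledger must commit in one database
    transaction; if the ledger commits but the seen-set write fails, the retry double-posts.
    """
    def __init__(self):
        self.seen_file_digests, self.seen_batch_ids, self.posted_txn_ids = set(), set(), set()
        self.ledger = {}

    def post(self, raw: bytes) -> PostResult:
        digest = hashlib.sha256(raw).hexdigest()
        if digest in self.seen_file_digests:
            return PostResult("rejected", "duplicate file content")
        f = parse_settlement_file(raw)
        if f.batch_id in self.seen_batch_ids:
            return PostResult("rejected", "duplicate batch id")
        posted = skipped = 0
        for t in f.txns:
            if t.txn_id in self.posted_txn_ids:
                skipped += 1               # same authorization settled in an earlier batch
                continue
            self.ledger[t.card_ref] = self.ledger.get(t.card_ref, 0) + t.amount_cents
            self.posted_txn_ids.add(t.txn_id)
            posted += 1
        self.seen_file_digests.add(digest)
        self.seen_batch_ids.add(f.batch_id)
        return PostResult("posted", "", posted, skipped)


# Constructed inputs: a batch, the same bytes injected again, a re-export of that batch
# with a timestamp line added, and a later batch overlapping one transaction.
BATCH_1 = b"BATCH|20110130-0001\nTXN|t1|tok_a|2500\nTXN|t2|tok_b|4000\n"
BATCH_1_REEXPORT = (b"BATCH|20110130-0001\nGENERATED|2011-01-31T02:00:00Z\n"
                    b"TXN|t1|tok_a|2500\nTXN|t2|tok_b|4000\n")
BATCH_2 = b"BATCH|20110130-0002\nTXN|t2|tok_b|4000\nTXN|t3|tok_c|1200\n"
FEED = (BATCH_1, BATCH_1, BATCH_1_REEXPORT, BATCH_2)


def run_demo():
    """Feed the same files to both posters; return (naive ledger, checked ledger, results)."""
    naive, checked = NaivePoster(), IdempotentPoster()
    for raw in FEED:
        naive.post(raw)
    results = [checked.post(raw) for raw in FEED]
    return naive.ledger, checked.ledger, results


if __name__ == "__main__":
    naive_ledger, checked_ledger, results = run_demo()
    print("naive  :", naive_ledger)
    print("checked:", checked_ledger)
    for r in results:
        print(r)
```

Run stand-alone, the naive ledger ends up with tok_a charged three times and tok_b four times, while the checked ledger shows each of the four transactions exactly once; the byte-identical file, the re-export and the overlapping transaction are each caught by a different layer.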
Retail IT spends lots of time and effort trying to get employees to use secure passwords. It's harder to keep customers in line, but they can at least be prodded to choose longer, harder-to-guess passwords. Still, that's all wasted effort if the fallback security challenge question is ludicrously simple to guess. Favorite sports team? Favorite restaurant? Favorite band? Favorite vegetable? There's some security there. But favorite ice cream flavor? Way too easy.
Alas, the program is not being offered for U.S. retailers. Even though such an exclusion requires little explanation beyond the obvious (no U.S. retailer is using EMV in meaningful numbers, nor have any said they would any time soon), Visa took the opportunity to not-so-subtly attack Congress and the White House for new payment card regulations.
The units, which JCPenney is calling Findmore, are also integrated with CRM databases, identifying customers' loyalty accounts by matching their payment cards. The chain was careful to avoid PCI issues by not directly storing the card numbers. "Once the customer gives the credit card information to JCPenney, it is immediately translated to a JCPenney internal ID and stored on database in the translated format. The credit card number is not stored in the rewards system," said Kate Coultas, a JCPenney corporate communications manager.
Apple's patent application makes clear it's mainly aimed at iPhone abuse that would void the phone's warranty. But it's just as clear that the abuse-detection system could go much further than that. If Apple decides to use it to bolster the security of the iPhone and iPad for mobile payments, that could make the iPad much more secure for retailers as an in-store payments device used by employees—and make the iPhone a much safer way for customers to make mobile payments.
The Council is in a very difficult position (between a ROC and a hard token place?), especially because it must give as much attention to political issues as it does to technological ones. In this case, the politics are not of the Washington, D.C., sort, but of the industry. Specifically, how to deal with the concerns of the many mobile application developers whose apps now cannot even be considered for PCI validation, especially when they complain about rivals whose apps slipped in before PCI closed the evaluation door. Should the few already approved applications be delisted, so that all mobile applications can be evaluated at the same time, using the exact same criteria? Is that the fair approach?
The problem with these multi-function printers is that—in some cases—they store credentials, including usernames and passwords, in cleartext, pens PCI Columnist Walt Conway. That is, this critical information is not securely stored on the device. That means a hacker can access the printer's address book to extract usernames and passwords. If one of these passwords is for a domain administrator, for example, the hacker can access potentially all other folders, files and servers in that domain. Imagine the cyberthief using these credentials to look at files with names like "payroll backup" or "corporate travel cards," and you begin to get the picture.
The information that an AT&T outage not only existed but was the cause of Shell's system failure was "poor information, poor communication from our teams internally," Shell spokesperson Theodore Rolfvondenbaumen said on Friday (Feb. 4).
First Data circulated a confidential memo on Monday (Jan. 31) that said it was reversing 401,120 transactions—totaling $12,135,608.19—of Shell's retail transactions from the weekend. First Data was asked to "post the reversals to the cardholder accounts impacted as soon as possible in order to limit negative impact." (Guess "negative impact" means customers screaming at call center reps.)
To be fair, the Indiana grad students also make suggestions for how smartphone makers can lock down their phones to avoid these types of problems. But it's frustrating to realize that while banks, card processors and smartphone vendors are deadlocked as they dither about who will get what piece of the action in mobile payments, others are taking smartphones seriously as tools for stealing payment-card information. At this rate, thieves will be highly experienced in stealing card numbers from smartphones long before the payments industry finally decides on divvying up the money and gets around to looking at security.
The Center for Science in the Public Interest (CSPI) argued that when "Safeway learns that recalled products have been sold in its stores, it has a duty to disclose to customers that they face serious health risks or even death if they eat the recalled products. Safeway chooses not to notify its customers who purchased recalled products, thereby putting them at risk." Safeway, understandably, has a very different view. Safeway argues that there are good reasons for the industry to not standardize on such CRM-based alerts.
The distributed nature of the payment application environment is similarly complicated. For example, student finance, athletics and the alumni association each has unique business needs. Each organization might develop its own systems or contract with specialized third-party vendors for business and payment applications. The applications may be outsourced or run on departmental servers that may or may not be under control of IT and network administration.
When the site crashed, it posted an apology message for visitors: "We're sorry. Due to a system issue, you may be experiencing an interruption in customer service. The issue is affecting Discover's automated phone system, as well as Discover.com." Systems weren't restored until Friday about 5 PM New York time.
"To the hacker," the homepage missive began. "If you are reading this, our Web team would like to say that your talents are formidable. We would like to offer you a job, were it not for the fact that your morals are clearly not compatible with ours or our customers." This is right out of a spy movie, where the hero always compliments his abductor before insulting him. ("This is a brilliantly hidden lab and your guards are impressive. But I can't join your plot of evil because you're a low-life scum. Sorry about that. Continue the torture, please.")
That's not the only irony surrounding the Amazon glitch, which essentially meant that all Amazon passwords more than three years old were relatively easy for a thief to guess. It appears that Amazon really did try to improve its password security, and made newer passwords much more secure. But there was nothing Amazon could do to solve the problem for longtime customers.
It's called Beyond The Story because our discussion forums thus far have been limited to comments on individual stories. And we policed those comments strictly, making sure that they were indeed about the story they were attached to and that they were non-promotional, non-offensive and respectful. (Well, as respectful as IT professionals debating RFID, PCI, CRM and Mobile are likely to get. We don't seek miracles here.)
The idea is to have a more secure cash drum, one that would destroy all of the money it's holding if anyone attempts to steal that money. It uses special ink and the vendor says "the money will be stained for more than 20 percent of the surface. It is impossible to undo the staining." Can you imagine the fun meeting with your bank or insurance people—or your CFO—and explaining how an IT glitch just destroyed money coming from a store? Wincor-Nixdorf assures IT that "the concept is designed in a way that a mishandling is not possible and, therefore, the risk of mis-triggerings is reduced to a minimum." A minimum, eh? Quite comforting. Who pays for the lost money if it glitches?
The latest PCI compliance reports (data current as of Dec. 31, 2010) show little change for Level 1 and Level 2 merchants, with each group holding at 96 percent. Level 1 had been at 96 percent for months, but the number of retailers in that group jumped from 358 to 377 (since the prior report, dated June 30, 2010). Level 2 had been at 95 percent, so the 96 percent figure reflects a slight increase. The number of merchants in Level 2, however, dropped from 894 to 881. So if even a few of the 13 merchants that left Level 2 had been non-compliant, their departure alone could explain the bump up to 96 percent.
As before, Visa has not released figures from Levels 3 and 4, continuing to label them both as “moderate” with no explanation. …
Retailers today are inundated with ads and news releases proclaiming that various security products will make a chain out-of-scope. It’s a claim that we all know is false. But during times of stress, it’s so very tempting to want to suspend all that we know and believe it.
In this week’s StorefrontBacktalk security podcast, we explore this issue. How far can such products go? Is there such a thing as accepting payment cards and being out-of-scope? (Hint: No, there isn’t.)…