Evan Schuman's StorefrontBacktalk

But PCI is not like that. PCI has requirements that demand regular attention if merchants are to remain compliant the other 364 days in a year. CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach. They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be.Read more...

The change was for several reasons, including "some functionality in the Fujitsu software that we really liked and needed" that wasn't offered by NCR and testing that showed Fujitsu's software on NCR self-checkout units performed about 20 percent faster than when NCR's own software was loaded on its units, said Cara Kinzey, Home Depot's Senior VP of IT. Read more...

"We consider CVS and (Walgreens) to be the most advanced, as they have already implemented chain-wide computer synchronization, advanced inventory management and pharmacy workflow optimization systems," said Deborah Weinswig, from the Citi investment research and analysis group. "The warehouse clubs are considered to be the least sophisticated of the group. However, BJ and (Costco) have fewer inventory management needs as a result of their unique business model."Read more...

The lawsuit, filed Tuesday (Jan. 19), hit Heartland hard for its "lack of Payment Card processing system security; its desire to use a 'lowest bidder' system of selecting its outsourced IT 'auditors'; its reliance on a 'snapshot' telling it that, at one identifiable point in time, its system supposedly complied with the bare minimum industry standards; its startlingly poor IT oversight in general; and (Heartland's) complete and utter disregard of the oversight responsibilities they had to their fellow members of the Associations that allowed the intruders to make trip after trip in and out of the Heartland Payment Card processing system." The lawsuit also referenced Heartland's initial response to the attack. "Thirteen months later, the 'clean up' efforts would be seen for what they were—worthless." (Pause. But other than that, Mrs. Lincoln, how was the play?)Read more...

The mobile retail world has now neatly morphed into three categories: consumer-used (with true M-Commerce, mobile research from home and on the road, etc.); retailer-used (for price checks, inventory inquiries, in-aisle supply chain inquiries, etc.); and consumer-in-store (2D barcodes, price comparisons, SMS communications with the chain, watching demos, mobile research from within the store, direct payment, etc.). To make matters worse, some applications sit in multiple categories, such as a retailer-used device that is temporarily given to a consumer for checking online inventory or seeing a demo.Read more...

Maybe tokenization and end-to-end encryption are just two closely related approaches that can, when properly implemented, accomplish the same thing: minimize your total PCI scope. One thing is for sure, though: Either way, you will need to bring your checkbook.Read more...

But Grooms added: "You should try and fail really small. You test, take some risks, adjust and go back. But you really can't take that long. You can't take three years to develop an app. You must launch and learn." Roberts took the opportunity to tweak his own wording. "Fail is such a strong word," he said. "I prefer to think of it as a sub-optimal business case outcome."Read more...

On the Best Buy side, though, many attendees at the National Retail Federation (NRF) conference were wondering whether the change would have much of an impact at all. One attendee compared the move to a hypothetical apparel retailer that is furious about children working in overseas sweatshops. To put an end to it, the apparel retailer would tell the supplier, "That's it! No more. I want you to take the pink frilly tuxedos with the Mod Squad characters sewn into the chest and get them out of here and don't bring me any more pink frilly tuxedos with the Mod Squad characters sewn into the chest until your suppliers have changed their practices. You can bring me lots of other clothes, but I am now drawing the line at pink frilly tuxedos with the Mod Squad characters sewn into the chest. It's for the children."Read more...

According to a copy of a report that Discover prepared about its initial trial results, 69 percent of those participating in the Zip trial wanted the sticker hidden. "The pilot management team was impressed by the creativity demonstrated by participants in finding various ways of hiding stickers under the phone’s protective case ("skin”), under the battery cover and other unseen yet convenient locations."Read more...

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside – or even outside – their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. PCI Columnist Walt Conway can think of several merchants he works with that will be looking at these devices very seriously. But, he argues, the PCI implications are complicated.Read more...

But the bleeding won't stop there. HPS has yet to reach agreements with Discover, MasterCard or others. The Visa agreement, described in a filing with the Federal Securities Exchange Commission (SEC), calls for HPS to take out a $53 million loan to help it pay $59.22 million to Heartland Bank and KeyBank National Association, two of its sponsor banks. Visa will pay back to the banks $780,000 in fines it collected from them after the breach.Read more...

There's an interesting provision that turns a programmer into a criminal if the program permits usage beyond the Nebraska limits. "Intentional or grossly negligent programming by the programmer that allows for the storage of more than the age and identification number shall be a Class IV felony." Turning a careless programmer into a felon? I can just see new indemnification clauses being demanded by every programmer who is being aggressively recruited. What about shareware or freeware? Good luck tracking down which open-source programmer wrote that particular portion of a Linux program. ("Hey, Brenda, what's the term for grossly negligent programming in Nebraska?" "An Oracle upgrade." Rimshot.)Read more...

There is only one thing that is faster than a cyberthief grabbing stolen card data: A lawyer suing that breached retailer. Only 13 days passed from the Dec. 15, 2009, announcement of a breach at social networking application development site RockYou until a lawsuit against RockYou was filed. The case, filed in U.S. District Court in San Francisco by RockYou user Alan Claridge, asserts that RockYou failed to use even rudimentary security to protect the personally identifiable information (PII), including E-mail addresses, of millions.

“RockYou stored users’ PII in an unencrypted database with poor network security,” Claridge said. “RockYou’s willful failure to secure its users’ sensitive PII led to multiple security breaches that exposed 32 million users to identity theft and other malicious conduct. Although security threats are unavoidable in a rapidly developing technological environment, RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ PII by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills” to access.…

But as long as you're coming, we'd love to ask you to drop by some of the StorefrontBacktalk events and do what our readers do best: yell at us. The first shouting opportunity will be at the RetailROI event at the Marriott East Side (Lexington and 49th) on Saturday at 2:45 PM. This charity event (www.retailroi.org) is designed to raise money for global orphan care and adoption support. But to do that, we get geeky for awhile. Our panel is on retail security and it starts at 2:45 PM and features the CIO of the world's largest restaurant group: Delaney Bellinger from Yum Brands (Pizza Hut, KFC, Taco Bell and Long John Silver's, among others). Also on the panel are two of our esteemed columnists (Franchisee Columnist Todd Michaud and PCI Columnist Walt Conway) plus Mark Rasch, the former head of the U.S. Justice Department's high-tech crimes division.Read more...

But Conway sees the data discovery prediction the most significant. "If you have a lot of locations, you have work to do setting up and scanning all those databases, workstations and servers. Especially watch to see if the Council decides to implement data discovery like it did wireless scanning (Requirement 11.1). If this happens, merchants will not be able to sample locations and will have to search each one. The good news is that you can conduct these searches internally and there are good open source products available. Your QSA likely would only need to verify the results of your automated discovery and to review the scope of your search."Read more...

The controversy involves Visa forcing chains to accept more expensive signature—as opposed to the more retail-friendly PIN—authorization. Best Buy is still accepting Visa magstripe cards plus other brands' contactless offerings. "After several discussions with Visa produced no agreeable changes," the chain started removing its acceptance of Visa contactless cards in October, completing the cutoff in November, said one Best Buy executive involved in the decision. The cutoff happened store by store along with POS upgrades. "Our decision was based on the costs associated with requiring contactless debit transactions be processed as signature debit."Read more...

In tracking PCI issues within various major chains, we have seen that the differences in perception can be staggering. In an attempt to get a handle on where most companies stand, we’re putting out a small survey on usage and challenges.

As a thank you for retailers involved in PCI completing the survey, we are offering them a free autographed copy of Hacking Exposed: Network Security Secrets, which Amazon has labeled a best-seller.

[SURVEYS 2]

The denial of a preliminary injunction ruling wasn't entirely a surprise, as reports of Heartland's apparently contradictory statements had already surfaced. But when U.S. District Court Judge Mary Cooper issued a ruling in the case on December 23 that dismissed so many of Heartland's claims against VeriFone, that was a bit startling.Read more...

In what’s being described as a delayed Y2K programming issue, the move to 2010 has apparently shut down some 30 million cash and credit cards since New Year’s Day, according to data available Tuesday (Jan. 5) from the country’s three largest banking associations, according to this Wall Street Journal story. The problem was tied to a chip in the smarts that wasn’t able to properly process the year 2010.

Interestingly enough, U.S. retailers were, for the most part, spared this problem for their domestic stores because smart cards are still a minority of the cards in use. See? Being backward can have its advantages. It reminds me of a conversation I had at a restaurant tradeshow in mid-December 1999, where I was seated with the CIOs of several huge restaurant chains. When asked if they feared the weeks-awayY2K moment, all said they didn’t. “Yeah,” I agreed. “Most upgrades have cleaned up the issue.” No, you don’t understand, the CIOs said. “We’re not worried because most of our stores are still using DOS.”…

John Verdeschi, the senior business leader for fraud management at MasterCard Worldwide, said he had heard "no complaints" about the timing from retailers. "We didn't hear that as a specific issue," he said, adding that the PCI SCC's new training program was the only reason for the deadline change. Another element of the December 13 change is a little less cut-and-dry. Until about three to four months ago—Verdeschi described it as "August or September"—MasterCard had posted on its site a description of the rules for which PCI level (1, 2, 3 or 4) it would consider retailers. MasterCard described parity with any "competing payment brand," wording that it had used since 2005. But in "August or September," Verdeschi said, that wording was removed.Read more...

"Target was one of the companies affected by an intrusion that occurred two years ago. However, the exposure—both in time and number of accounts—was extremely limited," said Target spokesperson Amy Reilly. "A previously planned security enhancement was already under way at the time the criminal activity against Target occurred and we believe that, at most, only a tiny fraction of guest credit and debit card data used at our stores may have been involved."Read more...

As a philosopher might say, the only safe way to delete a file is to have never recorded it. As silly as that may sound from a data security perspective, it shouldn’t be dismissed. Consider this scenario: A chain notices a PDA app that uses geolocation to match consumers with local happy hours. (For those outside the U.S., it’s a time when bars tend to heavily discount alcoholic beverages.) It throws the app onto its mobile site as a service for customers and thinks nothing of it.

As a matter of policy, the chain decides that it will not use any of that information for marketing or anything else. Fair enough. But what if local law enforcement chooses to subpoena those records so that it can know who frequents happy hours a lot. And if it can tap into real-time data, police could try and catch people in the act. And, maybe some civil attorneys try to subpoena the documents as well, for some automobile accident cases. That’s the subject of our column this week on the McAfee security blog.…

The first MasterCard change made this month was pushing the Dec. 31, 2010, deadline back six months, to June 30, 2011. But MasterCard has also made two other key PCI changes. It has redefined what Level a retailer is (Level 1, 2, 3 or 4) to, for the first time, mirror whatever level Visa has determined. The last of the changes is to allow Level 1 and Level 2 retailers to perform their own assessments—using the retailer's own salaried audit staff—as long as those audit staffers have passed PCI-approved training courses. "A bunch of Level 3 and Level 4 merchants just became Level 2s," said one QSA. "With this reciprocity gotcha, MasterCard giveth and MasterCard taketh away."Read more...

The chain, which has stores in 48 states in the U.S., lost its data connectivity on December 10 when the service provider made a modification that went awry. "It was an inadvertent switch to dynamic IP from fixed IP," said CIO Ray Hamilton. "That shouldn’t happen, and it took us a couple of days to resolve."Read more...

Weak security at RockYou.com, a social networking application development site, allowed unauthorized access to more than 32 million user log-in credentials stored in an unencrypted database, according to the site’s chief technology officer. The SQL injection flaw allowed access to those credentials, and because “the user names and passwords are by default the same as the user’s Webmail account—such as Hotmail, Yahoo or Gmail—this is a major lapse in security,” said Amichai Shulman, the chief technology officer at Imperva, a data security vendor that detected the problem and alerted RockYou officials, but not before the data theft had happened.

RockYou publicly acknowledged the breach Wednesday (Dec. 15), warning users to change their log-in credentials for other “online destinations” if they are the same as those used for RockYou.com. In a Venturebeat.com story on the incident, RockYou CTO Jia Shen said the problem involved RockYou’s legacy widget applications, a part of the site now closed, and he admitted the passwords had been retained unencrypted. Gartner Security Analyst Avivah Litan said retailers should view the case as a warning about the potential pitfalls of the single ID movement. “This just proves the theory that if you use an aggregator and have single sign-on to multiple sites, all it takes is a break-in to compromise your access to everything else,” Litan said. “Everybody should take a pause on these single-user schemes.”…