Evan Schuman's StorefrontBacktalk

It boggles his mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies--my firm included--are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.Read more...

Consider this example: A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.Read more...

The government was asking a federal judge for more time to investigate before a sentencing hearing, said the memo from Assistant U.S. Attorneys Stephen P. Heymann and Donald L. Cabell. "The government has been given no prior notice of either of these assertions, the defendant's intended reliance on expert testimony to support them or that the defendant was undergoing a psychological forensic examination." Read more...

Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs mislead the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not. She listened to recordings of an analyst call to conclude that, in full context, the processor's security claims were technically true.Read more...

From a non-IT perspective, the move would certainly discourage consumers from accepting—or even pursuing—instant credit, which has been a wonderful thing for merchants. It's unlikely that shoppers will be thrilled when asked by gum-chewing, teenage POS jockeys to whip out paystubs or a copy of last year's 1040s. Consider an analogy: The police chief who lives next door has a town ordinance passed requiring you to store in your basement a ton of heroin and cocaine that the police department has just seized. Read more...

Gonzalez agreed to plead guilty to his role in attacks on Heartland, Hannaford and 7-Eleven in a document signed at 10:14 AM New York time on Dec. 2.Read more...

Still, the Shopper app, published by ReachEverywhere, suffers a variety of odd restrictions, such as limiting the recall data to two food-oriented agencies—the U.S. Food and Drug Administration (FDA) and the U.S.. Department of Agriculture (USDA)—while excluding recall-friendly agencies that would impact far more products, such as the U.S. Consumer Product Safety Commission (CPSC). It also only flags recall problems when the purchase is being made. So a customer who buys a product that gets recalled an hour after the purchase is completed will, by design, not be notified. Read more...

The four-month-long trial that began in November is significantly limited in scope, involving only BlackBerry devices. And it doesn't even involve BlackBerries with payment chips installed. Instead, the effort involves NFC payment chip stickers attached to the backs of the smartphones.Read more...

Today’s smartphones certainly promise more convenience and functionality. But for IT, these devices promise new nightmares about protecting the data they store. It’s not merely contact data, but files, slides, traffic history, E-mail records, chat transcripts and almost anything else that can be done on a desktop and synched to a smartphone. Then there’s the Grand Poobah of data protection night terrors: Geolocation.

Geolocation is the phone’s capability to tell any app on that phone—or anyone at all, really—the exact location of the phone virtually every minute it has power. Such data is relatively small in size and yet—tied into various other data points (especially time and date)—could be monstrously helpful to some while being stunningly destructive to others. But fear not, IT execs are thinking, there’s no way such data could ever get out to unauthorized places, right? Sprint this month proved otherwise, as we discuss in this week’s Guest Column on McAfee’s Security Blog.…

All told, one sensitive document created on a company desktop machine may, in a matter of minutes, be unintentionally copied in 10 locations: an employee’s desktop; the LAN server that backs it up; a PDA; the carrier/vendor server that synchs the PDA data; a memory stick; the home computer the employee used that memory stick in; the personal external backup drive connected to that employee’s computer; an offsite backup service the employee uses; the shadow copy on that employee's work desktop machine; and the shadow copy on that employee's home desktop machine. And it can get a lot worse.Read more...

What many franchisees have not discovered, pens Franchisee Columnist Todd Michaud, is that the advanced integration between POS, inventory systems and video surveillance systems can be used to catch these types of activities and dramatically improve the top and bottom line. If you really want to be depressed, go to Google and type the words: “working at BRAND_NAME steal” or “how to steal from BRAND_NAME” or other variations of the same. What you find may be surprising. Many people have actually posted how-to guides for the best way to steal from a certain brand as an employee.Read more...

Most companies issue their employee road warriors with corporate travel cards. Companies also issue purchasing or procurement cards that their staff use to buy everything from office supplies to store fixtures. Most of these cards are American Express, MasterCard or Visa branded. Companies store the PANs in databases that are accessible to travelers and others who use the data for expense reporting and tracking. In my experience, the PANs get printed on hardcopy reports. The question for IT execs is, do you need to include these cards in your (merchant) PCI scope? The surprise answer is that it depends on where you store the cardholder data and, interestingly, on which brand of card you choose.Read more...

The case involves four Louisiana restaurant groups—doing business as Crawfish Town USA, Don's Seafood and Steakhouse, Picante’s Mexican Restaurant, Mel’s Diner Part II and Sammy’s Grill—suing their POS vendor, Radiant Systems (which owns the Aloha POS systems used by these chains), along with systems integrator Computer World (not to be confused with the publication Computerworld). But when you drill into the details of the lawsuit, it gets more interesting. One of the key accusations against Computer World is that it used vendor default passwords for systems with many of these restaurants, for easier remote administration. The lawsuit correctly points out that PCI bans retailers from using such vendor default passwords. But that's the key. It's the retailers that are not permitted to use these defaults. Was integrator Computer World, in this scenario, acting as an agent of the POS manufacturer—as a reseller—or as an agent of the retailer--as an integrator?Read more...

It’s one of the oldest pieces of security guidance: The biggest threats are always from a company’s employees, not from intruders. But popular perception has never supported this truth because outside intrusions are comparatively highly publicized while internal threats are generally dealt with secretly, with a termination and an offer to avoid prosecution if the thief remains silent.

But T-Mobile this month reminded us of how serious an internal threat can be. In what U.K. authorities are dubbing one of the biggest data breaches in that country’s history, a resourceful (although ethically challenged) T-Mobile employee is accused of taking millions of pieces of customer data and selling it to company rivals. This situation is the subject of StorefrontBacktalk’s security column this week on the new McAfee security blog.…

Evidence of data theft at a Spain-based credit card processing company prompted the recall in November of more than 100,000 cards in Germany. UK cardholders were told to watch for unauthorized activity, but the authorities did not reveal any details about the breach–including the processor’s name. The Daily Mail reported that the “criminals are understood to have stolen card details and then used them to buy goods online.” In a November 19 statement, Germany’s Central Credit Committee (ZKA) called the recall a “precautionary measure and routine operation” and said the card exchange was nearly complete. It said: “All German banks and savings banks have significantly tightened monitoring of the affected cards, which further limits any potential abuse.”

Cards issued by DKB-Bank, Barclays and Karstadt-Quelle are among those at risk, but neither Visa nor MasterCard reported any breaches of their systems. The BBC reported that Visa Europe was “aware of a possible card data security issue in Spain,” but revealed nothing further. The processor is reportedly being investigated for fraud, so the incident may be an inside job rather than the work of hackers or skimmers.…

Conway's concern is the almost inevitable fourth quarter 2010 PCI train wreck as the new rules collide with human frailty and the calendar. The result may be that even some Level 1 merchants and processors don’t get their assessments (and ROCs) completed on schedule.Read more...

Restaurants are, by their nature, very different from most other retailers (to the extent that they are considered retailers at all). They tend to attract a strongly local customer base, so if another restaurant is just a few ZIP codes away, it's not likely to be too competitive. That could make the downside of such a program—giving dollars away to rivals—less of a problem. But the radical idea of such a joint gift card does address the fear of bankruptcy, which is what the Connecticut Attorney General stressed when his office announced the Connecticut card.Read more...

MasterCard is offering two types of the new mobile Chip Authentication Program (CAP), an SMS version and a downloadable app for smartphones. Both options present single-use passwords in a fashion similar to the home-based card readers usually supplied to consumers by banks to authenticate card-not-present transactions. With the SMS version, the one-use password is sent within a text message to a user's cell phone when the consumer reaches the point in the checkout process where the site asks for the secure code. Smartphone owners using the installed MasterCard app have their one-time-use passwords displayed after they enter a PIN.Read more...

"This reflects the importance that government places on safeguarding personal data effectively and processing it responsibly and lawfully," said the U.K. Ministry of Justice. "Increasing the sanctions faced by data controllers through financial penalties should contribute to increased compliance with the data protection principles and greater confidence for data subjects that their information is being handled correctly."Read more...

That includes gaining access to the keys, but it also includes access to token lookup tables or any other way to get back to the original data. That means you need to be just as concerned with social engineering attacks, malicious insiders and phishing as you do with hackers stealing encryption keys. Read more...

Isn’t it wonderful how many security vendors are so altruistic that they leap to the microphone to point out the failings of their industry? Somehow, though, solely to advance reality and context, they volunteer that this particular shortcomings don’t apply to their product or service.

That vendor helpfulness—especially when it comes to helping retailers navigate the treacherous PCI out-of-scope minefield—is the subject of StorefrontBacktalk’s security column this week on the new McAfee security blog.…

At its simplest, out-of-scope means beyond jurisdiction; it means that whatever is being discussed no longer falls under the rules and requirements of PCI. One critical problem is that the brands and the PCI Council giveth and they can taketh away. In other words, if you've started sharing some, for example, tokenized data with marketing because a temporary out-of-scope ruling makes you comfortable doing so, you find it almost impossible to undo should that ruling be reversed. Put more philosophically, you won't likely be able to get the clear-text toothpaste back into the "they're going to fine me from here to Shanghai, aren't they?" tube.Read more...

(For those who watch our coverage closely, we said last week that we were upgrading this particular food fight from bizarre to surreal. This week, it gets kicked up to borderline psychotic. If Heartland and VeriFone get any worse, we're going to have to hit an unabridged thesaurus somewhere.) On Wednesday (Nov. 11), Heartland issued a statement saying that on Monday (Nov. 9), a federal judge "granted Heartland Payment Systems’ application for an order to show cause against VeriFone Holdings Inc." The headline on this release said "Federal Court Grants Heartland Payment Systems’ Application For An Order To Show Cause Against VeriFone." Sounds like Heartland won that hearing, right? Not quite. Not at all, in fact. Heartland was asking U.S. District Court Judge Mary Cooper to issue a temporary restraining order against VeriFone and the judge refused.Read more...

With all of the recent fuss about PCI requirements and how to protect payment cards, many companies have opted to take a far too narrow view of data protection. The PCI rules are absolutely designed to only apply to payment cards. But the same common-sense security guidelines will also dramatically help the security of CRM databases, personnel files, E-mail servers, payroll details and even the full contents of your Web site.

In this week’s Guest Column on the new McAfee security blog, a reader describes a run-in with a nervous customer who had lost a ton of data because he hadn’t been doing a backup. Why? It didn’t include payment data, so he ignored all of the PCI guidelines he was following elsewhere in the system. So what was so important about this non-PCI-oriented data? “It’s the flight maintenance records for our entire fleet of aircraft.”…