Evan Schuman's StorefrontBacktalk

The case against Shahin Abdollahi, a.k.a. Sean Holdt, is that he supposedly used the systems he sold to Subways around the country to fraudulently load value onto giftcards. The indictment then claims that Abdollahi either used the giftcards himself at Subways thousands of miles away or sold them as discounted cards on eBay (NASDAQ:EBAY) and Craigslist. For that added touch of chutzpah, the indictment alleges, Abdollahi and a co-conspirator "sometimes registered [the giftcards] online with Subway" and that was done "to keep track of the fraudulently loaded cards in case of loss or theft." After all that work, you certainly wouldn't want a card to be lost due to carelessness.Read more...

U.S. and Chinese paper mills say they will eventually fill the shortfall from the U.S. exit of Koehler, which has been providing about 40 percent of POS paper. But in the meantime chain execs may be expecting IT to keep stores from running out of paper. Strange as it sounds, it is IT's problem—and the second-easiest option is digital receipts.Read more...

When LinkedIn premium customers Katie Szpyrka and Khalilah Wright learned that the website operator had been hacked, and that 6.5 million stolen LinkedIn passwords had been posted on the Internet (together with the user's e-mail address), they went to sue LinkedIn for failing to provide adequate security and appropriate encryption for these passwords. Because users frequently use the same passwords for multiple accounts, stealing their LinkedIn passwords and E-mail addresses might expose a host of other accounts to compromise. Read more...

What's interesting here is why Genesco thinks it will get to take Visa to court: A month before Visa notified the acquirers of the assessment, Genesco signed a separate agreement with one of the acquirers, Wells Fargo (NYSE:WFC), in which the bank actually signed over its right to sue Visa to Genesco.Read more...

No security system is perfect, so the existence of a break-in—on its own—doesn't prove that security procedures were not followed nor that they were not appropriate. The case—heard in U.S. District Court for the Northern District of California in San Jose—raised several other arguments for customer seeking compensation for the breach, and the court shot them all down. To start the proceedings, the customers had to make a case for how they lost money as a result of the breach, given that it appears none of their personal information was ever used by the thieves.Read more...

That is already the law outside the United States and Canada, writes Legal Columnist Mark Rasch, and it may already be the law in those two holdout countries. It's a matter of interpretation.Read more...

That's a rather perplexing utterance. Given that the chain said data-capturing software was found in the POS systems of some 19 stores, it's pretty easy to declare the security of every card used in those machines during that timeframe was compromised. That's not to say that the thieves successfully captured that data in a usable form or that they have actually tried to use that data yet. But in terms of the data being compromised, that debate was pretty much over when the software was found.Read more...

The program, called ezeClick, was developed by the Amex India group and is being closely watched by Amex corporate. "We let each market develop what they need and what they think will work for them," said American Express Spokesperson Jim Tobin. "I assume it will start showing up in other markets."Read more...

The debate surrounds the Seattle-based retailer's use of a vendor called Euclid, which captures information from the Wi-Fi signals of both customers and passersby. Is it legal? There is no specific U.S. law on whether MAC addresses are "personal information" entitled to legal protection. Moreover, U.S. law regarding things like access to cell phone records and cell phone usage probably don't apply to the Wi-Fi portion of the device. So although it may constitute an unlawful "trap and trace" or "pen register" to capture a cell phone number or IMEI of a cell phone, these laws likely don't apply to capturing the MAC address of a Wi-Fi-enabled device. Put simply, your iPad or Wi-Fi-enabled iPod isn't a phone, nor is the non-phone portion of your iPhone, Blackberry, Android or Windows mobile device.Read more...

That means when a retailer's social media presence is under attack, the difference between being down for more than an hour (like Burger King) or just 10 minutes (like Jeep) can be a matter of setting up the equivalent of a kill switch—and that's going to take some work.Read more...

Abu Dhabi is going to an E-Commerce-friendly street address system. The capital of the United Arab Emirates announced on Sunday (Feb. 17) that, over the next 30 months, every building will get a number and every street will get a unique name (in many cases a much shorter name, in part to satisfy the needs of online forms), along with a short postal code. Currently, streets may be known by multiple names. For example, 7th Street is also Zayed the First, but it’s commonly known as Electra. And although the street Abu Dhabians call “Bank Street” is lined with banks, it’s formally named Khalid bin Waleed Street. Even some new glass-and-steel hotels have addresses like “Between the Bridges.”

Although local couriers are currently able to navigate the city to make deliveries, U.S.-style addresses should simplify things for E-tailers using addresses or postal codes for things like payment-card verification. It’s also a useful reminder for E-tailers that online forms designed for U.S. addresses aren’t necessarily going to work well in the rest of the world. With its population of 2.4 million people and a per capita income just below that of the U.S., Abu Dhabi is hardly a little desert oasis. But having three names for every street may not be so bad—just ask anyone who has tried to find an address on Peachtree in Atlanta.…

This lesson has been reinforced at least three times in the past few weeks in separate PCI Security Standards Council (PCI SSC) guidance documents. One question is whether merchants—particularly small and midsize merchants—will ever hear this advice. As a QSA, PCI Columnist Walter Conway occasionally gets the impression that clients might not spend more time researching their next smartphone, laptop or sailboat than they do reviewing service provider contracts and service-level agreements (SLA). It is particularly important for merchants to realize the source of the advice. It comes not from the PCI SSC staff but from active PCI practitioners with first-hand experience. Read more...

Shoppers do the darnedest things, such as taking home packaging with attached EAS labels and then throwing it into the microwave oven. We’re not just talking about reheatable soups but about things like hamburger meat, complete with the styrofoam and ultra-meltable shrinkwrap plastic. Although the molten plastic is poisonous and smells awful, the EAS tag can catch fire. (Note: Fire, plastic chemicals, styrofoam and plenty of radiation is a recipe for a new microwave—and possibly a new kitchen.)

“Typically, people are trying to defrost beef, chicken, etc., in the original package after it is frozen and it’s difficult to remove the plastic,” said George Cohen, a spokesperson for EAS vendor Checkpoint. Checkpoint on Tuesday (Feb. 19) rolled out what it says is a microwave-safe EAS label. That may sound like a great idea, but when you’re faced with an EAS tag or label that refuses to stay deactivated, the idea of frying it in the breakroom’s microwave oven was always a nice failsafe.…

The recommendations, of course, also offer the generic list of best practices for mobile device security (such as strongly encouraging full-disk encryption), which is certainly a handy checklist for chains just starting to seriously explore mobile payments. One key point of the report is to acknowledge the very complex nature of mobile systems, which have far more players than traditional fixed POS systems. For example, the report speaks of the desirability of lab validation for mobile devices and why it's simply—and regrettably—not practical.Read more...

Linda Genesta was a long-time eBay seller. For 18 years, beginning in 1999, she sold what she described as "high-end, high-quality, imported authentic European and American antique and vintage textiles, fabrics, pillows and trims," Everything was fine until July 2008, when eBay allegedly removed Genesta's items from the marketplace, alleging "unspecified 'misrepresentations'" in violation of its Terms of Service. As a result, Genesta says, she is effectively "out of business."Read more...

Never mind the physician-heal-thyself aspect of this incident (which is a little tough for us because, well, Bit9 did do exactly what it tells its customers not to). More to the point, it's another sign that retailers need to stop trusting security and start thinking securely.Read more...

Security rules are wonderful things, and nowhere are they more needed than in retail and payment-card data. But a common criticism of the organization handling such matters—the PCI Council—is that it delivers security edicts in a vacuum, with minimal regard to how different types of merchants function in the so-called real world. Such critics were given three golden examples this month. The examples, in the areas of cloud guidance, P2PE validations and Windows XP end of life, illustrate the types of collisions that are inevitable when committees seeking ideal security approaches run into chains with razor-thin margins (or losses), workforce reductions and store closings. Put more bluntly, it’s the age-old battle of the ideal versus the pragmatic.

This is explored in StorefrontBacktalk‘s February monthly column in Retail Week, the U.K.’s largest retail publication. The column lives here at Retail Week. For those who don’t have a Retail Week subscription—shame on you!—here’s a copy at StorefrontBacktalk. You can also check out all of our recent Retail Week columns here.…

Everyone knows the standard advice when someone—especially someone who works in IT—is about to be fired or laid-off, all of their passwords and systems access are shut off right before they’re told. You never know how people are going to react. Perhaps it’s time to expand those HR termination rules to also cut-off access to all company social tools, including Facebook (NASDAQ:FB), Twitter, Google+ (NASDAQ:GOOG) and LinkedIn (NYSE:LNKD). That’s a rule 257-store British entertainment chain HMV probably wished it had.

In late December, the chain was in the process of telling employees about extensive layoffs when one of those employees—someone who had password access to the company’s Twitter feed—began sharing her thoughts, such as: “Sorry we’ve been quiet for a long time. Under contract, we’ve been unable to say a word or, more importantly, the truth.” Then this matter-of-fact tweet: “We’re tweeting live from HR where we’re all being fired. Exciting.” One of her last tweets before all tweets from the company went silent was this delightfully predictive one: “Just overheard our Marketing Director (he’s staying, folks) ask, ‘How do I shut down Twitter?'” The best ideas always seem to come just a little too late.…

One gem tells retailers they need to "obtain the details of the CPS's [cloud service provider's] compliance validation." This is the first official guidance that tells merchants to go beyond asking for the attestation of compliance (AOC). The guidance suggests merchants review "The Executive Summary and Scope of Work sections" of the CSP's report on compliance (ROC) and the "specific components, facilities, and services that were assessed." Securing a copy of the current AOC for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP's assessment, which is not sufficiently detailed in the AOC. The SIG recognized this situation explicitly with its recommendation.Read more...

In private clouds, retailers can demand unlimited data about their environments; shared cloud providers, meanwhile, simply cannot reveal information about other cloud residents. That very well may mean shared cloud vendors will simply not be able to provide enough information for a retailer to become PCI compliant. Does the council then ban shared clouds—as some have expected—or impose requirements on retailers that they may be unable to fulfill? The guidelines—which are not edicts from the council (yet) but, indeed, are solely guidelines—fairly describe the various types of cloud offerings, from the private cloud to the various shared options: community cloud; public cloud; and hybrid cloud. Although acknowledging that retailers may have limited control of the environment and the information in a cloud model, the council still places demands on the information gathered for PCI compliance.Read more...

That's right. Seven months after the standards were released and nearly two full years from its initial announcements on the matter, the PCI SSC has yet to validate a single P2PE vendor that can offer the promised scope reductions and a simplified SAQ to merchants. Why? Well, quite frankly, pens GuestView Columnist J. David Oder, because the council designed the wrong standard.Read more...

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information.Read more...

Such changes are especially likely because the court did not impose any restrictions on how retailers can use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting fraud. The ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location. The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court's Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.Read more...

On April 8, 2014, about 14 short months from now, Windows XP will reach the end of its life as an operating system. That means that starting on April 9, 2014, Microsoft will no longer market, support or provide regular security patches for that operating system. Retailers with POS or other payment systems running on Windows XP after this date will, therefore, no longer be PCI compliant. Read more...

A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don’t give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of smartphone users surveyed have used PayPal, six times as many as runner-up Google Wallet) was something we’ve heard often enough: 47 percent say they’re concerned about “security/safety/theft/loss of phone” with digital wallets. To its credit, the ComScore report on the survey does point out that consumers don’t seem to understand the added security that digital wallets provide. (A real surprise: 29 percent say they have no mobile-wallet concerns.)

But we never see surveys that ask consumers “What concerns, if any, do you have about using a plastic credit or debit card to make purchases?” What percentage would say they’re worried about losing the card or having their wallet stolen? Without

that, we don’t know if a question about mobile wallets means anything at all. If most consumers do fret about the risk of a stolen magstripe card but use it anyway, that’s clearly not what’s holding back mobile payments. Our theory: Consumers don’t actually care about security at all. Now will somebody please deliver numbers to prove us wrong?…