Mobile Payments May Make PCI Obsolete
August 6th, 2009
But there’s more to the challenge than semantics, argues PCI Columnist David Taylor. A lot more.
But worst of all, from Lawhorn's perspective, the display told passersby that the order confirmation board (OCB) was fully connected to the store's LAN and POS, which is enough to tell someone that it's worth trying to hack into. And with a relatively unprotected network connection plugged into the behind-the-store box, that's not an especially daunting task.
EBay's PayPal group went dark worldwide for all users for an hour Monday, starting at about 1:30 PM (New York time). Many users were unable to make purchases for a much longer period, until the final users were restored by about 6:30 PM. EBay said the cause of the outage was an "internal network hardware issue" and that EBay was "looking into how to address our affected merchants." If EBay wants to compensate—or, more precisely, console—merchants who were scared POSless on Monday, forget about compensation checks. Instead, do two things.
It would be nice to be able to remotely—and automatically—lock or unlock all doors throughout a retail chain at designated times, potentially leveraging RFID and wireless network access. Nice, that is, for bad guys who want easy access to your warehouse and other secure areas. At least that’s the premise of one researcher who cracked an electronic access system at the network control level and opened a door with a spoofed command sent over the network. As a nice touch, he also bypassed the audit log so the system wouldn’t see that someone opened the door.
What enabled it all was a system programmer who used predictable TCP sequence numbering, according to this nicely done story in Wired. “The problem occurs between the door controller and the server, which communicates with a persistent TCP session with ‘very, very predictable sequence numbering.’ Essentially, it increments by 40 for each new command,” the story said. “This means an attacker on the network can, while conducting a man-in-the-middle attack, intercept a ‘door unlock’ command and easily guess the next sequence number. Then, any time he wants to open a targeted door, he can sniff a packet to determine the current sequence number and send an ‘unlock’ command into the session with the next sequence number and the IP address of the administrator, fooling the system into thinking it’s a legitimate command. The command could remotely unlock one door or all the doors on an entire facility.”…
Actually, the need for this emerging payment “channel” and the specific payment platforms, software and services to be PCI compliant should be obvious, Taylor said. After all, the PCI standards have been around for about 5 years, so one would assume that PCI compliance would be “built in” to mobile payment products and services.
An intriguing blog discussion over at the Verisign security site, with the suggestion made that MasterCard has rapidly started upping its fines for PCI compliance issues. As the post asks, “Who poked MasterCard hard enough to wake them from hibernation?”
“MasterCard traditionally fined post-breach and, in some cases, we learned that MasterCard would fine merchants small, but consistent amounts to get the attention of accountants and finance gurus inside the company,” the post said, adding that times have now changed. “So Level 1 merchants are being fined, at most, $25K more from MasterCard than from Visa, and Level 2 merchants are being fined a whopping $315K more from MasterCard. If your company is actually made up of multiple Level 2 retailers, this potentially means that you could owe double, triple, or more. MasterCard rolled out another change to acquirers as well and will require newly boarded Level 1 & 2 merchants to provide a compliant ROC from a QSA before they are allowed into the network. So those Level 2 merchants that have been changing processors every year, it finally caught up to ya.”…
The details include an early PCI attempt to walk back the certification, retailers complaining about their names appearing in a breach notification letter and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that they retain credit card data a lot longer than they say they do.
The core of the bill is where things get a bit dicey. It requires retailers to notify consumers impacted by a breach "without unreasonable delay" but it doesn't say how much time retailers can take. Without that specific, it would seem difficult to enforce the law. Even worse, the exemptions for notification are so broad as to make it unlikely that any retailer would actually be impacted. For example, the bill provides a blanket exemption as long as a chain "provides a written certification to the U.S. Secret Service that providing such notice would impede a criminal investigation or damage national security." The Secret Service then has to perform a review to determine if it's a warranted claim. The problem is that the claim that something might impede a criminal investigation is so broad as to be meaningless.
This technique of analyzing the light reflection has a few potential advantages, such as the fact that bokodes are much more difficult to fabricate, meaning it will be much more difficult for thieves to use consumer-grade printers to make fake stickers or to print bogus codes on product containers. Also, it can trump RFID tags in a few ways, both for security and supply-chain efficiency.
"Our goal is to have it be completely comprehensive, for both online and offline," said Zoe Strickland, the Wal-Mart VP who serves as the chain's Chief Privacy Officer. "We need to govern all the different ways that we collect and use information. Privacy is not just about using the Web site. It's everything that happens when you're interacting with the company." The new policy opens the doors to consumers being able to examine their full customer files. Or does it?
In those mandatory situations, who owns that data? Given that there are no laws or even strict guidelines today about such capabilities, what's to stop a retailer from using the data for one legally mandated purpose—such as collecting state taxes—and then using it for an unrelated purpose, such as marketing or sales? Let's look at a few non-intuitive examples: Live streaming of a blacked-out sporting event, selling age-restricted content, export restrictions, state taxes and an insurance company monitoring driving speed.
Marketing will also share in the pain, as the typical—albeit unauthorized—assumption is that tracking the credit card of customer #1234 pretty much tracks customer #1234. That assumption—and all of the data decisions that hang off of it—would be tainted.
The mandate is being criticized by the Internet & Mobile Association of India (IMAI), which issued a statement asserting the measure will do little to prevent online fraud, since it will pertain only to payment cards originating in India. What it might do more effectively is make life hard for India's online retailers, said the group. "India is in an evolutionary stage in E-Commerce and this RBI directive may end up being the biggest deterrent to E-Commerce in the country, rather than an enabler," said the IMAI statement.
"Despite the recent progress, (self-checkout) remains a niche product in all but a handful of countries, and it still has a long way to go to reach the level of penetration achieved by traditional assisted point-of-sale terminals," said the report. It said stores in North America have about 80 percent of the world's self-checkout kiosks, about 74,000 units as of the end of 2008. "Western Europe was home to 15,000 machines and Asia Pacific 3,000 while the other regions contained no more than 700 machines between them," said Retail Banking. "Retail Banking's research also revealed that in 2008, a total of 22,800 global self-checkout shipments were made, up 19 percent on the year before."
But if there's any area where retailers would want more security standardization rules—or at least much more specific and realistic rules—it's clearly wireless security. To be fair, that's a very tall order and the nature of both wireless security and the PCI Council virtually make it impossible.
Although it's certainly understandable that, for SMEs, the cost of a wireless IDS/IPS can be prohibitive, this is the sort of technology that should be mandatory for larger (i.e., Level 1 and 2) companies. That is not only because of the time and effort that it saves, but also because it can be extremely difficult to spot “rogue” or malicious networks in dense urban areas, shopping malls and large multi-company facilities.
The move is part of a plan to move the state stores from IBM software over to an Oracle package, and the contract anticipates—and prohibits—the kiosk company from making money by combining the payment card data and blood-alcohol levels and selling them. (A little blackmail potential? If it weren't for that prohibition, it has all the potential for a nice business plan.)
A statement from Visa said that a "temporary programming error at Visa Debit Processing Services caused some transactions to be inaccurately posted" and that the glitch "has been corrected and erroneous postings have been removed." "It simply posted the wrong amount into online statements and it was corrected within hours," one Visa official said, adding that the specific amount varied slightly from consumer to consumer, but that they were all "equally large amounts" and were "in some cases identical amounts."
Pretty darn basic, actually. For example, at the live SME-oriented seminar, after listening to three different speakers discuss why PCI compliance is so important to data security and minimizing brand damage and the risk of a security breach, Taylor had two, not one, but two separate people come up to him and ask “What is PCI?” Both persons apologized for their “dumb” question, but it got Taylor thinking about other dumb questions that illustrate why we have a long way to go before we will be able to impress upon the SMEs of this world that PCI is worth paying attention to. A few examples....
Following word of a “if breached, we’ll cover some of your costs” program from Heartland, fellow payment processor Mercury Payment Systems has launched its own program, one featuring $40,000 of reimbursement from any of its retail customers that are breached. Mercury officials stress that it’s far from a reaction to Heartland, as Mercury started its program in late June and Heartland is only promising it for later this year.
The Mercury program is limited to retailers who “have successfully completed their SAQ and quarterly scans and remedied any highlighted issues,” said Kim Mackay, Mercury’s VP of marketing. “This is as much as 15K towards a 3rd party forensic audit and as much as 25K toward fees and fines. Although 40K doesn’t sound like much, our research has shown that our typical (Level 4) merchant would be covered. And this is regardless of whether they use our PCI program or someone else’s from a list of approved ASV’s.” Will this soon become a processor must-have? …
Just a few weeks after it roughed up Level 2 merchants with demand for on-site assessments, a dustup with MasterCard was causing confusion about their remote key injection policy. A Gartner report this week–carried by Computerworld–said that MasterCard was rejecting it.
MasterCard indeed changed its policy regarding using remote key injection to install new encryption keys on point-of-sale (POS) systems, but the change was only to ban when the hardware is not already PCI compliant. If it’s PCI compliant–which many are–then it’s not an issue. “Our customers and vendors can use Remote Key Injection services to upgrade the terminals if those services meet all aspects of the PCI Pin Security Requirements,” said a MasterCard clarifying statement issued Friday (July 10).…
The kiosk program raises key issues about data protection and ownership when the data-using firm goes out of business or even just modifies its business. There is also the semantic issue of the privacy value of wiping data in two places if it also exists in a third.
It just means, writes PCI Columnist David Taylor, that the nature of the standard, current metrics, software tools, reporting and established business procedures haven’t been adapted to incorporate the types of controls and reporting that PCI enables. In short, merchants have focused most of their effort (and spending) on getting compliant, but hardly any effort has been focused on the “business by-products” of compliance, such as fraud reduction.
But July has chosen to remind us of these sad realities anyway, with a very successful DOS attack on government sites, a processor that knocked retailers offline because of a building fire and, oddly enough, Michael Jackson's passing. Jackson's passing sent scores of news sites crashing, but for reasons that frighteningly mirror circumstances the large retailers will face in late November.
The marketing reality is that almost every processor and security vendor today is hawking some version of something they're calling end-to-end encryption, forcing Heartland to do something flamboyant to get some attention. It's easy to nitpick the offer as not going far enough—to truly make the investment risk-free, why not offer to cover legal fees, court costs and the inevitable investigative and forensic costs?—but the more germane point is that it's farther than anyone else in the space has yet gone.