Security / Fraud
The Retail Credit Card Addiction
October 7th, 2007
Retailers started using the credit card numbers to identify purchases with specific consumers, given that they had to store them anyway. It turned out to be a convenient link into CRM systems, especially for customers who weren't using the traditional retailer-issued loyalty card.
Retail Group Lobbying To Have Credit Card Data No Longer Stored
October 4th, 2007
Retailing's most powerful lobby—the National Retail Federation (NRF)—is launching a campaign to change the way that credit cards and retailers interact. Conceding that the Payment Card Industry (PCI) procedures have simply not been effective at stopping massive retail breaches, NRF CIO David Hogan has been pushing for a radical change in tactics, one that will require Visa, MasterCard and American Express to change procedures.
"It is unlikely PCI will ever be able to keep pace with the continually-evolving sophistication of the professional hacker, or anticipate every possible variation of future attacks," Hogan said in a letter to Bob Russo, the head of the PCI Security Council. "We believe the time has come to rethink the assumptions behind PCI."
Dillards Launches RFID Trial By Rattling Off Things They Promise To Not Do
October 4th, 2007
In a sign of the times for beleaguered RFID, when $8 billion apparel and home furnishing chain Dillards announced Tuesday that it was beginning an RFID pilot, it spent most of its short statement detailing various restrictions on its trial efforts. It’s sort of like announcing a brand-new hire by telling employees all of the things you won’t permit the new person to do.
The item-level RFID/Electronic Product Code (EPC) trial will feature “tags designed to be removed at the time of purchase. They are not required in the event that the customer wishes to return the garment. No link will be made between the garment information held by the tag and the customer’s personal information,” said the retailer’s ultra-happy news release.…
TJX Congressional Hearing Delayed Again
October 4th, 2007
The TJX hearings in the U.S. House of Representatives have been delayed again—I’ve lost count of how often they’ve been postponed—and are now penciled in for November.
Various hot issues of the day have been pushing it back, suggesting that House leaders don’t consider the world’s worst data breach that big of a deal. But the proposed TJX settlement highlights the critical need for federal legislation to address the data breach problem.…
TJX Judge: Letting Consumers Sell Vouchers On EBay “Won’t Cut It”
October 4th, 2007
When U.S. District Court Judge William G. Young last week told lawyers that he had some serious concerns about the proposed TJX settlement, he also took issue with part of the initial proposed settlement that would allow consumers to turn the vouchers into cash by selling them.
In a courtroom exchange, TJX attorney Harvey J. Wolkoff tried to argue to the judge that EBay is an easy way for a consumer to turn the vouchers into cash.
Replied Young: “Too hard for me, Mr. Wolkoff. Too hard for me. These are consumers. People know how to cash checks. Saying ‘Go to eBay and negotiate it’ won’t cut it.”
Mr. Mayor, If That’s Your Real Name. NYC’s Hizzoner Has Moniker Swiped
October 2nd, 2007
Were one of a mind to argue that identity theft is not a big deal and true victims are hard to find, it's probably not a good idea to make that case in New York's City Hall these days.
The Manhattan D.A. announced Tuesday that New York City Mayor Mike Bloomberg had his identity grabbed and placed on some bogus checks totaling $420,000, written to be drawn on the Mayor's personal bank account at the Bank of America.
Data Thieves Fall Into The Gap
September 29th, 2007
The Gap re-learned two security lessons on Friday: make sure outside vendors comply with your security policies, and beware the laptop's ability to make unencrypted data so easy to take.
The Gap reported that personal data (including Social Security numbers) of some 800,000 job applicants was stolen "from the offices of an experienced third-party vendor that manages job applicant data for Gap Inc." Gap has a stated policy against storing non-encrypted data and "contrary to (Gap's) agreement with the vendor, the information on the laptop was not encrypted."
Judge Pushes Back On TJX Settlement
September 28th, 2007
The federal judge overseeing the consumer portion of the TJX case is concerned about the proposed settlement and wants to see TJX vouchers replaced by cash.
U.S. District Court Judge William G. Young told attorneys late Thursday that he “had a lot of questions and concerns” about the settlement, which provided for wronged consumers to be given $30 TJX vouchers, according to Thomas G. Shapiro, an attorney representing some of the consumer plaintiffs who was present in the courtroom.
Year To Year Comparison Shows Very Little Shift In PCI Failures
September 28th, 2007
When one PCI audit firm released its annual summary of PCI audit weaknesses, a comparison with the prior year showed retailers are still struggling with the same issues.
For 2007, the most frequently-failed credit card security requirements are regular testing, secure applications, protecting data and enforcing unique user IDs, according to a summary of the audits from Verisign. What's more interesting, though, is how little that list has changed from the prior year. Regular testing in 2006 was number two instead of number one and protecting data was number one instead of number three.
Visa Rolls Out Its Smallest Contactless Payment Fob
September 28th, 2007
Visa on Wednesday introduced what it said was its smallest payment device ever. The Visa Micro Tag is a contactless fob designed to hang off of a keychain.
Visa has waived the requirement to have an account number embossed or printed on the device, in an attempt to boost security. The new payment device will be issued as companion devices to existing credit, debit and prepaid cards, Visa said.…
TJX Encryption, Data Retention Details Trickle Out
September 26th, 2007
TJX is still retaining customer data for far too long—18 months—and for the wrong reasons, although its current wireless efforts appear adequate, according to a report issued Tuesday by the Office of the Privacy Commissioner of Canada and the office of the Information and Privacy Commissioner of Alberta.
Even after deciding in September 2005 to move to WPA, the report said, it didn't complete the rollout until mid-January 2007, which was the exact point when TJX announced to the world the largest retail data breach ever.
The Canadian privacy officials were not pleased with TJX's encryption efforts. "There were flaws. TJX relied on a weak encryption protocol and failed to convert to a stronger encryption standard within a reasonable period of time," the report said, adding, "While TJX took the steps to implement a higher level of encryption, there is no indication that it segregated its data so that cardholder data could be held on a secure server while it undertook its conversion to WPA."
What Was Behind The TJX Settlement?
September 24th, 2007
When TJX announced Friday night that it had worked out a settlement for all of the consumer lawsuits that had been filed against it, it provided an anticlimactic ending to much of this data breach saga.
But in many ways, this resolution—with a settlement offer that will cause TJX very little material pain—was inevitable. Despite the background of the most massive data breach in retail history, where credit card data of some 46 million consumers fell into unauthorized hands, TJX had virtually nothing to fear from the U.S. judicial system.
TJX Settles Lawsuits, Offers Discount Days
September 22nd, 2007
With a $6.5 million check for attorney fees and limited $10/hour hassle reimbursements for customers, TJX announced a deal Friday to make all of their consumer lawsuits go away.
The details of the settlement show the $17 billion retailer's attempts to address consumer injuries. But given the huge scale of this breach, the compensation to any one consumer is likely to be minimal.
TJX has agreed to compensate consumers for any time they lost "as a result of the intrusion," but those calculations will assume a rate of $10/hour.
TJX’s Settlement: Marketing Chutzpah At Its Best
September 22nd, 2007
Only TJX could take a lawsuit settlement from the worst retail data breach ever and try to turn it into an upsell situation.
TJX's multi-part settlement of all of the consumer lawsuits against it for its massive data breach is a fascinating denouement to the TJX saga. What makes this latest twist so delicious is that TJX has played this debacle the way a retailer should, assuming the retailer is Niccolo Machiavelli.
When admitting to a massive data breach impacting some 46 million of your customers, and when also conceding by implication that much of it was your fault given inadequate security measures, most companies would be chagrined, embarrassed and perhaps even a little bit ashamed. But not our heroes.
TJX’s Perfect Mistake
September 15th, 2007
There are some errors that are too delicious to not share and also too wonderful to even need any sarcastic comments. (This is said by someone who believes that one should never be stingy with sarcasm.)
It seems that TJX, in an SEC filing this week, dubbed themselves “in bold capital letters at the top of the filing: The Perfect Company,” according to this Boston Globe story with one of my favorite headlines ever. (“TJX Cos. to SEC: Perfect We Are Not”)
Said TJX senior excuse maker Sherry Lang: “The leading financial services vendor who handled the filing of this form has admitted that the error occurred at its facility and they are looking into it. A corrected Form 8K will be filed shortly.”…
TJX Alleged Fence Sentenced To Five Years In Prison
September 14th, 2007
One of the Miami residents charged with trying to sell stolen TJX credit card data has been sentenced to five years in prison and ordered to pay $600,000 in restitution, the Florida state Attorney General announced Thursday.
Irving Escobar and several others were charged with using counterfeit credit cards that they manufactured using the stolen data from the TJX breach. "Authorities believe Escobar and his codefendants acquired the stolen data and used it to re-code the counterfeit credit cards which were then used to purchase the gift cards," according to a statement from the AG's office.
Tests Showing Cancer Risks Of Implanted RFID
September 10th, 2007
The implantable RFID chip story is getting more frightening, with the Associated Press now reporting a series of tests showing cancers being caused by the implants.
This is potentially significant as Applied Digital has been working aggressively to implant these chips as widely as possible. Although this isn’t likely to have a huge impact on traditional retail RFID efforts, any reliable reports of cancer-causing agents are going to raise questions. With tags being sewn into the layers of clothing, will the cancer reports become more widespread?…
Did Radio (Waves) Kill The Biometric Star?
September 6th, 2007
In another unintended consequence example, contactless payment and mobile payment efforts seem to have stunted the growth of retail biometrics. Is this a marketing fault or the death of an idea that never had much of a chance?
A few years ago, retail biometrics had what seemed to be a very bright future. They promised superior security and a permanent CRM association. If that customer switched credit cards, moved to another state, changed their name and changed cellphone companies, the fingerprint would still allow all purchases to be associated with an individual customer.
Know Your Enemy
September 6th, 2007
Retailers of all sizes need to intensify their data security protections, but different kinds of threats merit different kinds of defenses.
With all of the PCI and data breach talk these days, it's easy for retailers of all sizes to be on edge. Although it's undeniable that merchants of all sizes need to protect themselves, different issues threaten Wal-Mart and Phil's Bait Shop.
Larger retailers can be seen as the better targets in the Willie Sutton School Of Thought (when asked why he robbed banks, the legendary holdup man is said to have replied, "That's where the money is"). But smaller merchants can be attractive for the opposite reason, namely that they are likely to have less sophisticated defenses. The term cyber thief today actually describes bad guys in three very distinct groups.
Report: Self-Checkout Usage Soared 24 Percent Last Year
September 6th, 2007
Consumers spent more than $137 billion in retail self-checkout in 2006, with increased self-checkout use in do-it-yourself stores, supercenters and warehouse clubs mostly responsible, according to an IHL study released Thursday. That's 24 percent more than was self-checkouted in 2005, IHL said.
The study also reported consumer resistance to the machines starting to dilute, with 44 percent saying they "really like self-checkout" and "only nine percent say they will not use the technology," IHL said, citing its 1,000-consumer survey conducted in the Spring/Summer of 2007.
Shell Oil Backs Visa’s Partial Payment Service
August 23rd, 2007
Visa’s partial authorization pre-paid approach got a huge boost on Thursday, with Shell Oil and its 6,000 gas stations (I wanted to say “service stations” but who are we kidding?) publicly committing to the service.
The partial payment tactic is designed for customers making a purchase that is larger than the dollars remaining on that card. Traditionally, such a payment is rejected, potentially losing the sale.
With Visa’s partial approach and Shell, the gas pumps would be programmed to only dispense as much product as the customer has on the card. (They’ve automated the old Vaudeville sales joke. “How much is it?” “Depends. How much do you have in your wallet?”) This doesn’t work for all products, but it should work well with gasoline sales.…
Dying Is Easy, PCI Is Hard
August 23rd, 2007
PCI deployment isn't perfect, but it's quite impressive how far it's come given the mammoth obstacles. As its most public face, Visa has taken a lot of the criticism, but it also deserves much of the credit.
As a group, humans are a tough audience. Cruelly and quixotically, the more difficult and massive the task, the quicker we are to point out the shortcomings rather than praise the accomplishments. Please don't get me wrong. There are plenty of issues with PCI deployment today. But let's not be too quick to attack the very good for not achieving the unattainable perfection.
A Ukrainian TJX Connection?
August 21st, 2007
U.S. postal inspectors are investigating if there is a Ukrainian connection to the TJX data heist, according to this Boston Globe story. The 24-year-old suspect was arrested weeks ago in the Turkish resort city of Kemer, according to this Associated Press story.
It’s not news that authorities have suspected Eastern European cyber thief syndicates as being involved in the TJX incident, given its massive scope (info from more than 45 million cards taken), sophisticated methods and long (multi-year) duration. But the investigators have identified a specific Ukrainian, Maksym Yastremskiy, as having “sold card numbers through online forums hosted overseas, sometimes in Cyrillic or that were password protected. He is likely the largest seller of stolen TJX numbers.”
Prices ranged from $20 to $100 per stolen card, and the cards were sold in batches of up to 10,000, depending on factors like the credit limits of the consumer accounts being traded, the story said. …
The Visa Blink
August 16th, 2007
The love-hate relationship that is the American retailer-bank-credit-card marriage is nothing if not complex. Few partners ignite such wrath and venom within retailers as their credit card partners and their—well, let's just say "generous"—interchange fees. On the flip side, the banks and credit card firms see themselves as having to pay the PCI piper whenever there's a data breach, even if—from the bank/card perspective—that breach was the fault of the reckless retailer.
But like so many business relationships, hatred can be trumped by only one thing: greed. Which is the most terrifying? The prospect that a retailer may no longer be able to accept major credit cards or that the banks and card companies will lose all of that revenue to alternative payment vendors?