Evan Schuman's StorefrontBacktalk

In the ongoing sage of the TJX breach, the Wall Street Journal today quoted police sources that law enforcement “looking for a possible TJX link in a spate of recent arrests involving credit-card fraud in Alabama, North Carolina and Virginia.”

This comes on the heels of Florida giftcard arrests tied to TJX data. The Journal also quoted an unnamed TJX spokesperson saying: “While we cannot confirm that the data involved with the Gainesville arrests came from TJX, we continue to cooperate with law enforcement.” Yes, it’s not one of the more informative quotes, but it’s the first we’ve seen of TJX even acknowledging that Florida exists.…

More TJX rumors flying around. This one–which seems only a little wackier than some of the stranger rumors–has that the TJX data breach was launched via job-application kiosks.

The story ran in Dark Reading. I mostly note it because the writer–Kelly Jackson Higgins–is a very top-notch pro whose work I knew years ago.

Like any good reporter, she both reports the kiosk theory and lays out the theory’s weaknesses, including methods for getting the data to be returned to them. Interesting reading. …

The names of the states investigating TJX, the status of congressional hearings and a federal confirmation are among the latest developments in this huge data breach.

Beyond Massachusetts (who is in charge of the probe) and Rhode Island (which had launched its own probe before giving up and joining the group), states participating include: Alabama; Arkansas; Arizona; California; Colorado; Connecticut; Delaware; Florida; Washington, D.C. (OK, so it's not really a state. Sue me);hawaii (Probe 'em, Danno); Illinois; Maine; Maryland and Michigan. To read the full story--and to see the full list of cooperating states,

The Federal Trade Commission has confirmed that it has been investigating the TJX data breach that the retail chain disclosed last month, but released few details, according to a story in today's Boston Globe.

U.S. Rep. Edward J Markey (D-MA), a senior member of the House Energy and Commerce Committee, issued a statement supporting the government probe, as congressional leaders debate whether to hold their own hearings. One Congressional aide said on Tuesday that initial interest to hold House hearings has given way to letting the FTC conduct its own probe and to wait and see what it comes up with.Read more...

Our Week In Review audiocast returned this week, courtesy of guests from Forrester Research, IHL and the Retail Systems Alert Group. This week’s show was hosted by eWEEK.

Topics included the latest from the TJX ongoing saga and Forrester’s predictions of the top E-Commerce trends for 2007.…

MasterCard has now confirmed that TJX had not been compliant with PCI rules at the time of its massive data breach, according to an employee of a MasterCard PR agency.

Specifically, the agency person said that MasterCard has now “confirmed that TJX’s acquiring bank had identified them as not yet compliant.” This follows a report Monday from ePayNews.com, which added that MasterCard “understands that TJX was actively working toward compliance.” The story suggested–and the MasterCard source confirmed–that the acquirer was Cincinnati, Ohio-based Fifth Third Processing Solutions, which is apparently TJX’s sole acquirer in the U.S..

The suggestion that TJX had not been PCI-compliant at the time of the breach is hardly news–with widespread reports raising questions about both inadedquate encryption and improper data retention–but MasterCard publicly confirming it is is unusual.…

The Rhode Island Attorney General’s office is launching a formal investigation of TJX’s data breach, including what caused it, why it wasn’t detected more quickly and why the announcement of it was delayed, the AG’s office announced on Monday.

The investigation—technically, a Civil Investigative Demand (CID) on the authority of both Rhode Island’s Deceptive Trade Practices Act and its Identity Theft Protection Act of 2005—is expected to officially begin with its first meeting with TJX officials on Feb. 12 at the Attorney General’s office in Providence, said Edmund Murray Jr., a special assistant attorney general who is in charge of the probe. To read the full story, please click here.…

Financial analyst firm CL King & Associates has downgraded TJX (to neutral from strong buy) as fallout from the security data breach and the company’s vague answers continues. “Based on our diminished EPS outlook for FY07, we believe an investment in TJX Cos. is likely to be dead money at this point,” said the firm’s research advisory.

Much of the firm’s concerns are about when the next shoes may drop, especially anything involving the cost of paying for all of these unknowns. “Regarding FY07 expenses related to the data breach, the company stated it is not yet able to reasonably estimate the losses it may incur. Management stated it is unlikely to be able to reasonably estimate such losses at the time earnings are released in FY07,” the advisory said. “The ongoing expense issue includes legal costs, exposure to credit and debit card companies and banks, related fees and expenses, and other possible liabilities.”…

The attribution in this Chosun Ilbo (a major Korean newspaper) story is a bit thin--as in "The credit card industry announced Sunday," which suggests the image of a stunningly crowded podium--but the essence of the story is still an interesting way to start the week. It reports that the "private data of around 10,000 Koreans who use credit cards associated with Visa, MasterCard and American Express was stolen" in the TJX incident.

"The credit card industry announced Sunday that an intruder had gained access to the databases of TJX Companies and stole sensitive information of about 40 million card users including 10,000 Koreans," said the newspaper's online story. To read the rest of the story, .

The Massachusetts Bankers Association has now confirmed TJX-related fraudulent credit/debit card purchases in Florida, Georgia and Lousisiana plus in Hong Kong and Sweden. “Thus far, nearly 60 banks have reported into the MBA that they have been contacted by the card companies about compromised cards, and these banks are notifying customers and in many cases reissuing new cards,” the association said.

The ABA has been lobbying for rules that would require the disclosure of a retailer’s name when they “caused a data breach,” as a way of both discouraging retailers from being cavalier about security as well as protecting their member banks from being blamed for something they didn’t do. They also are trying to force retailers to pay for the damage if its’ caused by that retailer’s reckless security procedures.…

TJX is learning that the trickling out of bad news is a great way to keep a negative story alive and to send distrust as high as possible. Remember that mid-December unauthorized access that it didn’t report until mid-January? Turns out it had taken place almost seven months earlier, back in May 2006. I guess they wanted to make sure the thieves had plenty of time before the public was alerted.

“We had said in our press release that we had discovered the breach in mid-December but we did not put in when it occurred,” TJX spokeswoman Debra McConnell was quoted as saying in a Computerworld story.

Meanwhile, in Pennsylvania, regulators there have decided that the credit card theft was, ironically, too big to require consumer disclosure. “Under a new state law that took effect in June, businesses are required to notify Pennsylvania consumers by letter, telephone or e-mail if sensitive personal data is lost or stolen, exposing them to the risk of identity theft,” reported the Pittsburgh Post-Gazette. “But the AG’s office, which enforces the statute, said yesterday that personal notice is not required if more than 175,000 consumers are involved or if the cost of notification would exceed $100,000.”…

Two days after confirming that driver’s license data was intercepted during a major intrusion last month, TJX officials have been directly accused of retaining “unnecessary” personal data, possibly in violation of PCI rules.

“We think it’s a little odd that (TJX) would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary,” said Daniel J. Forte, president of the Massachusetts Bankers Association. Forte’s group is lobbying for a state law change that would force retailers who are recklessly lax in their security procedures to pay for the cost of repairs.

“When a bank must issue new cards due to a retailer’s data breach, it can add up to a significant expense considering that thousands of cards could be involved. MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards. However, there is no guarantee that the full amount will be reimbursed,” Forte said. “Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?”…

To be fair, after more than a year, 552 vanity TLDs (out of 1,930 applications) have actually made it through the process to the point where there are no objections and they don't match other applicants. That includes retail-related terms like .camera, .clothing, .market, .markets, .pharmacy, .shoes and .toys, along with 23 actual retailer names. They're ready to start getting their contracts. Everybody else still has hurdles to climb.Read more...

Also on Friday, Visa and MasterCard sued a group of merchants and trade groups who have opted out of the settlement—but that's less impressive than it looks. The card brands' suit is a mirror image of the lawsuit that Target and 16 other retail chains filed last Thursday (May 23), which claimed the card brands' entire rule structure violates antitrust laws. The card brands are asking a court to declare that its rules don't violate antitrust laws.Read more...

The problem comes down to the fact that anyone can object to a TLD that has special significance beyond being a trademark, and far more objections have been filed over the nearly 2,000 applications for the new TLDs. In .amazon's case, there's a South American river with the same name (what a coincidence, huh?)—and several South American countries believe that's a good reason for Amazon not to get control of .amazon. Read more...

Customer service is one of the hardest things to reliably, consistently, accurately and—here's the hardest one—meaningfully measure in retail. Other top customer service performers according to the survey are, in order: PetSmart, BJ's Wholesale, Walgreens, AutoZone and Home Depot. Weak performers include: JCPenney, Marshalls, Gamestop and 7-Eleven. (Note: JCPenney has the distinction of being the retailer that suffered the largest drop in customer service ratings from last year to this year. JCPenney dropped 6 percent. The biggest retail gain during the same period? Office Depot (NYSE:ODP), which boosted its score by 11 percent.) Read more...

A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don’t give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of smartphone users surveyed have used PayPal, six times as many as runner-up Google Wallet) was something we’ve heard often enough: 47 percent say they’re concerned about “security/safety/theft/loss of phone” with digital wallets. To its credit, the ComScore report on the survey does point out that consumers don’t seem to understand the added security that digital wallets provide. (A real surprise: 29 percent say they have no mobile-wallet concerns.)

But we never see surveys that ask consumers “What concerns, if any, do you have about using a plastic credit or debit card to make purchases?” What percentage would say they’re worried about losing the card or having their wallet stolen? Without

that, we don’t know if a question about mobile wallets means anything at all. If most consumers do fret about the risk of a stolen magstripe card but use it anyway, that’s clearly not what’s holding back mobile payments. Our theory: Consumers don’t actually care about security at all. Now will somebody please deliver numbers to prove us wrong?…

But Zaxby's doesn't operate any of the stores—they're all franchisees, putting both the company and the franchisees in a worst-of-both-worlds situation.Read more...

The ongoing saga of Card Activation Technologies (CAT)—the gift card patent owner that has been suing many of the nation’s largest retailers including RadioShack, 7-Eleven, Nordstrom, Macy’s, Starbucks, JCPenney, Sears, OfficeMax, TJX, McDonald’s and Walgreens—took another bad turn for CAT as a federal appeals panel upheld on Monday (Dec. 10) a federal court that had ruled against CAT. CAT has previously said that all of its survival hopes are based on a successful appeal. The financially strapped CAT’s only choice now is to try an appeal to the full circuit or even to appeal to the U.S. Supreme Court directly, both of which would be considered long shots.

Still, CAT attorney Mark Peterson said his client has about 30 days to decide its next move. The case that the Third Circuit sustained included a memorable line from Kent A. Jordan, who was serving as trial judge but who is primarily a member of the appellate panel. Jordan referred to one CAT claim, involving granting another party more time to amend a complaint, with the comment that “it takes some chutzpah to mount those objections.” It’s likely to take more than chutzpah for CAT to mount another appeal.…