Evan Schuman's StorefrontBacktalk

Old breaches never die, they just—well, they never die. A small bank in Illinois on April 1 announced that some customers’ payment card information had been compromised at card processor Heartland Payment Systems. Yes, that Heartland. And yes, that breach—the one in 2008. “MasterCard and Visa, along with the FBI and Secret Service, have been investigating the incident for several years, and although the security breach is reported to have occurred between May 2008 and November 2008, the compromised information is only now being used to conduct fraudulent transactions,” Freestar Bank President Scott Bauknecht told a local newspaper.

That means that, more than two years after the breach was closed and the first arrests were made in the Heartland case, the thieves are still working their way through the trove of stolen card numbers. Holding onto the numbers that long is a gamble for the thieves, of course, because many of the cards could expire or be canceled over that much time. Then again, after two years without any fraudulent activity, banks and retailers will almost always assume that a card number hasn’t been stolen. That assumption may not be safe again for a long time.…

Meanwhile, Sprint—which was left out of ISIS' announcement of its formation in November—now says it was originally part of the group, but left. Although ISIS member Discover was originally presented as the only payments network ISIS needed, it now appears that Discover may not have an exclusive deal with ISIS after all. All this confusion comes in the face of one clear fact: Mobile operators should have the easiest time doing true mobile payments. When will they get their collective act together?Read more...

Epsilon is merely the latest in a series of publicized, highly embarrassing incidents for retailers where they are taking a consumer black eye for breaches, ethically questionable activities or gaping security holes that were entirely handled by third parties. Whether it's supply-chain management holes perpetrated on a multi-billion-dollar retail chain, SEO efforts against JCPenney or data-backup screw-ups that crippled the American Eagle Outfitter's site for eight days, retail IT execs are learning that as long as they are going to be blamed for what third-parties do in their names, they might as well take a much more active role in beefing up protection of all customer data.Read more...

The breach at the chain, The Briar Group (The Lenox, MJ O'Connor's, Ned Devine's, The Green Briar and The Harp), impacted at least 125,000 MasterCard and Visa customers, the state filing said. Other security naughtiness alleged: using the default usernames and passwords from its Micros POS systems, opting to not change network passwords "for more than five years," allowing those username/password combos to be "used system-wide for all users" and then not changing passwords after employees quit or were fired.Read more...

If the accusations are true, then the network engineer certainly engaged in decidedly naughty behavior. But in terms of engaging in proper security procedures—especially if there was any payment-card data lurking in those servers—there's plenty of black coal to go around. Gucci's IT staff was "tricked" into activating a VPN token for a non-existent employee? That must have been some trick. How difficult is it to look up an employee and verify with a known manager that he/she needs that access and, by the way, actually exists?Read more...

As a QSA, PCI Columnist Walt Conway argues that he would pay particular attention to patches the vendor identifies as critical, because those have to be installed within 30 days. Will you be able to see a log or other evidence that the patches were installed on all in-scope systems? Another example is your internal and external vulnerability scans. You need to have the CSP provide reporting each quarter on both your complete internal vulnerability scans and your external scans, which an ASV must perform. Read more...

The CIO at apparel chain Ann Taylor—Mike Sajor, who was recently promoted from serving as the chain's CTO—argued that the very nature of mobile devices will force a lot of good things. But as much as it will help retailers, it will also force their hands.Read more...

With all of the recent mobile payment activity as a backdrop, the recent freeze on any mobile security decisions from the PCI Council becomes even more frustrating for retailers. But the frustrations from the PCI delay are matched by a baffling lack of any public activity at all from ISIS, the joint mobile payment effort from AT&T, Verizon and T-Mobile that was announced back in November. Note to ISIS: When BlackBerry passes you by in momentum, it’s a really bad sign.

It’s hard to find a less aggressive pace set by any mobile player than the one owned by Research In Slow Motion, but ISIS is managing it. It’s like a new Aesop’s Fable: The Turtle and The Tortoise. Meanwhile, New York drug store chain Duane Reade has been toying with Device Fidelity systems to turn phones into contactless payment devices—but the phone is just decorative. All of the processing is performed by the chip, which slides into a phone slot. It’s in a phone, but it could just as easily be on a transistor radio or, for that matter, a pair of ski gloves. It’s essentially the old sticker contactless payment shtick, just done with some mobile props.…

That's not a done deal by any means. But PayPal has already said it plans to get its payment system into brick-and-mortar stores by the end of 2011, and earlier this month hired a former gift-card executive, Don Kingsborough, to make that happen. Getting 180 friendly retailers to sign on will make it much easier to break the plastic monopoly on in-store payments—something no other alternative payments system has been able to do.Read more...

Some cynical sorts might say that the paper receipt requirement's purpose is similar to the rebate form, namely to reduce the monies that are due by making consumers give up to avoid the hassle. With a time-unlimited return, the passage of time makes it increasingly unlikely that the receipt will be retained (and that the consumer would be able to find it). This raises the disturbing question of whether there's much of an incentive for IT to do away with the paper receipt. How will mobile impact all of this? The idea of printing a receipt from a mobile device seems Victorian quaint. Would John Lewis accept a receipt image displayed on a mobile device?Read more...

Retailers have always longed for consumers’ phone numbers, but consumers know that a phone number is very hard to take back once given. Unless customers change their number, they’re giving merchants access for a very long time. With mobile growth today and the ability to also text, never has the divide been more pronounced: retailers want to collect this info more and consumers are resisting giving it out more.

A startup called KipCall might—just might—have a possible way around this impasse, where it uses a Facebook API to hide consumers’ numbers and gives them a way of shutting out retailers the instant they feel like it. When consumers want to be left alone by a chain, they simply “unfriend” that merchant and the retailer has no way to reestablish contact. If this approach works—and it’s a fairly big if—it might greatly help retailers get phone contact information, because consumers would have less reason to fear handing over their number. There’s one catch: If the consumer opts to purchase anything from that retailer directly from a mobile device, there’s a good chance the customer’s actual phone number will be seen, thereby undercutting the whole exercise. Still, it’s a creative way to deal with this impasse.…

Wal-Mart's initial move will include 23 Pennsylvania stores, using the state's own self-serve wine kiosks. These kiosks have had mixed results, with some wine enthusiasts pushing back against the machines. But those are not legal issues and, believe me, these machines offer enough such issues to keep entire law firms gainfully employed.Read more...

In short, in the hands of an evil-minded competitor (in retail, are there any other kinds?), that Google-provided password could do a huge amount to slow down a rival, in addition to knowing inventory shipment plans so they can be countered. It represents a critical security breach—and one that started with the simple decision to put a confidential manual in a Web site subdirectory. That single password—which was printed in that Google-available PDF—unlocked a third-party's servers and revealed a supply-chain security hole large enough to drive a fleet of Mack trucks through.Read more...

Tesco made an interesting move last month in its long-running battle with rival ASDA, when it promised customers to compare what they paid at Tesco against ASDA’s prices and to then refund the customer double the difference. That campaign, launched on February 28, was indeed quite bold.

But the more-than-5,000-store chain learned the classic lesson that no retail deed ever goes unpunished. This week, just one month after the promotion’s launch, the chain lowered its £100 refund limit to £20 after being hit by customers who were gaming the system. (No one anticipated that?) “A very small number of customers have used Price Check just to hunt down products which a competitor has on promotion and to make some money by using our guarantee. We commend their ingenuity, but this isn’t why we set up the system,” said Tesco spokesperson James Wiggam. Wiggam said the chain doesn’t expect this setback to undermine the program in any meaningful way because, he said, “Fewer than one in 5,000 customers have been awarded vouchers over £20.”…

"A big thing to think about is how you are going to train your in-store personnel and educate them on the mobile strategy and the mobile app. We found many customers walking into restaurants, asking our personnel how to use the iPhone app. That can get lost in the mix," Concors said. "How are you going to redirect those consumers to the right level of support when those things come about? There's no way you are going to train all your personnel how to troubleshoot an iPhone app. In 99.99 percent of cases, there's no problem with the app itself. It's because the person doesn't understand or there's a problem with their phone or there's a problem with the network. If there's a problem with the app, we will see it across the board."Read more...

On Tuesday (March 22), payment processor First Data rolled out a mobile service that nicely illustrates the problem. A program dubbed mVoucher (for mobile vouchers) is a service to support gift cards, prepaid value cards and coupons for mobile users. Why couldn't most large retailers do it themselves, given that the functionality here is not overly complex? The answer is that they can. So why might they not? Simply put: the POS fear, when mobile is involved. It's an interesting twist on the age-old FUD (Fear Uncertainty and Doubt) selling tactic. But in this case, the vendor isn't spreading FUD about its products. It's relying on retailers already having FUD about connecting mobile with POS, creating an opportunity for an outsourced service that might not have otherwise existed.Read more...

Disruption just isn’t what it used to be. On Monday (March 21) consulting giant Deloitte issued a report on what it calls 10 “disruptive and emerging technologies” that will be a big deal to big companies over the next 18 months. The list includes cloud computing, software as a service (SaaS), visualization, analytics, social computing, mobile applications, ERP—wait, these are disruptive and emerging? Some of them emerged and did their disrupting decades ago. At this point, they’re about as disruptive as a cash register or a credit card.

It’s always hard for consultants to strike a balance, looking for the sweet spot in technology and trends that all their potential customers haven’t already adopted but are far enough past bleeding-edge status that they’re not a wild-eyed gamble. This time, Deloitte missed that sweet spot by about five years—this list isn’t even interesting. But we’ll be watching closely for next year’s report to see if that newfangled E-mail thing makes Deloitte’s list.…

Is this what we've come to? You have to wonder what would have happened if Pugh had tried robbing a Safeway. By the time he'd finished filling out the application for a Club Card, he'd be halfway to jail.Read more...

The food allergy example is probably the most extreme, because it literally can threaten the life of the consumer. It also is the most difficult retail customization to deliver, because it requires full cooperation from every supplier—something that is virtually impossible. Also, the whole idea of customization puts the burden of delivering on the retailer.Read more...

But instead of trying to shore up the popular but aging SecurID system, there's a better way for RSA to go: It could just publish the hashing algorithms and convert its SecurID users to mobile devices that could be updated on-the-fly at any time. That would eliminate all the advantage gained by the thieves who stole RSA's secrets, while making things more secure for SecurID users.Read more...

That's got to be galling for Apple, which made a big display of licensing 1-Click from Amazon a decade ago. But it's frustrating for all E-tailers, who thought they would only have to pay 1-Click tribute once, to Amazon. Now it looks like they may have to buy the same rights twice—unless Amazon (which isn't named in last Monday's lawsuit) can win its fight to be the only 1-Click game in town.Read more...

"I am reminded of the ill-fated Barbie Doll that whined: 'Math class is tough.' The maker pulled it from the market after numerous well-justified complaints. Maybe it's the old mathematics teacher in me, but I am wondering if we need a new Barbie that says, 'PCI is tough!'"Read more...

If your call center records phone calls and you ask customers for the security code from the back of their cards, you need to stop the practice and make sure your voice recording software cuts out and does not record the SAD. For many call centers that means upgrading or reprogramming their voice recording application or changing their process (for example, substitute address verification). Once you stop recording, the next step is to purge all SAD from the existing recordings.Read more...

The punitive response options from the PCI Council were designed for chains that violate current PCI guidelines, in that those businesses engaged in explicitly forbidden behavior. But the rules have no standard way to deal with new technology. A new payment system, unanticipated by the rules, is neither PCI Approved nor PCI Rejected. It is, frankly, PCI Limbo.Read more...

Sean Bunner, HSN's Operating VP, echoed Kinzey's sentiment. "It's such an early channel to get so granular. There's some overall trend stuff we're more interested in, like 'what category of merchandise are they purchasing?' From what we've seen, mobile is significantly different than Web or, for us, TV," he said. "But even within mobile, between mobile Web and apps. You see pretty significant shifts in categories, so we then have to get into CRM activity to see 'Why is that?' Do you want to merchandise that store differently?"Read more...