Evan Schuman's StorefrontBacktalk

"Target was one of the companies affected by an intrusion that occurred two years ago. However, the exposure—both in time and number of accounts—was extremely limited," said Target spokesperson Amy Reilly. "A previously planned security enhancement was already under way at the time the criminal activity against Target occurred and we believe that, at most, only a tiny fraction of guest credit and debit card data used at our stores may have been involved."Read more...

The chain has thus far avoided some of the read-rate accuracy problems that have plagued other trials (A&P last month swore off scanning directly from cell phone screens due to concerns about inaccuracies), pointing to an approach that determines the make, model and carrier of a phone before trying to scan. It then adjusts the scan parameters to be the most effective for that particular device. But 7-Eleven is also running smack into the delicate ethics issues around mobile marketing, where chains need to collect phone numbers and E-mail addresses to begin. In this case, for example, many of the consumers being targeted are children, officially as young as 16 and potentially as young as 14. Those youngsters are mixed with a target group of young adults, as old as 24.Read more...

Kathleen Edmond, the chain's Chief Ethics Officer and an attorney, thinks it's not only realistic, it's indeed about survival and profit-retention. A common theme among Edmond's examples is that even a moment that seemingly serves the interests of both the buyer and the seller may be unethical and ill advised. "If you're going to use someone's lack of sophistication in a way to benefit you and they've not objected, that doesn't mean that it's the right thing to do," she said. "There were throngs of people signing up for mortgages that were not good for them." Was it ethical for banks to approve loans to consumers if the banks knew that it was unwise in those cases?Read more...

As a philosopher might say, the only safe way to delete a file is to have never recorded it. As silly as that may sound from a data security perspective, it shouldn’t be dismissed. Consider this scenario: A chain notices a PDA app that uses geolocation to match consumers with local happy hours. (For those outside the U.S., it’s a time when bars tend to heavily discount alcoholic beverages.) It throws the app onto its mobile site as a service for customers and thinks nothing of it.

As a matter of policy, the chain decides that it will not use any of that information for marketing or anything else. Fair enough. But what if local law enforcement chooses to subpoena those records so that it can know who frequents happy hours a lot. And if it can tap into real-time data, police could try and catch people in the act. And, maybe some civil attorneys try to subpoena the documents as well, for some automobile accident cases. That’s the subject of our column this week on the McAfee security blog.…

The first MasterCard change made this month was pushing the Dec. 31, 2010, deadline back six months, to June 30, 2011. But MasterCard has also made two other key PCI changes. It has redefined what Level a retailer is (Level 1, 2, 3 or 4) to, for the first time, mirror whatever level Visa has determined. The last of the changes is to allow Level 1 and Level 2 retailers to perform their own assessments—using the retailer's own salaried audit staff—as long as those audit staffers have passed PCI-approved training courses. "A bunch of Level 3 and Level 4 merchants just became Level 2s," said one QSA. "With this reciprocity gotcha, MasterCard giveth and MasterCard taketh away."Read more...

The chain, which has stores in 48 states in the U.S., lost its data connectivity on December 10 when the service provider made a modification that went awry. "It was an inadvertent switch to dynamic IP from fixed IP," said CIO Ray Hamilton. "That shouldn’t happen, and it took us a couple of days to resolve."Read more...

Weak security at RockYou.com, a social networking application development site, allowed unauthorized access to more than 32 million user log-in credentials stored in an unencrypted database, according to the site’s chief technology officer. The SQL injection flaw allowed access to those credentials, and because “the user names and passwords are by default the same as the user’s Webmail account—such as Hotmail, Yahoo or Gmail—this is a major lapse in security,” said Amichai Shulman, the chief technology officer at Imperva, a data security vendor that detected the problem and alerted RockYou officials, but not before the data theft had happened.

RockYou publicly acknowledged the breach Wednesday (Dec. 15), warning users to change their log-in credentials for other “online destinations” if they are the same as those used for RockYou.com. In a Venturebeat.com story on the incident, RockYou CTO Jia Shen said the problem involved RockYou’s legacy widget applications, a part of the site now closed, and he admitted the passwords had been retained unencrypted. Gartner Security Analyst Avivah Litan said retailers should view the case as a warning about the potential pitfalls of the single ID movement. “This just proves the theory that if you use an aggregator and have single sign-on to multiple sites, all it takes is a break-in to compromise your access to everything else,” Litan said. “Everybody should take a pause on these single-user schemes.”…

It boggles his mind that millions of dollars are spent each year to “secure” database lookup (authorization) and database write (settlement) transactions. Tokenization and encryption should have been required years ago. Although not all techies agree that this approach is best, I think we all agree that it is much better than nothing. But too many companies--my firm included--are going to have to spend too much money to implement such daydream adventures, so we keep living with a broken system. Unfortunately, this broken system has left franchisors with no “good” options.Read more...

Consider this example: A merchant shows its QSA its Web application firewall (WAF) and asks the QSA to mark it compliant with PCI Requirement 6.6. But the QSA probes deeper, and he finds that the WAF is in “learning” mode, which means it is letting everything through. Indeed, the WAF has been in learning mode since it was installed after the last assessment a year ago, meaning it is pretty useless from a security point of view and definitely not meeting the intent of the requirement.Read more...

The government was asking a federal judge for more time to investigate before a sentencing hearing, said the memo from Assistant U.S. Attorneys Stephen P. Heymann and Donald L. Cabell. "The government has been given no prior notice of either of these assertions, the defendant's intended reliance on expert testimony to support them or that the defendant was undergoing a psychological forensic examination." Read more...

Kroger nearly scraped the bottom of the barrel during the comparison, landing in the eighth place from the bottom of Sitemorse's list with a yawn-inspiring average response time of almost 1.5 seconds. How bad is that speed. "The general view of Sitemorse is that anything more than 250 milliseconds—a quarter of a second—is failing," a Sitemorse statement said.Read more...

Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs mislead the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not. She listened to recordings of an analyst call to conclude that, in full context, the processor's security claims were technically true.Read more...

From a non-IT perspective, the move would certainly discourage consumers from accepting—or even pursuing—instant credit, which has been a wonderful thing for merchants. It's unlikely that shoppers will be thrilled when asked by gum-chewing, teenage POS jockeys to whip out paystubs or a copy of last year's 1040s. Consider an analogy: The police chief who lives next door has a town ordinance passed requiring you to store in your basement a ton of heroin and cocaine that the police department has just seized. Read more...

Gonzalez agreed to plead guilty to his role in attacks on Heartland, Hannaford and 7-Eleven in a document signed at 10:14 AM New York time on Dec. 2.Read more...

It’s been almost two years since Sears become the first U.S. retailer to embrace 2D barcodes, a move that launched a tidal wave of, well, pretty much nothing. This week, Google said it was trying to breathe life into these barcodes by mailing 200,000 2D barcode stickers to small businesses throughout the country. Such a move could allow these mom-and-pops to offer in-depth marketing information to anyone at the click of a smartphone.

The Google initiative, first reported by Techcrunch, is proactive and therefore feels much more powerful than Microsoft’s efforts to market its “Tag” code idea. And Google is sweetening the potential adoption-rate odds by giving away 40,000 Quickmark 2D barcode reader apps for the iPhone. Just like contactless, which is also suffering from a heart-pounding string of apathy, 2D needs three things to happen in parallel if it is to succeed: A huge number of places that are showcasing 2D barcodes; a very strong percentage of consumers carrying phones that can easily read 2D barcodes; and plenty of publicized incentives to get those consumers to use the 2D barcodes from those retailers. The phones are well on their way, and Google’s initiative seems like a good faith effort to jumpstart the other two points.…

Still, the Shopper app, published by ReachEverywhere, suffers a variety of odd restrictions, such as limiting the recall data to two food-oriented agencies—the U.S. Food and Drug Administration (FDA) and the U.S.. Department of Agriculture (USDA)—while excluding recall-friendly agencies that would impact far more products, such as the U.S. Consumer Product Safety Commission (CPSC). It also only flags recall problems when the purchase is being made. So a customer who buys a product that gets recalled an hour after the purchase is completed will, by design, not be notified. Read more...

The four-month-long trial that began in November is significantly limited in scope, involving only BlackBerry devices. And it doesn't even involve BlackBerries with payment chips installed. Instead, the effort involves NFC payment chip stickers attached to the backs of the smartphones.Read more...

Today’s smartphones certainly promise more convenience and functionality. But for IT, these devices promise new nightmares about protecting the data they store. It’s not merely contact data, but files, slides, traffic history, E-mail records, chat transcripts and almost anything else that can be done on a desktop and synched to a smartphone. Then there’s the Grand Poobah of data protection night terrors: Geolocation.

Geolocation is the phone’s capability to tell any app on that phone—or anyone at all, really—the exact location of the phone virtually every minute it has power. Such data is relatively small in size and yet—tied into various other data points (especially time and date)—could be monstrously helpful to some while being stunningly destructive to others. But fear not, IT execs are thinking, there’s no way such data could ever get out to unauthorized places, right? Sprint this month proved otherwise, as we discuss in this week’s Guest Column on McAfee’s Security Blog.…

All told, one sensitive document created on a company desktop machine may, in a matter of minutes, be unintentionally copied in 10 locations: an employee’s desktop; the LAN server that backs it up; a PDA; the carrier/vendor server that synchs the PDA data; a memory stick; the home computer the employee used that memory stick in; the personal external backup drive connected to that employee’s computer; an offsite backup service the employee uses; the shadow copy on that employee's work desktop machine; and the shadow copy on that employee's home desktop machine. And it can get a lot worse.Read more...

What many franchisees have not discovered, pens Franchisee Columnist Todd Michaud, is that the advanced integration between POS, inventory systems and video surveillance systems can be used to catch these types of activities and dramatically improve the top and bottom line. If you really want to be depressed, go to Google and type the words: “working at BRAND_NAME steal” or “how to steal from BRAND_NAME” or other variations of the same. What you find may be surprising. Many people have actually posted how-to guides for the best way to steal from a certain brand as an employee.Read more...

Problems at the Walgreens site began at 1:09 P.M. (New York time), according to site monitoring company AlertBot. The site remained either offline or slow to respond until about 2:16 P.M. But even after it came back to life, the site suffered sporadic similar issues throughout the afternoon.Read more...

Most companies issue their employee road warriors with corporate travel cards. Companies also issue purchasing or procurement cards that their staff use to buy everything from office supplies to store fixtures. Most of these cards are American Express, MasterCard or Visa branded. Companies store the PANs in databases that are accessible to travelers and others who use the data for expense reporting and tracking. In my experience, the PANs get printed on hardcopy reports. The question for IT execs is, do you need to include these cards in your (merchant) PCI scope? The surprise answer is that it depends on where you store the cardholder data and, interestingly, on which brand of card you choose.Read more...

Buying items on Tesco.com, the E-Commerce site of the $84 billion, U.K.-based supermarket chain, is a bit like being a virtual marionette operator. When a Web shopper places an order, Tesco employees actually grab shopping carts and pluck items from shelves as they stroll up and down aisles in Tesco stores. Most of those online order fulfillment missions are currently conducted in busy, public Tesco markets also occupied by meandering shoppers. But Tesco is so pleased with its use of customer-free “dot-com store” installations–facilities nearly identical to its regular markets, except that are for use only by Tesco.com order-fillers–the chain plans to erect a large network of them, according to the Daily Telegraph of London.

It said Tesco now has two so-called “dark stores” up and running, one in Surrey and another in Kent, and plans to open a third, next year, in Middlesex. Laura Wade-Gery, Tesco.com CEO was reported as saying the company intends to open one new online order fulfillment store yearly “for the foreseeable future” and expects the employee-only structures will be handling 15 percent of online order fulfillment by 2014. Tesco currently processes 475,000 online orders weekly and operates a 2,000-van fleet for home deliveries, said the Telegraph.…

A J.C. Penney representative on Wednesday (Dec. 2) night blamed the glitch on high traffic. "Due to the overwhelming customer response to our Cyber Monday deals, the checkout portion of the site slowed down Monday night into early Tuesday morning and, in some cases, customers were unable to complete their orders," said J.C. Penney spokesperson Tim Lyons. "To make up for any inconvenience this caused our customers, we extended the Cyber Monday pricing and ‘free shipping on $25 or more’ offer through Tuesday night."Read more...