StorefrontBacktalk - Techniques, Tools, and Tirades about Retail Technology and E-Commerce

Trick Or Treat? New PCI Version To Be Here By Halloween
May 16th, 2008

By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering “Trick or Treat?”

Robert Russo, general manager of the PCI Council and a man who never met an acronym he didn’t like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as “minor changes.” Read more.

Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too
May 16th, 2008

It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.

“As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers,” the indictment said. “Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants had to regularly reactivate the packet sniffers.” This group might even have had a hand in the TJX incident. Read more.

Delegation Can Be Good, And A Half-Dozen Other Security Tips
May 15th, 2008

From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to “deputize” internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.

These leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT. Read more.

TJX Gets 99.5 Percent Signoff With MasterCard Banks
May 14th, 2008

When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry’s worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing.

No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent, the retailer announced May 14.

Applying Internet Security To RFID
May 14th, 2008

NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.

Applying Internet-level security to RFID is something that has not gone very far, according to this RFID Update story about the anticipated rollout. NeoCatena Networks is developing RF-Wall, an appliance to be installed between RFID readers or controllers and middleware servers, edge servers or host applications in networked RFID systems. The product acts as a firewall that authenticates RFID tags prior to allowing their data to pass into enterprise systems and also scans input to detect and block malware. RF-Wall works by using the unique tag ID to create a digital signature.

FTC To Hold Contactless Hearing In Seattle
May 14th, 2008

Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.”

Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.

The Dangers Of Choosing The Wrong Wireless Approach
May 9th, 2008

London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.

The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.

Beware Of Mobile Customers Who Are Not Where You Think They Are
May 2nd, 2008

As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let’s say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday. The chain limits the offer to the Boston area through area code and other data.

But it just so happens that there’s a huge convention in San Jose that day of the Society Of People Who Live In Boston. Your San Jose locations get flooded with people asking for their free gift, leading to a lot of baffled employees and angry customers. This observation comes courtesy of a colleague who has far too much time on his hands to think up such things.

Which Do You Want, Buddy? Compliance Or Security?
May 1st, 2008

GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments.

Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins and policies that are not enforced. Fixing this stuff is not expensive, but it’s not fun either. Read more.

Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
April 25th, 2008

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars “but not tens of millions.”

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption (“customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network”), host and network intrusion prevention systems (“to proactively prevent malware from being installed in our systems”) and better payment segmentation. Read more.

Wal-Mart Makes RFID Privacy Promises To Arkansas State Legislators
April 25th, 2008

Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam’s Clubs by 2010, according to this BusinessWeek story.

After checkout, customers would have the option of removing the labels containing the tags, Wal-Mart told the state legislators. “If a manufacturer installed the tag inside a container, workers would be able to deactivate it before a customer leaves the store,” the story said.

Startup Promises Hard-To-Duplicate RFID Chips
April 25th, 2008

A difficult-to-duplicate RFID chip? That’s the claim of an RFID startup, which is using MEMS resonators to create a unique signal, or “voiceprint,” which can’t be cloned and can be used to authenticate the chip, according to this RFID Update story.

“Each voiceprint is unique but falls within a defined band so separate readers do not have to be developed for each chip,” the story said. “However, MEMflakes can’t be read with RFID readers currently on the market.”

Javelin Report: Retailers Have No Reason To Support Contactless Payment
April 24th, 2008

Although contactless payment has tremendous potential to advance payments and set the stage for mobile commerce, it’s suffering from benign neglect from both retailers and the card brands—and banks, too. That’s according to a new contactless payment report from analyst firm Javelin Strategy & Research.

The key argument of the report is that none of the three groups of companies involved—the card brands, the issuing banks and key retailers—is spending the dollars to create true incentives to make contactless payment work, said lead report author Bruce Cundiff, who is Javelin’s director of payments research. “There is no effective value proposition for merchants and for wireless carriers,” Cundiff said. Read more.

Waiter? Stylus, Please
April 17th, 2008

One of the most annoying parts of many a casual restaurant outing is at the end, when you just want to say “Check, please” and all wait staff seem to sense this and decide instead to join the Waitress Relocation Program.

Microsoft has decided to help (OK, they smelled money in those missing food servers) and created a device that permanently sits on the table. Redmond is backing this hardware that can take payment, print out a receipt and do it all without having to catch anyone’s eye. It allows the tip to be added (minus a deduction for subjecting you to the machine), and it can show various promotions. (OK, so having mandatory TV commercials when you’re dining out is probably not a good thing.) It also has a button to summon a manager if there’s an issue.

A Kiosk That Toys With Long-Term CRM Rewards
April 16th, 2008

A DVD rental kiosk outfit has rolled out a kiosk that keeps track of orders and awards free videos for frequent shoppers. The idea of a kiosk that has a long-term memory and an active CRM component is a wonderful next step (OK, a baby step) for intelligent kiosks.

The new units from DVDPlay use E-mail addresses in lieu of a loyalty card. “By entering an E-mail address during the rental process, the stand-alone DVD rental machine’s patent-pending software recognizes the number of customer rental transactions and, after every tenth rental, generates a promotional code for a free movie that is automatically sent to the customer’s E-mail account,” said a statement issued by the company.

A 600-Foot Passive RFID System?
April 16th, 2008

RFID vendor Mojix has rolled out a new RFID system that it says can read passive, Gen2-standard tags from 600 feet away; cover 250,000 square feet of area; and pinpoint tag location in 3D, according to this intriguing RFID Update story.

The move is interesting, because it shows a vendor’s willingness to play with the assumed RFID rules to try and generate a little retail ROI. The story quotes company officials saying that the claims are based on advances in digital signal processing, RF antenna design and computational processing power. Mojix’s STAR 1000 differs from traditional RFID systems by using separate components to power and read tags. “There is no rule of physics or regulation that says the receiver and transmitter have to be in the same housing,” said Kevin Duffy, Mojix senior vice president of sales and marketing.

McDonald’s Mobile Trial Raises Question: Who Owns The Data?
April 9th, 2008

A group of 109 McDonald’s restaurants in the Salt Lake City region are doing a mobile commerce trial, with participating consumers getting free iced coffee. Although those 109 stores are barely one coffee bean’s worth, given the $22.8 billion chain’s 31,377-store network, the trial is interesting both for its capabilities and for how much data-control McDonald’s was willing to give up.

McDonald’s is launching iced coffee as part of some new menu options and “part of our objective was to create additional awareness,” especially among the younger consumers who McDonald’s assumes will be receptive to a mobile coupon campaign. Read more.

Virtually Instant Card-Swipe Encryption Device To Be Unveiled Next Week
April 3rd, 2008

Amidst the sea of security announcements slated for the next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption.

Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security. The new unit uses Hidden Triple Data Encryption Standard (H-TDES) from a company called Semtek Innovation Solutions Corp. Its hardware unit is designed to deactivate if anyone succeeds in opening the case, making the planting of physical data-capture devices more challenging. Read more.

New Mobile Payment Patent Sidesteps Wireless Concerns
April 3rd, 2008

With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office last issued a trademark for a cellphone payment that leverages current retail equipment, an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.

The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system. Read more.

Security Controls Are Useless If They’re Not Turned On
April 3rd, 2008

Guest Columnist David Taylor is baffled by how often security safeguards are purchased, installed and then not meaningfully used. It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward.

Whether it’s leaving firewalls in learning mode or having database access controls that all but ignore the activity of authorized users–who may be capable of nastiness few cyber thieves could dream of–it’s an amazingly risky approach. Read more.

Amazon’s TextBuyIt Service Not Likely To Make Them A Lot Of Retail Friends
April 2nd, 2008

Amazon.com on Wednesday rolled out a new service called TextBuyIt, which allows consumers to comparison shop online working solely with fast text messages. But the move may not sit well with other retailers, who could see this making it easier to find better deals elsewhere, especially in bookstores.

The service can also support Web searches—but that’s hardly new—and is being positioned by Amazon as an easier way for consumers to make Amazon purchases. The transactions can be almost solely done via text, with an old-fashioned phone call used to verify the purchase. Read more.

Is Hannaford Unique Or The Start Of A New Breach Trend?
April 2nd, 2008

Was the Hannaford data breach isolated or was it part of a sweep of similar penetrations? A Vermont ski resort is reporting an almost identical breach of card information in transit in February and an official there was told by law enforcement “that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.”

Those new details–courtesy of a Computerworld story–suggest that this might soon become the norm. The Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February. “We can tell you that this was a real-time theft,” said Okemo spokeswoman Bonnie MacPherson. “The information was being taken as the cards were being swiped.”

TJX Offers To Pay MasterCard Banks As Much As $24 Million For Breach Costs
April 2nd, 2008

TJX will pay as much as $24 million to cover data breach losses suffered by MasterCard banks, assuming 90 percent of the banks agree to the settlement offer, TJX and MasterCard announced on Wednesday. TJX last year announced the world’s worst payment data breach, which impacted some 100 million cards.

Participants “must agree not to seek or participate in any other recoveries that may be available to issuers and must also release MasterCard, TJX and TJX’s acquirers from all legal and financial liability associated with the TJX data breach,” a joint statement said. Those banks have 30 days to decide whether to accept the offer.

Amex Kills Its Payment Fob. Will Others Follow?
April 2nd, 2008

Pushing a convenience/ease-of-use argument, payment processors have spent much of the last two years trying to get consumers to use different payment methods. But 2008 has thus far not been friendly to them.

This week brings the news that American Express is halting its ExpressPay keyfob, some six years after the payment giant started offering it. The program is expected to deactivate the last of its fobs by July. There are many reasons the fob may have died, but at least Amex—with six years of fob effort under its payment belt—can’t be accused of not giving the fob enough time to work. Read more.

Hannaford Breach Included Clear Text Sent Via Fiber-Optic Cable
April 2nd, 2008

The Hannaford data breach included payment information that was partly encrypted and partly clear text—and it was all transmitted over a private fiber-optic cable, according to a Hannaford official quoted in the Wall Street Journal.

This information—on top of the reports that Trojan Horse software was installed on 300 servers in 300 Hannaford stores–is painting a picture of a retailer that seemed to be following accepted security procedures. The story reported that the cyber-thief-created software “intercepted the information as it went back and forth over a cable to a transaction processor in Denver. It was then transmitted to an Internet service provider somewhere outside the U.S.,” according to Hannaford marketing VP Carol Eleazer, who added that “it took a team of about 30 forensics experts and information technologists more than 10 days of round-the-clock troubleshooting to discover the malware.”

Hannaford Had Trojan Installed On 300 Store Servers, One Copy For Each Store
March 28th, 2008

The data breach at Hannaford involved a Trojan Horse that was installed on servers at every one of its 300 grocery stores, according to Hannaford officials. The software intercepted card data at the POS and then periodically transmitted them “to an unnamed offshore Internet service provider.”

Those details come courtesy of a letter sent by Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Governor Deval Patrick’s Office of Consumer Affairs and Business Regulation, according to Hannaford officials and a report in The Boston Globe, which quoted from the letter. The chain decided to replace all of the servers to make absolutely certain the malicious programs were removed from the network.

FTC: TJX “Failed To Provide Reasonable And Appropriate Security”
March 28th, 2008

In the multi-year data breach at TJX—the worst in credit card history—the retail chain “created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text,” according to a complaint issued Thursday by the U.S. Federal Trade Commission.

That report also found that TJX “did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks” and that it failed to “use readily available security measures to limit access” and cited one crucial example: not “using a firewall to isolate card authorization computers.” Read more.

500-Store 2-D Barcode Launches In San Francisco
March 28th, 2008

The retail move to embrace 2-D barcodes that began with a Sears trial in December and strong interest from BestBuy, the Gap and Target is inching forward, with a 500-store trial starting Thursday in San Francisco.

The trial, involving CitySearch, Antenna Audio and Scanbuy, is a fairly basic mobile integration effort. “More than 500 restaurants, shops and businesses reviewed by Citysearch are placing printed bar codes in their windows, and people who have Scanbuy software loaded on their phones can simply take a picture of the code and their phone’s Internet browser will immediately take them to the restaurant’s corresponding Citysearch page,” said a statement from the group.

New Washington State RFID Law A Far Cry From What Assemblyman Wanted
March 21st, 2008

Next Tuesday, it’s likely Washington state will have a new RFID law on its books, one that will be the first in the nation to make malicious stealing of data via RFID a crime. But the bill is a far cry from what the bill’s assemblyman sponsor had envisioned—and what he says he will still fight to get.

The bill had been pushed by Assemblyman Jeff Morris. The final version of the bill—which Morris said he expects Washington Governor Chris Gregoire to sign into law on Tuesday—makes anyone guilty of a Class C felony if they “intentionally scan another person’s identification device remotely, without that person’s prior knowledge and prior consent, for the purpose of fraud, identity theft or for any other illegal purpose.” Read more.

Pay By Touch Shuts Down All Biometric Services
March 21st, 2008

Just three months after filing for Chapter 11 bankruptcy protection, Pay By Touch officially pulled the plug on its remaining biometric transaction customers Thursday morning.

Pay By Touch (officially Solidus Networks Inc. doing business as Pay By Touch) issued a statement on Thursday that it “regretfully announced today that it will no longer process biometric transactions on behalf of its merchant customers and consumer membership base, as 11:59:59pm March 19, 2008.” Read more.

GuestView: PCI’s A Lot More Useful Than Some Perceive
March 21st, 2008

Guest Columnist David Taylor argues that PCI is a lot more necessary than some have recently suggested.

For those who contend that PCI’s only purpose is to transfer risk from the card brands to the retailers, Taylor writes, “I’ve worked with a number of retailers on PCI projects over the past few years and, believe me, retailers already own the risk of a breach. It’s their brand on the line and they don’t need the card brands or their acquiring banks to tell them that.” Read more.

GuestView Column: Does The PCI Security Council Understand Security?
March 21st, 2008

Guest Columnist Ed Adams argues that PCI has a long way to go and that the PCI Security Council isn’t helping very much.

“The PCI Security Standards Council is made up of seemingly smart folks from the credit card brands and security industry. Unfortunately, this group of misfits is saddled with a myriad of competitive conflicts of interest and, worst of all, a complete misunderstanding of how to best protect card data and consumer identity,” writes Adams. Read more.

The Hannaford PCI Fallout
March 19th, 2008

Shortly after reports surfaced that the Hannaford grocery chain had been PCI compliant at the time of its data breach attack, the Web has been crawling with those questioning the value of PCI, even as the confusing preliminary details of the breach are being sorted out.

As one who has frequently used this column to point out the many flaws within PCI, please allow me to stand up and say to those PCI critics: What planet are you from that tolerates only perfect security systems? Do they conclude from one successful burglary of a house protected by a top-notch burglar alarm and high-security deadbolts that burglar alarms and deadbolts are worthless? Read more.

What Did Hannaford Know And When Did It Know It?
March 19th, 2008

As details of the Hannaford data breach trickle out, the familiar data breach pattern of apparent inconsistencies has emerged.

For example, Hannaford’s people have been stressing to reporters that they were PCI compliant and, indeed, that they not only were certified compliant in Spring 2007, but that they were re-certified compliant in February 2008. But that raises more troubling questions than it offers comforting assurances. As a Level 1 retailer, Hannaford is only required to undergo a PCI assessment once a year. If they were compliant in the Spring—regardless of which month it was—it seems eyebrow-raising that they would have sought another assessment so soon. Read more.

Trying A Bit Too Hard To Convince People That Contactless Is Secure
March 14th, 2008

One of the non-intuitive truths about marketing is that marketers love to suggest the opposite of what they know to be true. This was illustrated this week when a contactless payment organization leapt to attack the Associated Press for pointing out that contactless technology exists in credit cards as well as building access cards.

You don’t address security concerns by pretending they don’t exist. You acknowledge that everything is relative and that weaknesses are there but there are advantages, too. Read more.

Report: Bored Air Travelers Can Reroute Their Boss’s Luggage
March 7th, 2008

At long last, this week finally delivered a wireless security report with some good news. Due to airport wireless security holes big enough to fly a Boeing 747 through, the report discovered one airport with an unencrypted wireless baggage handling network that could allow bored travelers to hack into it and reroute other people’s luggage for fun.

“Since Bernie ordered me to accompany him on this stupid trip to Philadelphia and we sit here in a five-hour connecting flight delay in Chicago, it’s the least I can do to thank him by giving his luggage a much-deserved holiday in Hong Kong,” deviously thinks Brad, the junior LAN administrator with far too much time on his hands. Read more.

So How Are You Supposed To Ring Up A Phone?
March 6th, 2008

About one month into a major near field communication (NFC) trial, officials at fast-food chain Jack In The Box discovered a problem they hadn’t anticipated: cashiers didn’t know how to ring up a sale when the customer presented their cellphone as payment.

“We need to do a little more training,” said Michael Verdesca, the chain’s VP for systems development. Read more.

A Little 3-D Retail-Tech Adventure, Anyone?
March 4th, 2008

Hello, blog readers! We’ve been approached by a company that wants to create a 3-D environment for StorefrontBacktalk, complete with avatars for all readers. Before we explored this more seriously, we wanted to ask our readers whether we should proceed. Therefore…

How do you feel about StorefrontBacktalk creating a free 3-D online community, along the lines of Second Life? This area would be used for online discussions of retail tech and E-Commerce issues:

NFC To Likely Suffer The Same Hurdles As RFID
March 3rd, 2008

Near Field Communication (NFC) is running into the exact same kind of tech hurdles that have slowed down RFID, according to a new report from the Venture Development Corp., which cited a lack of supporting infrastructure, standards problems and a “complex ecosystem of stakeholders.”

VDC “believes that NFC may take root first in niche vertical applications rather than hypervolume consumer applications like contactless payment,” said this RFID Update story.

Metro’s RFID Trial Versus EU’s Privacy Rules
March 3rd, 2008

The Metro Group’s RFID trial efforts have been well-known, but this is an interesting International Herald-Tribune story discussing some of the privacy debates within Europe on their efforts.

The piece quotes a Metro person describing a recent European Union effort to force the tags to be deactivated at POS as the kiss of death for consumer-facing RFID. “If we have to deactivate at the check-out, then the technology is going to stay within the logistics process - to say where is a box or where is the pallet in the distribution center. It won’t come on consumer items. They’re going to kill the technology with that.”

Will Police Turn Buying Habits Into Grocery Fingerprints?
February 29th, 2008

Are we looking at a near future where consumers’ purchase profiles will be used by law enforcement to track down fugitives?

The potential is absolutely there, with retailers collecting molecular mountains of shopping history—sometimes more than a decade’s worth—and law enforcement seeking creative ways to find criminals (or people they think are criminals) who are quite determined about not being found. Read more.

NRF: Self-Swipe Boosting Fraud Risk
February 29th, 2008

When retailers started making card-swipes a customer function, it saved a few seconds of a cashier’s time. But are retailers paying for that efficiency boost with a higher risk for fraud? The head of the National Retail Federation’s fraud prevention effort says yes.

“In today’s environment, the card is swiped by a consumer and it’s never seen by the cashier,” said Joe LaRocca, the NRF VP for loss prevention. “There’s no way to see the information on the plastic,” he said, and therefore no way to verify identity. Read more.

Hotel Guest Keys That Work With Vending Machines
February 29th, 2008

A pair of companies is pushing an approach where hotel guests could use their electronic room key to also open vending machine snacks, which would then be automatically charged to the guest’s room.

The new approach, from Cstar Technologies and Fastcorp, would theoretically make such purchases easy to order repeatedly, offering revenue and margin that could more than compensate for reductions in “honor bar” purchases.

Gartner: Global RFID Sales To Hit $1.2 Billion This Year, $3.5 Billion By 2012
February 29th, 2008

Global RFID revenue is expected to hit $1.2 billion this year and $3.5 billion in the next four years, according to new Gartner projections. This year’s figure represents an almost 31 percent increase from last year.

Gartner reported that the leading segments were discrete manufacturing (21 percent), national and international government (20 percent), transportation (20 percent) and then retail (14 percent).

How Fast Is Fast Enough For Encryption?
February 29th, 2008

There’s a very wise business adage that instructs customers to not judge a vendor by the mistakes that it makes nearly as much as by how it deals with mistakes once it makes them.

Last week, StorefrontBacktalk ran a story chastising a security vendor, Shift4, for having issued a news release that said retailers using its products wouldn’t have to worry about PCI requirements because they would be excluded. The vendor on Monday issued a news release, apologizing for the earlier one and correcting the record. But the core question–about its encryption approach–still stands. Read more.

Euro Retailers May Be Forced To Deactivate RFID At POS
February 24th, 2008

RFID-tagged products will have to be deactivated at the POS throughout Europe, if draft guidelines proposed this month by the European Commission are approved.

A public consultation is being launched into the “soft law” guidelines that EU Information Society and Media Commissioner Viviane Reding hopes will be adopted by the European Union executive to be applied in all the bloc’s 27 member states, according to this Reuters story. The guidelines are “tentatively scheduled to be adopted before the summer of 2008,” the Commission said in a statement.

Wal-Mart Learns Some Hard Mobile Lessons
February 22nd, 2008

There can indeed be too much of a good thing, especially when the good things are being sent as cellphone text messages. That’s one of the lessons that the world’s largest retailer learned in December when it trialed an opt-in mobile consumer program.

One person working on the trial—sworn to secrecy by Wal-Mart—said the group initially tried cramming a lot of sales info into each text message. This was done on the theory that it would increase the probability of hitting on an item that particular consumer would want. “We were sending 10-15 in about three or four text messages,” the manager said. “We learned that three messages is where the consumer says, ‘I’ve heard enough from you, Mr. Retailer.’” Read more.

Contactless Cards Proving To Be More Paymentless Than Contactless
February 22nd, 2008

Contactless cards—which have been pushing accelerated checkout as both a consumer and retail benefit—are running into isolated problems with both. I’ve been trying to disprove these concerns and have been failing miserably.

Taking some cabs in New York City this month, I was thrilled to see the contactless devices in the backseat, only to be told by three different cabbies to not use them because customers were complaining about getting double-billed. This week, visiting three different grocery chains in New Jersey, I tried unsuccessfully to use my contactless card there. The first time, a cashier looked at me as I asked about using my contactless card. Read more.

NFC: A Technology Marvel That Must Overcome Human Psychology
February 15th, 2008

Sometimes, people who spend most of their working hours trying to get technology to do magical things lose sight of the many psychological dynamics. In short, employees and consumers rarely see things the way technologists do, which can cause some wonderful disconnects in the field.

Retailers and telcos and others are watching test markets such as New York City and seeing how many consumers are using contactless payment. Their assumptions are based on the number of contactless cards in the population. But if that population doesn’t realize that they have a contactless card, there’s nothing valid that can be concluded when those people do not use them. Read more.

The Data Dilemma: Productivity Vs. Protection
February 8th, 2008

These days, retail’s data breach du jour is some manager’s laptop getting stolen.

Breach letters are being sent out so frequently that I wonder if it’s going to pique the business interests of Hallmark. A card for every occasion, when you care enough to breach the very best. Perhaps a merger with their Get Well cards? “Sorry to hear that you’re not getting around these days…. [open card] …. but your CVV sure as heck is. Call 1-800-DATA-OOPS for your free year of credit monitoring, courtesy of your neighborhood retail chain.” Read more.

PCI Vendor Survival Strategy: Shift From Fear To Greed
February 8th, 2008

In very early January, residents of New Hampshire couldn’t pull out of their driveways without running into a presidential candidate. That’s how it is today with retail IT executives and vendors selling PCI compliance packages.

But, for better or for worse, that’s not a long-term situation. Like the presidential candidates who had to fly South for the winter (or fly the coop entirely), these compliance salesfolk have a limited lifespan. Within the next year or so, retailers are going to shift from trying to become PCI compliant to having to maintain PCI compliance. Read more.

Gartner Report: Banks Pushing Consumers To Less-Secure Payment Methods
February 8th, 2008

The major credit card brands—and the banks they work with—do a fine job talking up security when they’re at podiums or writing news releases. But when it’s a choice between consumer security and lower transaction fees? Faggedaboutit. Fees win out every time.

At least that’s one of the core conclusions from a report released Thursday from technology analysis firm Gartner Inc. Read more.

Could New RFID Tags Replace Barcodes?
February 6th, 2008

In a move that researchers said might set up low-cost, high-volume RFID tags that could replace barcodes, the European Holst Center said Wednesday that their 64-bit, inductively-coupled, passive RFID tag achieved a record 780