Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too
May 16th, 2008
It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher. “As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers,” the indictment said. “Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants had to regularly reactivate the packet sniffers.” This group might even have had a hand in the TJX incident. Read more.
U.S. Watched 11.5 Billion Web Videos In March
May 14th, 2008
For e-tailers who still think that Web video may be a fad, consider this stat: In March 2008, U.S. Internet users watched 11.5 billion online videos. That’s a 13 percent gain from the prior month and a 64 percent gain from the identical month the prior year, according to Comscore. In March, Google Sites once again ranked as the top U.S. video property with more than 4.3 billion videos viewed (38 percent share of all videos), gaining 2.6 share points versus the previous month. YouTube.com accounted for 98 percent of all videos viewed at Google Sites. Fox Interactive Media ranked second with 477 million videos (4.2 percent), followed by Yahoo Sites with 328 million (2.9 percent) and Viacom Digital with 249 million (2.2 percent).
TJX Gets 99.5 Percent Signoff With MasterCard Banks
May 14th, 2008
When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry’s worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing. No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent, the retailer announced May 14.
Applying Internet Security To RFID
May 14th, 2008
NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain. Applying Internet-level security to RFID is something that has not gone very far, according to this RFID Update story about the anticipated rollout. NeoCatena Networks is developing RF-Wall, an appliance to be installed between RFID readers or controllers and middleware servers, edge servers or host applications in networked RFID systems. The product acts as a firewall that authenticates RFID tags prior to allowing their data to pass into enterprise systems and also scans input to detect and block malware. RF-Wall works by using the unique tag ID to create a digital signature.
FTC To Hold Contactless Hearing In Seattle
May 14th, 2008
Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.” Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.
Self-Checkout Psychology: Losing The Customer’s Trust
May 9th, 2008
With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it’s not a bad idea to focus on what will truly decide whether these machines do anything to help retailers. To state the obvious: It’s getting consumers to use them. I say it’s obvious, but one wouldn’t guess that based on what the vendors were saying this week. Read more.
Self-Checkout: It’s Not Just For Lanes Anymore
May 9th, 2008
With the nation’s largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I’d rather take my chances at rolling a 10 the hard way. Las Vegas was hosting the 2008 Food Marketing Institute and Marketechnics show, which felt like self-checkout central this week. Read more.
The Home Depot Self-Checkout Machine That Wouldn’t Take “No” For An Answer
May 9th, 2008
Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy. The story began on May 8 when a woman visited a Baltimore Home Depot to buy a few odds and ends, including plants, pots and tile sealer. Read more.
Twitter Dead Last In Social Network Uptime
May 9th, 2008
With its sites being unavailable for barely one hour over four months, MySpace has the best uptime of any major social networking site and Twitter (more than 37 hours of downtime during the same period) has the worst. Those stats come courtesy of Pingdom’s periodic uptime surveys, which tracked some 16 social networking sites from January 1 through April 30 of this year. Not only was Twitter’s 37 hours and 16 minutes of downtime the worst in the group, it was almost double the amount of downtime from the second worst-performing site (Reunion.com, with 18 hours and 55 minutes of downtime). But even Twitter’s numbers amounted to an uptime that sounded good: 98.72 percent. Pingdom’s Peter Alguacil said those percentages can be misleading. Read more.
The Dangers Of Choosing The Wrong Wireless Approach
May 9th, 2008
London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.
The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.
Rite Aid Cuts Deal For Visually Impaired Web, POS Support
May 2nd, 2008
Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups. The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe’s and Wal-Mart. The most prominent retailer who has fought such efforts is Target, whose legal battle continues. Read more.
Beware Of Mobile Customers Who Are Not Where You Think They Are
May 2nd, 2008
As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let’s say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday. The chain limits the offer to the Boston area through area code and other data. But it just so happens that there’s a huge convention in San Jose that day of the Society Of People Who Live In Boston. Your San Jose locations get flooded with people asking for their free gift, leading to a lot of baffled employees and angry customers. This observation comes courtesy of a colleague who has far too much time on his hands to think up such things.
Do Retailers Really Maintain A Secure Environment?
May 2nd, 2008
This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. You really should read the details in this story in New York’s Saratogian newspaper, but the essence is that a woman walks up to an ATM at a Hannaford’s grocery store. (Just what Hannaford needs right now. More police-oriented publicity.) She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves. Turns out that she worked for the ATM company, but the story asks why no one bothered to ask her what she was doing. Indeed, it’s a fine question. How many retailers have strict file access procedures, but would likely let a stranger plug a laptop into equipment without any questions? No, please, don’t answer that question. It’s too depressing to hear.
NRF Group Offers Payment Consistency Guidelines
May 2nd, 2008
With an eye on retailers having to juggle payment systems between many varied environments–far beyond merely online and in-store–a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface, which it has dubbed “the first service-oriented architecture service interface schema and technical specification for the retail industry.” “By making existing POS transaction functions available as SOA Services, RTI will enable the business logic behind these services to be easily reused for other customer and associate touch-points such as self checkout, fuel at grocery stores, kiosks, shop on the web, store within a store, portable shopper, mobile line buster and other complementary store solutions,” said a statement from the NRF’s Association for Retail Technology Standards (ARTS). Execs with Big Lots and BJ’s Wholesale Club represented retailers in a committee dominated by tech vendors.
Best Buy Using IT To Try And Limit Geek Squad Snooping
May 2nd, 2008
With a privacy invasion trial about to begin, Best Buy’s IT department will be conducting more frequent remote audits of the chain’s Geek Squad tech support department. “Using powerful mainframes at Best Buy’s headquarters in Richfield, the company now scans several hundred Geek Squad computers each night to see if customer data is stored appropriately,” said a story in the May 1 edition of the Minneapolis Star-Tribune. “Previously, these audits were done only several times a year.” Best Buy is also setting up a system where customer files can only be viewed by the file names, without personal content. In addition, the retailer has now banned thumb drives by its Geek Squad technicians.
Microsoft Leaning Toward Going Hostile To Get Yahoo
May 1st, 2008
Microsoft is “leaning toward going hostile in its pursuit of Yahoo,” with an announcement “likely” on May 2, according to a report in that day’s edition of The Wall Street Journal. Although such a move would not likely have a direct impact on the IT side of E-Commerce with major retailers, it could sharply impact tens of thousands of smaller merchants that rely on Yahoo to sell their wares.
Which Do You Want, Buddy? Compliance Or Security?
May 1st, 2008
GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments. Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins and policies that are not enforced. Fixing this stuff is not expensive, but it’s not fun either. Read more.
Cash Usage Rising Sharply In Britain
April 29th, 2008
British retailers are seeing a resurgence in cash purchases, mostly due to a weak economy and consumers who are “nervous about borrowing or spending on debit cards,” according to a new report from the British Retail Consortium (BRC). The British retail group used the opportunity to beat up banks and card brands for overly high interchange fees. (Then again, retail lobbying groups need no special occasion to make such points, as they often volunteer them when asked about the weather.) But the question remains whether the consumer reactions that are pushing cash usage in the U.K. are likely to be replicated in other parts of the world. Read more.
Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
April 25th, 2008
Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars “but not tens of millions.” Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption (“customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network”), host and network intrusion prevention systems (“to proactively prevent malware from being installed in our systems”) and better payment segmentation. Read more.
Pizza Hut Delivering A Web Virtual Waiter
April 25th, 2008
Pizza Hut is taking the “other people who bought also liked” approach mastered by Amazon.com and is trying to apply it to pizza and breadsticks and their Web site. The new feature—dubbed Virtual Waiter and introduced by the fast-food chain on April 24—is based on “technology that gathers data from millions of online orders and suggests menu items that best match customers’ orders.” But a demo showed that the technology was much more sophisticated than that suggested. Read more.
Wal-Mart Makes RFID Privacy Promises To Arkansas State Legislators
April 25th, 2008
Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam’s Clubs by 2010, according to this BusinessWeek story. After checkout, customers would have the option of removing the labels containing the tags, Wal-Mart told the state legislators. “If a manufacturer installed the tag inside a container, workers would be able to deactivate it before a customer leaves the store,” the story said.
Is This Retail Payment Data Breach A Trend?
April 25th, 2008
Police near Canton, N.Y., are investigating a payment card data breach at a local retail chain that sounds oddly similar to the Hannaford and other related recent breaches. Is this a coincidence or a gang focused on retail data? The new information on the Canton WiseBuys breach has the data being grabbed during a system changeover between December 5 and December 20, 2007, according to this WWNYTV story.
Did Someone Forget To Tell Amazon About The Recession?
April 25th, 2008
We’ve been seeing a bizarre trend this national recession. It seems to be hitting hard the companies that expected to be hit, the ones that cut back spending in anticipation of the downturn. Lo and behold, after cutting back on customer service and marketing programs, they see revenues fall. Did they correctly predict the sales drop or did they unintentionally cause the sales drop? This question comes to mind when looking at some recent earnings reports. Wal-Mart’s been faring well, but it points to increased grocery and other low-cost items, suggesting that they may be taking sales away from higher priced grocery rivals. That might be a recession sign. But this week’s Amazon figures raise questions about such analysis. Read more.
The Secret To Protecting All That Is Confidential
April 24th, 2008
GuestView Columnist David Taylor this week argues that one of the hardest parts of extending PCI controls to other confidential data is the application of Identity and Access Management (IAM) that crosses applications and platforms, without encountering the “analysis paralysis” that comes with trying to implement Single Sign-on. Because many organizations create policies specifically to comply with PCI standards, there are some policies that specifically single out cardholder data for special protection. These need to be rewritten to reference a data classification policy. If that doesn’t exist, then it needs to be created, and some examples of data in the “confidential class” other than cardholder data need to be provided. Read more.
The Few. The Proud. The Incredibly Retail Geeky
April 24th, 2008
The E-Commerce folk over at the National Retail Federation–Shop.org–are not so quietly putting out feelers for a new VP gig to pull in other e-tailers. The position details are what would be expected–overseeing research, coordinating with government lobbyists, developing best practices, etc.–but if there are any readers who want to try and shape how E-Commerce players are treated, it might be interesting. Scott Silverman, Shop.org’s executive director, is begging for interested folk to drop him a line at hr-shop@nrf.com.
China Becoming A Very Dominant POS Player
April 24th, 2008
China POS shipments soared some 19 percent last year, figures that show China’s retailers quickly becoming some of the biggest POS purchasers in the world, according to a new global POS report from consultancy IHL Group. How fast are China’s retail purchases growing? Last year was the first time China blew past Japan in POS purchases and it also had more than 25 percent more shipments than Germany, said IHL President Greg Buzek. One key reason is that retailers in China tend to have much smaller real estate footprints. That delivers a lot more retail locations, each of which is quite small. Buzek puts the number of today’s Chinese retail locations at 12 million, compared with 2.1 million in Japan, 363,000 in Germany and 2.25 million retail outlets in the U.S.
A Trio Of Credit Card Conundrums
April 18th, 2008
If there’s one thing that the last year of credit card catastrophes has made undeniable it’s that mixing credit cards, retailers, banks and card brands is unpredictable and a lot more complex than anyone wants to believe. Whether it was last year’s TJX revelations about how bad security can get (TJX to the SEC: The bad guys were able to get a copy of our encryption key, but not to worry. They grabbed the data before we had a chance to encrypt it, so the joke’s on them) or this year’s Hannaford details, where a PCI-compliant retailer lost data in transit while it was flowing through a secure private pipe, almost every assumption today is being challenged. With that in mind, StorefrontBacktalk has been asking retailers, lawyers and other experts (and gadflies) for their favorite credit card security issue brain teasers. How many can you figure out? (No, there are no right answers, other than accepting cash.) Read more.
Waiter? Stylus, Please
April 17th, 2008
One of the most annoying parts of many a casual restaurant outing is at the end, when you just want to say “Check, please” and all wait staff seem to sense this and decide instead to join the Waitress Relocation Program. Microsoft has decided to help (OK, they smelled money in those missing food servers) and created a device that permanently sits on the table. Redmond is backing this hardware that can take payment, print out a receipt and do it all without having to catch anyone’s eye. It allows the tip to be added (minus a deduction for subjecting you to the machine), and it can show various promotions. (OK, so having mandatory TV commercials when you’re dining out is probably not a good thing.) It also has a button to summon a manager if there’s an issue.
NRF Lobbying Group Opposes Behavioral Advertising Warning
April 17th, 2008
The National Retail Federation’s Shop.org is lobbying the U.S. Federal Trade Commission to not flag consumers when their shopping behaviors are being tracked online, arguing that it would merely serve to frustrate those consumers. In considering voluntary guidelines for E-Commerce behavioral advertising, the FTC is considering asking sites to display a “pop-up” notification whenever information is collected. Wrote Shop.org: “We all know how frustrating pop-ups can be when you are simply trying to read the latest headlines on a newspaper website. Now transfer that experience to a retail website where customers have come to expect a seamless experience from homepage to checkout. These types of ‘hiccups’ could be devastating.”
A Kiosk That Toys With Long-Term CRM Rewards
April 16th, 2008
A DVD rental kiosk outfit has rolled out a kiosk that keeps track of orders and awards free videos for frequent shoppers. The idea of a kiosk that has a long-term memory and an active CRM component is a wonderful next step (OK, a baby step) for intelligent kiosks. The new units from DVDPlay use E-mail addresses in lieu of a loyalty card. “By entering an E-mail address during the rental process, the stand-alone DVD rental machine’s patent-pending software recognizes the number of customer rental transactions and, after every tenth rental, generates a promotional code for a free movie that is automatically sent to the customer’s E-mail account,” said a statement issued by the company.
A 600-Foot Passive RFID System?
April 16th, 2008
RFID vendor Mojix has rolled out a new RFID system that it says can read passive, Gen2-standard tags from 600 feet away; cover 250,000 square feet of area; and pinpoint tag location in 3D, according to this intriguing RFID Update story. The move is interesting, because it shows a vendor’s willingness to play with the assumed RFID rules to try and generate a little retail ROI. The story quotes company officials saying that the claims are based on advances in digital signal processing, RF antenna design and computational processing power. Mojix’s STAR 1000 differs from traditional RFID systems by using separate components to power and read tags. “There is no rule of physics or regulation that says the receiver and transmitter have to be in the same housing,” said Kevin Duffy, Mojix senior vice president of sales and marketing.
$5 Billion Blockbuster Wants To Buy $12 Billion Circuit City
April 14th, 2008
Blockbuster is trying to acquire Circuit City–a chain that is reporting twice its annual revenue–by offering a 50 percent per-share premium, Blockbuster announced early on April 14. Blockbuster’s statement said it has been talking with Circuit City for months, but “Circuit City has failed to provide the due diligence necessary to allow Blockbuster to make a definitive proposal.” In a thinly veiled threat of a potential hostile takeover attempt, Blockbuster’s statement said “Blockbuster is making its proposal public because it believes the shareholders of Circuit City should have the opportunity to participate in determining the destiny of the company.” Read more.
Advance Auto Parts Breach Included Unencrypted Payment Data From 2001
April 11th, 2008
Unencrypted customer credit card information dating back to 2001 was among the customer payment data stolen from as many as 56,000 customers of Advance Auto Parts, according to one company official, who added that the chain is not PCI compliant. The $4.8 billion automotive aftermarket parts chain—which dubs itself the nation’s second largest such chain, with 3,261 stores in 40 states, Puerto Rico and the Virgin Islands—said the breach appears to have impacted customers from 14 of its stores in Georgia, Ohio, Louisiana, Tennessee, Mississippi, New York, Virginia and Indiana. Read more.
McDonald’s Mobile Trial Raises Question: Who Owns The Data?
April 9th, 2008
A group of 109 McDonald’s restaurants in the Salt Lake City region are doing a mobile commerce trial, with participating consumers getting free iced coffee. Although those 109 stores are barely one coffee bean’s worth, given the $22.8 billion chain’s 31,377-store network, the trial is interesting both for its capabilities and for how much data-control McDonald’s was willing to give up. McDonald’s is launching iced coffee as part of some new menu options and “part of our objective was to create additional awareness,” especially among the younger consumers who McDonald’s assumes will be receptive to a mobile coupon campaign. Read more.
Hannaford Kills TV Commercials After Station Reports On Data Breach
April 8th, 2008
Saying only that a TV station’s news coverage of its data breach was too “aggressive,” the Hannaford grocery chain has canceled its commercials from the Portland, Maine, CBS affiliate. The station, which announced Hannaford’s decision on its own news site, said the chain declined to cite any errors or problems with the coverage. This is a baffler. You have a media outlet in your community that is saying accurate but not nice things about you. What’s the response? Make sure you give up the one way you can give your side of the story by pulling your ads. I always get in trouble when I say this, but a better approach is to pull your ads from media that are already saying your side of the story for free and use that money to buy twice the ads on the other sources. That way, you get your message aired where it needs to be heard most. But that’s a lot less fun than punishing people who say stuff you’d rather not be said.
Piggly-Wiggly Trying To Recreate The Grocery Layout
April 6th, 2008
Focusing on recent improvements in refrigeration technology, the 115-store Piggly Wiggly is pledging to radically revamp its stores. The grocery chain is shaking up product positioning issues—all frozen foods are kept together, for example—that have been considered sacrosanct for decades. “When you enter the Piggly Wiggly at The Market Common, you don’t see check-out lines. You don’t go down five aisles to get ingredients for one meal,” said Piggly Wiggly CEO David Schools. A statement said the chain will now “arrange food items based on how customers naturally look for them. Fresh, frozen and canned vegetables and fruit, for instance, will be in the same location, as will cereal and milk. One stop stations will offer complete meal solutions with items such as ground beef, hamburger buns, chips and beer grouped together for backyard grilling.” Will it work? Possibly. Then again, this is the same chain that strongly touted its support for biometric payment.
Virtually Instant Card-Swipe Encryption Device To Be Unveiled Next Week
April 3rd, 2008
Amidst the sea of security announcements slated for the next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption. Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security. The new unit uses Hidden Triple Data Encryption Standard (H-TDES) from a company called Semtek Innovation Solutions Corp. Its hardware unit is designed to deactivate if anyone succeeds in opening the case, making the planting of physical data-capture devices more challenging. Read more.
Home Depot CIO Steps Down
April 3rd, 2008
Home Depot CIO/EVP Bob DeRodes has resigned and will leave the $77 billion home improvement chain “at the end of the year,” according to a statement Home Depot issued Thursday. DeRodes will continue to run IT until he leaves, the statement said, as the chain starts a search for his replacement. DeRodes joined Home Depot in February 2002 and the statement credited him with several major IT rollouts, including self-checkout, “continual point of sale upgrades,” BEAR, the Company’s back-end automated receiving system and an SAP Finance implementation that was considered at the time the largest ever. He was also credited with opening the Austin Technology Center in 2005, “which provided needed backup systems and security for the Company’s data management infrastructure.”
New Mobile Payment Patent Sidesteps Wireless Concerns
April 3rd, 2008
With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office has issued a patent for a cellphone payment method that leverages current retail equipment and an instantly encrypted validation code, and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all. The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system. Read more.
Security Controls Are Useless If They’re Not Turned On
April 3rd, 2008
Guest Columnist David Taylor is baffled by how often security safeguards are purchased, installed and then not meaningfully used. It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward. Whether it’s leaving firewalls in learning mode or having database access controls that all but ignore the activity of authorized users–who may be capable of nastiness few cyber thieves could dream of–it’s an amazingly risky approach. Read more.
Restaurants Using Credit Card As Their Loyalty Card
April 3rd, 2008
A series of restaurant chains—including Subway, Tully’s and Brinker (Chili’s, Macaroni Grill, On The Border, etc.)—have been experimenting with a way to use regular credit and debit cards as loyalty cards. Although the merchant behind the program—Chockstone—stresses a variety of security mechanisms, the nature of the program itself seems to fly in the face of PCI guidelines that discourage using credit card numbers for anything other than payment transactions, similar to the unsuccessful attempts to get American businesses to stop using Social Security numbers as de facto employee and customer identification numbers. Read more.
The Legal Irony: A Secure Retailer Could Suffer More In A Breach Than A Reckless One
April 2nd, 2008
There is this fairy tale belief that legal justice in civil lawsuits punishes those who act poorly, while protecting and vindicating those who consistently do the right thing. Nowhere is this myth more wrong—indeed, polar opposite wrong—than when dealing with security breach issues of U.S. retailers. I’m going to try and avoid using modern-day chains to illustrate good and evil. Regrettably, I think it’s a safe bet that I am about two sentences away from failing that effort. Let’s take TJX as an example. (Only one sentence. I was close, though.) Based on various SEC filings and court documents, it’s clear that TJX engaged in a wide range of security procedures that were, to be charitable, less than diligent. But, as we’ve pointed out many times, the millions in expenses that TJX has had to spend had absolutely nothing to do with any alleged security sloppiness. Read more.
Is Hannaford Unique Or The Start Of A New Breach Trend?
April 2nd, 2008
Was the Hannaford data breach isolated or was it part of a sweep of similar penetrations? A Vermont ski resort is reporting an almost identical breach of card information in transit in February and an official there was told by law enforcement “that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.” Those new details–courtesy of a Computerworld story–suggest that this might soon become the norm. The Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February. “We can tell you that this was a real-time theft,” said Okemo spokeswoman Bonnie MacPherson. “The information was being taken as the cards were being swiped.”
TJX Offers To Pay MasterCard Banks As Much As $24 Million For Breach Costs
April 2nd, 2008
TJX will pay as much as $24 million to cover data breach losses suffered by MasterCard banks, assuming 90 percent of the banks agree to the settlement offer, TJX and MasterCard announced on Wednesday. TJX last year announced the world’s worst payment data breach, which impacted some 100 million cards. Participants “must agree not to seek or participate in any other recoveries that may be available to issuers and must also release MasterCard, TJX and TJX’s acquirers from all legal and financial liability associated with the TJX data breach,” a joint statement said. Those banks have 30 days to decide whether to accept the offer.
In Bankruptcy, A Firm Finds Out Its True Worth
April 2nd, 2008
Bankrupt Pay By Touch—officially using the name Solidus Networks—has sold off two key units for a total of $4.8 million. Phoenix Check Cashing dropped $4.2 million to pick up Pay By Touch’s check-cashing division, known as BioPay Paycheck Secure, according to The Nilson Report. Acculink paid $600,000 for ATM Direct, a unit trying to introduce PIN-based debit card payments for E-Commerce sites, the publication reported.
Hannaford Breach Included Clear Text Sent Via Fiber-Optic Cable
April 2nd, 2008
The Hannaford data breach included payment information that was partly encrypted and partly clear text—and it was all transmitted over a private fiber-optic cable, according to a Hannaford official quoted in the Wall Street Journal. This information, on top of the reports that Trojan Horse software was installed on 300 servers in 300 Hannaford stores, is painting a picture of a retailer that seemed to be following accepted security procedures. The story reported that the software the cyber-thief created “intercepted the information as it went back and forth over a cable to a transaction processor in Denver. It was then transmitted to an Internet service provider somewhere outside the U.S.,” according to Hannaford marketing VP Carol Eleazer, who added that “it took a team of about 30 forensics experts and information technologists more than 10 days of round-the-clock troubleshooting to discover the malware.”
Hannaford Had Trojan Installed On 300 Store Servers, One Copy For Each Store
March 28th, 2008
The data breach at Hannaford involved a Trojan Horse that was installed on servers at every one of its 300 grocery stores, according to Hannaford officials. The software intercepted card data at the POS and then periodically transmitted them “to an unnamed offshore Internet service provider.” Those details come courtesy of a letter sent by Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Governor Deval Patrick’s Office of Consumer Affairs and Business Regulation, according to Hannaford officials and a report in The Boston Globe, which quoted from the letter. The chain decided to replace all of the servers to make absolutely certain the malicious programs were removed from the network.
FTC: TJX “Failed To Provide Reasonable And Appropriate Security”
March 28th, 2008
In the multi-year data breach at TJX—the worst in credit card history—the retail chain “created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text,” according to a complaint issued Thursday by the U.S. Federal Trade Commission. That report also found that TJX “did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks” and that it failed to “use readily available security measures to limit access,” and cited one crucial example: not “using a firewall to isolate card authorization computers.”
PCI Safe Harbor? In Your Dreams, Breach Boy
March 28th, 2008
If there’s one thing that can be said about CFOs, they love their absolutes. They love absolute assurances that if they do X-and-Y, they’ll be protected against Z. They like to buy liability insurance, buying into the line that shareholder assets will then be safe no matter what that boneheaded new Operations VP does in a year. They like Poison Pill plans, believing their lawyers that it will prevent them from ever being taken over. And, most recently, they are simply ga-ga for those who say that a PCI compliance letter means they are in a magical safe harbor, where they can do anything with their security that they want and be utterly immune from liability.
The Credit Cards’ Worst Nightmare: Perfect Encryption
March 28th, 2008
I was talking the other day with a subscriber, who happens to head up security efforts for a Fortune 50 retailer. Is it coincidental, he asked, that Visa, Mastercard and the others just about always end up on the other side of the security argument? Could it truly be that they have some kind of a long-term strategic incentive to keep security looking good, but not too good? I was skeptical. The security exec then asked an annoyingly thought-provoking question: What do you think would happen if retailers were given perfect encryption? Answering his own question (because I certainly wasn’t able to do it), he painted a picture of retailers who would use their perfectly-protected data and would confidently let it ride atop the public Internet. At that point, paying for the private security tunnels of a Visa or MasterCard would no longer be essential.
500-Store 2-D Barcode Launches In San Francisco
March 28th, 2008
The retail move to embrace 2-D barcodes that began with a Sears trial in December and strong interest from BestBuy, the Gap and Target is inching forward, with a 500-store trial starting Thursday in San Francisco. The trial, involving CitySearch, Antenna Audio and Scanbuy, is a fairly basic mobile integration effort. “More than 500 restaurants, shops and businesses reviewed by Citysearch are placing printed bar codes in their windows, and people who have Scanbuy software loaded on their phones can simply take a picture of the code and their phone’s Internet browser will immediately take them to the restaurant’s corresponding Citysearch page,” said a statement from the group.
Virtually Compliant: How Implementing New Technology Can Make Your Company Non-Compliant
March 28th, 2008
Guest Columnist David Taylor argues that virtualization technology has been around for a while, although interest in it has largely been confined to the seriously geeky among us. The primary benefits of virtualization are flexibility and scalability. It allows a company to “pool” computer hardware and create new applications, new servers, new networks, new data storage at the touch of a button and, in the process, reduce costs and administrative overhead.
Starbucks’ Revamped CRM Program Clever, But New Web Effort Misses The Mark
March 21st, 2008
When Starbucks used its shareholders’ meeting on Wednesday to roll out several new initiatives, the new coffee makers and blends got much of the attention. But two of the new plans—a revised CRM program and a new Web site—illustrate nicely how well Starbucks understands customer service and how it still hasn’t figured out the Web. The change to the Starbucks Card Rewards program shows not just an understanding of customer service, but a realization that the best way to make a CRM program successful is to focus on benefits—true benefits—for both the customer and the retailer. Instead of merely tracking purchases and offering small discounts (adjusting the price of a cup of flavored coffee down from ludicrously overpriced to merely absurdly overpriced; buy one more croissant and tomorrow you can enjoy a cup of Joe that is only insultingly overpriced), Starbucks is getting creative about rewards.
Does A Vendor Suddenly Consider Hannaford Not Pretty Enough To Tout?
March 21st, 2008
In a delicious game of “Now You See It. Now You Don’t,” a security vendor called Rapid7 had proudly told the world that Hannaford was a key customer. But when Hannaford’s breach was announced this week, all references to Hannaford quickly disappeared. And then reappeared. Company officials then stumbled over each other, offering contradictory explanations for it all. The changing official explanations were deliciously chronicled by NetworkWorld. But the gold medal award for illustrating the actual disappearing acts with wonderfully annotated screen captures goes to the Attrition.org site. If you want ideas on how not to handle a perception crisis, you’ve got to read them both.