StorefrontBacktalk - Techniques, Tools, and Tirades about Retail Technology and E-Commerce
Questions Surround Some 8,000 Macy’s Debit Cards That Got Charged Repeatedly
January 3rd, 2009

When Macy’s distributed a very cryptic statement on Dec. 23 that “some” debit card customers had seen “multiple” debits for single transactions, it went virtually unnoticed.

But questions quickly surfaced. For example, retailers have specific systems designed to catch multiple identical transactions from the same account. Why didn’t the Macy’s system catch anything until some accounts were charged two and even three times? One Macy’s manager familiar with the incident said it involved a Macy’s payment processor and that the connection with the processor “was experiencing a slowdown that day due to traffic or systems issues. When that slowdown occurred, that’s when the double charges occurred.” Read more.

Will Next-Gen CRM Focus On Consumer Emotions?
December 24th, 2008

Extensive analysis of a consumer’s Web interactions has been used for years to try and target sales pitches more effectively. But new research suggests that such analysis may pale in comparison to the next wave, where every digital comment made by consumers anywhere—in a product comment, an IM, on a social network site, in E-mail and via exchanges with a live chat tech support person, coupled with Web traffic analysis—can be mined for hints as to their emotions and other thoughts.

The science and technology of it is really not that far-fetched. The fact that so many consumers—especially younger consumers—today share so many of their thoughts and private moments in so many public settings alone would allow even a casual observer to learn quite a bit about someone. But it gets far worse. Read more.

In Down Times, Are Employees Approving Too Many Suspect Transactions?
December 16th, 2008

Online retailers are relying too little on automation to thwart online fraud, meaning too many employee hours are spent reviewing orders that shouldn’t have raised any flags of suspicion, according to a new report from security vendor CyberSource.

In publishing the results of its 10th annual survey of E-Commerce fraud, the California company said E-tailers continue to lose 1.4 percent of their online revenue to fraud (the same rate of loss CyberSource has seen since 2006) and they compound those losses by failing to sufficiently trust fraud-detection technology. Read more.

Five Trends That Will Change Retail Security
December 16th, 2008

Around this time of year, GuestView Columnist David Taylor starts to wax nostalgic about the good old days at Gartner when he used to make grand announcements about his vision for the future of technology.

To keep him off the streets, we’re letting him make more predictions. If you’re looking for comfort, you don’t want to Read more.

Dollar General Agrees To Use POS For Visually-Impaired
December 10th, 2008

Dollar General, the $10 billion discount retail chain, on Wednesday (Dec. 10) agreed to install specially-designed POS units intended to safeguard the privacy of visually-impaired consumers in all of its 8,300 stores in the U.S. “in less than eighteen months.” The intent is to give those shoppers an alternative to touchscreen interfaces by offering tactile keys.

The chain, which has already installed the units in “several stores in Texas,” according to a Dollar General statement, follows similar actions by other national chains including Rite Aid, 7-Eleven, RadioShack, Safeway, Trader Joe’s and Wal-Mart. The most visible chain to oppose such efforts has been Target, which settled its efforts with a $6 million payment in September.

Surviving IT Security’s Dark Ages
December 10th, 2008

The economy sucks so GuestView Columnist David Taylor suggests that this would be an ideal time to shift budget away from regulatory compliance and spend it on something that will actually make money for your company, like direct mail advertising.

No, he doesn’t actually believe that, but he has the feeling that some executives are on the defensive when it comes to maintaining a focus on their areas during these dark times. Read more.

Visa Card Holograms Shut Down POS Terminals
December 1st, 2008

In a trial of new holographic magnetic stripes for its payment cards, Visa found the cards “emitted an electrostatic discharge that caused POS terminals to shut down,” according to a report in The Nilson Report, a respected credit card industry newsletter.

The report, which said the problems happened “on very few occasions,” is why Visa is not using the same kind of holographic mag stripes as MasterCard and American Express, the newsletter said. The issue came up because Discover Card is now using the new technology on its cards, according to Discover rules that went into effect Oct. 16.

Visa Europe Testing A Reciprocal Authentication Card
November 29th, 2008

Visa Europe is starting a trial this month, initially limited to the United Kingdom, Switzerland, Israel and Italy, of a card with an 8-digit alphanumeric display, 12-button keyboard and a long-life battery, according to a report in The Nilson Report, a respected credit card industry newsletter.

The card has the ability to offer reciprocal authentication, which is designed to allow consumers “making transactions via phone or the Web a way to identify the party on the other end before transmitting identifying credentials,” the report said. Such a card could be extremely useful to E-Commerce efforts to thwart phishing sites set up to harvest credit card data from unsuspecting consumers visiting look-alike fraudulent Web sites.

CRM Chutzpa: Best Buy Credit Card Thief Sought Loyalty Rewards
November 27th, 2008

A group of credit card thieves in Seattle tried to maximize their profits by using their stolen credit card data to open a loyalty card account with Best Buy, where they could get extra benefits along with their stolen products, according to a federal indictment filed Nov. 19. One had tried a similar rewards scam with a Home Depot reward card and a Sears gift card.

According to a probable cause document, the defendants’ lack of discretion may have done them in. Best Buy regional loss prevention officer Steve Castillo “noticed a strange pattern of purchase activity,” according to the federal filing. How strange? The reward card was linked to 77 different credit card accounts between April 2007 and June 2008. And it was used to make 125 separate credit card purchases totaling $252,000, the filing said. Read more.

PCI Fines: Nuisance Or A Ticket To ROI?
November 27th, 2008

Eduardo Perez of Visa has called its fines for non-compliance “nuisance” fines. In other words, the fines are not large enough to be a big financial burden to retailers but are large enough to get the CFO pissed off about having to pay them and maybe large enough to get a CEO to at least show up for a meeting to discuss PCI.

In theory, these fines are designed to drive greater security awareness. In reality, argues GuestView Columnist David Taylor, they seem to be merely driving fine avoidance. Read more.

PayPal To Use Cellphones To Authenticate Payments
November 26th, 2008

PayPal has come up with yet another payment-related use of a cellphone: to authenticate a non-mobile E-Commerce transaction. Customers of the payment giant “can now choose to receive a unique six-digit security code via text message to their mobile phones prior to logging in to their accounts,” PayPal said in a Nov. 24 statement.

PayPal has already been using two-factor authentication with a physical device (the PayPal Security Key), but using SMS and mobile leverages hardware consumers already have. Consumers would have to use the codes in addition to their regular username/password combos.

Trying To Protect Payment Data When You Can’t Even Find It All
November 26th, 2008

The IT struggle with knowing where all payment data is—let alone trying to enforce rules that pretty much try and keep it there—was the topic of a StorefrontBacktalk podcast this week with our own PCI columnist, David Taylor, and security specialist J.D. Oder, the chief technology officer at Shift4.

Oder said most payment data security problems start with an employee error. These are typically employees who truly thought they were doing everything right, but they were undercut by a failed corporate infrastructure. Taylor’s approach was more basic: Retailers must put much less payment data into the hands of employees and return to a centralized approach, as painful as it will be and as backward as it will feel. To listen to these folks argue it out, please click here.

Amazon’s Gift Card Future: Personal, But Not Too Personal
November 20th, 2008

Amazon.com, which arguably has one of the most extensive retail CRM databases and purchase recommendation engines, envisions a Catch-22 future for gift cards. The key is making them more personalized, more customized. And yet, anything that hints of privacy violations is off-limits. It’s like a starving man being given the keys to a well-stocked food locker as long as he agrees not to eat anything.

Such is the plight of Michal Geller, Amazon’s director of consumer gift cards. Down the road, Amazon is toying with other ways to truly customize cards. But avoiding privacy issues, Geller said, is non-negotiable. “Anything related to privacy is off the table,” he said, forcing Amazon to focus on “some creative ways (that are) not creepy.” Read more.

TiVo And Domino’s Try E-Commerce Without The PC Or Phone
November 20th, 2008

As more retailers try to go where the customers are rather than getting them to come to the retailer, TiVo and Domino’s are taking the next logical step with a TV-as-E-Commerce-Device approach.

The trial is only available to a little more than one-fifth of TiVo’s 3.6 million subscribers (just those who pay for broadband TiVo) and is limited to those willing to pay cash. Still, the approach is quite interesting, at least for those who believe that convergence was a good idea ahead of its time. Read more.

Do You Have a Mobile Blindspot?
November 20th, 2008

The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computer that security managers would rather they didn’t. Envision buyers or sales people in hotel rooms late at night trying to kill time.

GuestView Columnist David Taylor asks if these people might be doing things (e.g., downloading malware) that could bring down your company? If they are not connected to the corporate network (and even if they are), you may not know about it until it’s too late, and the malware has already propagated throughout your network. Read more.

PCI Gotchas: 12-Year-Old Data And Publishing Encryption Keys
November 19th, 2008

Along the road to PCI compliance, many retailers get off on the wrong exit ramp. One consultant argued that IT far too often leaves the financial folk—the comptroller, in particular—out of the decision process, along with the payment processor. Those are two players who you really want to keep involved. Another complained of retailers who use tokenization and then printed the token on receipts without realizing they were publishing part of their encryption key to the world. Then there are the distant expiration dates from the card brands. Read more.

NRF Says Gift Card Spending To Drop
November 19th, 2008

Amidst an avalanche of hype about the desirability of gift cards this holiday season, the National Retail Federation on Tuesday (Nov. 18) predicted a six percent drop in gift card sales this season, from $26.3 billion spent during last year’s holiday season to a projected $24.9 billion for this season.

The largest factor hitting gift cards will be the traditional complaint that they are seen as too impersonal (cash is impersonal, too, but there’s something about a stack of greenbacks piled in front of a cozy fireplace that is hard to resist. Maybe that’s just a New Jersey thing). Read more.

How Much Do You Really Know About Your Security Consultant?
November 14th, 2008

The Web is overflowing with analysis of the TJX data breach disaster, but this posting from Plausible Deniability does a better job than most. What’s intriguing is the possibility that some of the indicted suspects may have worked as code writers in the light of day for some major companies, including Morgan Stanley.

With so much security outsourcing today, it raises some uncomfortable questions about how much you really know about the security specialists you now have working in your computer room.

Would CRM Work If Customers Had An On/Off Switch?
November 13th, 2008

Equifax on Thursday (Nov. 13) announced an E-Commerce CRM and payment card that consumers can activate and deactivate based on how they feel about the site they are visiting.

The credit database giant argued that such a card could potentially reduce “the need for companies to retain customers’ personal identification information, which could also result in the reduction of risks posed by data breaches.” Although that theoretically could be the case, the only way such a card—dubbed the Equifax online identity card—will be successful is if it’s adopted by a large number of retailers. And each of those retailers would have to be willing to surrender one of their most precious pieces of data: customer history. Read more.

Visa’s Global PCI Effort: Small Carrot, No Stick
November 13th, 2008

Visa, long the key driver of compliance with the PCI security standards, is helping to clear up merchant and service provider confusion regarding the global deadlines for PCI DSS compliance.

But GuestView Columnist David Taylor notes some unusual phrasing and concludes that Visa wants to ease the compliance process to get more service providers outside the United States on board. Read more.

Ohio Man Pleads Guilty To $1 Million Barcode Scam
November 6th, 2008

The defendant pleaded guilty to heading a conspiracy that netted more than $1 million by using phony UPC labels to obtain products and then sell them on eBay, according to this story in The Register.

Tommy Joe Tidwell, 35, of Dayton, Ohio, pleaded guilty to three felony counts, including conspiracy to use unauthorized access devices, use of unauthorized access devices, and mail and wire fraud. The best part of the story, though, is that it shows the ineffectiveness of using ratings to sort out legit from non-legit sellers. “As was the case with an airport baggage handler charged with stealing passengers’ stuff, Tidwell’s eBay account enjoyed a stellar reputation. Out of 522 comments left, only four were negative, giving him a positive feedback rating of 99.2.”

One More Charged In TJX Breach
November 6th, 2008

Federal prosecutors have apparently accused a New York man of providing a sniffer program to help the TJX cyberthieves steal payment data. The fact that 25-year-old Stephen Watt has been charged with unlawful access to computers, wire fraud, aggravated identity theft and money laundering is not in dispute, nor is the fact that he has been accused of delivering a sniffer program to accused TJX mastermind Albert Gonzalez.

But the feds have been vague about whether Watt was involved in the TJX data heist, even though the timing of the accusations would seem to place him in the middle of the largest payment card data breach ever, according to this Computerworld story. Watt allegedly provided a sniffer program that allowed Gonzalez and other gang members to identify and capture credit and debit card data traveling over the networks they had broken into. In January, Watt edited and modified a sniffer program dubbed “blabla” that was used by the gang and stored in a server with a Latvian IP address, according to the story.

MasterCard Pushing NFC Mobile Program
November 6th, 2008

MasterCard’s PayPass is ramping up its mobile program with an over-the-air provisioning service to supposedly make it easier for consumers to personalize their payment data on their mobile devices.

As long as a consumer has a phone using Near Field Communications (NFC), MasterCard says the program should work. “First, the PayPass application is securely transferred onto a secure area of the consumer’s mobile phone via the mobile network. Next, the PayPass application is personalized with the consumer’s individual payment account details,” a MasterCard statement said.

PCI Avoidance Strategies
November 6th, 2008

Without a doubt, the most popular strategy for dealing with PCI compliance and data security is avoidance, writes GuestView Columnist David Taylor. Not unlike the game of “hot potato,” which dates back to the pilgrims, the goal is to find someone who is willing to put up with the hassle of PCI compliance and then give that person all the credit card data.

Whether you call it outsourcing or tokenization, software-as-a-service, virtualization or even, gasp, cloud computing, it’s essentially a “risk avoidance” strategy. However, most of what we see is more avoidance than strategy. Read more.

Costco’s Embrace Of Online Customer Comments Illustrates How Innocuous They Are Now Viewed
October 30th, 2008

When Costco on Monday (Oct. 27) announced that it would support—for the first time—customer comments on its products, the move was less noteworthy for the $71 billion chain’s late-to-the-party embrace than for what it says about the industry’s acceptance of a once much-feared feature.

Costco’s deployment of Costco Reviews went out of its way to avoid anything controversial or, for that matter, innovative or creative. Almost all of the functionality has been outsourced to an Austin-based social commerce vendor called Bazaarvoice, which will review all comments and post them within 24 hours, once any profanity or “completely inappropriate” comments are removed, said Ginnie Roeglin, Costco’s Senior VP for E-Commerce. Read more.

The Old PCI Squeeze Play
October 30th, 2008

The position that there are far-reaching implications of the Payment Applications Data Security Standards (PA DSS) for the merchant community is hardly new, as they affect thousands of payment, infrastructure and business management applications.

But GuestView Columnist David Taylor argues that some concerns raised by Jake Star, technology VP at HEI Hotels and Resorts, take this to the next level: the old squeeze-play level. Read more.

Will Retail IT Be Spared The Recession?
October 29th, 2008

Although there is little doubt that the United States is in for a very rough economic period over the next half-year or more, there is ample reason to believe that retail IT may escape mostly unharmed.

Let’s not get too optimistic here. “Mostly unharmed” doesn’t mean escaping untouched. But it does mean that when large companies—especially retailers—have to suddenly make do with a lot fewer people, they need that good ole IT magic more than ever. They need the efficiencies that IT promises and the employee-replacing devices that IT enables. Read more.

Could Software Allow Shelves To Look Back At Consumers?
October 23rd, 2008

Technology that has been deployed to digitally watch—and analyze—how consumers interact with digital signage could also be used to interpret what they are doing while looking at a cereal shelf.

Are they ignoring the product or are they picking it up, reading the label and then quickly putting it back? Does the timing and eye movement indicate they were repulsed by the sugar content (near the bottom) or the low fiber count? Read more.

PCI Group Figures Out That The Word “Vendor” Is The Anti-Credibility
October 23rd, 2008

The group originally called the PCI Alliance, which changed its name to the PCI Security Vendor Alliance on Tuesday (Oct. 21), has changed its name again–this time to the Payment Card Industry Security Alliance (PCI SA). Mercifully, it never bothered to change its URL, so it’s still pcialliance.org.

“By removing ‘vendor’ from our name, we broaden our appeal to merchants as well as vendors, thereby making it easier for the two to work together on creating PCI compliance solutions and best practices,” said Alan Bird, president of the PCI SA. Yep. But also, the impression that a PCI Vendor group was simply trying to sell stuff was hard to shake.

Study: Identity Thieves Swarm To English Speakers
October 23rd, 2008

E-Commerce customers who speak English are “the most frequent victims of identity theft, twice the rate of France, Germany and Spain,” according to a study released Tuesday (Oct. 21) by PayPal. The E-mail survey of 1,000 consumers was conducted this summer and examined six countries: the United States, Canada, France, Germany, Spain and the United Kingdom.

The survey touched on quite a few possible causes, but this was our favorite, even though it didn’t explain the language preference: “The survey found that about 40 percent of consumers in all six countries use social networking sites and some of these consumers display personal information that they also use for passwords.” I’m reminded of the line from Butch Cassidy and the Sundance Kid where Butch says he has no idea why he’s always broke, to which a colleague points out that he’s a really bad gambler, is always buying drinks for everyone, taking expensive vacations and is a soft touch. Butch replied: “Well, that might have something to do with it.”

Could Japanese Mobile CRM Pilot Serve As Mobile Payment Prototype?
October 22nd, 2008

A major Japanese mobile phone loyalty card trial slated to run from February through June of next year might prove to be a powerful prototype of how other countries might deploy mobile payment networks.

The trial features three retailers: a small technology café; a midsize, regional Tokyo-area chain; and one of Japan’s largest retailers–Bic Camera, whose revenue last year was roughly equivalent to $6 billion. The trial’s goal is to show that the consumer phones can hold the loyalty card data of more than 100 retailers, depending on how much data each retailer wants to store. Read more.

When PCI Compliance Is A Competitive Advantage
October 22nd, 2008

Companies are beginning to extend the protection of PCI-driven security controls to other confidential data, which is great, argues GuestView Columnist David Taylor.

What is even better, he says, is that some service providers are finding they can leverage their PCI compliance to gain a competitive advantage when prospecting for customers who are looking for a simplified, independent guarantee that their data will be secure when it’s entrusted to the service provider. In short, PCI is becoming a “security brand” with value in the marketplace. Read more.

Report: Power Attacks On Credit Cards Still A Major Threat
October 19th, 2008

It’s hardly a new payment card security threat, but what has become known as differential power analysis (DPA) is still very much a threat on most payment smart cards, according to a report in this week’s Nilson Report, a well-respected newsletter covering payment issues.

A DPA attack, as described in the report, takes advantage of the electrical impulses inherent in any smart card. “The silicon chips embedded in smart cards consume power whenever they process payment data and it is possible for criminals to measure these power fluctuations surreptitiously and then analyze them to decode the secret keys that secure the data,” the report said. Read more.

Wal-Mart, Amazon Learning That Product Downloads Are Harder Than They Look
October 14th, 2008

The last few weeks have not been kind to the product download efforts of retail giants. Last month saw Amazon inadvertently giving away tons of music and video downloads, courtesy of a glitch in Adobe’s encryption approach.

This month, it was the turn of Wal-Mart (or Walmart, depending on whether the reference is to online or a store. Of all of the people trying to derail merged channel efforts, Wal-Mart/Walmart’s branding people are the Supreme Emperors). Read more.

Is Wegmans’ Self-Checkout Trial Truly For Customer Service?
October 14th, 2008

When supermarket chain Wegmans confirmed this month its first-ever self-checkout trial, it was billed as a customer service feature. That’s technically true, but only in a very roundabout way.

The implication in the customer service comment is that shoppers can get checked out more quickly with a self-service unit. That’s actually not often the case. Read more.

New European Card Data Theft Ring Raising China Questions
October 13th, 2008

A report this week from The Wall Street Journal about a European “credit-card fraud ring that funnels account data to Pakistan” and “uses untraceable devices inserted into credit-card readers that were made in China” sparked a lot of retail interest, but it’s unclear how widespread or innovative the attacks were.

A U.K. trade group that often speaks for European retailers on payment issues has gone on the record, trying to tone down the crime reports, claiming there is no evidence linking these crimes to either Pakistan or China. Read more.

New QA Review Toughens PCI Assessors
October 13th, 2008

When GuestView Columnist David Taylor wrote last week about PCI 1.2 changes, he received quite an earful from readers that some changes are having an even more strict impact.

Specifically, we are hearing that assessors, fearful of having their work more closely reviewed, are being very “letter of the law” when doing their assessments. Read more.

A Look At The Latest State Data Protection Laws
October 12th, 2008

Even though Calif. Gov. Arnold Schwarzenegger gets all of the publicity when he repeatedly vetoes the state’s payment card data protection legislation, similar data protection efforts in Nevada and Massachusetts have been much more quiet.

This comprehensive Washington Post story looks at some of the less well-known state law change attempts.

Yes, Virginia, There Really Can Be A Strategic Kiosk Strategy
October 9th, 2008

If you’re going to be in New York City on Wednesday (Oct. 15), you might want to drop by the StorefrontBacktalk panel on strategic kiosk use (yes, there is such a thing) at the Javits Center during the KioskCom/Self-Service Expo show.

We’re going to start things off by examining Home Depot’s kiosk approaches and concerns (one of our panelists has been working on it for months) and then debate the security risks of kiosks, the difficulties of POS (and back-office) integration and—for laughs—talk about some of the more futuristic robotic kiosks in the wings. It’s from 3:15 to 4:15 PM and we’d love to have you join us. Someone needs to ask probing questions. If you don’t, I’ll have to, and what fun would that be?

Major Japanese Retailers Plan Mobile Phone Reward Card Trial
October 9th, 2008

Japan’s NTT and three large Japanese retail chains—Bic Camera, Nojima and Runsystem—confirmed Thursday (Oct. 9) a trial that the group says will “securely integrate the reward cards of more than 100 retailers into a single mobile phone.”

NTT will run the contactless card trial—called Gyazapo—from February to June 2009. “Once a dedicated application is downloaded into the phone, (the system) enables loyalty points, ID photos and other membership information of multiple retailers to be registered under a single platform,” according to an NTT statement.

Staples Re-Usable RFID Trial Expanding To 10 More Stores
October 9th, 2008

The Staples Canada trial with re-usable RFID active tags has worked out well and will be expanded to 10 more stores by the first week of December, but it’s the security arrangements around the devices attracting the most attention.

In an attempt to minimize fraudulent removals, the software has several rules. First, a button on the POS must be accessed to disassociate the tag from the item. Second, the tag cannot be disabled more than one foot from that POS unit without setting off an alarm. Read more.

How Independent Are PCI’s Software Testers?
October 8th, 2008

Fellow blogger Steve Sommers, over at Shift4, has been following up some of his sharper comments from last week about PCI’s efforts to charge listing fees to get on the official list of PCI-compliant applications. He made such an elegantly clean argument on Tuesday, I felt the need to share.

“PCI’s justification for the fee is that they want to be self sufficient and independent for the card brands. This is good in theory if you ignore two glaring obstacles,” he wrote. “First, the card brands make up the entire executive committee. And two, a majority of the General Managers and Working Group Chairpersons (possibly all, some titles are missing) are people that represent the card brands.” I’ve disagreed with Sommers from time to time, but that’s a hard argument to ignore.

T-Mobile Admits To Losing Data From 17 Million Consumers
October 8th, 2008

In 2006, T-Mobile lost “a storage device with 17 million mobile telephone data records” that included “names, addresses and cell phone numbers, (and) the data, in some cases, also included the date of birth or E-mail addresses,” T-Mobile said in a statement this week. Why are we just hearing about this now? T-Mobile never bothered to announce it until the data started surfacing on the Web and German media started reporting it.

“We are very concerned by the fact that the incident from 2006 is relevant once again. Until now, we were under the assumption that the data in question had been recovered completely as part of the investigations of the public prosecutors’ office and were safe,” said Philipp Humm, Managing Director at T-Mobile Deutschland. Not to worry, though. T-Mobile said that it has now “intensified their security measures.” The first example the company cited: “complex passwords have in the meantime become a technical necessity.” Gosh, it was probably a necessity in 2006, too.

Using Risk Management Tools To Reduce PCI Costs
October 8th, 2008

Many retailers have done little to formalize their IT risk management process, and simplistic spreadsheets with arbitrary (or non-defensible) risk levels and a cute “stoplight” (i.e., red, yellow, green) summary are common, argues GuestView Columnist David Taylor.

Network segmentation is still not a requirement, for some reason, but it’s the single action that will save you the most money in the assessment. With the 1.2 version, there is increased focus on proving that the network segmentation is “adequate.” A network diagram is required as well. Read more.

PCI 1.2: Waives QSA Requirement, Specifies Shred Details
October 2nd, 2008

When the PCI Council officially unveiled PCI 1.2 on Wednesday (Oct. 1), it included virtually no meaningful changes from the key changes PCI had announced back in mid-August. But far from the mild tweak officials had described, the final PCI 1.2 version actually includes dozens of wording changes, most of which reflect technology changes since 1.1 was released two years ago.

Although saying that qualified professionals must do evaluations, it now specifically says that the tester is “not required to be a QSA or ASV.” Read more.

As Kiosks Become More Sophisticated, Security Risks Soar
October 2nd, 2008

When a manager tries to connect a new kind of device to a network, IT is typically all over it, trying to discover potential security issues. But the much bigger risk is when a longtime network element, one that has been seen for years as innocuous and trivial, slowly becomes more intelligent and connected and quietly morphs into something that is anything but innocuous.

It happened five or six years ago when printers, faxes and scanners started getting direct access to IP—so a worker in Chicago could scan a document in and have it print out in the company’s Los Angeles and New York offices. These devices were getting smart (more CPU, RAM, hard disk) and connected. But few IT departments initially thought about the security of such devices, and they became an ultra-easy way to sneak into the LAN and get access to something more valuable. Today, that identical scenario is starting to play out with kiosks. Read more.

PA DSS Is Remarkably Misunderstood
October 2nd, 2008

Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Application Data Security Standard (PA DSS). If so, it’s only because they haven’t read the standard or don’t immediately grasp what’s involved.

Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors, argues GuestView Columnist David Taylor. Read more.

An On-Off Card Patent
October 1st, 2008

A U.S. Patent for a payment card that can be turned on and off was issued last year with little fanfare, but its owners are now starting to shop it around to retailers and banks. The premise is that when the consumer turns off the card, neither the card nor its associated numbers can be used for any purchases.

If it works, this could represent a different payment data strategy, because it would make the card data useless to a thief. The full Patent description also discusses how a mobile phone can be integrated into the process for additional payment authorizations. That phone would alert the consumer if someone tried using the card. Read more.

SecureStore: A Bundle By Any Other Name Still Smells Of Marketing
October 1st, 2008

Why do vendors—including some top-notch vendors—insist on taking something very good and trying to make it into something it’s not? Why bother? It’s as though the need to hype was some prenatal attribute their genes absorbed when their mothers saw too many used car commercials. We’re used to these sorts of stunts from Oracle and SAP, but this week it was IBM with its SecureStore rollout. IBM has for years done excellent work with security products and consulting.

And product bundling—especially when part of the bundle is services such as consulting and custom integration—is a perfectly respectable strategy that can be quite useful to end users. But IBM on Wednesday (Oct. 1) announced a very nice bundle of its security offerings while going out of its way to deny that it was a bundle, as though a bundle was somehow tainted and beneath the company. Read more.

Visa Launches U.S. Mobile Phone Money Transfer Pilot
October 1st, 2008

Visa is running a mobile phone trial where consumers will be able to transfer money using their phones to any other Visa user. “The pilot, which is intended to begin by the end of 2008, is the first U.S.-based trial testing mobile money transfers between Visa accounts,” Visa said, but it has already been doing it in 13 countries in Europe, the Middle East and Asia.

Visa also said it will be working with cell phone maker Nokia to create a contactless payment phone that will include discounts and other ads from retailers and that it will be working to create mobile payment services for Google’s Android platform. Not all observers are favorably impressed.

Forever 21: Assessor Missed 5-Year-Old Transaction Data
October 1st, 2008

As more details drip out from Forever 21’s data breach of almost 100,000 payment cards, the chain now says it had been certified PCI compliant, despite having stored complete card information from as far back as 2003.

“The files were inadvertently retained within other data files and this was not uncovered by the assessor,” a statement from the chain said. This is proving to be a frightening trend, with retailers believing they are compliant and much later on discovering various pockets of forbidden data scattered through their networks. One of the problems in this case—and it could be argued it’s a problem with PCI itself—is that it’s up to the retailer’s IT person to map out the networks for the assessor. Read more.

Breach Update: Forever 21 Stored 5-Year-Old Transaction Data
September 25th, 2008

New information released by Forever 21 confirms that the almost 100,000 credit and debit cards accessed from the chain in a breach included transactions from 2003 through 2005, which were stored on a corporate data center, apparently in violation of PCI rules.

Unlike some of Forever 21’s fellow retail chain victims in the so-called TJX Breach case—including TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority and DSW—Forever 21 now says that wardriving was not involved in its breach and that the data was accessed directly from the corporate data center. Read more.

Second TJX Case Defendant Pleads Guilty
September 25th, 2008

A second defendant in the so-called TJX Breach case—which also had at least seven other major retail chains as fellow victims—pleaded guilty Monday (Sept. 22), this time to charges of conspiracy, unauthorized access to computer systems, access device fraud and identity theft.

The accused, Christopher Scott, a 25-year-old Miami resident, pleaded guilty after prosecutors said they could prove that he was paid $400,000 for assisting a retail wardriving scheme. Scott’s plea follows the Sept. 11 guilty plea of fellow Miami resident Damon Patrick Toey.

Best Buy Incident Raises Call Center Security Question
September 25th, 2008

A recent Best Buy incident raises an interesting security question: What call center verification methods should be used to authenticate customers before allowing them to cancel or change an order?

The story involves a Best Buy manager who supposedly couldn’t honor a buy-online-pick-up-in-store order, so he simply called customer service, pretended to be the customer and canceled the order. To make this work, the authentication details would have to include something that a store manager couldn’t find, such as a password. Read more.