Trick Or Treat? New PCI Version To Be Here By Halloween
May 16th, 2008
By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering “Trick or Treat?” Robert Russo, general manager of the PCI Council and a man who never met an acronym he didn’t like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as “minor changes.” Read more.
Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too
May 16th, 2008
It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher. “As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers,” the indictment said. “Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants had to regularly reactivate the packet sniffers.” This group might even have had a hand in the TJX incident. Read more.
Delegation Can Be Good, And A Half-Dozen Other Security Tips
May 15th, 2008
From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to “deputize” internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement. These leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT. Read more.
TJX Gets 99.5 Percent Signoff With MasterCard Banks
May 14th, 2008
When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry’s worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing. No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent, the retailer announced May 14.
Applying Internet Security To RFID
May 14th, 2008
NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain. Applying Internet-level security to RFID is something that has not gone very far, according to this RFID Update story about the anticipated rollout. NeoCatena Networks is developing RF-Wall, an appliance to be installed between RFID readers or controllers and middleware servers, edge servers or host applications in networked RFID systems. The product acts as a firewall that authenticates RFID tags prior to allowing their data to pass into enterprise systems and also scans input to detect and block malware. RF-Wall works by using the unique tag ID to create a digital signature.
FTC To Hold Contactless Hearing In Seattle
May 14th, 2008
Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.” Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.
Arrests Made In California Debit-Card Skimming Scam
May 12th, 2008
California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain. The arrests were in connection with the debit-card thefts at California grocery chain Lunardi’s, where police say the pair swapped out part of the card-reader with a skimmer, according to this San Jose Mercury News story. It was unclear whether the data was collected by piggybacking on the store’s network, wirelessly or if thieves retrieved the data by re-swapping the machines later. The Lunardi’s store that was hit is based in Los Gatos. The paper also reported that a nearby Los Gatos Arco gas station suffered a very similar debit-card breach a couple of weeks earlier.
The Data Breach Librarian Actually Gets Paid
May 9th, 2008
The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen. Theodore Karantsalis had filed the lawsuit for several reasons, but one was to prove that consumers would fare far better—faster, easier and more money—in small claims court than as one of many in some class-action litigation. Read more.
The Dangers Of Choosing The Wrong Wireless Approach
May 9th, 2008
London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.
The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.
Opposition To Tokenization A Lot More Than Token
May 9th, 2008
GuestView Columnist David Taylor this week discovered that there’s a lot more than token opposition to tokenization. One of the concerns is that companies have already spent money on encryption. The most popular reason for not implementing tokenization is that companies have already implemented data encryption and key management systems costing hundreds of thousands of dollars, and either they did not feel they needed tokenization or they were unwilling to be perceived by upper management as “changing course” by recommending the removal of the data they just spent all this money to protect. Read more.
Rite Aid Cuts Deal For Visually Impaired Web, POS Support
May 2nd, 2008
Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups. The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe’s and Wal-Mart. The most prominent retailer who has fought such efforts is Target, whose legal battle continues. Read more.
Do Retailers Really Maintain A Secure Environment?
May 2nd, 2008
This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. You really should read the details in this story in New York’s Saratogian newspaper, but the essence is that a woman walks up to an ATM at a Hannaford’s grocery store. (Just what Hannaford needs right now. More police-oriented publicity.) She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves. Turns out that she worked for the ATM company, but the story asks why no one bothered to ask her what she was doing. Indeed, it’s a fine question. How many retailers have strict file access procedures, but would likely let a stranger plug a laptop into equipment without any questions? No, please, don’t answer that question. It’s too depressing to hear.
Number Of 10-Year-Olds On Social Sites Soaring
May 2nd, 2008
Like it or not (place this father defiantly in the “not” category), children are using the Internet’s social network sites at a younger age, with retail marketers hovering close by. How young? New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll. For 10-12-year-old girls, the figure is 27 percent, more than 2-and-a-half times the prior year’s 11 percent. In the 13-15-year category, boys jump to 46 percent and girls jump to 54 percent. Oddly enough, that 54 percent for 13-to-15-year-old girls actually dropped three percent from 2006.
NRF Group Offers Payment Consistency Guidelines
May 2nd, 2008
With an eye on retailers having to juggle payment systems between many varied environments–far beyond merely online and in-store–a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface, which it has dubbed “the first service-oriented architecture service interface schema and technical specification for the retail industry.” “By making existing POS transaction functions available as SOA Services, RTI will enable the business logic behind these services to be easily reused for other customer and associate touch-points such as self checkout, fuel at grocery stores, kiosks, shop on the web, store within a store, portable shopper, mobile line buster and other complementary store solutions,” said a statement from the NRF’s Association for Retail Technology Standards (ARTS). Execs with Big Lots and BJ’s Wholesale Club represented retailers in a committee dominated by tech vendors.
Best Buy Using IT To Try And Limit Geek Squad Snooping
May 2nd, 2008
With a privacy invasion trial about to begin, Best Buy’s IT department will be conducting more frequent remote audits of the chain’s Geek Squad tech support department. “Using powerful mainframes at Best Buy’s headquarters in Richfield, the company now scans several hundred Geek Squad computers each night to see if customer data is stored appropriately,” said a story in the May 1 edition of the Minneapolis Star-Tribune. “Previously, these audits were done only several times a year.” Best Buy is also setting up a system where customer files can only be viewed by the file names, without personal content. In addition, the retailer has now banned thumb drives by its Geek Squad technicians.
Which Do You Want, Buddy? Compliance Or Security?
May 1st, 2008
GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments. Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins and policies that are not enforced. Fixing this stuff is not expensive, but it’s not fun either. Read more.
Cash Usage Rising Sharply In Britain
April 29th, 2008
British retailers are seeing a resurgence in cash purchases, mostly due to a weak economy and consumers who are “nervous about borrowing or spending on debit cards,” according to a new report from the British Retail Consortium (BRC). The British retail group used the opportunity to beat up banks and card brands for overly high interchange fees. (Then again, retail lobbying groups need no special occasion to make such points, as they often volunteer them when asked about the weather.) But the question remains whether the consumer reactions that are pushing cash usage in the U.K. are likely to be replicated in other parts of the world. Read more.
Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
April 25th, 2008
Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars “but not tens of millions.” Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption (“customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network”), host and network intrusion prevention systems (“to proactively prevent malware from being installed in our systems”) and better payment segmentation. Read more.
Wal-Mart Makes RFID Privacy Promises To Arkansas State Legislators
April 25th, 2008
Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam’s Clubs by 2010, according to this BusinessWeek story. After checkout, customers would have the option of removing the labels containing the tags, Wal-Mart told the state legislators. “If a manufacturer installed the tag inside a container, workers would be able to deactivate it before a customer leaves the store,” the story said.
Is This Retail Payment Data Breach A Trend?
April 25th, 2008
Police near Canton, N.Y., are investigating a payment card data breach at a local retail chain that sounds oddly similar to the Hannaford and other related recent breaches. Is this a coincidence or a gang focused on retail data? The new information on the Canton WiseBuys breach has the data being grabbed during a system changeover between December 5 and December 20, 2007, according to this WWNYTV story.
Startup Promises Hard-To-Duplicate RFID Chips
April 25th, 2008
A difficult to duplicate RFID chip? That’s the claim of an RFID startup, which is using MEMS resonators to create a unique signal, or “voiceprint,” which can’t be cloned and can be used to authenticate the chip, according to this RFID Update story. “Each voiceprint is unique but falls within a defined band so separate readers do not have to be developed for each chip,” the story said. “However, MEMflakes can’t be read with RFID readers currently on the market.”
The Secret To Protecting All That Is Confidential
April 24th, 2008
GuestView Columnist David Taylor this week argues that one of the hardest parts of extending PCI controls to other confidential data is the application of Identity and Access Management (IAM) that crosses applications and platforms, without encountering the “analysis paralysis” that comes with trying to implement Single Sign-on. Because many organizations create policies specifically to comply with PCI standards, there are some policies that specifically single out cardholder data for special protection. These need to be rewritten to reference a data classification policy. If that doesn’t exist, then it needs to be created, and some examples of data in the “confidential class” other than cardholder data need to be provided. Read more.
Javelin Report: Retailers Have No Reason To Support Contactless Payment
April 24th, 2008
Although contactless payment has tremendous potential to advance payments and set the stage for mobile commerce, it’s suffering from benign neglect from both retailers and the card brands—and banks, too. That according to a new contactless payment report from analyst firm Javelin Strategy & Research. The key argument of the report is that none of the three groups of companies involved—the card brands, the issuing banks and key retailers—is spending the dollars to create true incentives to make contactless payment work, said lead report author Bruce Cundiff, who is Javelin’s director of payments research. “There is no effective value proposition for merchants and for wireless carriers,” Cundiff said. Read more.
A Trio Of Credit Card Conundrums
April 18th, 2008
If there’s one thing that the last year of credit card catastrophes has made undeniable it’s that mixing credit cards, retailers, banks and card brands is unpredictable and a lot more complex than anyone wants to believe. Whether it was last year’s TJX revelations about how bad security can get (TJX to the SEC: The bad guys were able to get a copy of our encryption key, but not to worry. They grabbed the data before we had a chance to encrypt it, so the joke’s on them) or this year’s Hannaford details, where a PCI-compliant retailer lost data in transit while it was flowing through a secure private pipe, almost every assumption today is being challenged. With that in mind, StorefrontBacktalk has been asking retailers, lawyers and other experts (and gadflies) for their favorite credit card security issue brain teasers. How many can you figure out? (No, there are no right answers, other than accepting cash.) Read more.
PA-DSS Formally Unveiled
April 17th, 2008
The PCI Security Standards Council on April 15 officially rolled out version 1.1 of the Payment Application Data Security Standard (PA-DSS). The specifics of the standard were spelled out last November and this is just the expected formal unveiling. This fall, the group said it will maintain a list of validated payment apps. Also this fall, the group is likely to introduce an entirely new version of the PCI specification. But that version is not expected to have any impact on which apps are considered compliant.
Extending PCI Standards To Protect All Confidential Data
April 17th, 2008
GuestView Columnist David Taylor this week questioned why PCI doesn’t protect non-payment card information, such as Social Security numbers. Any security consultant will tell you that it’s important to have a data classification scheme. Although it makes a nice spreadsheet, we have seen only a few leading-edge merchants and banks that actually attempt to enforce it and use it to drive access controls. Why? Taylor has concluded that it’s for a single strategic reason: “Data classification is boring.” Read more.
GuestView: Many QSAs Do Not Have The Background, Expertise To Assess PCI
April 15th, 2008
GuestView Columnist Joel Weise–the chief technologist for Sun Microsystems GSS Security Program Office–argues that although there are many qualified security assessors (QSAs), “a few who simply do not have the background and expertise in systems security manage to distort the original intent of PCI.” “A good QSA would ask not only if an antivirus package existed or if a firewall appliance was installed or if a unique user ID policy was followed, but also how these were designed, architected, implemented, configured and monitored,” Weise wrote. “A good QSA would ask to what security policy must applicable operational procedures adhere and whether anyone looks at the alerts and logs generated by the antivirus or firewall products.” Read more.
eBay’s Australia Experiment: Ban All Payment Methods Other Than PayPal
April 13th, 2008
As of June 17, anyone in Australia buying from eBay online will be told: “PayPal” or “Forget It, Pal.” With the exception of in-person pickups and cash-on-delivery, plus a handful of large-ticket items (specifically cars, motorcycles, aircraft, boats, caravans, trailers, commercial trucks, services, real estate and businesses) for sale, sellers will be required to offer eBay-owned PayPal as a payment method by May 21, in anticipation of the June 17 ban on anything else. Said eBay: “If we think these changes will significantly improve the buyer experience, we may expand them to additional segments of sellers or categories.” Read more.
Advance Auto Parts Breach Included Unencrypted Payment Data From 2001
April 11th, 2008
Unencrypted customer credit card information dating back to 2001 was among the customer payment data stolen from as many as 56,000 customers of Advance Auto Parts, according to one company official, who added that the chain is not PCI compliant. The $4.8 billion automotive aftermarket parts chain—which dubs itself the nation’s second largest such chain, with 3,261 stores in 40 states, Puerto Rico and the Virgin Islands—said the breach appears to have impacted customers from 14 of its stores in Georgia, Ohio, Louisiana, Tennessee, Mississippi, New York, Virginia and Indiana. Read more.
The Dangers Of Manual PCI Reviews
April 9th, 2008
Guest Columnist David Taylor sees manual reviews as one of the most serious threats to retail security. As one security manager put it: “We are so far behind in tracking down the alerts, we could have been breached a month ago and still not know it.” The heavy reliance on manual review of large volumes of security data is one of the major reasons why more security breaches of compliant companies are likely. PCI DSS is famous for its level of detail, laying out for merchants procedures for implementing and testing many different security controls. But PCI DSS does not tell merchants how they should actually manage all these alerts, which of these controls need to be integrated, or which of the procedures need to be automated. Read more.
Hannaford Kills TV Commercials After Station Reports On Data Breach
April 8th, 2008
Saying only that a TV station’s news coverage of its data breach was too “aggressive,” the Hannaford grocery chain has canceled its commercials from the Portland, Maine, CBS affiliate. The station, which announced Hannaford’s decision on its own news site, said the chain declined to cite any errors or problems with the coverage. This is a baffler. You have a media outlet in your community that is saying accurate but not nice things about you. What’s the response? Make sure you give up the one way you can give your side of the story by pulling your ads. I always get in trouble when I say this, but a better approach is to pull your ads from media that are already saying your side of the story for free and use that money to buy twice the ads on the other sources. That way, you get your message aired where it needs to be heard most. But that’s a lot less fun than punishing people who say stuff you’d rather not be said.
European Commission Cracking Down On Search Engine Privacy
April 8th, 2008
The European Commission is cracking down on search engine data-retention, with a new proposed rule that search engines should delete personal data about their customers within six months. The BBC News site said this recommendation is likely to be accepted by the European Commission and could lead to a clash with search giants like Google, Yahoo and MSN. “Google and MSN anonymise user data after 18 months, while Yahoo does the same after 13 months,” the BBC reported.
ISPs Tracking User Activity Much More Than Is Generally Known
April 6th, 2008
ISPs have been quietly expanding their use of deep-packet inspection. They are capturing everything a user does–to the point where “at least 100,000 U.S. customers are tracked this way, and service providers have been testing it with as many as 10 percent of U.S. customers, according to tech companies involved in the data collection,” said a new report in The Washington Post. The service providers exploring and testing such services have largely kept quiet–“for fear of customer revolt,” according to one executive involved who was quoted in the Post story. Each company allows users to opt out of the monitoring, though that permission is buried in customer service documents.
Virtually Instant Card-Swipe Encryption Device To Be Unveiled Next Week
April 3rd, 2008
Amidst the sea of security announcements slated for the next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption. Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security. The new unit uses Hidden Triple Data Encryption Standard (H-TDES) from a company called Semtek Innovation Solutions Corp. Its hardware unit is designed to deactivate if anyone succeeds in opening the case, making the planting of physical data-capture devices more challenging. Read more.
New Mobile Payment Patent Sidesteps Wireless Concerns
April 3rd, 2008
With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office has issued a trademark for a cellphone payment system that leverages current retail equipment and an instantly encrypted validation code, and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all. The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system. Read more.
Security Controls Are Useless If They’re Not Turned On
April 3rd, 2008
Guest Columnist David Taylor is baffled by how often security safeguards are purchased, installed and then not meaningfully used. It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward. Whether it’s leaving firewalls in learning mode or having database access controls that all but ignore the activity of authorized users–who may be capable of nastiness few cyber thieves could dream of–it’s an amazingly risky approach. Read more.
Restaurants Using Credit Card As Their Loyalty Card
April 3rd, 2008
A series of restaurant chains—including Subway, Tully’s and Brinker (Chili’s, Macaroni Grill, On The Border, etc.)—have been experimenting with a way to use regular credit and debit cards as loyalty cards. Although the merchant behind the program—Chockstone—stresses a variety of security mechanisms, the nature of the program itself seems to fly in the face of PCI guidelines that discourage using credit card numbers for anything other than payment transactions, similar to the unsuccessful attempts to get American businesses to stop using Social Security numbers as de facto employee and customer identification numbers. Read more.
The Legal Irony: A Secure Retailer Could Suffer More In A Breach Than A Reckless One
April 2nd, 2008
There is this fairy tale belief that legal justice in civil lawsuits punishes those who act poorly, while protecting and vindicating those who consistently do the right thing. Nowhere is this myth more wrong—indeed, polar opposite wrong—than when dealing with security breach issues of U.S. retailers. I’m going to try and avoid using modern-day chains to illustrate good and evil. Regrettably, I think it’s a safe bet that I am about two sentences away from failing that effort. Let’s take TJX as an example. (Only one sentence. I was close, though.) Based on various SEC filings and court documents, it’s clear that TJX engaged in a wide range of security procedures that were, to be charitable, less than diligent. But, as we’ve pointed out many times, the millions in expenses that TJX has had to spend had absolutely nothing to do with any alleged security sloppiness. Read more.
Is Hannaford Unique Or The Start Of A New Breach Trend?
April 2nd, 2008
Was the Hannaford data breach isolated or was it part of a sweep of similar penetrations? A Vermont ski resort is reporting an almost identical breach of card information in transit in February and an official there was told by law enforcement “that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.” Those new details–courtesy of a Computerworld story–suggest that this might soon become the norm. The Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February. “We can tell you that this was a real-time theft,” said Okemo spokeswoman Bonnie MacPherson. “The information was being taken as the cards were being swiped.”
TJX Offers To Pay MasterCard Banks As Much As $24 Million For Breach Costs
April 2nd, 2008
TJX will pay as much as $24 million to cover data breach losses suffered by MasterCard banks, assuming 90 percent of the banks agree to the settlement offer, TJX and MasterCard announced on Wednesday. TJX last year announced the world’s worst payment data breach, which impacted some 100 million cards. Participants “must agree not to seek or participate in any other recoveries that may be available to issuers and must also release MasterCard, TJX and TJX’s acquirers from all legal and financial liability associated with the TJX data breach,” a joint statement said. Those banks have 30 days to decide whether to accept the offer.
In Bankruptcy, A Firm Finds Out Its True Worth
April 2nd, 2008
Bankrupt Pay By Touch—officially using the name Solidus Networks—has sold off two key units for a total of $4.8 million. Phoenix Check Cashing dropped $4.2 million to pick up Pay By Touch’s check-cashing division, known as BioPay Paycheck Secure, according to The Nilson Report. Acculink paid $600,000 for ATM Direct, a unit trying to introduce PIN-based debit card payments for E-Commerce sites, the publication reported.
Amex Kills Its Payment Fob. Will Others Follow?
April 2nd, 2008
Pushing a convenience/ease-of-use argument, payment processors have spent much of the last two years trying to get consumers to use different payment methods. But 2008 has thus far not been friendly to them. This week brings the news that American Express is halting its ExpressPay keyfob, some six years after the payment giant started offering it. The program is expected to deactivate the last of its fobs by July. There are many reasons the fob may have died, but at least Amex—with six years of fob effort under its payment belt—can’t be accused of not giving the fob enough time to work. Read more.
Hannaford Breach Included Clear Text Sent Via Fiber-Optic Cable
April 2nd, 2008
The Hannaford data breach included payment information that was partly encrypted and partly clear text—and it was all transmitted over a private fiber-optic cable, according to a Hannaford official quoted in the Wall Street Journal. This information—on top of the reports that Trojan Horse software was installed on 300 servers in 300 Hannaford stores–is painting a picture of a retailer that seemed to be following accepted security procedures. The story reported that the software the cyber-thief created “intercepted the information as it went back and forth over a cable to a transaction processor in Denver. It was then transmitted to an Internet service provider somewhere outside the U.S.,” according to Hannaford marketing VP Carol Eleazer, who added that “it took a team of about 30 forensics experts and information technologists more than 10 days of round-the-clock troubleshooting to discover the malware.”
Beware The Razored Fake Payment Card
April 1st, 2008
A new type of payment card forger is making the rounds, this time armed with a razor blade and very little money. After the thief has been able to guess at random numbers and find a viable payment card, the culprit razors off the last few digits from a real payment card and KrazyGlues the guessed-at numbers onto the card. He/she then scratches the magstripe to force the cashier to manually enter in the digits, according to this nicely-done story from the Oregonian newspaper.
Hannaford Had Trojan Installed On 300 Store Servers, One Copy For Each Store
March 28th, 2008
|
The data breach at Hannaford involved a Trojan Horse that was installed on servers at every one of its 300 grocery stores, according to Hannaford officials. The software intercepted card data at the POS and then periodically transmitted them “to an unnamed offshore Internet service provider.” Those details come courtesy of a letter sent by Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Governor Deval Patrick’s Office of Consumer Affairs and Business Regulation, according to Hannaford officials and a report in The Boston Globe, which quoted from the letter. The chain decided to replace all of the servers to make absolutely certain the malicious programs were removed from the network. |
FTC: TJX “Failed To Provide Reasonable And Appropriate Security”
March 28th, 2008
|
In the multi-year data breach at TJX—the worst in credit card history—the retail chain “created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text,” according to a complaint issued Thursday by the U.S. Federal Trade Commission. That report also found that TJX “did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks” and that it failed to “use readily available security measures to limit access” and cited one crucial example: not “using a firewall to isolate card authorization computers.” Read more. |
PCI Safe Harbor? In Your Dreams, Breach Boy
March 28th, 2008
|
If there’s one thing that can be said about CFOs, they love their absolutes. They love absolute assurances that if they do X-and-Y, they’ll be protected against Z. They like to buy liability insurance, buying into the line that shareholder assets will then be safe no matter what that boneheaded new Operations VP does in a year. They like Poison Pill plans, believing their lawyers that it will prevent them from ever being taken over. And, most recently, they are simply ga-ga for those who say that a PCI compliance letter means they are in a magical safe harbor, where they can do anything with their security that they want and be utterly immune from liability. Read more. |
The Credit Cards’ Worst Nightmare: Perfect Encryption
March 28th, 2008
|
I was talking the other day with a subscriber, who happens to head up security efforts for a Fortune 50 retailer. Is it coincidental, he asked, that Visa, Mastercard and the others just about always end up on the other side of the security argument? Could it truly be that they have some kind of a long-term strategic incentive to keep security looking good, but not too good? I was skeptical. The security exec then asked an annoyingly thought-provoking question: What do you think would happen if retailers were given perfect encryption? Answering his own question (because I certainly wasn’t able to do it), he painted a picture of retailers who would use their perfectly-protected data and would confidently let it ride atop the public Internet. At that point, paying for the private security tunnels of a Visa or MasterCard would no longer be essential. Read more. |
Virtually Compliant: How Implementing New Technology Can Make Your Company Non-Compliant
March 28th, 2008
|
Guest Columnist David Taylor argues that virtualization technology has been around for a while, although interest in it has largely been confined to the seriously geeky among us. The primary benefits of virtualization are flexibility and scalability. It allows a company to “pool” computer hardware and create new applications, new servers, new networks, new data storage at the touch of a button and, in the process, reduce costs and administrative overhead. Read more. |
Facebook Losing Face After Major Privacy Glitch
March 26th, 2008
|
Social networking giant Facebook suffered a major privacy glitch this week, where strangers were able to download members’ supposedly private restricted photos. The Associated Press broke the story this week. “The Associated Press verified the loophole Monday after receiving a tip from a Byron Ng, a Vancouver, Canada computer technician. Ng began looking for security weaknesses last week after Facebook unveiled more ways for 67 million members to restrict access to their personal profiles,” the story reported. “But the added protections weren’t enough to prevent Ng from pulling up the most recent pictures posted by Facebook members and their friends, even if the privacy settings were set to restrict the audience to a select few.” |
New Washington State RFID Law A Far Cry From What Assemblyman Wanted
March 21st, 2008
|
Next Tuesday, it’s likely Washington state will have a new RFID law on its books, one that will be the first in the nation to make malicious stealing of data via RFID a crime. But the bill is a far cry from what the bill’s assemblyman sponsor had envisioned—and what he says he will still fight to get. The bill had been pushed by Assemblyman Jeff Morris. The final version of the bill—which Morris said he expects Washington Governor Chris Gregoire to sign into law on Tuesday—makes anyone guilty of a Class C felony if they “intentionally scan another person’s identification device remotely, without that person’s prior knowledge and prior consent, for the purpose of fraud, identity theft or for any other illegal purpose.” Read more. |
Does A Vendor Suddenly Consider Hannaford Not Pretty Enough To Tout?
March 21st, 2008
|
In a delicious game of “Now You See It. Now You Don’t,” a security vendor called Rapid7 had proudly told the world that Hannaford was a key customer. But when Hannaford’s breach was announced this week, all references to Hannaford quickly disappeared. And then reappeared. Company officials then stumbled over each other, offering contradictory explanations for it all. The changing official explanations were deliciously chronicled by NetworkWorld. But the gold medal award for illustrating the actual disappearing acts with wonderfully annotated screen captures goes to the Attrition.org site. If you want ideas on how not to handle a perception crisis, you’ve got to read them both. |
Pay By Touch Shuts Down All Biometric Services
March 21st, 2008
|
Just three months after filing for Chapter 11 bankruptcy protection, Pay By Touch officially pulled the plug on its remaining biometric transaction customers Thursday morning. Pay By Touch (officially Solidus Networks Inc. doing business as Pay By Touch) issued a statement on Thursday that it “regretfully announced today that it will no longer process biometric transactions on behalf of its merchant customers and consumer membership base, as 11:59:59pm March 19, 2008.” Read more. |
GuestView: PCI’s A Lot More Useful Than Some Perceive
March 21st, 2008
|
Guest Columnist David Taylor argues that PCI is a lot more necessary than some have recently suggested. For those who contend that PCI’s only purpose is to transfer risk from the card brands to the retailers, Taylor writes, “I’ve worked with a number of retailers on PCI projects over the past few years and, believe me, retailers already own the risk of a breach. It’s their brand on the line and they don’t need the card brands or their acquiring banks to tell them that.” Read more. |
GuestView Column: Does The PCI Security Council Understand Security?
March 21st, 2008
|
Guest Columnist Ed Adams argues that PCI has a long way to go and that the PCI Security Council isn’t helping very much. “The PCI Security Standards Council is made up of seemingly smart folks from the credit card brands and security industry. Unfortunately, this group of misfits is saddled with a myriad of competitive conflicts of interest and, worst of all, a complete misunderstanding of how to best protect card data and consumer identity,” writes Adams. Read more. |