Evan Schuman's StorefrontBacktalk

It seems a failure in an Oracle backup utility coupled with the failure of IBM hosting managers to detect it and to verify that a disaster recovery site was operational were the key factors in turning a standard site outage at American Eagle Outfitters into an 8-day-long disaster, according to an IT source involved in the probe.

The initial problem was pretty much along the lines of what StorefrontBacktalk reported on Thursday (July 29), which was a series of server failures. But the problems with two of the biggest names in retail tech–IBM and Oracle–are what made this situation balloon into a nightmare.

Last week, we pointed to the bizarre story of Brian Maupin, the Best Buy associate who made funny videos on the side and who was almost fired for it. This week, Maupin tried to remind Best Buy that it should never torment a guy who buys pixels by the virtual barrel.

He posted a video about a guy who was called on the carpet by his boss, accused of having used Twitter to make vague innocuous comments that his superiors saw as vicious assaults on the corporate brand. How does Maupin dream this stuff up? Even though this video is not in any way related to Best Buy (cough), it’s actually quite funny.

Loyalty cards are usually a way of tracking customer preferences and pitching new purchases—that is, they’re all about CRM. But Tesco, the world’s third-largest retailer,is stretching the concept in a new direction. The U.K. grocer is testing a ride-sharing program that lets Tesco loyalty cardholders sign up online to share car trips to three North London stores. What’s interesting is that Tesco’s ride-sharing Web site doesn’t just push rides to Tesco. It also encourages riders to use the service for commuting, getting kids to school and going to sporting events and shows.

Those activities aren’t likely to directly increase Tesco’s sales. But carpoolers who decide they like the service will have Tesco’s name in front of them every time they book a ride through the system, which is run by a non-profit organization called Liftshare. Still, as an online marketing effort, the Web site for setting up rides is oddly low-key: Customers can’t even click on the Tesco logo to go to Tesco’s own site.

Sometimes, retail innovation is knowing when not to play. And for $1.3 billion Pier 1 Imports, it sometimes can mean knowing when to play again. But this time around, the home furnishings chain is only going so far—and it’s not nearly far enough.

Back in 2007, after years of E-Commerce activity, the retailer shut down all of its Web activity to pour its efforts into in-store. In six weeks, though, Pier 1 is returning to the Web: as a brochure site only. You can see, but you can’t buy, unless you drive to a store.

The beauty of social media done properly is its honesty. That’s why major companies love the idea of social media much more than actually doing it. Part of the social media challenge is letting your employees share their views, which will encourage your customers to share candid views right back. This exchange creates that much-discussed customer dialogue. The problem is your employees may say things that make you uncomfortable. That’s the whole point, as Best Buy discovered with its Brian Maupin video incident. Maupin is a very creative Best Buy employee who made a wonderfully funny series of videos, including this one about a customer trying to buy an iPhone.

Upon learning that the video pointed out key weaknesses in a product it’s trying to sell (even though Best Buy is never mentioned or referenced), ridiculed customers and used colorful language, Best Buy suspended the creator. But after a huge amount of media coverage, the retailer decided not to fire Maupin, who quickly issued a statement saying he may not take his job back anyway. The social media lesson, though, is key. It’s easy to put out promotional Tweets. But when your employees truly try to create a dialogue, you need to have the stomach for it.

Against a backdrop of years of vigilance in protecting consumer privacy, a newly public Amazon Patent application raises a wide range of privacy concerns. The Patent Pending envisions making gift recommendations to strangers, leveraging Amazon’s legendary database of consumer data. It speaks of using third-party databases, in addition to its own, to suggest gift ideas for–in an example the Patent Pending actually uses–”single Protestant Asian women between the ages of 25 and 35 with disposable incomes greater than $50,000.”

And because Amazon’s new invention would make specific gift recommendations for anyone who asked, it raises the question of how easily crooks could go on private-data fishing expeditions, trying one gift after another to uncover personal details about their targets.

At this early stage of retail mobile, one of the ongoing fears involves text messaging acceptance. Beyond the general belief that younger consumers will embrace texting and older consumers will be repelled by it, there’s the assumption that men would warm to texting at all ages, given the guy love of gadgets. New stats from eMarketer challenge that assumption.

With a sample size of 1,729 and a survey done by Harris Interactive on July 1, the youngest segment clearly—and expectedly—showed strong acceptance of text alerts, with 42 percent support, with men about 10 percent more supportive (44 percent) than women (40 percent). But the surprise kicks in with the next group.

Earlier this week (Jan. 20), StorefrontBacktalk unveiled a new site design (and lots of programming changes behind the scenes), and we wanted to quickly rattle off some of what we hope readers will consider improvements.

Among the changes are a centralized search box, new categories and comments that are much more easily accessible.

“Unprecedented” problems with the United States Postal Service’s popular Click-N-Ship service probably had many holiday shippers clicking and cursing throughout the week, but a USPS spokesman said the worst was over by Dec. 12.

Eduardo Perez of Visa has called its fines for non-compliance "nuisance" fines. In other words, the fines are not large enough to be a big financial burden to retailers but are large enough to get the CFO pissed off about having to pay them and maybe large enough to get a CEO to at least show up for a meeting to discuss PCI.

In theory, these fines are designed to drive greater security awareness. In reality, they seem to be merely driving "fine avoidance." Only a minority of organizations—about 15 to 20 percent, depending on the specific topic—has anything close to a "strategic" view of security. Of those organizations, most are focused on a common security infrastructure, increased centralization and improved responsiveness to threats.

The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computers that security managers would rather they didn’t. Envision buyers or sales people in hotel rooms late at night trying to kill time. Could these people be doing things (e.g., downloading malware) that could bring down your company?

If they are not connected to the corporate network (and even if they are), you may not know about it until it’s too late and the malware has already propagated throughout your network.

Online shoppers, faced with retail Web sites that crash, "hang" or stop processing purchases in the middle of a credit card transaction, will have an ally during this year’s holiday shopping season.

Visa, long the key driver of compliance with the PCI security standards, is helping to clear up merchant and service provider confusion regarding the global deadlines for PCI DSS compliance. Sept. 30, 2009, is the date when "global merchants and service providers" (who operate in more than one of the Visa-defined regions) must attest that they do not store full magnetic stripe data (track data), security codes or PIN data after transaction authorization.

Sept. 30, 2010, is the date by which all service providers and Level 1 merchants have to submit reports on compliance.

We have previously argued that there are far-reaching implications of the Payment Applications Data Security Standards (PA DSS) for the merchant community, as they affect thousands of payment, infrastructure and business management applications. But some concerns raised by Jake Star, technology VP at HEI Hotels and Resorts, take this to the next level.

Star writes, in a letter sent to news media, that he has come across "a new way in which PCI is sapping our limited IT budgets. As a merchant, I’ve got to ensure that the point-of-sale applications I use are PCI certified. So I spent almost $1 million upgrading systems last year. The POS vendor has a .X release each year, so I have a combination of systems on version 1.1 and 1.2. This year, they released 1.3."

Companies are beginning to extend the protection of PCI-driven security controls to other confidential data, which is great. What is even better is that some service providers are finding they can leverage their PCI compliance to gain a competitive advantage when prospecting for customers who are looking for a simplified, independent guarantee that their data will be secure when it’s entrusted to the service provider.

In short, PCI is becoming a "security brand" with value in the marketplace.

I wrote in that there are changes in the PCI 1.2 standard that should increase the focus on risk assessment as part of an effort to be responsive to concerns about the perceived "checklist mentality" of the PCI standards. But in the last week I’ve been given an "earful" from merchants I’ve spoken with that the PCI SSC’s new Quality Assurance process is actually having the opposite effect.

Specifically, we are hearing that assessors, fearful of having their work more closely reviewed, are being very "letter of the law" when doing their assessments. There are several specific areas of security where this is affecting merchants, so we’ll offer advice about how best to address each of these problems, to avoid bloodshed between merchants and their assessors.

Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Applications Data Security Standard (PA DSS). If so, it’s only because they haven’t read the standard or don’t immediately grasp what’s involved. Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors.

Furthermore, because these applications are not generic "plug and play" software "modules," any changes will require changes to all custom code designed to integrate with ERP, sales audit, general ledger and other office management applications. In short, PA DSS is a much "bigger deal" than the 1.2 release of the PCI DSS.

The challenge of the week: What needs to happen to get smaller merchants to take PCI seriously and get them compliant with standards when they simply cannot afford 90 percent of the security products on the market?

I’ve come to the conclusion that there’s a technical approach that will address the lion’s share of the problem. Of course, like any former Gartner analyst, I felt the need to name it: "Remote Compliance Monitoring."

It seems clear that most retailers are adopting one of two distinctly different strategies when it comes to data security and compliance. Let’s label them Cost-Effective Compliance (CEC) and Compliance-Driven Security (CDS). Although both approaches are based on best practices and solid risk management principles, they lead to quite different spending patterns, technology decisions and business cultures.

Key questions include: Is one approach "better" than the other? Where does your company fit? What should you do next?

PCI DSS 1.2 CHANGES SUMMARY

FINAL

INTRODUCTION AND PURPOSE

The PCI Security Standards Council has announced that version 1.2 of the PCI Data Security Standards will be available for general use October 1, 2008. The purpose of this document is to provide high level guidance on the changes to be brought about with this key milestone standard revision. Version 1.2 is an update to the current version 1.1 and follows the established approved lifecycle process, which provides for revisions or new versions on a 24 month cycle. While version 1.2 will not introduce any major new requirements, it will include clarifying items designed to fulfill the following goals inherent to the PCI Data
Security Standard:

SUMMARY OF CHANGES

As noted above, the revisions to version 1.2 do not incorporate any new major requirements. Therefore the changes summarized below reflect the same six guiding principles and 12 requirements currently in force under version 1.1. Note that this summary of changes does not include all changes made in version 1.2. The PCI Security Standards Council reserves the right to make final revisions to version 1.2 prior to publication; this summary is for initial preview purposes only, and does not supersede PCI DSS v1.1. Once PCI DSS v1.2 is publicly released, PCI DSS v1.2 will be the official version and further guidance will be provided about effective and sunset dates.

Build and Maintain a Secure Network

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

…

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

Based on the PCI Standards Committee’s official "hint" about what will be in the 1.2 release, it appears that clarifying when and how virtualized servers can be PCI compliant didn’t make the cut. But before the server and security geeks start lighting their torches and getting all "vigilante" on the card brands, let me tell you why I don’t think this will matter.

Virtualization saves money. As a technology, virtualization—particularly server virtualization—is saving retailers money on hardware and IT management. In a down economy, cost reduction trumps compliance. Where virtualized servers and PCI compliance come to blows is PCI DSS 2.2.1, which says only one primary function per server. Because some merchants, assessors and acquirers think "physical server" when they read this standard, some merchants have limited the deployment of server virtualization to the dev/test environment.

Other merchants are making sure not to deploy server virtualization in the cardholder environment. Still others are deploying virtualized servers for applications with credit card, SSN and other confidential data, but they are careful not to put applications with different "trust levels" for different levels of access controls on the same physical server. The point is that if you want to use virtualization to reduce your IT costs, you just need to be careful about what applications you put on what types of servers.

Proof that virtualization is secure. We recently did a Webinar on the topic of how to prove that virtualized servers are secure enough to pass PCI assessments. Based on interviews with more than a dozen PCI assessors for the PCI Knowledge Base, it’s clear that in more than 75 percent of the cases we’ve…

Guest Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

At this week’s National Retail Federation CIO conclave, NRFtech, the CIO of J.C. Penney presented the keynote, which focused on the top five priorities for the business and the technical implications of these priorities. PCI compliance, perhaps not surprisingly, was one of these top five priorities.

During the discussion, the CIO, Thomas Nealon, commented that one of the biggest challenges when it comes to PCI is explaining to businesspeople why it’s a priority. This is a common refrain among merchants of all types and sizes. Because there are a lot of examples of this in the Knowledge Base, I thought we could discuss some of them, so that others may be able to use them in their own companies.

…

Veri?ed by Visa and MasterCard SecureCode: or, How Not to Design Authentication
Steven J. Murdoch and Ross Anderson
Computer Laboratory, University of Cambridge, UK

http://www.cl.cam.ac.uk/users/{sjm217,rja14}

Abstract. Banks worldwide are starting to authenticate online card transactions using the ‘3-D Secure’ protocol, which is branded as Veri¬?ed by Visa and MasterCard SecureCode. This has been partly driven by the sharp increase in online fraud that followed the deployment of EMV smart cards for cardholder-present payments in Europe and else¬where. 3-D Secure has so far escaped academic scrutiny; yet it might be a textbook example of how not to design an authentication protocol. It ignores good design principles and has signi?cant vulnerabilities, some of which are already being exploited. Also, it provides a fascinating les¬son in security economics. While other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology they got the economics wrong, and their schemes have not been adopted. 3-D Se¬cure has lousy technology, but got the economics right (at least for banks and merchants); it now boasts hundreds of millions of accounts. We sug¬gest a path towards more robust authentication that is technologically sound and where the economics would work for banks, merchants and customers – given a gentle regulatory nudge.
Introduction
Card-not-present transactions take place over the Internet, phone, or post, where the merchant and point-of-sale are not in the same physical location as the card and its holder. Fraudulent transactions of this type now account for a large proportion of bank fraud losses. In the UK, for example, it increased 118% from 2003 to 2008, when it accounted for £328.4m of losses to banks and merchants – over half the £610m total for all bank card fraud [3].
This rapid increase has been driven by the deployment…

If you’re seeing this note on your copy of the newsletter, it means you were suggested by David Taylor—former Gartner analyst, current president of the PCI Security Alliance—as someone who might be interested in the latest trends and news from the payment security arena, especially as it relates to retail and to the banking worlds.

This is a new newsletter from StorefrontBacktalk.com, which is a blog that covers retail technology and E-Commerce trends. I’m the editor of the newsletter and I also serve as the Retail Technology Editor for eWEEK and am also the former News Editor for InformationWeek and TechWeb. I’ve also covered retail and technology issues for RISNews, Consumer Goods Technology, the New York Times, BusinessWeek, ABCNews.com, Reuters, National Public Radio and a host of other media.

When 60 Minutes did a segment on TJX’s security issues last month, the only media source it linked to for more information was StorefrontBacktalk. They’re hardly alone, insofar as StorefrontBacktalk.com has been repeatedly linked to from the Wall Street Journal, Yahoo News, ConsumerWorld, Fox News and PCMagazine plus BusinessWeek, The Washington Post, Wired Magazine, CNET, ComputerWeekly and TechTarget, plus quite a few links from the intranets at Procter & Gamble and Target. In the retail arena, we’re repeatedly linked to from NRF’s Smartbriefs, RetailWire, RetailForward and lots of other retail publications.

As a journalist, I can promise you an unbiased look at the various security trends. As a columnist, I can promise you a non-passive voice that will at least try and put these issues into broader context The newsletter is free and we will , with more than a dose of attitude. We’ll never sell your name, as that is, well, tacky. Dave Taylor will be writing a regular column for the newsletter, looking at a wide range of security issuies. Thanks! Hope…

IN THE CIRCUIT COURT OF COOK COUNTY, ILLINOIS COUNTY DEPARTMENT, CHANCERY DIVISION
CHRISTINE DESANTIS, individually and ) on behalf of a class of similarly situated individuals, ) )
Plaintiff ) No.
) JURY TRIAL DEMANDED
v. )
) SEARS, ROEBUCK AND CO., ) a New York Corporation )
) Defendant )

CLASS ACTION COMPLAINT
Plaintiff Christine Desantis, on behalf of herself and a class of similarly situated
individuals, brings this action against defendant Sears, Roebuck and Co. ("Sears"). Upon
personal knowledge as to herself and her own acts and upon information and belief as to all other
matters, Desantis complains as follows:
VENUE
1. Venue is proper in Cook County because Sears resides in Cook County and
because the wrongful acts arose here.

PARTIES

2. Desantis is a resident of New Jersey.

3. Sears is an Illinois corporation with its principle place of business in Hoffman

Estates, Illinois, located in Cook County.

SEARS’S UNSECURED "MANAGEMYHOME" WEBPAGE

4. In an effort to promote its website and increase sales, Sears has established a web-based system to allow customers to view their purchase history on-line at www.managemyhome.com ("Managemyhome website").

5. Sears’s system, however, is fatally flawed and was designed in such a way as to significantly compromise the private information of its customers.

6. Sears’s system works as follows: A user goes to Managemyhome website, creates an account and logs-in. The user then need only enter in publicly-available information (such as the name, phone number and street address) of a Sears customer in order to view the customer’s history of on-line and even in-store purchases. The Managemyhome website provides detailed histories of past purchases, including model numbers, purchase dates, warranty information, and protection plans.

7. Moreover, the Managemyhome website will provide purchase history of all residents of a particular address,…