|
As details of the Hannaford data breach trickle out, the familiar data breach pattern of apparent inconsistencies has emerged.
For example, Hannaford’s people have been stressing to reporters that they were PCI compliant and, indeed, that they not only were certified compliant in Spring 2007, but that they were re-certified compliant in February 2008. But that raises more troubling questions than it offers comforting assurances. As a Level 1 retailer, Hannaford is only required to undergo a PCI assessment once a year. If they were compliant in the Spring—regardless of which month it was—it seems eyebrow-raising that they would have sought another assessment so soon. Read more. |
By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering "Trick or Treat?"
That which keeps consumers satisfied seems to be part of an E-Commerce site's culture, as top (and bottom) players tend to show little movement, year to year. The latest results from measurement firm ForeSee Results seem to reinforce that.
From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to "deputize" internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.
It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster's restaurant chain. But according to a federal indictment and U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.
When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry's worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing. No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent.
NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.
Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle "to explore the growth of contactless payment systems and the implications for consumer protection policy."
Guess this is what the cliche-afflicted would call a "sign of the times." Macys is killing the Bloomingdale's catalog while Amazon.com is selling copies of Bloomingdale's 1886 catalog for $12. (Can you imagine the number of out-of-stocks in that thing?)
For e-tailers who still think that Web video may be a fad, consider this stat: In March, U.S. Internet users watched 11.5 billion online videos. That's a 13 percent gain from the prior month and a 64 percent gain from the identical month the prior year, according to Comscore.
Thanks in no small part to soaring traffic on YouTube, Google for the first time took the top slot in American consumer reach in April, besting Yahoo. But it took that top slot just barely, reaching 141 million Americans in April. Yahoo ranked second with 140.6 million visitors.
California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain.
With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it's not a bad idea to focus on what will truly decide whether these machines do anything to help retailers.
With the nation's largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I'd rather take my chances at rolling a 10 the hard way.
Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy.
The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.
With its sites being unavailable for barely one hour over four months, MySpace has the best uptime of any major social networking site and Twitter (more than 37 hours of downtime during the same period) has the worst.
London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.
GuestView Columnist David Taylor this week discovered that there's a lot more than token opposition to tokenization. One of the concerns is that companies have already spent money on encryption.
Microsoft on Saturday (May 3) gave up its efforts to acquire Yahoo, declaring such an effort too expensive. "Despite our best efforts, including raising our bid by roughly $5 billion, Yahoo! has not moved toward accepting our offer," Microsoft CEO Steve Ballmer said in a letter to Yahoo CEO Jerry Yang.
Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups. The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe's and Wal-Mart.
As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let's say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday.
Like it or not (place this father defiantly in the "not" category), children are using the Internet's social network sites at a younger age, with retail marketers hovering close by. How young? New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll.
This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. A woman walks up to an ATM at a Hannaford's grocery store. She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves.
With an eye on retailers having to juggle payment systems between many varied environments—far beyond merely online and in-store—a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface.
With a privacy invasion trial about to begin, Best Buy's IT department will be conducting more frequent remote audits of the chain's Geek Squad tech support department.
Microsoft is "leaning toward going hostile in its pursuit of Yahoo," with an announcement "likely" on May 2.
GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments. Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives and encryption keys that are never changed. Fixing this stuff is not expensive, but it's not fun either.
Google says it has concocted a better way of searching for Web images, one that involves image-recognition to "see" what the image depicts as opposed to just reading the accompanying text. This technique, called Visual Rank, has tremendous potential to shake up E-Commerce, which heavily relies on product images.
Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."
Pizza Hut is taking the "other people who bought also liked" approach mastered by Amazon.com and is trying to apply it to pizza and breadsticks and their own Web site. The service initially sounded like an ordinary Web upsell package, but a demo of the service suggested it might be more sophisticated than that.
The E-Commerce folk over at the National Retail Federation—Shop.org—are not so quietly putting out feelers for a new VP gig to pull in other e-tailers.
Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam's Clubs by 2010.
A difficult to duplicate RFID chip? That's the claim of an RFID startup, which is using MEMs resonators to create a unique signal, or "voiceprint," which can't be cloned and can be used to authenticate the chip.
EBay's PayPal is following the path set by other alternative payment players and is starting to appear in physical stores. It's not a huge chain, but it's a start. Moosejaw Mountaineering and its seven stores will now accept PayPal and the chain is also starting to use in-store kiosks to display online customer reviews.
We've been seeing a bizarre trend this national recession. It seems to be hitting hard the companies that expected to be hit, the ones that cut back spending in anticipation of the downturn. Lo and behold, after cutting back on customer service and marketing programs, they see revenues fall. Did they correctly predict the sales drop or did they unintentionally cause the sales drop?
Starbucks on April 23 cut back its financial projections for the year, citing continuing declines in its store traffic, especially in California and Florida. This is announced just a few weeks after Starbucks said it would shake up its Web presence.
China POS shipments soared some 19 percent last year, figures that show China's retailers quickly becoming some of the biggest POS purchasers in the world, according to a new global POS report from consultancy IHL Group.
One of the most annoying parts of many a casual restaurant outing is at the end, when you just want to say "Check, please" and all wait staff seems to sense this and decide instead to join the Waitress Relocation Program. Microsoft has created a device that permanently sits on the table.
The National Retail Federation's Shop.org is lobbying the U.S. Federal Trade Commission to not flag consumers when their shopping behaviors are being tracked online, arguing that it would merely serve to frustrate those consumers.
In case there are two or three of you who are still skeptical about whether Web video will have an impact, consider these new figures. In February, U.S. Internet users viewed more than 10 billion online videos, which represents a 3 percent gain versus January (despite February being two days shorter) and a 66 percent gain versus February 2007, according to ComScore.
GuestView Columnist David Taylor this week questioned why PCI doesn't protect non-payment card information, such as Social Security numbers. Any security consultant will tell you that it's important to have a data classification scheme. Although it makes a nice spreadsheet, we have seen only a few leading-edge merchants and banks that actually attempt to enforce it and use it to drive access controls. Why? Taylor has concluded that it's for a single strategic reason: "Data classification is boring."
The PCI Security Standards Council on April 15 officially rolled out version 1.1 of the Payment Application Data Security Standard (PA-DSS). The specifics of the standard were spelled out last November and this is just the expected formal unveiling.
A DVD rental kiosk outfit has rolled out a kiosk that keeps track of orders and awards free videos for frequent shoppers. The idea of a kiosk that has a long-term memory and an active CRM component is a wonderful next step (OK, a baby step) for intelligent kiosks.
Blockbuster is trying to acquire Circuit City--a chain that is reporting twice its annual revenue--by offering a 50 percent per-share premium, Blockbuster announced early on April 14.
As of June 17, anyone in Australia buying from eBay online will be told: "PayPal" or "Forget It, Pal." With the exception of in-person pickups and cash-on-delivery, plus a handful of large-ticket items, sellers will be required to offer eBay-owned PayPal as a payment method by May 21, in anticipation of the June 17 ban on anything else.
A group of 109 McDonald's restaurants in the Salt Lake City region are doing a mobile commerce trial, with participating consumers getting free iced coffee. Although those 109 stores are barely one coffee bean's worth, given the $22.8 billion chain's 31,377-store network, the trial is interesting both for its capabilities and for how much data-control McDonald's was willing to give up.
When Best Buy removed annual fees from its bonus card, the company yielded about 10 times the number of shoppers opting to sign up for its rewards program.
The European Commission is cracking down on search engine data-retention, with a new proposed rule that search engines should delete personal data about their customers within six months.
E-Commerce is growing sharply—much more rapidly than in-store sales. It grew some 21 percent, to $175 billion last year, crediting E-Commerce with six percent of all retail sales, according to new figures from Forrester Research.
With reports out this week that Boeing's much-celebrated upcoming aircraft—the 787 Dreamliner—would be again delayed because of technology problems, some wondered if the delays involved 
ISPs have been quietly expanding their use of deep-packet inspection. They are capturing everything a user does—to the point where "at least 100,000 U.S. customers are tracked this way, and service providers have been testing it with as many as 10 percent of U.S. customers, according to tech companies involved in the data collection."
The Web world defies prediction—or does it? Conventional wisdom would have the new up-and-coming retailers faring better online, while the old-style bigbox merchants lag behind. And yet, Starbucks has had far more online troubles than it should have while Sears is soaring online.
Focusing on recent improvements in refrigeration technology, the 115-store Piggly Wiggly is pledging to radically revamp its store. The grocery chain is shaking up product positioning issues—all frozen foods are kept together, for example—that have been considered sacrosanct for decades.
Home Depot CIO/EVP Bob DeRodes has resigned and will leave the $77 billion home improvement chain "at the end of the year," according to a statement Home Depot issued Thursday. DeRodes will continue to run IT until he leaves, the statement said, as the chain starts a search for his replacement.
With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office last issued a trademark for a cellphone payment that leverages current retail equipment, an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.
Guest Columnist David Taylor is baffled by how often security safeguards are purchased, installed and then not meaningfully used. It's not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward.
A series of restaurant chains—including Subway, Tully's and Brinker (Chili's, Macaroni Grill, On The Border, etc.)—have been experimenting with a way to use regular credit and debit cards as loyalty cards.
Amazon.com on Wednesday rolled out a new service called TextBuyIt, which allows consumers to comparison shop online working solely with fast text messages. But the move may not sit well with other retailers, who could see this making it easier to find better deals elsewhere, especially in bookstores.
There is this fairy tale belief that legal justice in civil lawsuits punishes those who act poorly, while protecting and vindicating those who consistently do the right thing. Nowhere is this myth more wrong—indeed, polar opposite wrong—than when dealing with security breach issues of U.S. retailers.
TJX will pay as much as $24 million to cover databreach losses suffered by MasterCard banks, assuming 90 percent of the banks agree to the settlement offer, TJX and MasterCard announced on Wednesday. TJX last year announced the world's worst payment data breach, which impacted some 100 million cards.
Although the coupon redemption rate has been steadily declining for at least 10 years, a new vendor survey suggests the recession may turn that around. Of the 1,529 U.S. consumers who responded, 67 percent said they are much more likely, or somewhat more likely, to use coupons during a recession, according to the survey performed by ICOM Information & Communications.
Bankrupt Pay By Touch—officially using the name Solidus Networks—has sold off two key units for a total of $4.8 million. Phoenix Check Cashing dropped $4.2 million to pick up Pay By Touch's check-cashing division, known as BioPay Paycheck Secure
Pushing a convenience/ease-of-use argument, payment processors have spent much of the last two years trying to get consumers to use different payment methods. But 2008 has thus far not been friendly to them. This week brings the news that American Express is halting its ExpressPay keyfob, some six years after the payment giant started offering it.
In the multi-year databreach at TJX—the worst in credit card history—the retail chain "created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text," according to a complaint issued Thursday by the U.S. Federal Trade Commission.
The security exec then asked an annoyingly thought-provoking question: What do you think would happen if retailer were given perfect encryption? He painted a picture of retailers who would use their perfectly-protected data and would confidently let it ride atop the public Internet. At that point, paying for the private security tunnels of a Visa or MasterCard would no longer be essential.
March 20th, 2008 at 10:29 am
FYI: PCI only requires that cardholder data be encrypted during transmission over “open, public networks”.
March 21st, 2008 at 3:25 am
Editor’s Note: That’s true. I believe the specific wording is: “If there is no external access to the merchant location (by Internet, wireless, virtual private network (VPN), dial-in, broadband, or publicly accessible machines such as kiosks), the POS environment may be excluded.”
In this instance, though, it wasn’t an issue. First, Hannaford’s payment authentications were indeed riding over the Internet, according to an official with that chain that we spoke with on Thursday. That’s not a surprise, of course, as the overwhelmingly majority (most likely exceeding 95 percent) of retailers use the Internet for such transactions and therefore are supposed to use encryption.
While looking into that, though, came upon an intriguing issue. Would PCI require that transaction authentications be encrypted if they were being sent in a VPN across that public network? One part of the PCI regs suggest that they consider a VPN a form of encryption. 2.3 says, in part, “Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS (transport layer security) for web-based management and other non-console administrative access.”
March 21st, 2008 at 7:13 am
Auditors I have spoken to say that encrypting over the VPN meets PCI compliance. There is no requirement to encrypt during transmision on the internal/private network.
March 21st, 2008 at 4:28 pm
To think that PCI compliance would have protected Hannaford is to think that having a bullet proof vest will keep you from getting shot. PCI will not deal with the kind of “designer malware” issues faced by Hannaford. PCI is designed to deal with absolute minimum baseline security controls, primarily at the network layer. If you achieve PCI compliance, you are doing security 101, nothing more. A serious adversary, such as the kind well-funded and professional “carder” gangs that hit many companies like Hannaford know PCI calls for certain network countermeasures. So, these gangs are going to design specific attacks that evade traditional perimeter security approaches. This stuff is really happening — we see it all the time with our clients in the government and financial services.
Retailers have to take matters into their owns hands and stop focusing on PCI as the sole measure of security or due diligence, if they want to get a grip on this situation. Retailers have to up the ante on monitoring their networks for signs of designer malware activity because the carder gangs already understand PCI controls and how to circumvent them. This requires a new kind of network monitoring and attention to operational security detail. Retail networks will never be secure — with any technology. But, the key is to detect these kinds of attacks within minutes, before keystroke loggers and command and control trojans are placed on POS systems and related servers by carder gangs.
March 25th, 2008 at 5:45 pm
PCI is an expensive farce, just as TSA is protecting us! It’s off the shelf software folks. Wake up!
If, IF, Hannaford was PCI compliant, all that did was make the hack that much more challenging thus interesting and fun to the perpetrator(s). Whether DSW, TJX, Hannaford, Ohio University or the US Government and if the truth be told Visa and MasterCard, these entities are, like every business, constrained in their data security efforts by budgets, personnel resources, time and then legacy technology. Hackers, on the other hand have no budget, can enlist as many personnel resources as may want to join in the challenge, have as much time as is needed, use global resources plus have the latest, even bleeding edge technology. The rest of us can’t win plus are only a millimeter ahead of the criminals.
I’m for data security however the PCI approach is really bassackwards with 99.99% of the resources focused on the wrong target.
Apprehend and appropriately punish the perpetrators in such as manner as to be so horrendous as to put the utmost fear of the consequences in others that they forgo such a crime. Punishment hidden is no deterrent, but that’s a whole different subject.
In order to apprehend the culprits those responsible must stop hiding behind the issue of national boundaries because these crimes are global in nature. Why? Because criminals know they can hide behind within their borders as long as they don’t commit a crime on people within that border. As with telemarketing scam in the US, they are never perpetrated within the state in which the criminals are physically located. WAKE UP!
I won’t even get into what I think should be the punishment once we catch the bastards.