By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering “Trick or Treat?”

Robert Russo, general manager of the PCI Council and a man who never met an acronym he didn’t like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as “minor changes.” Read more.

It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.

“As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers,” the indictment said. “Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants had to regularly reactivate the packet sniffers.” This group might even have had a hand in the TJX incident. Read more.

That which keeps consumers satisfied seems to be part of an E-Commerce site’s culture, as top (and bottom) players tend to show little movement, year to year. The latest results from measurement firm ForeSee Results seem to reinforce that.

Several of the top sites this year (Netflix, QVC, Amazon, DrsFosterSmith, Shutterfly and Newegg) changed only a few percentage points—and often less—from last year’s numbers. The percentage change for those at the bottom of the list (PCMall, PCConnection, Efollet, Bidz and Home Depot) is even smaller. ForeSee CEO Larry Freed said that a score of 80 percent or higher is “a really good score,” in the 70s “is in the average realm today” and anything below the 70s needs some serious work. Netflix came in at 86 percent, QVC at 84 percent and Amazon at 83 percent, while Home Depot and Bidz were both 69 percent, Efollet was at 68 percent and PCMall (the lowest) was at 67 percent.

From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to “deputize” internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.

These leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT. Read more.

For e-tailers who still think that Web video may be a fad, consider this stat: In March 2008, U.S. Internet users watched 11.5 billion online videos. That’s a 13 percent gain from the prior month and a 64 percent gain from the identical month the prior year, according to Comscore.

In March, Google Sites once again ranked as the top U.S. video property with more than 4.3 billion videos viewed (38 percent share of all videos), gaining 2.6 share points versus the previous month. YouTube.com accounted for 98 percent of all videos viewed at Google Sites. Fox Interactive Media ranked second with 477 million videos (4.2 percent), followed by Yahoo Sites with 328 million (2.9 percent) and Viacom Digital with 249 million (2.2 percent).

Thanks in no small part to soaring traffic on YouTube, Google for the first time took the top slot in American consumer reach in April 2008, besting Yahoo.

But it took that top slot just barely, reaching 141 million Americans in April. Yahoo ranked second with 140.6 million visitors, followed by Microsoft Sites with 121.2 million visitors.

When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry’s worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing.

No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent, the retailer announced May 14.

NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.

Applying Internet-level security to RFID is something that has not gone very far, according to this RFID Update story about the anticipated rollout. NeoCatena Networks is developing RF-Wall, an appliance to be installed between RFID readers or controllers and middleware servers, edge servers or host applications in networked RFID systems. The product acts as a firewall that authenticates RFID tags prior to allowing their data to pass into enterprise systems and also scans input to detect and block malware. RF-Wall works by using the unique tag ID to create a digital signature.

Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.”

Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.

Guess this is what the cliché-afflicted would call a “sign of the times.” Macys is killing the Bloomingdale’s catalog while Amazon.com is selling copies of Bloomingdale’s 1886 catalog for $12. (Can you imagine the number of out-of-stocks in that thing?)

Current Bloomie’s owner Macys is killing the classic catalog “by early 2009″ to focus more on its Web site and “reduce redundancies” (corporatespeak for pinkslip panic). A Macys statement even came up with a politically correct reason to zap the catalog: “Eliminating the paper catalog is also consistent with our sustainability and environmental policies of communicating more with customers electronically and less in paper.”

California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain.

The arrests were in connection with the debit-card thefts at California grocery chain Lunardi’s, where police say the pair swapped out part of the card-reader with a skimmer, according to this San Jose Mercury News story. It was unclear whether the data was collected by piggybacking on the store’s network, wirelessly or if thieves retrieved the data by re-swapping the machines later. The Lunardi’s store that was hit is based in Los Gatos. The paper also reported that a nearby Los Gatos Arco gas station suffered a very similar debit-card breach a couple of weeks earlier.

With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it’s not a bad idea to focus on what will truly decide whether these machines do anything to help retailers.

To state the obvious: It’s getting consumers to use them. I say it’s obvious, but one wouldn’t guess that based on what the vendors were saying this week. Read more.

With the nation’s largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I’d rather take my chances at rolling a 10 the hard way.

Las Vegas was hosting the 2008 Food Marketing Institute and Marketechnics show, which felt like self-checkout central this week. Read more.

Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy.

The story began on May 8 when a woman visited a Baltimore Home Depot to buy a few odds and ends, including plants, pots and tile sealer. Read more.

The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.

Theodore Karantsalis had filed the lawsuit for several reasons, but one was to prove that consumers would fare far better—faster, easier and more money—in small claims court than as one of many in some class-action litigation. Read more.

With its sites being unavailable for barely one hour over four months, MySpace has the best uptime of any major social networking site and Twitter (more than 37 hours of downtime during the same period) has the worst. Those stats come courtesy of Pingdom’s periodic uptime surveys, which tracked some 16 social networking sites from January 1 through April 30 of this year.

Not only was Twitter’s 37 hours and 16 minutes of downtime the worst in the group, it was almost double the amount of downtime from the second worst-performing site (Reunion.com, with 18 hours and 55 minutes of downtime). But even Twitter’s numbers amounted to an uptime that sounded good: 98.72 percent. Pingdom’s Peter Alguacil said those percentages can be misleading. Read more.

London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.

The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.

GuestView Columnist David Taylor this week discovered that there’s a lot more than token opposition to tokenization.

One of the concerns is that companies have already spent money on encryption. The most popular reason for not implementing tokenization is that companies have already implemented data encryption and key management systems costing hundreds of thousands of dollars, and either they did not feel they needed tokenization or they were unwilling to be perceived by upper management as “changing course” by recommending the removal of the data they just spent all this money to protect. Read more.

Microsoft on Saturday (May 3) gave up its efforts to acquire Yahoo, declaring such an effort too expensive.

“Despite our best efforts, including raising our bid by roughly $5 billion, Yahoo! has not moved toward accepting our offer,” Microsoft CEO Steve Ballmer said in a letter to Yahoo CEO Jerry Yang. “After careful consideration, we believe the economics demanded by Yahoo! do not make sense for us, and it is in the best interests of Microsoft stockholders, employees and other stakeholders to withdraw our proposal.” Read more.

Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups.

The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe’s and Wal-Mart. The most prominent retailer who has fought such efforts is Target, whose legal battle continues. Read more.

As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let’s say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday. The chain limits the offer to the Boston area through area code and other data.

But it just so happens that there’s a huge convention in San Jose that day of the Society Of People Who Live In Boston. Your San Jose locations get flooded with people asking for their free gift, leading to a lot of baffled employees and angry customers. This observation comes courtesy of a colleague who has far too much time on his hands to think up such things.

This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. You really should read the details in this story in New York’s Saratogian newspaper, but the essence is that a woman walks up to an ATM at a Hannaford’s grocery store. (Just what Hannaford needs right now. More police-oriented publicity.)

She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves. Turns out that she worked for the ATM company, but the story asks why no one bothered to ask her what she was doing. Indeed, it’s a fine question. How many retailers have strict file access procedures, but would likely let a stranger plug a laptop into equipment without any questions? No, please, don’t answer that question. It’s too depressing to hear.

Like it or not (place this father defiantly in the “not” category), children are using the Internet’s social network sites at a younger age, with retail marketers hovering close by. How young?

New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll. For 10-12-year-old girls, the figure is 27 percent, more than 2-and-a-half times the prior year’s 11 percent. In the 13-15-year category, boys jump to 46 percent and girls jump to 54 percent. Oddly enough, that 54 percent for 13-to-15-year-old girls actually dropped three percent from 2006.

With an eye on retailers having to juggle payment systems between many varied environments–far beyond merely online and in-store–a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface, which it has dubbed “the first service-oriented architecture service interface schema and technical specification for the retail industry.”

“By making existing POS transaction functions available as SOA Services, RTI will enable the business logic behind these services to be easily reused for other customer and associate touch-points such as self checkout, fuel at grocery stores, kiosks, shop on the web, store within a store, portable shopper, mobile line buster and other complementary store solutions,” said a statement from the NRF’s Association for Retail Technology Standards (ARTS). Execs with Big Lots and BJ’s Wholesale Club represented retailers in a committee dominated by tech vendors.

With a privacy invasion trial about to begin, Best Buy’s IT department will be conducting more frequent remote audits of the chain’s Geek Squad tech support department.

“Using powerful mainframes at Best Buy’s headquarters in Richfield, the company now scans several hundred Geek Squad computers each night to see if customer data is stored appropriately,” said a story in the May 1 edition of the Minneapolis Star-Tribune. “Previously, these audits were done only several times a year.” Best Buy is also setting up a system where customer files can only be viewed by the file names, without personal content. In addition, the retailer has now banned thumb drives by its Geek Squad technicians.