StorefrontBacktalk » Search Results » TJX

The Danger Of Assuming Perfection

August 26th, 2010

In last week’s lead story, PCI Columnist Walter Conway wrote a hard-hitting column questioning whether–under very limited circumstances–carelessly used encryption might actually weaken a retailer’s data security. In security circles, it’s heresy to question encryption and, predictably, the emotional reaction to the column was intense.

It’s not often that people challenge our technical conclusions while simultaneously questioning the marital status of our mothers. The column suffered from one key technical error, questioning how easy it would be to extract clues to an encryption key from encrypting the short payment card expiration date field. Walt admitted that error–and explained the context–in his column this week. (By the way, if anyone else wants to yell at us, this week has a column from Frank Hayes that questions the very premise of security passwords. Gluttons for punishment we be, a rare breed of journalistic masochists.) But there’s a bigger issue at play here, a long-standing technology frustration beneath the emotions.

Kill All The Passwords

August 26th, 2010

It’s time to kill all the passwords. That’s the only real conclusion to draw from the work being done by Georgia Tech Research Institute researchers, who are using off-the-shelf graphics-processing cards to crack passwords by brute force. The time required to break an eight-character password: two minutes. A seven-character password–the minimum currently required by PCI-DSS for retailers to protect stored payment-card information–goes in seconds. One of the Georgia Tech researchers, Richard Boyd, called seven-character passwords “hopelessly inadequate.”

In short, password security is no longer security. The clock isn’t just ticking on every retailer’s favorite cheap authentication scheme, it has run out. The answer isn’t longer passwords; that’s just a stopgap, and even if it works, it won’t hold for long. Maybe Chip-and-PIN employee ID cards would do the trick. Even a mag-stripe-and-PIN approach could work. But whatever replaces passwords has to be cheap. And it must have a reasonable chance of keeping the bad guys away from information such as card data.

Heartland Self-Inflicts More Data Breach Injuries

August 19th, 2010

Heartland Payment Systems again finds itself in the glaring light of a data breach probe, but this time, the injuries are almost entirely self-inflicted. The incident in question is the Austin, Texas, data breach of several hundred payment cards from a four-location Greek cafeteria—which one Austin detective said crafts a terrific baklava—that happens to use Heartland as its processor.

A preliminary investigation by the Austin Police Department Financial Crimes Unit—which knows its way around credit card theft—ruled out a skimming attack against Tinos Greek Café. That placed the attention on a database of the cards used at Tinos, either in Tinos’ computers (just PCs) or at Heartland, said Sgt. Matthew Greer of that financial crimes unit.

Sears’ $1.1 Million Wrong-Price Penalty: No Simple Tech Fix

July 21st, 2010

Sears and its Kmart subsidiary on Monday (July 19) agreed to write a $1.1 million check to various California law enforcement agencies to settle charges that the company repeatedly charged consumers much higher prices than advertised. Officials said the overcharges appeared to be human error–as opposed to a technology glitch. But the overcharges happened so often and in so many locations that they seemed to be systematic.

The frustration for other retailers trying to avoid Sears’ fate is that technology can only go so far and that without extraordinary vigilance, pricing errors are almost unavoidable. A relatively tiny number of chains in the U.S. have toyed with electronic shelf label (ESL) packages—including TJX, Wal-Mart, Albertson’s, BJ’s Wholesale, Costco, Kohl’s, Pathmark, A&P, Whole Foods, Waldbaum and Kmart itself—but few have been deployed in a meaningful way.

TJX Settles Another Data Breach Lawsuit And Puts Itself In Charge Of The Oversight

July 11th, 2010

You have to wonder who is left among the U.S. entities that have not sued—and then settled with—TJX for its infamous data breach of more than 100 million card numbers. The latest to come up to the till: The Louisiana Municipal Police Employees’ Retirement System. But the settlement here—for $595,000—is not the interesting bit. Part of the deal was a change in an IT boss. The settlement specified that IT security efforts need someone to oversee operations. What was agreed? That the job be given to TJX’s own audit committee. The TJX board’s audit committee shall, through Dec. 31, 2015, “oversee security of [TJX's] computer system with respect to customer data, including [PCI] compliance,” the settlement said.

If you ever needed any proof of the strength of TJX’s legal position in these cases, you need look no further. When seeking an independent overseer, the best the plaintiffs could come up with was a committee within TJX’s own board? Setting aside the lack of independent perspective, this approach isn’t even a concession, given that the TJX board oversees such matters anyway. Want to freak out TJX investors? Tell them to imagine what this breach’s after-effects would have been had the attackers hit mobile transactions tied to debit cards. Were it not for zero-liability credit card programs, this legal outcome would be stunningly different.


Google Apologizes For Collecting Too Much WiFi Data—And Then Gives Up

May 17th, 2010

Pushing the envelope is risky, but no one makes any progress without doing it. Google rediscovered that reality when it had to apologize this week after accidentally capturing a lot more WiFi data than it intended for the Street View feature of Google Maps.

The upshot: The search giant has now decided to end its entire WiFi survey. And that’s exactly the wrong lesson to learn from an incident like this.

New Data Breach Law Says Assessor—Not Visa—Has The Final Word

May 12th, 2010

One of the top ongoing concerns about PCI compliance—the absence of a true safe harbor—has been obliterated in the State of Washington, thanks to a new law signed by Gov. Chris Gregoire. Well, obliterated to the extent that it otherwise requires reimbursement of a financial entity’s reasonable actual costs “even if the financial institution has not suffered a physical injury in connection with the breach.”

The law specifies that the post-breach game won’t fly in the state of Washington: A retailer “will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment and if this assessment took place no more than one year prior to the time of the breach. For the purposes of this subsection, a [retailer's] security assessment of compliance is nonrevocable.”

Did Retailers Learn Any Lessons From Gonzalez?

April 29th, 2010

Albert Gonzalez succeeded—for several years, at least—as arguably the world’s most effective cyberthief, breaking into many of the largest retail chains (Target, 7-Eleven, TJX, JCPenney, Sports Authority, etc.). His methodologies for breaking in were clean, but his methods of avoiding detection for years (despite extensive network activity and huge file transfers) and of cleaning up his tracks forensically kept the world’s top law enforcement agents stymied.

A post-conviction look at how Gonzalez was caught suggests a change in the type of retailers likely to be targeted and ways today’s largest chains can protect themselves. But it also raises questions about whether the very nature of such a large-scale cyber-attack could ever succeed, assuming success is defined as both getting the money and not getting caught. Retailers are worried about protecting against similar attacks, but it’s not likely to be repeated—at least not in the same way.

TJX Adds Again To Its Breach Cost, But It Doesn’t Really Matter

April 21st, 2010

With TJX having suffered well more than $47 million in out-of-pocket expenses from its infamous data breach (announced in 2006 but beginning as early as 2003), the $20 billion retailer is preparing to write still more checks. It has now set aside another $23.5 million for additional anticipated breach costs, according to its most recent 10-K statement filed to the SEC.

TJX has for years been the Poster Child for retail data breach. And to date, it is also the best example of how little material impact these breaches have.

POS Patent Holder Sues Nordstrom, Macy’s and JCPenney

April 7th, 2010

Card Activation Technologies, the same POS patent holder that has sued dozens of major chains and settled with many of them (including Sears, OfficeMax, TJX and McDonald’s), has now sued 10 more chains for handling debit card transactions in a way that too closely follows its patent.

The new defendants are Nordstrom, JCPenney, Macy’s, Blockbuster, Lane Bryant, Fashion Bug, Cabela’s, Guess, Panera Bread and Starbucks.

The Fatally Flawed Assumptions In The Gonzalez Case

April 1st, 2010

As attorneys and retailers argued recently about the sentencing and secrecy of Albert Gonzalez’s criminal empire, various fundamental retail realities were forgotten.

Consider, for example, arguments on both sides that JCPenney and Wet Seal would have their stock prices seriously hurt if word of their involvement leaked out. The federal judge overseeing that discussion said any stock impact would be from the retailers’ own doing, but he neglected to point out that there is absolutely no reason to believe there will be any stock impact.

Gonzalez Lawyers, Judges Debate Data Breach Costs

March 25th, 2010

When two Boston-based federal judges sentence Albert Gonzalez Thursday (March 25) and Friday (March 26) for a rash of retail cyber-break-ins that he confessed to orchestrating, the exact sentence may be academic. The key legal argument is shaping up to be this question: “When a retailer is breached, what’s the most reasonable way to determine loss?” And the answer is proving to be as baffling—or contradictory—to the federal jurists as it is for most retail CIOs.

A new filing on Wednesday (March 24) from TJX had the chain refusing to offer the specifics behind its loss claims in an attempt to fight a federal subpoena. Attorneys on both sides raise some legitimate questions about how to fairly calculate the cost of a breach. Is it limited to what is taken or to what the thief attempts to take? Should the loss include what was actually—and successfully—accessed, or should it assume that when a card with a $10,000 limit is taken, a $10,000 loss—regardless of what the thief did—should be recorded? If class-action lawsuits are filed (and they will be filed), should the cost of lawyers and courthouse travel be included? What about payment for additional security? And perhaps a new POS system that includes that better security?

FTC To ControlScan: Your Web Site Security Seals Are Lies

March 2nd, 2010

The U.S. Federal Trade Commission (FTC) on Thursday (Feb. 25) screamed “the Emperor has no clothes” by reporting to consumers that one of the largest firms issuing “Verified Secure Breach Protection” seals doesn’t really verify much at all. The practical impact of the ruling for E-Commerce sites is unclear, both because the FTC has little authority to enforce its rulings and because consumers have typically been impressively apathetic about security and privacy issues.

The settlement against five-year-old ControlScan said that “contrary to the statements” ControlScan made to retailers, the company “in many instances conducted little or no verification of the privacy and/or security protections for consumer information provided by companies displaying its Business Background Reviewed, Registered Member, Privacy Protected and Privacy Reviewed seals. Instead, in many instances, ControlScan provided the Registered Member seal to a company that failed to qualify for the Verified Secure seal because an electronic scan of its Web site identified an actual or potential severe vulnerability on the Web site and permitted the company to display the seal indefinitely while taking no action to assess whether the company was working to resolve any vulnerability identified by the Web site scan.”

Gonzalez Lawyer: Don’t Punish Gonzalez Because TJX Security Was “Seriously Deficit”

February 11th, 2010

As the sentencing day quickly approaches for Albert Gonzalez, cyberthief to the retail stars, the non-Sicilian Grepfather’s lawyer is busy making arguments to the court for his sentence to be as lenient as practical. But one recent document, while stressing that blaming the victim isn’t the point, comes pretty darn close to doing just that.

Much of this defense sentencing recommendation tries to argue down how many dollars Gonzalez’ activities have lost. Federal sentencing guidelines force judges to factor in how much damage the defendant’s actions have caused and use that to help calculate the length of the sentence. It starts by suggesting that TJX weathered the cyberattack remarkably well. “The government has (produced) no evidence regarding the extent to which the stolen TJX data was ever used to an individual cardholder’s detriment, as opposed to simply remaining on the server,” wrote Gonzalez defense attorney Martin Weinberg. “And, as to TJX, a telling (indicator) of the degree of damage it suffered is found in the fact that during one of the most devastating economic periods in the country’s history, TJX’s stock value rose 30 percent.”

Some Banks Try Again For Class-Action Heartland Lawsuit

January 21st, 2010

Shortly after Heartland tried to sweep away most of the lawsuits against it with a series of recent negotiated settlements, a group of banks is trying to persuade other banks to reject the settlement offer and support a class-action lawsuit instead.

The lawsuit, filed Tuesday (Jan. 19), hit Heartland hard for its “lack of Payment Card processing system security; its desire to use a ‘lowest bidder’ system of selecting its outsourced IT ‘auditors’; its reliance on a ’snapshot’ telling it that, at one identifiable point in time, its system supposedly complied with the bare minimum industry standards; its startlingly poor IT oversight in general; and (Heartland’s) complete and utter disregard of the oversight responsibilities they had to their fellow members of the Associations that allowed the intruders to make trip after trip in and out of the Heartland Payment Card processing system.” The lawsuit also referenced Heartland’s initial response to the attack. “Thirteen months later, the ‘clean up’ efforts would be seen for what they were—worthless.” (Pause. But other than that, Mrs. Lincoln, how was the play?)

Target Admits It Was Breached

January 2nd, 2010

Years after it was breached by a member of Albert Gonzalez’s cyberthief gang, some 17 months after its name was quietly kept out of an indictment where it was referenced and five months after StorefrontBacktalk published its involvement, Target has confirmed that it was the victim of a data breach.

“Target was one of the companies affected by an intrusion that occurred two years ago. However, the exposure—both in time and number of accounts—was extremely limited,” said Target spokesperson Amy Reilly. “A previously planned security enhancement was already under way at the time the criminal activity against Target occurred and we believe that, at most, only a tiny fraction of guest credit and debit card data used at our stores may have been involved.”

Gonzalez Attorney: He May Not Have Known Right From Wrong

December 16th, 2009

Accused cyberthief ringleader Albert Gonzalez may not have had the “capacity to knowingly evaluate the wrongfulness of his actions and consciously behave lawfully and avoid crime” and his criminal “behavior was consistent with the description of Asperger’s disorder,” according to a government filing on Tuesday (Dec. 15), which itself quoted from a defense psychologist report.

The government was asking a federal judge for more time to investigate before a sentencing hearing, said the memo from Assistant U.S. Attorneys Stephen P. Heymann and Donald L. Cabell. “The government has been given no prior notice of either of these assertions, the defendant’s intended reliance on expert testimony to support them or that the defendant was undergoing a psychological forensic examination.”

Heartland Lawsuit Dismissed, “Insufficient Evidence” Of Weak Security

December 10th, 2009

A federal judge dismissed a data breach-related lawsuit against Heartland Payment Systems on Monday (Dec. 7), saying that the plaintiffs hadn’t proved any of their allegations that Heartland knew it had inadequate security and lied about it to shareholders. The judge’s detailed ruling sheds light on the environment data breach retail victims are likely to face in court and could provide some guidance on how they should act when discussing those breaches.

Unlike earlier retail data breach lawsuits—typically with consumers or banks as plaintiffs—this was a shareholder action and merely needed to prove that Heartland execs misled the public about their security status. U.S. District Court Judge Anne E. Thompson, sitting in New Jersey, concluded Heartland execs had not. She listened to recordings of an analyst call to conclude that, in full context, the processor’s security claims were technically true.

Gonzalez’s Mystery Merchant Asks To Stay That Way

December 10th, 2009

Albert Gonzalez—who has already pleaded guilty to masterminding a cyberthief ring that stole data from TJX, BJ’s Wholesale Club, Boston Market and Sports Authority, among other major chains—signed papers this month agreeing to plead guilty to the remaining federal charges against him. But one of the retail chain victims, which federal officials have yet to officially identify, asked the court to protect its “dignity” by preventing the government from releasing the chain’s name.

Gonzalez agreed to plead guilty to his role in attacks on Heartland, Hannaford and 7-Eleven in a document signed at 10:14 AM New York time on Dec. 2.

U.K. Postal Strike Prompts E-Tailer Thumb-Sucking

November 4th, 2009

Basking in the instant efficiency of E-mail and other forms of digital communication, we tech-savvy types often look down our noses at “snailmail.” But E-mail can’t deliver a pair of shoes. And, as an ongoing mail strike in the U.K. is reminding us, even the most Web-proficient retailers stand to suffer when wrenches are thrown into the easily-taken-for-granted cogs of the good old postal services. The strike by the Royal Mail union, whose members deliver letters and packages throughout the U.K., began October 22 and it has E-Commerce operators wringing their hands as the holiday shipping frenzy is about to begin.

The nail-biting began even before the strike did. A survey by the Interactive Media in Retail Group reportedly found that 85 percent of E-tailers believed even the threat of a postal strike would discourage their customers from placing holiday orders. At least one retailer, TJX, decided to be proactive. On its U.K.-only E-Commerce site, TKMaxx.com, the $19 billion seller of off-price clothes had this to say: “Postal strike? Phah! For the same price as our Royal Mail standard delivery, TK Maxx is upgrading this service to our DHL courier partner for the duration of the postal dispute.”


Wal-Mart’s VPN Data Breach Raising Server Log Questions

October 15th, 2009

Back in June 2005, right around the time that several major retailers (including TJX, BJ’s Wholesale Club, Boston Market and DSW) were being attacked by Albert Gonzalez’s cyber thief gang, Wal-Mart was quietly experiencing its own data breach. In Wal-Mart’s case, though, the breach began in June 2005 and wasn’t discovered by the chain until some 17 months later.

These new details of Wal-Mart’s data breach—which saw POS source code grabbed and zapped to parties unknown in Eastern Europe—are shedding more light on the early days of such retail assaults and how various chains learned of and then dealt with them. But here’s the rub: Wal-Mart maintains that no customer or employee data was taken. Does it truly stand to reason that those thieves would have had secret access to the systems from the world’s largest retailer for 17 months and not taken any names or card data? Oddly enough, it seems likely that they, in fact, didn’t. And therein lies the potentially most intriguing part of the story.

The Mobile Payment Conundrums: To Chip, To Store, To Bank?

October 1st, 2009

The payment strategy struggles for Mobile-Commerce continue, with retail IT execs seeing the phone as a future “Get Out Of Interchange Jail Free” card in an elaborate game of Card Brand Payment Monopoly. Some see future secure chip-integrated phones as the answer, a way that moves payments away from Visa and MasterCard and permits a secure way to tap directly into a consumer’s bank account.

But retailers pursuing such a strategy might quickly discover that, with payment, when one door closes another opens—and it’s likely a trapdoor beneath your feet. For example, a secure route to bank accounts may indeed sidestep most—if not all—card fees for those mobile transactions. But it would also remove the liability shield that the brands’ zero-liability programs offer.

When Hit With A Major Data Breach, Retailers Should Use The Buddy System

September 16th, 2009

There’s a very old joke that when swimmers are about to go into shark-infested waters, they should always swim with a buddy. If a shark attacks, feed him your buddy. Retailers today, swimming in cyberthief-infested wireless zones, are discovering that a similar guideline plays out when there is an attack against a large number of retailers, such as what happened with TJX, Hannaford, 7-Eleven and others in the Gonzalez cases.

Despite those heavy-weight retail brands, only a couple have borne the vast majority of the costs and headaches associated with a breach. Why? Because the first one or two chains have to go through the expense of identifying the breached numbers and having them shut down and reissued. That task’s completion makes life so much easier on the others. It’s also better for investigative costs, brand reputation and several other factors. Is this fair? Can and should something be done to make it more equitable?

After Gonzalez Plea, Feds Say BJ’s, OfficeMax Had More Critical Role

September 13th, 2009

When Albert Gonzalez officially pleaded guilty to many of the federal cyberthief charges against him on Friday (Sept. 11), the government shed a little more light on the case, such as that it was BJ’s Wholesale Club that was first attacked and that the Secret Service has collected “more than forty million distinct credit and debit card numbers from two computer servers” controlled by Gonzalez and his associates and has counted the consumer, retail and bank victims as “an enormous number of people, certainly millions upon millions, perhaps tens of millions.”

In Friday’s hearing, the government for the first time put a number next to the DSW breach, saying that the $1.5 billion apparel chain operating 300 stores in 37 states (in addition to supplying footwear to 367 leased locations) lost more than one million card numbers in the breach. The government also said that OfficeMax—the $8.3 billion office supplies chain with 939 stores in the United States and 83 in Mexico—played a crucial role, with Assistant Boston U.S. Attorney Stephen Heymann saying that OfficeMax’s “then vulnerable encryption of PINs enabled Gonzalez (and a colleague) to sell the conspirators’ bounty for particularly large profits.” The only new data morsel about TJX to emerge was a Heymann estimate that TJX alone “suffered close to $200 million in losses and associated expenses.”

TJX Settlement. More Proof That Security Investment Is Really Hard To Justify

September 7th, 2009

Not that it was needed, but more proof materialized this month that substantial security investments are really hard to justify. TJX announced Sept. 2 what will likely be the last of the settlements of class action lawsuits against it from the data breach of its systems that began in 2005 and which impacted more than 100 million payment cards.

Last Wednesday (Sept. 2), TJX struck quite a bargain and settled with the handful of remaining banks. In settling all charges with four different financial institutions—AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank—TJX agreed to pay $525,000 to be split between the four businesses. Was that punitive or was that something closer to a nuisance payment for the $19 billion retail chain? Punitive would generally mean covering all legal costs plus reimbursing the banks for all out-of-pocket costs and then paying them something to compensate them for the pain of the litigation. The payment specifically excluded legal fees. According to the statement TJX issued, the settlement didn’t even cover all of the banks’ out-of-pocket expenses, let alone offer anything for their efforts. Oh, and it also allowed TJX to say that it “has denied all wrongdoing.” The amount was small enough that it was already covered in a reserve that TJX took back in the second fiscal quarter of 2007.

Gonzalez Agrees To Plead Guilty On All Counts, Surrender Almost $2.8 Million

August 30th, 2009

Albert Gonzalez, whom the federal government has accused of breaking into the payment card databases of TJX, Hannaford, 7-Eleven, Target, J.C. Penney and a laundry list of other major retailers, has agreed to plead guilty to all of the charges against him from Boston and one count from New York, as StorefrontBacktalk reported on Thursday (Aug. 27). The plea agreement was filed on Friday (Aug. 28). His plea deal does not–at this time–include the New Jersey charges.

In the Gonzalez plea bargain, the agreed-to sentencing recommendation—which calls for at least 15 years in prison and “no more than 25 years” in prison—does not seem much more lenient than he would have faced at trial. Even with as extensive a cyber attack as these, most U.S. courts wouldn’t go anywhere near “more than 25 years” in cases where no one was physically hurt and the defendant wasn’t accused of real violence or threatening violence. But a jury is a tricky animal and, technically, the counts he is pleading guilty to have a cumulative maximum sentence of 193 years in prison.

J.C. Penney, Target Added To List Of Gonzalez Retail Victims

August 27th, 2009

Albert Gonzalez, who has been accused of managing the data breaches at TJX, Hannaford, 7-Eleven and Heartland (among many others), has once again agreed to plead guilty to parts of two of the three federal cases against him, his attorney, Rene Palomino, said Thursday (Aug. 27). Two other major retail names have also been added to the list of retail victims: J.C. Penney and Target, as the list of unidentified retailers shrinks.

Look for Gonzalez to officially plead guilty to the federal charges from Boston, primarily involving TJX, BJ’s Wholesale Club, Boston Market and Sports Authority and New York, primarily involving Dave & Buster’s, on Sept. 11.

Chasing A Hacker’s Hacks Around The World

August 24th, 2009

As details trickle out about how the feds supposedly broke the Gonzalez attacks against TJX, Hannaford, Heartland, 7-Eleven and tons of others, much of it focuses on a global effort to access servers and laptops overseas and doing so in countries where U.S. law enforcement cooperation is perhaps not what it should be.

Wired did a wonderful piece, summarizing federal filings in the New York part of the Gonzalez accusations (this is the Dave & Buster’s case). The story details the chase for a laptop in Turkey and the legal and police bumps along the way. Nothing new revealed for retailers trying to protect their networks, but it’s interesting background nonetheless.


Gonzalez Case Raises Very Old Retail Security Issues

August 23rd, 2009

Since the earliest days of law enforcement, police have wrestled with the appropriate way to deal with criminal gangs. At its simplest, what should be done with two burglars who break into a house? Who is the primary lawbreaker and who is merely the assistant? Legislatures and courts have often tried to sidestep the question, declaring that a murder charge, for example, will be applied to all participants of a home break-in if anyone gets killed. As a practical matter, police (and that includes the FBI, the Secret Service, assistant district attorneys, deputy attorneys general and anyone else charged with apprehending and punishing wrongdoers) often use that ambiguity as a tool to pressure confessions. In short, the one who talks first gets to point the finger at the others and cut himself/herself the sweeter cooperating-witness deal, while the suspect who hesitated gets left being charged as the scheme’s mastermind.

Such a drama is now unfolding with the Albert Gonzalez case, the Miami man accused of breaking into TJX, Hannaford, Heartland, Barnes & Noble, Sports Authority and a laundry list of others. Is Gonzalez the mastermind of a cyber thief ring? Was he coordinating different teams in the U.S., each group assigned to attack different retail chains? Or was he merely the pawn of an Eastern European data theft syndicate? In Dickensian terms, was he more Fagin, the Artful Dodger or even Oliver Twist?

Gonzalez: The Al Capone Of Cyber Thieves?

August 19th, 2009

Albert Gonzalez, the Miami resident who was indicted last summer for stealing credit card data from TJX, BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble, Sports Authority, Forever 21 and DSW, can now add Heartland, Hannaford and 7-Eleven to the lengthy list of retailers that the federal government says he penetrated. In case you feel left out, there are two to three additional major retail chains that the feds have accused him of attacking, although those chains have yet to disclose that they were breached.

But the indictment revealed several key contradictions with 7-Eleven and Heartland and one major retailer’s security executive found the government’s specifics to be a convincing indictment against PCI.

Network Solutions Data Breach Hits 574,000 Consumers

July 27th, 2009

An E-Commerce software company that, as part of its service for small retailers, accepted payment card data and then sent it to various processors has found itself on the wrong end of a breached-company news release, confirming that payment data from some 574,000 customers—processed through 4,343 of its small retail clients—had been accessed. The stolen data included transaction specifics, card account numbers, names and consumer addresses. The vendor—Network Solutions—had been certified PCI compliant (you just knew that was coming, no?).

The details include an early PCI attempt to try and walk back the certification, retailers complaining about their names appearing in a breach notification letter and the vendor bringing in General Dynamics, a familiar name from the data breach probes of both TJX and Hannaford. Plus a former IT manager with the company claiming that they retain credit card data a lot longer than they say they do.

U.S. Senate’s Data Breach Bill Full Of Flawed Assumptions

July 26th, 2009

The chairman of the powerful U.S. Senate Judiciary Committee, Sen. Patrick Leahy, is trying—after two failed attempts—to get his data breach bill made into law. But even though his bill would answer the pleas of many retailers by creating one single national standard for handling major retail data breaches, the bill’s details don’t deliver the comprehensive relief promised. In short, the bill is trying to make it more difficult for major retail chains to hide large data breaches when, in fact, the wording will make it easier for them to hide such breaches.

The core of the bill is where things get a bit dicey. It requires retailers to notify consumers impacted by a breach “without unreasonable delay,” but it doesn’t say how much time retailers can take. Without that specific, it would seem difficult to enforce the law. Even worse, the exemptions for notification are so broad as to make it unlikely that any retailer would actually be impacted. For example, the bill provides a blanket exemption as long as a chain “provides a written certification to the U.S. Secret Service that providing such notice would impede a criminal investigation or damage national security.” The Secret Service then has to perform a review to determine if it’s a warranted claim. The problem is that the claim that something might impede a criminal investigation is so broad as to be meaningless.

Read more...

Clarifying, Somewhat, The PCI Wireless Security Standards

July 22nd, 2009

The new PCI wireless guidelines are helpful, but they could have—should have—gone a few steps farther, opines PCI Columnist David Taylor. For example, one of the technical controls introduced with PCI DSS 1.2 is the wireless IDS/IPS. It’s listed as an option, with the other option being to manually carry a laptop around corporate offices and stores running wireless networks on a quarterly (or more frequent) basis and see whether any networks appear that the security person (if any) does not recognize.

Although it’s certainly understandable that, for SMEs, the cost of a wireless IDS/IPS can be prohibitive, this is the sort of technology that should be mandatory for larger (i.e., Level 1 and 2) companies. That is not only because of the time and effort that it saves, but also because it can be extremely difficult to spot “rogue” or malicious networks in dense urban areas, shopping malls and large multi-company facilities.

Read more...

Can the Government Be Sued For Plagiarizing PCI DSS?

June 24th, 2009

Nevada is making PCI the law and a group of state attorneys general plagiarized it liberally while trying to figure out what to force TJX to do. Like it or hate it, PCI Columnist David Taylor argues, the PCI DSS is the only set of data security standards out there that actually comes with an effective, ongoing validation and enforcement process.

That is not true of HIPAA or the vast majority of state or national data privacy or breach disclosure laws. Enacting PCI into law may help, but actually allocating government funds to review compliance on a regular basis does not seem likely, so these laws (like the breach disclosure laws) will be ignored by all except compliance officers, vendors, consultants and security geeks.

Read more...

States Scaring The POS Off Randomly Regulated Retailers

June 24th, 2009

When it comes to regulating retailers, what could be worse than an over-zealous Washington? How about fifty over-zealous “Washingtons”? Discussions about “Big Brother” and onerous regulation of business usually center around the federal government. Not that Uncle Sam isn’t evil at times, but these days it’s the states that are causing the big headaches for retailers, especially those that operate on a multi-state or national level.

Every couple of weeks, it seems, another state makes news for attempting to regulate, tax or otherwise control retailers and retail technology. The toughest part, for merchants, is that states usually tackle the issues with little regard to being aligned with the efforts of their colleagues in other states or for the hardships their one-of-a-kind provisions impose on retailers. The laws just keep on coming. Nevada, for example, passed a data protection law last month that goes into effect Jan. 1, 2010. In addition to forcing businesses to use encryption when data storage devices containing personal information are moved outside the company’s physical or logical control, the new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.

Read more...

TJX Settlement: Is This Really The Message We Want Sent?

June 24th, 2009

When a group of 41 U.S. states announced a settlement with TJX this week—a supposed punishment for the retail chain, in the words of one state attorney general, for treating sensitive payment card information “like trash”—it was billed in some circles as a painful lesson for retailers who treat security laxly. The truth is, the lesson was just the opposite.

The deal (see our full coverage of the terms of the settlement) consisted of three elements: Payment; new security rules; the need to report back to the states. How painful were any of those elements for the $19 billion owner of Marshalls, T.J. Maxx, HomeGoods, A.J. Wright, HomeSense and Winners? Let’s take a look at each.

  • The $9.75 Million Payment
    At a glance, a payment of almost $10 million sounds like a lot, until you delve deeper. None of the dollars were punitive per se. The smallest slice–$1.75 million—went to reimburse the legal and administrative costs of the states investigating the breach and negotiating this settlement for two-and-a-half years.

    Read more...

TJX Agrees To Pay States Almost $10 Million For Data Breach

June 24th, 2009

After a probe and negotiations lasting two-and-a-half years, the TJX chain agreed on Monday (June 22) to pay a group of 41 U.S. states $9.75 million for what appears to be the credit card industry’s worst data breach, a crime that touched more than 100 million payment cards and was revealed in January 2007.

But the dollars behind the settlement are relatively trivial for the $19 billion owner of Marshalls, T.J. Maxx, HomeGoods, A.J. Wright, HomeSense and Winners. The biggest impact will likely come from a wide range of security concessions, although many of the rules had already been directly or indirectly required by existing PCI guidelines.

Read more...

Dismissing Hannaford Lawsuits, Federal Judge Tells Consumers: Show Me The (Lost) Money

May 13th, 2009

U.S. District Court Judge D. Brock Hornby on Tuesday (May 12) became the latest jurist to rule in favor of data-breached retailers, telling Hannaford consumers that because they were compensated by their banks, they have no basis to sue civilly here. “There is no way to value and recompense the time and effort that consumers spent in reconstituting their bill-paying arrangements or talking to bank representatives to explain what charges were fraudulent. Those are the ordinary frustrations and inconveniences that everyone confronts in daily life with or without fraud or negligence.”

Similar to rulings in the cases involving fellow data-breach retail victim TJX, Hornby said he couldn’t allow almost any of the plaintiffs to continue with the case because the consumers hadn’t suffered out-of-pocket financial losses. In an ironic sense, this all stems from the card brands’ zero-liability programs. Those programs guarantee that consumers will have all fraud losses wiped clean. (The one plaintiff who can continue is a consumer whose fraud loss costs—for reasons unknown—were not covered by her bank.) It’s ironic because the programs were created to make consumers feel safer about their payment security. Today, that program is preventing consumers from successfully suing retailers that mishandle their data, which in turn makes it more difficult for retailers to justify spending more than the minimum on data security.

Read more...

Implications of Heartland’s Beyond PCI Strategy for Retailers

May 13th, 2009

Retailers need to carefully examine any new “beyond PCI” technical approaches being offered by their processors, as well as other service providers. They need to think about what will be required of them to take advantage of such “end-to-end” security and whether the investment in technology and labor will be transferable, should they decide to switch to a competitor.

Beyond focusing on avoiding “Beyond PCI Lock-in,” pens GuestView PCI Columnist David Taylor, retailers also need to focus on ensuring that these new security efforts don’t break their existing applications. Some of the tokenization and end-to-end encryption approaches currently (or soon to be) on the market don’t always play nice with existing ERP, CRM and other enterprise applications.

Read more...

POS As The Great Protector

April 8th, 2009

The POS system is the Rodney Dangerfield of the retail IT world: It gets no respect. (Could have gone back yet further and said it was the Red Buttons of the retail IT world because it never gets a dinner, but that’s an even more obscure pop culture reference.)

Chains are just starting to see the business ROI potential of POS—especially when working with CRM—to fuel upsells and to legitimately increase loyalty. But few look at POS as a potential protector and a protector against some potentially very large expenses. Consider four items from the last few days.

Read more...

Federal Judge In Hannaford Data Breach Case To Decide Responsibility Issues

April 5th, 2009

A federal judge in Maine is promising to issue a decision imminently about whether a data breach class action lawsuit against Hannaford will be allowed to proceed. The arguments before U.S. District Court Judge D. Brock Hornby in the Hannaford case are almost identical to those put in front of another federal judge in late 2007 overseeing the TJX data breach. Although the first federal judge ruled in favor of TJX, a different federal judge could very easily go in a very different direction.

In both cases, the judge was overseeing the case of a major retailer and a very large data breach, presumably facilitated to varying degrees by IT errors or oversights by the retailer. The arguments boil down to this. The attorneys representing consumers suing Hannaford are arguing that Hannaford knew—or should have known—that its payment security procedures were inadequate and yet it still allowed consumers to use their cards at the chain’s stores.

Read more...

Federal Appellate Panel Sends TJX Case Back To Court, Move Likely To Cost TJX Millions More

April 2nd, 2009

When a federal appellate panel ruled on Monday (March 30) that it was sending a small part of one of the civil lawsuits involving TJX’s data breach back to the district court, it was a very narrow decision. But the act of sending it back and allowing for discovery to start again is likely to force TJX to spend millions more, according to attorneys watching the case. Perhaps even more importantly, the ruling is likely to slightly alter the risk-cost balance of retail security, putting just a little more pressure on chains to invest in their security operations.

It is true that discovery can be frightening for typical companies involved in class-action civil lawsuits, but for TJX, it can be positively terrifying. Throughout two trials, TJX showed itself to be far more worried about revealing thus-far-unreleased security details than monetary payments or almost anything else.

Read more...

TJX Over-Budgeted Its Data Breach Costs Last Year By $30.5 Million

February 25th, 2009

Although $19 billion retail chain TJX is suffering from the economy like all other chains, it recently got a $30.5 million financial windfall. How? By having underestimated how well it would do in court against various lawsuits and probes from the credit card industry’s worst-ever data breach. It impacted more than 100 million consumer cards, and some of the data grabbed came from as early as 2003.

According to TJX’s earnings statement issued Wednesday (Feb. 25), the chain had set aside significantly more money than it ended up needing to deal with the 2006 breach, thereby allowing the company to reallocate cash for other purposes and add about $18 million to the year’s net income.

Read more...

Facebook Users: Do What I Want, Not What I Say

February 22nd, 2009

Facebook officials learned a hard lesson this month when the social networking site snuck in a privacy policy change that could have allowed it to access users’ content—and use it forever for pretty much anything Facebook could think of—even after users had deleted it from their accounts. After public backlash, the policy was reversed—for now. But I’ll bet serious money that these execs learned the wrong lesson.

To interpret motivation and real intent, sometimes a look at history can be useful. Do you remember another Facebook privacy incident back in December 2007? In that case, Facebook tried sharing—without permission—customers’ purchases with people on their friends list. Is this a pattern? Is Facebook trying things, and if it’s caught and there’s a loud enough protest, the site pulls back? In short, is Facebook trying the permission versus forgiveness approach? Indeed, it seems to have tried both options. For a company that is trying to solidify a brand and build as much trust as possible, these tactical approaches seem odd.

Read more...

What Do Best Buy, Rite Aid Say About Data In A Merging World?

February 11th, 2009

Some four months after Best Buy dropped $121 million in mid-September 2008 to take over downloadable music pioneer Napster, both companies quietly said that Napster’s privacy policy was changing to let Best Buy do a wide range of unannounced things with the newly obtained data riches. Napster’s CEO, Chris Gorog, went so far as to write a blog that spoke of “personalized music pre-loaded on new MP3 players or mobile phones because of our collaboration.”

Regardless of what Best Buy ends up doing, in today’s rock-bottom economy, with its mergers and bankruptcies, the retail concept of data ownership is getting quite a workout. For example, CompUSA closed its doors but has now reemerged in a very different form in Florida. And there’s no telling where the petabytes (exabytes?) of customer information now controlled by Circuit City will wind up. From a privacy perspective, there are even scarier possibilities than someone’s music or computer purchases falling into the wrong hands.

Read more...

How Long Is A Point-In-Time Audit Good For?

January 28th, 2009

All PCI QSAs worthy of their certifications will tell you that their assessment is a “point-in-time” audit. After all, with 200+ controls to review, how could it be anything else?

But, GuestView PCI Columnist David Taylor argues, how long is a “point in time”? And is there any way to make that point in time last longer, so that a “state of compliance” can persist for months–or at least until the next “point-in-time” review?

Read more...

Heartland Sniffer Hid In Unallocated Portion Of Disk

January 28th, 2009

The sniffer malware that surreptitiously siphoned tons of payment card data from card processor Heartland Payment Systems hid in an unallocated portion of a server’s disk. The malware, which was ultimately detected courtesy of a trail of temp files, was hidden so well that it eluded two different teams of forensic investigators brought in to find it after fraud alerts went off at both Visa and MasterCard, according to Heartland CFO Robert Baldwin.

“A significant portion of the sophistication of the attack was in the cloaking,” Baldwin said. Payment security experts pretty much agreed that hiding files in unallocated disk space is a fairly well-known tactic. But it requires such a high level of access—as well as the skill to manipulate the operating system—that it also indicates a very sophisticated attack. One of those security experts—who works for a very large U.S. retail chain and asked to have her name withheld—speculated that the complex nature of the hiding place, coupled with the relatively careless leaving of temp files, could suggest a less-skilled cyberthief who simply obtained some very powerful tools.

Read more...

From The Heartland Breach To Second Guessing Service Providers

January 21st, 2009

When the Heartland breach was announced Tuesday (Jan. 20), it started to raise questions about whether major payment processors are really any more secure than their retail counterparts. GuestView Columnist David Taylor doubts they are, but he has advice for finding out.

Malware has two countervailing trends, both likely to continue. The first is that there is a rapidly growing market for highly automated malware that uses basic building blocks and can be easily adapted to identify and exploit new vulnerabilities. This malware exploits unpatched servers, poorly defined firewall rules, the OWASP top 10, etc. It is really aimed at the mass market–SMEs and consumers. Then there is the high-end malware that employs the “personal touch”–customized to specific companies and often combined with social engineering to ensure it’s installed in the right systems. This type of malware got TJX, Hannaford and now Heartland.

Read more...

Heartland Breach Hit At Its Unencrypted Point

January 21st, 2009

Are data thieves now bypassing retailers and hitting payment processors directly? That may be the case if the initial details about the new Heartland Payment Systems breach—where the data from some 100 million cardholders is handled—hold true. (That said, has anyone ever seen the initial information about a major data breach hold true for more than a week?)

Early on Tuesday (Jan. 20), Heartland issued a statement saying that it had been “the victim of a security breach within its processing system in 2008.” But it didn’t take long for some of those initial details to fall apart.

Read more...

TJX Suspect Sentenced To 30 Years In An Unrelated Case

January 9th, 2009

A key suspect in the TJX data breach case has been sentenced to 30 years in prison, but it has nothing whatsoever to do with the TJX case.

Maksym Yastremskiy was charged in Turkey with breaking into Turkish bank accounts electronically. During the hearing where he was sentenced to 30 years, he said that a laptop computer found in his hotel room containing bank information belonged to a friend. “I am innocent. I didn’t do anything to break bank accounts. Somebody else did it, not me. I want to be released from the jail,” he told the judge, according to The Boston Globe.



Most Recent Comments

Kill All The Passwords

This article does mention, but does not give enough attention to, the fact that the attacks discussed are only feasible when the encrypted password file can be copied and subjected to an offline attack. The trick is to have authentication performed on a separate, much more strongly secured host - such as an Active Directory Domain Controller, or a Kerberos server, or a NIS+ server, or even using something as banal as an LDAP-over-SSL authentication dialog. In these environments, the odds of the "password file" being stolen and subjected to an offline attack go to near zero, and only online attacks may be carried out by the attacker. With sensible exponential backoff between failed password attempts, lockout after a modest number of failed attempts on a single account, and pattern detection, that minimum 7 character password is quite secure enough. Passwords aren't dead yet for security purposes, and they will be with us for a very long while to come for practical purposes. The trick is to employ them correctly. Read more...
The possibilities you describe are years away from being implemented at best, so for the moment passwords are an ugly reality. Luckily, password managers can easily manage hundreds of passwords of any length. The only thing a user needs to remember is the master password. It seems like an easier task to educate users on how to use password managers rather than implement complex security technology on a global basis. Read more...

Too Much Encrypt = Cyberthief Gift

Encryption should be left to the experts. This does not mean retail managers should not have a high level understanding, but they must rely on certification and vulnerability tests to validate their implementations. It also means there is an opportunity for implementation modules with clear APIs that give casual users the means for implementing secure environments. Read more...
The next argument would be to store a hash for lookup purposes. But having a hash of the PAN sitting alongside the encrypted PAN opens another potential attack vector similar to the expiration date discussion we are having here -- even bigger since the hash has much more resolution than the expiration date. Read more...
The poster's comments here about resistance to known plaintext attacks are, of course, correct. However, the sense I keep getting is that "these attacks aren't realistic against modern cryptosystems." They are not effective against modern cryptosystems *when those systems are implemented correctly.* The problem is, as has been pointed out here, that a lot of people don't know enough about *how* to implement the cryptosystem. They know they want to use something like AES. However, they have no sense of key management, selection of IVs, etc. Read more...
There is absolutely no value in encrypting these small fields of data in the first place. Implement RBAC and auditing and call it a day. Read more...
And I think they reinforce my point why current PCI regulations are fated to never be successful at safeguarding cardholder data, at least not while sensitive data exists unencrypted in the merchants' systems. And if we can't adequately protect every system, the bad guys will continue to prey on the weak ones. The internet makes it easy to attack thousands of sites at once. With about seven million card accepting merchants out there, the poorly protected are plentiful. Read more...
Time perhaps for a new approach to training? Time for an approach to permit questions, doubts or concerns that may arise like this to be dealt with promptly and authoritatively by industry and standards bodies to the benefit of the whole PCI community? Read more...
In crypto terminology, just because you can do a chosen-plaintext attack does not mean that you can do a key recovery attack. So even if you can build a table of valid plain-cipher pairs for expiration dates, for example, that does not mean that you can use that information to recover the key used to calculate those ciphertexts. Read more...
I'd be less concerned about the size of the input, and more concerned about the IV and the consideration of a brute force attack (or other types of cryptanalysis). Read more...
@Steve Sommers In your example, isn't the problem that you're treating the PAN as a string, then encrypting the string without using a block chaining mode (i.e. you're encrypting each block of data independently) without an initialization vector? Read more...
Where your attack can give up a bit of information is that if I know my expiration date is January 2012 and it encrypts to 1111aaaa2222bbbb, I know that every entry of 1111aaaa2222bbbb in the table will also be an encrypted expiration date of January 2012. For that matter, the same issue exists with PANs. Read more...
I was thinking similarly to Rob, however, implementing that may not be feasible for everyone. Interesting topic. Read more...
This was something we found during our R&D cycle when determining the best way to encrypt CHD in our database. Another factor that played into our decision was the encryption algorithm itself -- different algorithms work better (and some worse) on small data sets. We found that 3DES, the dominant payment industry encryption algorithm, works very poorly for small data fields due to repeatable patterns in the limited data set. Read more...
If the argument is that bigger data fields having more possible permutations are harder to decrypt, it seems logical to merge the 4 key fields (PAN, Name, Svc Code + Expiration Date) into one large field and encrypt it as one field. This avoids leaving the weak calf (expiration date) isolated for the wolves to attack. Read more...

How Free Wi-Fi Can Shut Down A Restaurant

We walk into businesses every single day that have even the ISP leaving their modem/router/AP combo device completely open. It's amazing the number of times we have been able to demonstrate complete control of their network from something as simple as my Nokia cell phone. Read more...
This is a weak link in the chain. I bet that the council, in the next set of updates, will begin to take a close look at this issue but implementing it will be another matter altogether. One thing is for sure: If the hackers know there is a weakness, they will begin to exploit it. Many already have. Read more...
Richard, I think that is a great way to handle it - especially if the franchise is concerned that it may get caught up in the risk of its franchisee. Read more...
If people fully appreciated the complexity and the risks lots fewer stores would be offering free WiFi. It is more costly up front than it looks to do it right - and is potentially devastatingly costly when done wrong. I guess we should chalk this up as survival of the fittest in the franchise space. Bryan Larkin Read more...
If the Franchise owner wants to offer free WiFi to compete with the shop across the street, then order the 'kit' with a set hardware and configuration and broadband service from the Franchise (or a recommended 3rd party provider)? Read more...
Todd, Since I have many years of experience in this area especially with pay at the table since my company was the first to make the breakthrough in successfully integrating the very first 802.11b payment terminal to an enterprise level POS system long before PCI, before anyone thought it could be done and to read that this is still taking is amazing. So I am asking myself several questions based on your article. Why is the POS plugged into a wireless router to begin with? I cannot think of any reason even for a small operation to do so, even for IP connectivity and does this not bring up a whole lot of issues for the MSP, would they not have exposure since I am assuming that the merchant is using the POS to conduct payment transactions for processing CC and DC. Guess we still have a ways to go. Read more...