StorefrontBacktalk - Techniques, Tools, and Tirades about Retail Technology and E-Commerce
Next-Generation Search: Marketers To Try And Use Consumers’ Own Games and Cell Phone Cameras To Spy
July 18th, 2008

In an eerie snapshot of where some top marketers want to take the next generation of search engines, a Japanese government-backed research project is working on a search that is based on what a user does, not a keyword a user types in.

But the specific tactics being considered—and detailed in a Web site for the group officially dubbed the Information Grand Voyage Project—include searching the history of game programs, blog postings, surreptitiously captured video segments from TVs and computers, tracking Wi-Fi locations and using an RFID reader connected to a cell phone to identify a consumer’s activities “based on data captured by mobile device camera.” Read more.

Staples Trial: 2-Way Live Video Kiosk That Controls Payment, Scanners
July 18th, 2008

Staples’ Canadian operation has been quietly testing 2-way live video kiosks at 34 locations, but these kiosks do more than talk with customers: They remotely control hardware, including scanners and payment authorization devices.

The trial, which one Staples Business Depot manager described as “one of the largest pilots that we’ve ever done,” involves one video kiosk—with a high-resolution Web camera, microphone, scanner and a touch-screen—at each store that is networked to 10 kiosks at a Toronto office with customer service reps. Read more.

Forrester: IT Hurdles Still Crippling Merged Channel Efforts
July 17th, 2008

Despite an almost universal embrace of the idea of merged channel, most retailers aren’t getting any closer to making it a reality, with overly restrictive inventory reserve policies, inconsistent data and political resistance getting most of the blame, according to a new Forrester Research report.

“How many smart people are out there who are simply not reserving inventory” for all channels, asked Forrester Principal Analyst George Lawrie. “You never know where demand is going to crystallize.” He cited morale—not to mention inventory—problems caused by “reserving inventory for stores that could have been sold by the catalog or online channel.” Read more.

Stop & Shop Running In-Aisle Location Trial
July 17th, 2008

A handful of Stop & Shop stores have been using in-store location tracking–coupled with basket content–to narrowly target ads to customers using handheld shopping devices, the chain confirmed in a statement issued Thursday (July 17). Some 92 of the chain’s 360 stores are participating in the trial.

“If a customer is walking down the health and beauty aisle, it can trigger an offer for a new brand of shampoo,” said Michele Deziel, the senior VP of marketing at Modiv Media, which is working with Stop & Shop on the trial, along with Microsoft.

Former Hannaford CIO: Avoid Microsoft And Change PCI’s Encryption Rules
July 11th, 2008

Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft’s OS to be “so full of holes” and describes the fact that current PCI regs do not require end-to-end encryption as “astonishing.”

But Homa’s key point is that most retailers handle security backwards: Don’t pour everything into protecting the front door. Assume they’ll get through and have a plan to control them once they’re inside. Read more.

Are 2-D Barcodes About To Ship On Cellphones? Will That Be Enough To Make A Difference?
July 10th, 2008

Retail deployment of the 2-D barcode, a technology that allows consumer cellphones to see virtually unlimited amounts of content by taking a picture of a special barcode, has slowed after an initial flurry of activity in January.

But several major cellphone carriers are preparing to bundle the 2-D barcode software with phones as they ship. Will that make a difference? Read more.

Impinj Buys All Of Intel’s RFID Group
July 10th, 2008

RFID vendor Impinj on Thursday (July 10) purchased all of Intel’s RFID operation–including the R1000 RFID reader chip. A joint Intel/Impinj statement said that the acquisition details are not being released, but The Seattle Times reported that Intel will get an equity stake in Impinj.

The move is not expected to change things much for RFID-focused IT execs in the near term, because both firms were pretty much headed in the same direction anyway. But ABI RFID Research Director Michael Liard said the move could accelerate already-projected RFID reader price drops over the next few years. Read more.

PCI Council To Start Testing Payment Kiosks
July 10th, 2008

The PCI Security Council is branching out a little, with an attempt to bring unattended payment terminals (UPTs) under its jurisdiction. As kiosks get more sophisticated and start taking cash, credit cards, mobile transactions and other payment methods, the UPT security risk is sharply increasing.

The council has also launched a testing program for Hardware Security Modules (HSMs). “PIN entry devices go well beyond the typical POS terminals we are all familiar with and we are continually expanding into more and more areas,” said Bob Russo, general manager, PCI Security Standards Council. “Any device that processes personal identification numbers is an important link in the transaction chain.”

Lawsuit Filed To Keep RFID Flaws Secret
July 10th, 2008

A semiconductor company is suing a Dutch university to keep its researchers from publishing information about security flaws in the RFID chips used in up to 2 billion smart cards, according to this intriguing Computerworld story.

NXP Semiconductors filed suit in a court in Arnhem, The Netherlands, against Radboud University Nijmegen. The company is pushing the courts to keep university researchers from publishing a paper about reported security flaws in the MiFare Classic, an RFID chip manufactured by NXP Semiconductors, the story said.

Medical Study Raises New RFID Fears
June 27th, 2008

Although the question of RFID safety has been debated extensively over the years, with conflicting study results, a major new medical study released this week points to very specific electromagnetic dangers within nine inches of the transmitter.

The highly respected Journal of the American Medical Association (JAMA) found 34 electromagnetic interference instances out of 123 tests, with 22 of them rated potentially hazardous. “Interference changed breathing machines’ ventilation rates and caused syringe pumps to stop” at a distance of about nine inches, according to a story in The Wall Street Journal. This may give serious pause to some retail IT operations, which can have dozens of RFID devices in loading docks and assembly lines, in addition to trucks and even on shelves.

Report: SMS Does Not Handle Volume Well At All
June 27th, 2008

In one of the first wide-scale studies of SMS’ capability to hold up under volume pressure, the technology fared “surprisingly” poorly, according to Keynote Systems. This has particular significance for retailers, who are exploring the technology’s use for mobile communications connecting to both online and in-store.

“Response times for some short codes degraded severely during the busiest hours of the day. One CSC (common short code) showed a 60 percent peak-period slowdown every day, indicating a major capacity issue was present,” Keynote said. “Many of the CSCs monitored showed significant reliability issues. Several (experienced) more than 10 hours of outage while one (experienced) more than 50 hours.” Read more.

Mobile Madness: What Really Constitutes A Mobile-Friendly Site?
June 6th, 2008

Welcome to E-Commerce Semantics 101. Your philosophical question for the day: When is a site truly mobile-friendly? Mobile commerce today is in that familiar classic battle of Chicken.com versus Egg.com: Retailers know the mobile users are out there, but they also know that few are trying to use the devices for making purchases. Consumers are open to making such purchases, but they can’t because so few retailers support it.

Major retailers won’t invest in a truly robust mobile deployment until they see most of their rivals doing so. Yes, this is why American business is in the global position it’s in today—that grand American Can-Do-But-Only-If-You-Do-It-First attitude. Read more.

Starbucks’ Wi-Fi Cup Runneth Over
June 6th, 2008

Note to retailers looking to offer free Wi-Fi: It’s a good idea to first make sure you can make the offer. Starbucks discovered that an offer of two hours of free Wi-Fi a day simply wasn’t working.

“Due to overwhelming interest in Card Rewards we are currently experiencing difficulty accessing Starbucks Card accounts. We are working to fix the problem and ask that you please try again later,” said a page shown to site visitors, according to this IDG News Service story. A Starbucks spokesman said that the problems were on Starbucks’ end, not AT&T’s. “Customers overwhelmed the site when joining Starbucks Card Rewards,” said Doug Cavarocchi, a Starbucks spokesman, in an e-mail.

Secret Cellphone Tracking Study Raises Non-U.S. Mobile Retail Potential
June 6th, 2008

A university study of cellphone users’ habits–which found that nearly half of the people tracked kept to a circle little more than six miles wide–is raising some ethical issues and might suggest a non-traditional retail testing method.

The Northeastern University study–according to this Associated Press story–could only have done its secret tracking because it was conducted outside of the United States, because such testing would likely be illegal here. Retailers looking to try out new mobile strategies might consider testing the domestic-only applications overseas.

Why Wal-Mart’s $2/Pallet Non-RFID Penalty Isn’t Going To Work
June 2nd, 2008

Computerworld columnist Frank Hayes–a former colleague of mine from CMP and an awesome folk singer as well–has a wonderful column out about why the Wal-Mart RFID effort is still having problems.

Although some of the proprietary arguments are slightly overstated, Hayes makes a great point about how Wal-Mart’s $2 per pallet non-RFID penalty reflects a lack of understanding of why suppliers have resisted RFID tagging. It’s the software implementation costs and the fact that different retailers demand different versions. Hayes’ column is worth reading. (But not everyone seems to agree. The RFID Journal took exception to the piece, on several levels. And then some RFID Journal readers took exception to that disagreement.)

Barnes & Noble Launches Its Mobile Site
May 30th, 2008

Barnes & Noble on Wednesday (May 28) launched its mobile E-Commerce site, which is pretty much a super-slimmed down version of its regular site.

B&N Mobile includes search, store-finder, book availability and order tracking. It’s not an especially sophisticated site, but it puts the world’s largest physical world bookstore on a very short list of major e-tailers who have bothered to design a version of their site for the cellphone.

Metro Using RFID To Track Meat Freshness
May 30th, 2008

Germany’s METRO Group is experimenting with RFID inserts to track meat and to immediately locate any product that is about to expire or that has expired.

METRO is placing the inlays into the foam meat packing trays used in their Future Store. “RFID has a key role to play in quality management for fresh food,” said Gerd Wolfram, managing director of MGI METRO Group Information Technology in a statement. “This automatic product identification technology will contribute to product quality and efficiency in our stores.”

MasterCard To Trial NFC In Canada This Summer
May 29th, 2008

MasterCard Canada this summer will start a 4-month NFC-phone trial, with the backing of some of Canada’s largest retailers, including Loblaw, Petro Canada, Tim Hortons, Pioneer Petroleum, Rabba Foods, a major NHL arena and McDonalds.

One unusual aspect of the trial is that it will eventually support more than one payment card on each phone, said MasterCard Canada’s Nagesh Devata.

The Lesson Never Learned: Blank Server Passwords At TJX
May 25th, 2008

Much has been made recently of TJX firing a store employee who posted public comments about weak security procedures that still exist at the retail chain that was the site of the worst data breach in credit-card history.

The employee has been dubbed a whistleblower and it’s been suggested that TJX was wrong to have terminated the guy. In this case, I have to stand up for TJX: They were completely within their rights to terminate this employee. As for the charges themselves, those are dramatically more troubling. Read more.

The Self-Checkout Future: Customized, Faster And More Dangerous
May 23rd, 2008

Jane’s contactless loyalty card is detected as the Des Moines attorney approaches the self-checkout. The system knows the counselor’s shopping history and anticipates that the counselor likely has a dozen kiwis in her cart.

So when she places the barcode-less fruit on the scale, the first fruit it displays in its list is kiwi, followed by the four fruits and vegetables that Jane typically buys. Other fruits and vegetables follow alphabetically after Jane’s favorites have been displayed. Given how many fruits Jane buys each time, this shaves a precious 108 seconds off of her checkout. Read more.

GuestView: Most Retailers Are Holding Off Server Virtualization. That’s A Bad Idea
May 21st, 2008

Guestview Columnist David Taylor worries when he sees that more than 75 percent of enterprises are holding off on deploying server virtualization in the cardholder environment until PCI clarifies matters.

But there really is no reason to wait. Why? The proof is in the tracking tools. Whether the 1.2 release of PCI DSS in October 2008 specifically addresses server, network and desktop virtualization is less important than being able to provide proof to your PCI assessor that you can control, manage and track access to card data continuously. Read more.

Checkpoint Chooses Cheesy Chore
May 21st, 2008

The grocery challenge with the theft of moist, fresh products–such as cheese–has frustrated retail loss prevention managers because such products tend to react poorly with EAS tags. Checkpoint and Sealed Air Cryovac announced Wednesday (May 21) one possible way around this issue.

Cryovac has started to integrate anti-theft labels inside the vacuum shrink bags. “The first market request to Sealed Air Cryovac was for two million packs for the protection of Parmigiano Reggiano. In Italy, for instance, Parmigiano Reggiano has a shrink rate of about 9 percent,” said a joint statement. “Initial studies have shown that this RF-EAS source tagging program may cut down inventory shrinkage of dairy products from 9 percent to 1 percent.”

Some British Retailers Secretly Tracking Customers, Using Their Cellphone’s Transmissions
May 20th, 2008

A pair of British shopping centers is experimenting with a creative way to leverage consumer cellphones. The consumers are being surreptitiously tracked by the signals emitted by all mobile devices and a database notes when consumers “enter a shopping centre, what stores they visit, how long they remain there and what route they take as they walked around,” according to a report in The London Times.

A spokesperson for the vendor behind the trials–Path Intelligence, of Portsmouth–said its equipment was just a tool for market research. “There’s absolutely no way we can link the information we gather back to the individual,” a spokesperson said. “There’s nothing personal in the data.” But their system does apparently grab a consumer’s phone’s unique IMEI number, which is found on all GSM and UMTS mobile phones. The carrier would theoretically have the data to match it to personally identifiable data.

Report: RFID Market To Hit $9.7 Billion By 2013
May 20th, 2008

The RFID market has a healthy future, looking at a 15 percent compound annual growth rate over the next five years, hitting $9.7 billion by 2013, according to a report issued Tuesday (May 20) by ABI Research.

These figures highlight an RFID market that is growing “robustly,” said ABI research director Michael Liard, pointing to recent commitments from Wal-Mart’s Sam’s Club and the German retail giant Metro AG as key factors.

Verichip Puts Itself Up For Sale, Parts Ways With CEO
May 17th, 2008

Controversial RFID vendor Verichip on May 15 announced that it is selling much of the company, wants to sell the rest of it and that the company has parted ways with its CEO, Scott Silverman.

Verichip and its onetime parent company, Applied Digital, generated a lot of negative publicity for RFID with its efforts to push implantable RFID chips, including some especially controversial statements that Silverman made about RFID chips being implanted in non-citizen guest workers. The company’s sale of its XMark unit to The Stanley Works for $45 million will remove the vast majority of the company’s revenue. (RFID Update just ran an excellent look at whether such implantable RFID efforts are viable anymore.)

Trick Or Treat? New PCI Version To Be Here By Halloween
May 16th, 2008

By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering “Trick or Treat?”

Robert Russo, general manager of the PCI Council and a man who never met an acronym he didn’t like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as “minor changes.” Read more.

Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too
May 16th, 2008

It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.

“As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers,” the indictment said. “Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants had to regularly reactivate the packet sniffers.” This group might even have had a hand in the TJX incident. Read more.

Delegation Can Be Good, And A Half-Dozen Other Security Tips
May 15th, 2008

From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to “deputize” internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.

These leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT. Read more.

TJX Gets 99.5 Percent Signoff With MasterCard Banks
May 14th, 2008

When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry’s worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing.

No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent, the retailer announced May 14.

Applying Internet Security To RFID
May 14th, 2008

NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.

Applying Internet-level security to RFID is something that has not gone very far, according to this RFID Update story about the anticipated rollout. NeoCatena Networks is developing RF-Wall, an appliance to be installed between RFID readers or controllers and middleware servers, edge servers or host applications in networked RFID systems. The product acts as a firewall that authenticates RFID tags prior to allowing their data to pass into enterprise systems and also scans input to detect and block malware. RF-Wall works by using the unique tag ID to create a digital signature.

FTC To Hold Contactless Hearing In Seattle
May 14th, 2008

Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.”

Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.

The Dangers Of Choosing The Wrong Wireless Approach
May 9th, 2008

London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.

The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.

Beware Of Mobile Customers Who Are Not Where You Think They Are
May 2nd, 2008

As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let’s say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday. The chain limits the offer to the Boston area through area code and other data.

But it just so happens that there’s a huge convention in San Jose that day of the Society Of People Who Live In Boston. Your San Jose locations get flooded with people asking for their free gift, leading to a lot of baffled employees and angry customers. This observation comes courtesy of a colleague who has far too much time on his hands to think up such things.

Which Do You Want, Buddy? Compliance Or Security?
May 1st, 2008

GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments.

Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins and policies that are not enforced. Fixing this stuff is not expensive, but it’s not fun either. Read more.

Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
April 25th, 2008

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars “but not tens of millions.”

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption (“customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network”), host and network intrusion prevention systems (“to proactively prevent malware from being installed in our systems”) and better payment segmentation. Read more.

Wal-Mart Makes RFID Privacy Promises To Arkansas State Legislators
April 25th, 2008

Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam’s Clubs by 2010, according to this BusinessWeek story.

After checkout, customers would have the option of removing the labels containing the tags, Wal-Mart told the state legislators. “If a manufacturer installed the tag inside a container, workers would be able to deactivate it before a customer leaves the store,” the story said.

Startup Promises Hard-To-Duplicate RFID Chips
April 25th, 2008

A difficult-to-duplicate RFID chip? That’s the claim of an RFID startup, which is using MEMS resonators to create a unique signal, or “voiceprint,” which can’t be cloned and can be used to authenticate the chip, according to this RFID Update story.

“Each voiceprint is unique but falls within a defined band so separate readers do not have to be developed for each chip,” the story said. “However, MEMflakes can’t be read with RFID readers currently on the market.”

Javelin Report: Retailers Have No Reason To Support Contactless Payment
April 24th, 2008

Although contactless payment has tremendous potential to advance payments and set the stage for mobile commerce, it’s suffering from benign neglect from both retailers and the card brands—and banks, too. That according to a new contactless payment report from analyst firm Javelin Strategy & Research.

The key argument of the report is that none of the three groups of companies involved—the card brands, the issuing banks and key retailers—is spending the dollars to create true incentives to make contactless payment work, said lead report author Bruce Cundiff, who is Javelin’s director of payments research. “There is no effective value proposition for merchants and for wireless carriers,” Cundiff said. Read more.

Waiter? Stylus, Please
April 17th, 2008

One of the most annoying parts of many a casual restaurant outing is at the end, when you just want to say “Check, please” and all wait staff seem to sense this and decide instead to join the Waitress Relocation Program.

Microsoft has decided to help (OK, they smelled money in those missing food servers) and created a device that permanently sits on the table. Redmond is backing this hardware that can take payment, print out a receipt and do it all without having to catch anyone’s eye. It allows the tip to be added (minus a deduction for subjecting you to the machine), and it can show various promotions. (OK, so having mandatory TV commercials when you’re dining out is probably not a good thing.) It also has a button to summon a manager if there’s an issue.

A Kiosk That Toys With Long-Term CRM Rewards
April 16th, 2008

A DVD rental kiosk outfit has rolled out a kiosk that keeps track of orders and awards free videos for frequent shoppers. The idea of a kiosk that has a long-term memory and an active CRM component is a wonderful next step (OK, a baby step) for intelligent kiosks.

The new units from DVDPlay use E-mail addresses in lieu of a loyalty card. “By entering an E-mail address during the rental process, the stand-alone DVD rental machine’s patent-pending software recognizes the number of customer rental transactions and, after every tenth rental, generates a promotional code for a free movie that is automatically sent to the customer’s E-mail account,” said a statement issued by the company.

A 600-Foot Passive RFID System?
April 16th, 2008

RFID vendor Mojix has rolled out a new RFID system that it says can read passive, Gen2-standard tags from 600 feet away; cover 250,000 square feet of area; and pinpoint tag location in 3D, according to this intriguing RFID Update story.

The move is interesting, because it shows a vendor’s willingness to play with the assumed RFID rules to try and generate a little retail ROI. The story quotes company officials saying that the claims are based on advances in digital signal processing, RF antenna design and computational processing power. Mojix’s STAR 1000 differs from traditional RFID systems by using separate components to power and read tags. “There is no rule of physics or regulation that says the receiver and transmitter have to be in the same housing,” said Kevin Duffy, Mojix senior vice president of sales and marketing.

McDonald’s Mobile Trial Raises Question: Who Owns The Data?
April 9th, 2008

A group of 109 McDonald’s restaurants in the Salt Lake City region is doing a mobile commerce trial, with participating consumers getting free iced coffee. Although those 109 stores are barely one coffee bean’s worth, given the $22.8 billion chain’s 31,377-store network, the trial is interesting both for its capabilities and for how much data-control McDonald’s was willing to give up.

McDonald’s is launching iced coffee as part of some new menu options and “part of our objective was to create additional awareness,” especially among the younger consumers who McDonald’s assumes will be receptive to a mobile coupon campaign. Read more.

Virtually Instant Card-Swipe Encryption Device To Be Unveiled Next Week
April 3rd, 2008

Amidst the sea of security announcements slated for the next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption.

Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security. The new unit uses Hidden Triple Data Encryption Standard (H-TDES) from a company called Semtek Innovation Solutions Corp. Its hardware unit is designed to deactivate if anyone succeeds in opening the case, making the planting of physical data-capture devices more challenging. Read more.

New Mobile Payment Patent Sidesteps Wireless Concerns
April 3rd, 2008

Against the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office has issued a patent for a cellphone payment method that leverages current retail equipment, uses an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.

The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system. Read more.

Security Controls Are Useless If They’re Not Turned On
April 3rd, 2008

Guest Columnist David Taylor is baffled by how often security safeguards are purchased, installed and then not meaningfully used. It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward.

Whether it’s leaving firewalls in learning mode or having database access controls that all but ignore the activity of authorized users–who may be capable of nastiness few cyber thieves could dream of–it’s an amazingly risky approach. Read more.

Amazon’s TextBuyIt Service Not Likely To Make Them A Lot Of Retail Friends
April 2nd, 2008

Amazon.com on Wednesday rolled out a new service called TextBuyIt, which allows consumers to comparison shop online working solely with fast text messages. But the move may not sit well with other retailers, who could see this making it easier to find better deals elsewhere, especially in bookstores.

The service can also support Web searches—but that’s hardly new—and is being positioned by Amazon as an easier way for consumers to make Amazon purchases. The transactions can be almost solely done via text, with an old-fashioned phone call used to verify the purchase. Read more.

Is Hannaford Unique Or The Start Of A New Breach Trend?
April 2nd, 2008

Was the Hannaford data breach isolated or was it part of a sweep of similar penetrations? A Vermont ski resort is reporting an almost identical breach of card information in transit in February and an official there was told by law enforcement “that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.”

Those new details–courtesy of a Computerworld story–suggest that this might soon become the norm. The Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February. “We can tell you that this was a real-time theft,” said Okemo spokeswoman Bonnie MacPherson. “The information was being taken as the cards were being swiped.”

TJX Offers To Pay MasterCard Banks As Much As $24 Million For Breach Costs
April 2nd, 2008

TJX will pay as much as $24 million to cover data breach losses suffered by MasterCard banks, assuming 90 percent of the banks agree to the settlement offer, TJX and MasterCard announced on Wednesday. TJX last year announced the world’s worst payment data breach, which impacted some 100 million cards.

Participants “must agree not to seek or participate in any other recoveries that may be available to issuers and must also release MasterCard, TJX and TJX’s acquirers from all legal and financial liability associated with the TJX data breach,” a joint statement said. Those banks have 30 days to decide whether to accept the offer.

Amex Kills Its Payment Fob. Will Others Follow?
April 2nd, 2008

Pushing a convenience/ease-of-use argument, payment processors have spent much of the last two years trying to get consumers to use different payment methods. But 2008 has thus far not been friendly to them.

This week brings the news that American Express is halting its ExpressPay keyfob, some six years after the payment giant started offering it. The program is expected to deactivate the last of its fobs by July. There are many reasons the fob may have died, but at least Amex—with six years of fob effort under its payment belt—can’t be accused of not giving the fob enough time to work. Read more.

Hannaford Breach Included Clear Text Sent Via Fiber-Optic Cable
April 2nd, 2008

The Hannaford data breach included payment information that was partly encrypted and partly clear text—and it was all transmitted over a private fiber-optic cable, according to a Hannaford official quoted in the Wall Street Journal.

This information—on top of the reports that Trojan Horse software was installed on 300 servers in 300 Hannaford stores—is painting a picture of a retailer that seemed to be following accepted security procedures. The story reported that the cyber-thief created software that “intercepted the information as it went back and forth over a cable to a transaction processor in Denver. It was then transmitted to an Internet service provider somewhere outside the U.S.,” according to Hannaford marketing VP Carol Eleazer, who added that “it took a team of about 30 forensics experts and information technologists more than 10 days of round-the-clock troubleshooting to discover the malware.”

Hannaford Had Trojan Installed On 300 Store Servers, One Copy For Each Store
March 28th, 2008

The data breach at Hannaford involved a Trojan Horse that was installed on servers at every one of its 300 grocery stores, according to Hannaford officials. The software intercepted card data at the POS and then periodically transmitted it “to an unnamed offshore Internet service provider.”

Those details come courtesy of a letter sent by Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Governor Deval Patrick’s Office of Consumer Affairs and Business Regulation, according to Hannaford officials and a report in The Boston Globe, which quoted from the letter. The chain decided to replace all of the servers to make absolutely certain the malicious programs were removed from the network.
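The two Hannaford items above describe the same failure mode: card data crossed a store-to-processor link partly in clear text, and malware on the store servers could read it as the cards were swiped. A private fiber circuit does not help once an endpoint on it is compromised. The check a practitioner wants here is simple: look at what actually leaves the POS segment and ask whether a primary account number (PAN) can be read out of it. The following is an added example written for this page, not Hannaford's code or anything from the Computerworld, Globe or Journal reports. It assumes the defender already has the raw payload bytes from a capture of that link (a span port or tap is the usual source); the message formats and the sample payloads are constructed, and the card number used is the well-known Visa test number, which belongs to no real account.

```python
"""
Scan captured payload bytes for card numbers (PANs) sitting in clear text.

Added example for this page; not Hannaford's or any vendor's code.
Assumption: the caller already has raw payload bytes from a capture of
the store-to-processor link. Message formats below are constructed.
"""
import re

# Digit runs of PAN length (13 to 19 digits), tolerating the single
# space or hyphen separators sometimes seen in receipts and logs.
# The lookarounds stop a match from starting or ending mid-run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes, most random digit runs fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(payload: bytes) -> list:
    """Return Luhn-valid PAN candidates readable in clear text in payload."""
    text = payload.decode("latin-1")   # one char per byte, never raises
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four digits, as a report should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_capture(samples: dict) -> dict:
    """Map each payload name to the masked PANs found in it (hits only)."""
    report = {}
    for name, payload in samples.items():
        pans = find_cleartext_pans(payload)
        if pans:
            report[name] = [mask(p) for p in pans]
    return report


# Constructed sample payloads. The first and third carry the PAN in clear
# text (an authorization request and a track-2 style string); the second
# carries only an opaque encrypted field; the fourth is ordinary noise
# whose 13-digit number fails the Luhn check.
SAMPLES = {
    "lane07_auth_clear": b"AUTH|4111111111111111|0912|2350|STORE0417",
    "lane07_auth_enc":   b"AUTH|ENC:7f3a9c0d...|STORE0417",
    "track2_clear":      b";4111111111111111=09121015432112345678?",
    "noise":             b"ORDER 1234567890123 qty=2",
}


if __name__ == "__main__":
    for name, hits in scan_capture(SAMPLES).items():
        print(f"{name}: clear-text PAN(s) {hits}")
```

Run over a real capture, anything this flags is a message that a compromised host on the same link could have harvested exactly as the Hannaford malware did; an empty result for a segment that handles card data is the only acceptable outcome. The Luhn filter cuts false positives from order numbers and timestamps but is not proof of a card number, so treat hits as leads to confirm against the message format.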

FTC: TJX “Failed To Provide Reasonable And Appropriate Security”
March 28th, 2008

In the multi-year data breach at TJX—the worst in credit card history—the retail chain “created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text,” according to a complaint issued Thursday by the U.S. Federal Trade Commission.

That report also found that TJX “did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks” and that it failed to “use readily available security measures to limit access” and cited one crucial example: not “using a firewall to isolate card authorization computers.” Read more.

500-Store 2-D Barcode Launches In San Francisco
March 28th, 2008

The retail move to embrace 2-D barcodes that began with a Sears trial in December and strong interest from BestBuy, the Gap and Target is inching forward, with a 500-store trial starting Thursday in San Francisco.

The trial, involving CitySearch, Antenna Audio and Scanbuy, is a fairly basic mobile integration effort. “More than 500 restaurants, shops and businesses reviewed by Citysearch are placing printed bar codes in their windows, and people who have Scanbuy software loaded on their phones can simply take a picture of the code and their phone’s Internet browser will immediately take them to the restaurant’s corresponding Citysearch page,” said a statement from the group.

New Washington State RFID Law A Far Cry From What Assemblyman Wanted
March 21st, 2008