StorefrontBacktalk - Techniques, Tools, and Tirades about Retail Technology and E-Commerce
Trick Or Treat? New PCI Version To Be Here By Halloween
May 16th, 2008

By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering “Trick or Treat?”

Robert Russo, general manager of the PCI Council and a man who never met an acronym he didn’t like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as “minor changes.” Read more.

Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too
May 16th, 2008

It was April 2007 when a pair of cyberthieves from Ukraine and Estonia set out to grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.

“As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers,” the indictment said. “Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants had to regularly reactivate the packet sniffers.” This group might even have had a hand in the TJX incident. Read more.

Delegation Can Be Good, And A Half-Dozen Other Security Tips
May 15th, 2008

From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to “deputize” internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.

These leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT. Read more.

TJX Gets 99.5 Percent Signoff With MasterCard Banks
May 14th, 2008

When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry’s worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing.

No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent, the retailer announced May 14.

FTC To Hold Contactless Hearing In Seattle
May 14th, 2008

Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.”

Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.

Arrests Made In California Debit-Card Skimming Scam
May 12th, 2008

California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain.

The arrests were in connection with the debit-card thefts at California grocery chain Lunardi’s, where police say the pair swapped out part of the card-reader with a skimmer, according to this San Jose Mercury News story. It was unclear whether the data was collected by piggybacking on the store’s network, transmitted wirelessly, or retrieved by the thieves when they swapped the machines back later. The Lunardi’s store that was hit is based in Los Gatos. The paper also reported that a nearby Los Gatos Arco gas station suffered a very similar debit-card breach a couple of weeks earlier.

Self-Checkout Psychology: Losing The Customer’s Trust
May 9th, 2008

With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it’s not a bad idea to focus on what will truly decide whether these machines do anything to help retailers.

To state the obvious: It’s getting consumers to use them. I say it’s obvious, but one wouldn’t guess that based on what the vendors were saying this week. Read more.

Self-Checkout: It’s Not Just For Lanes Anymore
May 9th, 2008

With the nation’s largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I’d rather take my chances at rolling a 10 the hard way.

Las Vegas was hosting the 2008 Food Marketing Institute and Marketechnics show, which felt like self-checkout central this week. Read more.

The Home Depot Self-Checkout Machine That Wouldn’t Take “No” For An Answer
May 9th, 2008

Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy.

The story began on May 8 when a woman visited a Baltimore Home Depot to buy a few odds and ends, including plants, pots and tile sealer. Read more.

The Data Breach Librarian Actually Gets Paid
May 9th, 2008

The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.

Theodore Karantsalis had filed the lawsuit for several reasons, but one was to prove that consumers would fare far better—faster, easier and more money—in small claims court than as one of many in some class-action litigation. Read more.

The Dangers Of Choosing The Wrong Wireless Approach
May 9th, 2008

London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.

The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.

Rite Aid Cuts Deal For Visually Impaired Web, POS Support
May 2nd, 2008

Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups.

The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe’s and Wal-Mart. The most prominent retailer who has fought such efforts is Target, whose legal battle continues. Read more.

Beware Of Mobile Customers Who Are Not Where You Think They Are
May 2nd, 2008

As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let’s say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday. The chain limits the offer to the Boston area through area code and other data.

But it just so happens that there’s a huge convention in San Jose that day of the Society Of People Who Live In Boston. Your San Jose locations get flooded with people asking for their free gift, leading to a lot of baffled employees and angry customers. This observation comes courtesy of a colleague who has far too much time on his hands to think up such things.

Do Retailers Really Maintain A Secure Environment?
May 2nd, 2008

This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. You really should read the details in this story in New York’s Saratogian newspaper, but the essence is that a woman walks up to an ATM at a Hannaford’s grocery store. (Just what Hannaford needs right now. More police-oriented publicity.)

She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves. Turns out that she worked for the ATM company, but the story asks why no one bothered to ask her what she was doing. Indeed, it’s a fine question. How many retailers have strict file access procedures, but would likely let a stranger plug a laptop into equipment without any questions? No, please, don’t answer that question. It’s too depressing to hear.

NRF Group Offers Payment Consistency Guidelines
May 2nd, 2008

With an eye on retailers having to juggle payment systems between many varied environments–far beyond merely online and in-store–a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface, which it has dubbed “the first service-oriented architecture service interface schema and technical specification for the retail industry.”

“By making existing POS transaction functions available as SOA Services, RTI will enable the business logic behind these services to be easily reused for other customer and associate touch-points such as self checkout, fuel at grocery stores, kiosks, shop on the web, store within a store, portable shopper, mobile line buster and other complementary store solutions,” said a statement from the NRF’s Association for Retail Technology Standards (ARTS). Execs with Big Lots and BJ’s Wholesale Club represented retailers in a committee dominated by tech vendors.

Microsoft Leaning Toward Going Hostile To Get Yahoo
May 1st, 2008

Microsoft is “leaning toward going hostile in its pursuit of Yahoo,” with an announcement “likely” on May 2, according to a report in that day’s edition of The Wall Street Journal.

Although such a move would not likely have a direct impact on the IT side of E-Commerce with major retailers, it could sharply impact tens of thousands of smaller merchants that rely on Yahoo to sell their wares.

Which Do You Want, Buddy? Compliance Or Security?
May 1st, 2008

GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments.

Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins and policies that are not enforced. Fixing this stuff is not expensive, but it’s not fun either. Read more.

Cash Usage Rising Sharply In Britain
April 29th, 2008

British retailers are seeing a resurgence in cash purchases, mostly due to a weak economy and consumers who are “nervous about borrowing or spending on debit cards,” according to a new report from the British Retail Consortium (BRC).

The British retail group used the opportunity to beat up banks and card brands for overly high interchange fees. (Then again, retail lobbying groups need no special occasion to make such points, as they often volunteer them when asked about the weather.) But the question remains whether the consumer reactions that are pushing cash usage in the U.K. are likely to be replicated in other parts of the world. Read more.

Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
April 25th, 2008

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try to be secure, an effort he predicted would cost his department millions of dollars “but not tens of millions.”

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption (“customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network”), host and network intrusion prevention systems (“to proactively prevent malware from being installed in our systems”) and better payment segmentation. Read more.

Pizza Hut Delivering A Web Virtual Waiter
April 25th, 2008

Pizza Hut is taking the “other people who bought also liked” approach mastered by Amazon.com and is trying to apply it to pizza and breadsticks and their Web site.

The new feature—dubbed Virtual Waiter and introduced by the fast-food chain on April 24—is based on “technology that gathers data from millions of online orders and suggests menu items that best match customers’ orders.” But a demo showed that the technology was much more sophisticated than that description suggested. Read more.

Wal-Mart Makes RFID Privacy Promises To Arkansas State Legislators
April 25th, 2008

Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam’s Clubs by 2010, according to this BusinessWeek story.

After checkout, customers would have the option of removing the labels containing the tags, Wal-Mart told the state legislators. “If a manufacturer installed the tag inside a container, workers would be able to deactivate it before a customer leaves the store,” the story said.

Is This Retail Payment Data Breach A Trend?
April 25th, 2008

Police near Canton, N.Y., are investigating a payment card data breach at a local retail chain that sounds oddly similar to the Hannaford and other related recent breaches. Is this a coincidence or a gang focused on retail data?

The new information on the Canton WiseBuys breach has the data being grabbed during a system changeover between December 5 and December 20, 2007, according to this WWNYTV story.

Startup Promises Hard-To-Duplicate RFID Chips
April 25th, 2008

A difficult-to-duplicate RFID chip? That’s the claim of an RFID startup, which is using MEMS resonators to create a unique signal, or “voiceprint,” which can’t be cloned and can be used to authenticate the chip, according to this RFID Update story.

“Each voiceprint is unique but falls within a defined band so separate readers do not have to be developed for each chip,” the story said. “However, MEMflakes can’t be read with RFID readers currently on the market.”

EBay’s PayPal Gets Into In-Store
April 25th, 2008

EBay’s PayPal is following the path set by other alternative payment players and is starting to appear in physical stores.

It’s not a huge chain, but it’s a start. Moosejaw Mountaineering and its seven stores will now accept PayPal and the chain is also starting to use in-store kiosks to display online customer reviews, according to this Internet Retailer story. Neither move is a first. BillMeLater is already inching into online payments, and the Fair Indigo chain in Wisconsin already started the kiosk-search-through-Web-customer-reviews effort last year. Still, any movement toward Merged Channel is welcome.

Did Someone Forget To Tell Amazon About The Recession?
April 25th, 2008

We’ve been seeing a bizarre trend during this national recession. It seems to be hitting hardest the companies that expected to be hit, the ones that cut back spending in anticipation of the downturn. Lo and behold, after cutting back on customer service and marketing programs, they see revenues fall. Did they correctly predict the sales drop or did they unintentionally cause the sales drop?

This question comes to mind when looking at some recent earnings reports. Wal-Mart’s been faring well, but it points to increased grocery and other low-cost items, suggesting that they may be taking sales away from higher priced grocery rivals. That might be a recession sign. But this week’s Amazon figures raise questions about such analysis. Read more.

The Secret To Protecting All That Is Confidential
April 24th, 2008

GuestView Columnist David Taylor this week argues that one of the hardest parts of extending PCI controls to other confidential data is the application of Identity and Access Management (IAM) that crosses applications and platforms, without encountering the “analysis paralysis” that comes with trying to implement Single Sign-on.

Because many organizations create policies specifically to comply with PCI standards, there are some policies that specifically single out cardholder data for special protection. These need to be rewritten to reference a data classification policy. If that doesn’t exist, then it needs to be created, and some examples of data in the “confidential class” other than cardholder data need to be provided. Read more.

China Becoming A Very Dominant POS Player
April 24th, 2008

China POS shipments soared some 19 percent last year, figures that show China’s retailers quickly becoming some of the biggest POS purchasers in the world, according to a new global POS report from consultancy IHL Group. How fast are China’s retail purchases growing? Last year was the first time China blew past Japan in POS purchases and it also had more than 25 percent more shipments than Germany, said IHL President Greg Buzek.

One key reason is that retailers in China tend to have much smaller real estate footprints. That delivers a lot more retail locations, each of which is quite small. Buzek puts the number of today’s Chinese retail locations at 12 million, compared with 2.1 million in Japan, 363,000 in Germany and 2.25 million retail outlets in the U.S.

Javelin Report: Retailers Have No Reason To Support Contactless Payment
April 24th, 2008

Although contactless payment has tremendous potential to advance payments and set the stage for mobile commerce, it’s suffering from benign neglect from both retailers and the card brands—and banks, too. That according to a new contactless payment report from analyst firm Javelin Strategy & Research.

The key argument of the report is that none of the three groups of companies involved—the card brands, the issuing banks and key retailers—is spending the dollars to create true incentives to make contactless payment work, said lead report author Bruce Cundiff, who is Javelin’s director of payments research. “There is no effective value proposition for merchants and for wireless carriers,” Cundiff said. Read more.

A Trio Of Credit Card Conundrums
April 18th, 2008

If there’s one thing that the last year of credit card catastrophes has made undeniable it’s that mixing credit cards, retailers, banks and card brands is unpredictable and a lot more complex than anyone wants to believe. Whether it was last year’s TJX revelations about how bad security can get (TJX to the SEC: The bad guys were able to get a copy of our encryption key, but not to worry. They grabbed the data before we had a chance to encrypt it, so the joke’s on them) or this year’s Hannaford details, where a PCI-compliant retailer lost data in transit while it was flowing through a secure private pipe, almost every assumption today is being challenged.

With that in mind, StorefrontBacktalk has been asking retailers, lawyers and other experts (and gadflies) for their favorite credit card security issue brain teasers. How many can you figure out? (No, there are no right answers, other than accepting cash.) Read more.

Waiter? Stylus, Please
April 17th, 2008

One of the most annoying parts of many a casual restaurant outing is at the end, when you just want to say “Check, please” and all wait staff seem to sense this and decide instead to join the Waitress Relocation Program.

Microsoft has decided to help (OK, they smelled money in those missing food servers) and created a device that permanently sits on the table. Redmond is backing this hardware that can take payment, print out a receipt and do it all without having to catch anyone’s eye. It allows the tip to be added (minus a deduction for subjecting you to the machine), and it can show various promotions. (OK, so having mandatory TV commercials when you’re dining out is probably not a good thing.) It also has a button to summon a manager if there’s an issue.

PA-DSS Formally Unveiled
April 17th, 2008

The PCI Security Standards Council on April 15 officially rolled out version 1.1 of the Payment Application Data Security Standard (PA-DSS). The specifics of the standard were spelled out last November and this is just the expected formal unveiling.

This fall, the group said it will maintain a list of validated payment apps. Also this fall, the group is likely to introduce an entirely new version of the PCI specification. But that version is not expected to have any impact on which apps are considered compliant.

Extending PCI Standards To Protect All Confidential Data
April 17th, 2008

GuestView Columnist David Taylor this week questioned why PCI doesn’t protect non-payment card information, such as Social Security numbers.

Any security consultant will tell you that it’s important to have a data classification scheme. Although it makes a nice spreadsheet, we have seen only a few leading-edge merchants and banks that actually attempt to enforce it and use it to drive access controls. Why? Taylor has concluded that it’s for a single strategic reason: “Data classification is boring.” Read more.

A Kiosk That Toys With Long-Term CRM Rewards
April 16th, 2008

A DVD rental kiosk outfit has rolled out a kiosk that keeps track of orders and awards free videos for frequent shoppers. The idea of a kiosk that has a long-term memory and an active CRM component is a wonderful next step (OK, a baby step) for intelligent kiosks.

The new units from DVDPlay use E-mail addresses in lieu of a loyalty card. “By entering an E-mail address during the rental process, the stand-alone DVD rental machine’s patent-pending software recognizes the number of customer rental transactions and, after every tenth rental, generates a promotional code for a free movie that is automatically sent to the customer’s E-mail account,” said a statement issued by the company.

GuestView: Many QSAs Do Not Have The Background, Expertise To Assess PCI
April 15th, 2008

GuestView Columnist Joel Weise–the chief technologist for Sun Microsystems GSS Security Program Office–argues that although there are many qualified security assessors (QSAs), “a few who simply do not have the background and expertise in systems security manage to distort the original intent of PCI.”

“A good QSA would ask not only if an antivirus package existed or if a firewall appliance was installed or if a unique user ID policy was followed, but also how these were designed, architected, implemented, configured and monitored,” Weise wrote. “A good QSA would ask to what security policy must applicable operational procedures adhere and whether anyone looks at the alerts and logs generated by the antivirus or firewall products.” Read more.

eBay’s Australia Experiment: Ban All Payment Methods Other Than PayPal
April 13th, 2008

As of June 17, anyone in Australia buying from eBay online will be told: “PayPal” or “Forget It, Pal.”

With the exception of in-person pickups and cash-on-delivery, plus a handful of large-ticket items (specifically cars, motorcycles, aircraft, boats, caravans, trailers, commercial trucks, services, real estate and businesses) for sale, sellers will be required to offer eBay-owned PayPal as a payment method by May 21, in anticipation of the June 17 ban on anything else. Said eBay: “If we think these changes will significantly improve the buyer experience, we may expand them to additional segments of sellers or categories.” Read more.

Advance Auto Parts Breach Included Unencrypted Payment Data From 2001
April 11th, 2008

Unencrypted customer credit card information dating back to 2001 was among the customer payment data stolen from as many as 56,000 customers of Advance Auto Parts, according to one company official, who added that the chain is not PCI compliant.

The $4.8 billion automotive aftermarket parts chain—which dubs itself the nation’s second largest such chain, with 3,261 stores in 40 states, Puerto Rico and the Virgin Islands—said the breach appears to have impacted customers from 14 of its stores in Georgia, Ohio, Louisiana, Tennessee, Mississippi, New York, Virginia and Indiana. Read more.

McDonald’s Mobile Trial Raises Question: Who Owns The Data?
April 9th, 2008

A group of 109 McDonald’s restaurants in the Salt Lake City region are doing a mobile commerce trial, with participating consumers getting free iced coffee. Although those 109 stores are barely one coffee bean’s worth, given the $22.8 billion chain’s 31,377-store network, the trial is interesting both for its capabilities and for how much data-control McDonald’s was willing to give up.

McDonald’s is launching iced coffee as part of some new menu options and “part of our objective was to create additional awareness,” especially among the younger consumers who McDonald’s assumes will be receptive to a mobile coupon campaign. Read more.

The Dangers Of Manual PCI Reviews
April 9th, 2008

Guest Columnist David Taylor sees manual reviews as one of the most serious threats to retail security. As one security manager put it: “We are so far behind in tracking down the alerts, we could have been breached a month ago and still not know it.” The heavy reliance on manual review of large volumes of security data is one of the major reasons why more security breaches of compliant companies are likely.

PCI DSS is famous for its level of detail, in laying out for merchants procedures for implementing and testing many different security controls. But PCI DSS does not tell merchants how they should actually manage all these alerts or which of these controls need to be integrated, and which of the procedures need to be automated. Read more.

Best Buy Change Sees 10X Increase In CRM Participants
April 8th, 2008

When Best Buy removed annual fees from its bonus card, the company yielded about 10 times the number of shoppers opting to sign up for its rewards program, according to this Forbes.com story.

A location that gains a reputation as a “flat-screen store,” for example, is identified as one frequented by more people with disposable incomes. Hence, salespeople are trained to pitch complementary products, like sound systems and attachments. Interesting story….

Piggly-Wiggly Trying To Recreate The Grocery Layout
April 6th, 2008

Focusing on recent improvements in refrigeration technology, the 115-store Piggly Wiggly is pledging to radically revamp its stores. The grocery chain is shaking up product positioning issues—all frozen foods are kept together, for example—that have been considered sacrosanct for decades.

“When you enter the Piggly Wiggly at The Market Common, you don’t see check-out lines. You don’t go down five aisles to get ingredients for one meal,” said Piggly Wiggly CEO David Schools. A statement said the chain will now “arrange food items based on how customers naturally look for them. Fresh, frozen and canned vegetables and fruit, for instance, will be in the same location, as will cereal and milk. One stop stations will offer complete meal solutions with items such as ground beef, hamburger buns, chips and beer grouped together for backyard grilling.” Will it work? Possibly. Then again, this is the same chain that strongly touted its support for biometric payment.

Virtually Instant Card-Swipe Encryption Device To Be Unveiled Next Week
April 3rd, 2008

Amidst the sea of security announcements slated for the next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption.

Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security. The new unit uses Hidden Triple Data Encryption Standard (H-TDES) from a company called Semtek Innovation Solutions Corp. Its hardware unit is designed to deactivate if anyone succeeds in opening the case, making the planting of physical data-capture devices more challenging. Read more.

New Mobile Payment Patent Sidesteps Wireless Concerns
April 3rd, 2008

With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office has issued a patent for a cellphone payment method that leverages current retail equipment, uses an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.

The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system. Read more.

Security Controls Are Useless If They’re Not Turned On
April 3rd, 2008

Guest Columnist David Taylor is baffled by how often security safeguards are purchased, installed and then not meaningfully used. It’s not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward.

Whether it’s leaving firewalls in learning mode or having database access controls that all but ignore the activity of authorized users–who may be capable of nastiness few cyber thieves could dream of–it’s an amazingly risky approach. Read more.

Restaurants Using Credit Card As Their Loyalty Card
April 3rd, 2008

A series of restaurant chains—including Subway, Tully’s and Brinker (Chili’s, Macaroni Grill, On The Border, etc.)—have been experimenting with a way to use regular credit and debit cards as loyalty cards.

Although the merchant behind the program—Chockstone—stresses a variety of security mechanisms, the nature of the program itself seems to fly in the face of PCI guidelines that discourage using credit card numbers for anything other than payment transactions, similar to the unsuccessful attempts to get American businesses to stop using Social Security numbers as de facto employee and customer identification numbers. Read more.

Amazon’s TextBuyIt Service Not Likely To Make Them A Lot Of Retail Friends
April 2nd, 2008

Amazon.com on Wednesday rolled out a new service called TextBuyIt, which allows consumers to comparison shop online working solely with fast text messages. But the move may not sit well with other retailers, who could see this making it easier to find better deals elsewhere, especially in bookstores.

The service can also support Web searches—but that’s hardly new—and is being positioned by Amazon as an easier way for consumers to make Amazon purchases. The transactions can be almost solely done via text, with an old-fashioned phone call used to verify the purchase. Read more.

The Legal Irony: A Secure Retailer Could Suffer More In A Breach Than A Reckless One
April 2nd, 2008

There is this fairy tale belief that legal justice in civil lawsuits punishes those who act poorly, while protecting and vindicating those who consistently do the right thing.

Nowhere is this myth more wrong—indeed, polar opposite wrong—than when dealing with security breach issues of U.S. retailers. I’m going to try and avoid using modern-day chains to illustrate good and evil. Regrettably, I think it’s a safe bet that I am about two sentences away from failing that effort. Let’s take TJX as an example. (Only one sentence. I was close, though.) Based on various SEC filings and court documents, it’s clear that TJX engaged in a wide range of security procedures that were, to be charitable, less than diligent. But, as we’ve pointed out many times, the millions in expenses that TJX has had to spend had absolutely nothing to do with any alleged security sloppiness. Read more.

Is Hannaford Unique Or The Start Of A New Breach Trend?
April 2nd, 2008

Was the Hannaford data breach isolated or was it part of a sweep of similar penetrations? A Vermont ski resort is reporting an almost identical breach of card information in transit in February and an official there was told by law enforcement “that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone.”

Those new details–courtesy of a Computerworld story–suggest that this might soon become the norm. The Okemo Mountain Resort ski area in Vermont announced this week that data from more than 46,000 credit and debit card transactions may have been compromised during a system intrusion over a 16-day period in February. “We can tell you that this was a real-time theft,” said Okemo spokeswoman Bonnie MacPherson. “The information was being taken as the cards were being swiped.”

TJX Offers To Pay MasterCard Banks As Much As $24 Million For Breach Costs
April 2nd, 2008

TJX will pay as much as $24 million to cover data breach losses suffered by MasterCard banks, assuming 90 percent of the banks agree to the settlement offer, TJX and MasterCard announced on Wednesday. TJX last year announced the world’s worst payment data breach, which impacted some 100 million cards.

Participants “must agree not to seek or participate in any other recoveries that may be available to issuers and must also release MasterCard, TJX and TJX’s acquirers from all legal and financial liability associated with the TJX data breach,” a joint statement said. Those banks have 30 days to decide whether to accept the offer.

Recession Breathing New Life Into Coupons?
April 2nd, 2008

Although the coupon redemption rate has been steadily declining for at least 10 years, a new vendor survey suggests the recession may turn that around.

Of the 1,529 U.S. consumers who responded, 67 percent said they are much more likely, or somewhat more likely, to use coupons during a recession, according to the survey performed by ICOM Information & Communications. Technology is helping, though, with CRM doing a better job of targeting households and Web coupons finding new fans among the paper-repulsed young.

In Bankruptcy, A Firm Finds Out Its True Worth
April 2nd, 2008

Bankrupt Pay By Touch—officially using the name Solidus Networks—has sold off two key units for a total of $4.8 million.

Phoenix Check Cashing dropped $4.2 million to pick up Pay By Touch’s check-cashing division, known as BioPay Paycheck Secure, according to The Nilson Report. Acculink paid $600,000 for ATM Direct, a unit trying to introduce PIN-based debit card payments for E-Commerce sites, the publication reported.

Amex Kills Its Payment Fob. Will Others Follow?
April 2nd, 2008

Pushing a convenience/ease-of-use argument, payment processors have spent much of the last two years trying to get consumers to use different payment methods. But 2008 has thus far not been friendly to them.

This week brings the news that American Express is halting its ExpressPay keyfob, some six years after the payment giant started offering it. The program is expected to deactivate the last of its fobs by July. There are many reasons the fob may have died, but at least Amex—with six years of fob effort under its payment belt—can’t be accused of not giving the fob enough time to work. Read more.

Hannaford Breach Included Clear Text Sent Via Fiber-Optic Cable
April 2nd, 2008

The Hannaford data breach included payment information that was partly encrypted and partly clear text—and it was all transmitted over a private fiber-optic cable, according to a Hannaford official quoted in the Wall Street Journal.

This information—on top of the reports that Trojan Horse software was installed on 300 servers in 300 Hannaford stores—is painting a picture of a retailer that seemed to be following accepted security procedures. The story reported that the software created by the cyber-thief “intercepted the information as it went back and forth over a cable to a transaction processor in Denver. It was then transmitted to an Internet service provider somewhere outside the U.S.,” according to Hannaford marketing VP Carol Eleazer, who added that “it took a team of about 30 forensics experts and information technologists more than 10 days of round-the-clock troubleshooting to discover the malware.”

Beware The Razored Fake Payment Card
April 1st, 2008

A new type of payment card forger is making the rounds, this time armed with a razor blade and very little money.

After the thief has been able to guess at random numbers and find a viable payment card, the culprit razors off the last few digits from a real payment card and KrazyGlues the guessed-at numbers onto the card. He/she then scratches the magstripe to force the cashier to manually enter the digits, according to this nicely done story from the Oregonian newspaper.

Hannaford Had Trojan Installed On 300 Store Servers, One Copy For Each Store
March 28th, 2008

The data breach at Hannaford involved a Trojan Horse that was installed on servers at every one of its 300 grocery stores, according to Hannaford officials. The software intercepted card data at the POS and then periodically transmitted them “to an unnamed offshore Internet service provider.”

Those details come courtesy of a letter sent by Hannaford general counsel Emily Dickinson to Massachusetts Attorney General Martha Coakley and Governor Deval Patrick’s Office of Consumer Affairs and Business Regulation, according to Hannaford officials and a report in The Boston Globe, which quoted from the letter. The chain decided to replace all of the servers to make absolutely certain the malicious programs were removed from the network.

FTC: TJX “Failed To Provide Reasonable And Appropriate Security”
March 28th, 2008

In the multi-year data breach at TJX—the worst in credit card history—the retail chain “created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text,” according to a complaint issued Thursday by the U.S. Federal Trade Commission.

That report also found that TJX “did not require network administrators and other users to use strong passwords or to use different passwords to access different programs, computers, and networks” and that it failed to “use readily available security measures to limit access” and cited one crucial example: not “using a firewall to isolate card authorization computers.” Read more.

PCI Safe Harbor? In Your Dreams, Breach Boy
March 28th, 2008

If there&#