StorefrontBacktalk - Techniques, Tools, and Tirades about Retail Technology and E-Commerce
Next-Generation Search: Marketers To Try And Use Consumers’ Own Games and Cell Phone Cameras To Spy
July 18th, 2008

In an eerie snapshot of where some top marketers want to take the next generation of search engines, a Japanese government-backed research project is working on a search that is based on what a user does, not a keyword a user types in.

But the specific tactics being considered—and detailed on a Web site for the group officially dubbed the Information Grand Voyage Project—include searching the history of game programs, blog postings, surreptitiously captured video segments from TVs and computers, tracking Wi-Fi locations and using an RFID reader connected to a cell phone to identify a consumer’s activities “based on data captured by mobile device camera.” Read more.

Staples Trial: 2-Way Live Video Kiosk That Controls Payment, Scanners
July 18th, 2008

Staples’ Canadian operation has been quietly testing 2-way live video kiosks at 34 locations, but these kiosks do more than talk with customers: They remotely control hardware, including scanners and payment authorization devices.

The trial, which one Staples Business Depot manager described as “one of the largest pilots that we’ve ever done,” involves one video kiosk—with a high-resolution Web camera, microphone, scanner and a touch-screen—at each store that is networked to 10 kiosks at a Toronto office with customer service reps. Read more.

Will The Recession Kill PCI Or Bring Needed Rationality?
July 17th, 2008

Guest View Columnist David Taylor points out that PCI compliance has consistently generated larger security budgets, with little or no requirement for justifying them, other than “our bank told us we have to do it.”

But with some acquirers being no better off financially than many retailers, it’s time to ask some hard questions: Is the risk of a security breach great enough to risk the financial health of our company? Read more.

Former Hannaford CIO: Avoid Microsoft And Change PCI’s Encryption Rules
July 11th, 2008

Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft’s OS to be “so full of holes” and describes the fact that current PCI regs do not require end-to-end encryption as “astonishing.”

But Homa’s key point is that most retailers handle security backwards: Don’t pour everything into protecting the front door. Assume they’ll get through and have a plan to control them once they’re inside. Read more.

Judges, Senators Deciding Web Privacy Issues. Shoot Me Now

July 10th, 2008

Two recent developments—one involving a New York federal judge and the other involving a group of U.S. senators—are signaling serious difficulties for E-Commerce efforts over the next two years.

The assumption of some anonymity on E-Commerce sites can be critical. Let’s look at a scenario for Amazon.com. One of its most critical value-adds is customer comments—both good and bad—about its products. What if a consumer—employed in the consumer appliance world—purchased a toaster that was absolutely horrible? Read more.

Data Breach Count Reaches All-Time High, Includes New Facebook, H&R Block Breaches
July 10th, 2008

The number of reported data breaches has been soaring, with the figure from the first six months of 2008 some 69 percent higher than the number from the identical period last year. Among those were little-known recent breaches of Facebook, H&R Block and BearingPoint.

The report from the non-profit San Diego-based Identity Theft Resource Center lists 342 data breaches since Jan. 1, 2008. Of those 342 breaches, about 12 percent were attributed to cyber thieves, 16 percent to insider theft, 15.2 percent to accidental exposure and 13.5 percent to subcontractor issues. Also, about 20 percent of the data breaches involved data “on the move,” referring to laptops, thumb drives or PDAs. Read more.

Most Retailers Are Not Yet Ready To Outsource PCI
July 10th, 2008

Guest View Columnist David Taylor argues that outsourcing is considered the thing to do these days, like a summer barbecue. But it’s both easier and more complex than most merchants think.

The first move has to be to take a serious look at your data. Think of it like a residential move. How much of that accumulated stuff do you really need anymore? How much are you honestly going to be leveraging and using? The less you keep, the less you have to protect and manage. And the less you keep, the easier it will be to outsource. Read more.

Fooling An Age-Verification System The Low-Tech Way
July 10th, 2008

No sooner had IT concocted a system to try and automatically detect an under-age shopper than someone has crafted a remarkably low-tech way to fool it. How low-tech? How about a picture ripped out of a magazine?

This delightful story from Pink Tentacle shows how the Japanese cigarette-machine RFID-leveraging face-recognition system is completely fooled by the magazine photo. “The face-recognition machines rely on cameras that scan the purchaser’s face for wrinkles, sagging skin and other signs of age. Facial characteristics are compared with a database of more than 100,000 people, and if the purchaser is thought to be well over 20 years old (the legal age), the sale is approved,” the story said.

PCI Council To Start Testing Payment Kiosks
July 10th, 2008

The PCI Security Council is branching out a little, with an attempt to bring unattended payment terminals (UPTs) under its jurisdiction. As kiosks get more sophisticated and start taking cash, credit cards, mobile transactions and other payment methods, the UPT security risk is sharply increasing.

The council has also launched a testing program for Hardware Security Modules (HSMs). “PIN entry devices go well beyond the typical POS terminals we are all familiar with and we are continually expanding into more and more areas,” said Bob Russo, general manager, PCI Security Standards Council. “Any device that processes personal identification numbers is an important link in the transaction chain.”

Lawsuit Filed To Keep RFID Flaws Secret
July 10th, 2008

A semiconductor company is suing a Dutch university to keep its researchers from publishing information about security flaws in the RFID chips used in up to 2 billion smart cards, according to this intriguing Computerworld story.

NXP Semiconductors filed suit in Court Arnhem in The Netherlands against Radboud University Nijmegen. The company is pushing the courts to keep university researchers from publishing a paper about reported security flaws in the MiFare Classic, an RFID chip manufactured by NXP Semiconductors, the story said.

Medical Study Raises New RFID Fears
June 27th, 2008

Although the question of RFID safety has been debated extensively over the years, with conflicting study results, a major new medical study released this week points to very specific electromagnetic dangers within nine inches of the transmitter.

The highly respected Journal of the American Medical Association (JAMA) found 34 electromagnetic interference instances out of 123 tests, with 22 of them rated potentially hazardous. “Interference changed breathing machines’ ventilation rates and caused syringe pumps to stop” at a distance of about nine inches, according to a story in The Wall Street Journal. This may give serious pause to some retail IT operations, which can have dozens of RFID devices in loading docks and assembly lines, in addition to trucks and even on shelves.

Will Voice Prints Work For Payment Authorization?
June 27th, 2008

A UK company is pushing retailers to use voice-recognition to authenticate purchases over the phone and online.

The Voice Commerce Group’s Voice Transact package has consumers call the service, quote a pre-arranged product code and then a series of digits dictated by the automated system. Verizon is involved in the rollout. VCG CEO Nick Ogden was quoted in E-Commerce Times saying that there are “current problems with the system, the biggest of which was interoperability between different banks’ systems and the standards used in the technology.”

Federal Appellate Panel Backs Circuit City In Gift Card Patent Case
June 26th, 2008

A federal appellate court backed a group of retailers Monday (June 23)—including Best Buy, Circuit City, Costco and Lowe’s—by ruling that their gift card systems do not violate any patents.

This case has been winding its way through the federal court system for almost four years. It began when a telecom reseller called Realsource Communications said a 1998 patent protected the way it dealt with phone card payments. Read more.

PCI Compliance: Who’s Re-Minding The Store?
June 26th, 2008

Internal audit is not staffed to enforce PCI at the store level, argues GuestView Columnist David Taylor. Except for about a dozen leading retailers, most retailers do not have enough IT-skilled internal auditors to meet the requirement for a “continuous” review of store-level IT security.

Since almost no one can afford to add another group of people with both auditing skills and IT skills, nor can most retailers afford to pay consulting firms to do this, I tend to recommend very specific PCI audit training courses for your internal audit staff. One way to do this is to send them to the same two-day course that PCI auditors go through. Read more.

Bank Breach Hits ATMs, No Retailer At Fault This Time
June 19th, 2008

One of the repeated arguments made in retail data security circles is that retailers tend to have much weaker security because it’s not as much of a cultural priority as, for example, banking. So it’s a little bit consoling that the latest ATM data breach is apparently not the result of a retail breach, nor the result of social engineering and the trusting bank clerk, but is the first proven incident of a bank server’s breach linked to ATM fraud.

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to a Wired story. Although Citibank told Wired that its systems had not been breached, Citibank “warned the FBI on February 1 that ‘a Citibank server that processes ATM withdrawals at 7-Eleven convenience stores had been breached,’ according to a sworn affidavit by FBI cyber-crime agent Albert Murray.”

Re-Thinking Payment Gateways
June 19th, 2008

GuestView Columnist David Taylor suggests that a surprisingly large number of major retailers today are using in-house or outsourced payment gateways to reduce the scope of their compliance effort, as well as their costs.

At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what’s changed? Read more.

Netherlands Supermarket Chain Trying Biometric Payment
June 19th, 2008

Are European retailers going to have any better luck than American retailers with consumer-facing biometric payments? The 750-store Albert Heijn supermarket chain, the largest such chain in the Netherlands, is about to find out.

While various European chains (such as Germany’s Wagener Department Stores) have enjoyed modest success with biometrics, the Albert Heijn chain’s June 17 statement said it would commit to the trial for six months.

Federal Judge Rejects Ameritrade Settlement
June 15th, 2008

One day after lawyers presented a proposed settlement in the Ameritrade 6.2 million-customer data breach, a U.S. federal court judge has tentatively rejected the settlement (on June 13), questioning the value of the deal for the consumer victims and the size of the $1.87 million attorneys’ fees.

San Francisco-based U.S. District Court Chief Judge Vaughn R. Walker gave lawyers on both sides until June 26 to address his concerns. The judge didn’t specifically say that the lawyers’ fees were too high, but merely that “plaintiffs’ counsel has not established the basis for its fee request,” leaving himself the opportunity to potentially approve the figure if he is satisfied with a justification. Read more.

New Security Reports: Beware Of Your Partners
June 13th, 2008

A pair of unrelated reports out this week are challenging several fundamental IT security assumptions, including that data breach laws will reduce consumer losses and that insiders account for more thefts than external evil-doers.

A Verizon Business security report analyzed more than 500 data breach incidents over four years and found that 73 percent started from the outside and only 18 percent were inside jobs. Read more.

Secrecy Shouldn’t Be Convenient
June 13th, 2008

Incidents at Amazon and Ameritrade this week raise troubling questions about whether secrecy is used far too often and too quickly. Let’s say that a large Nordstrom’s store suddenly—without explanation—shut its doors at noon on a weekday, refusing to let anyone in. After several hours, the doors opened and people were let in, with no explanation. On the next business day, it happens again. And, again, no explanation.

The hypothetical Nordstrom example shows how much less respect is paid to the online consumer than the brick-and-mortar one. Does the inherent anonymity in the Web cut both ways? Like the site visitors emboldened by their namelessness who post comments and get into flame wars that they would never have the nerve to try in person, are E-tailers treating their customers with a disrespect that they would never dare consider in a physical store? Read more.

Settlement Proposed In Ameritrade Data Breach Lawsuit
June 13th, 2008

After admitting it had security holes that allowed a security breach of more than 6.2 million customers, attorneys for TD Ameritrade this week agreed to a settlement of a class action lawsuit.

The 74-page settlement outlined several efforts by Ameritrade, but it did not include any cash payments to the consumers who sued the company. Among the agreements were that Ameritrade will warn consumers about investment SPAM, pay for limited security testing, seed E-mail accounts seeking violators, pay $20,000 to the Honeynet Project and $35,000 to the National Cyber Forensics and Training Alliance as well as buy some of the impacted consumers a one-year license for an Ameritrade-selected anti-SPAM software package. Read more.

The Rodney Dangerfield Of Security Controls
June 12th, 2008

GuestView Columnist David Taylor thinks of logging and envisions Rodney Dangerfield.

“Whether we’re talking about logs generated by network or application firewalls, intrusion detection systems, file integrity monitor tools or the operating systems themselves, I’ve come to the conclusion that the only people who don’t hate them are the vendors who sell them. But, whether we hate them, disrespect them or merely ignore them, we need to learn to live with them.” Read more.

Amazon.com Crashes Again On Monday
June 10th, 2008

For the second consecutive workday, Amazon.com suffered a major crash on Monday (June 9), with increasingly unlikely scenarios being offered to explain why the historically robust site is failing.

The explanations offered for the crash—which apparently took the weekend off after bringing down Amazon completely on Friday for almost three hours before seriously (but less severely) slowing down Amazon for several hours on Monday—ranged from excessive site sophistication to some kind of malware attack or excessive load. Frustratingly, there are reasons to discount all three scenarios. The fact that Monday’s slowdown was global—while Friday’s was solely domestic—complicates matters. Read more.

Amazon Crashes Friday, Site Complexity Blamed
June 6th, 2008

E-Commerce leader Amazon.com completely crashed for almost three hours on Friday afternoon (June 6), with one Web site performance tracking firm attributing the crash to excessive site complexity.

“One thing that is true about Amazon’s site is that it is very complex, utilizing numerous backend database, proxy servers, distributed application and Web servers, lots of dynamic images, etc.,” said Shawn White, director of external operations at Web site performance tracking firm Keynote. “Even accessing the homepage involves complex multi-step interactions between the Web browser and a number of backend systems within Amazon.” Read more.

Security Lessons From Higher Education
June 5th, 2008

GuestView Columnist David Taylor asks: What would you do if one of your employees decided to leverage your brand and set up a little side business inside your store, including selling products via an E-Commerce Web site, setting up a merchant bank account and taking credit cards? You’d probably fire the person, right? But, what if you couldn’t? And what if groups of employees started their own businesses, leveraging your brand, on your property, but forgot to tell you about it? Chaos would ensue, right?

Well, that is what it’s like for Treasury organizations at major academic institutions, where security and finance professions are faced with managing small “cities” with hundreds of “independently minded” individuals and groups who often see no need to inform “corporate” of their desire to start up a business. There are several critical lessons that can be learned from the experience of securing E-Commerce in higher education. Read more.

Much FACTA Legal Activity This Week, All In Retail’s Favor
May 30th, 2008

For those retailers worrying about the legal threats associated with the Fair and Accurate Credit Transactions Act (FACTA), in particular the rule that says they can’t give a customer a receipt displaying the last few digits of the payment card nor can the receipt show the expiration date, they can rest a lot easier this week. That’s thanks to a ruling on Wednesday from a federal judge and the passage of a bill this week softening the law.

The new proposed law—which passed both the House and Senate this week and is awaiting President Bush’s signature—essentially removes the expiration date requirement of the law. So assuming the president signs it into law, FACTA just got a lot easier to navigate. Read more.

MasterCard To Trial NFC In Canada This Summer
May 29th, 2008

MasterCard Canada this summer will start a 4-month NFC-phone trial, with the backing of some of Canada’s largest retailers, including Loblaw, Petro Canada, Tim Hortons’, Pioneer Petroleum, Rabba Foods, a major NHL arena and McDonalds.

One unusual aspect of the trial is that it will eventually support more than one payment card on each phone, said MasterCard Canada’s Nagesh Devata.

Delays Making Web App Weaknesses Worse
May 28th, 2008

Guest View Columnist David Taylor believes that Web application vulnerabilities make up more than 60 percent of all software vulnerabilities. “They are so well known that the Open Web Application Security Project (OWASP) has published a list of these vulnerabilities. They are so easy to exploit that even the most junior hackers can find lists of popular Web application hacks and use them to break into your Web store.”

PCI’s plan to address these vulnerabilities had been delayed for two years, which has crippled compliance efforts. As the requirement is about to kick in in June, merchants are not thinking so much about PCI, unless their annual PCI compliance review date happens to coincide with the PCI 6.6 effective date. Read more.

The Lesson Never Learned: Blank Server Passwords At TJX
May 25th, 2008

Much has been made recently of TJX firing a store employee who posted public comments about weak security procedures that still exist at the retail chain that was the site of the worst data breach in credit-card history.

The employee has been dubbed a whistleblower and it’s been suggested that TJX was wrong to have terminated the guy. In this case, I have to stand up for TJX: They were completely within their rights to terminate this employee. As for the charges themselves, those are dramatically more troubling. Read more.

PriceChopper Using CRM To Alert Customers To Recalls
May 25th, 2008

A handful of grocery chains—including PriceChopper and Wegmans—have started using CRM data to alert customers to product recalls. It’s an encouraging move to convince consumers that loyalty cards can be used to help them beyond taking 10 cents off a gallon of milk.

The program at PriceChopper—a 116-store grocery chain in New York, Connecticut, Massachusetts, New Hampshire, Pennsylvania and Vermont—is especially interesting as it uses an automatic phone-calling system to instantly and simultaneously reach out to impacted customers. Last month, the system was used to reach out to some 12,000 customers about a recall of Samuel Adams beer due to glass fragments, according to this intriguing report in the Daily Gazette, a daily newspaper from Schenectady, N.Y.

The Self-Checkout Future: Customized, Faster And More Dangerous
May 23rd, 2008

Jane’s contactless loyalty card is detected as the Des Moines attorney approaches the self-checkout. The system knows the counselor’s shopping history and anticipates that the counselor likely has a dozen kiwis in her cart.

So when she places the barcode-less fruit on the scale, the first fruit it displays in its list is kiwi, followed by the four fruits and vegetables that Jane typically buys. Other fruits and vegetables follow alphabetically after Jane’s favorites have been displayed. Given how many fruits Jane buys each time, this shaves a precious 108 seconds off of her checkout. Read more.

GuestView: Most Retailers Are Holding Off Server Virtualization. That’s A Bad Idea
May 21st, 2008

Guestview Columnist David Taylor worries when he sees that more than 75 percent of enterprises are holding off on deploying server virtualization in the cardholder environment until PCI clarifies matters.

But there really is no reason to wait. Why? The proof is in the tracking tools. Whether the 1.2 release of PCI DSS in October 2008 specifically addresses server, network and desktop virtualization is less important than being able to provide proof to your PCI assessor that you can control, manage and track access to card data continuously. Read more.

Checkpoint Chooses Cheesy Chore
May 21st, 2008

The grocery challenge with the theft of moist, fresh products—such as cheese—has frustrated retail loss prevention managers because such products tend to react poorly with EAS tags. Checkpoint and Sealed Air Cryovac announced Wednesday (May 21) one possible way around this issue.

Cryovac has started to integrate anti-theft labels inside the vacuum shrink bags. “The first market request to Sealed Air Cryovac was for two million packs for the protection of Parmigiano Reggiano. In Italy, for instance, Parmigiano Reggiano has a shrink rate of about 9 percent,” said a joint statement. “Initial studies have shown that this RF-EAS source tagging program may cut down inventory shrinkage of dairy products from 9 percent to 1 percent.”

Some British Retailers Secretly Tracking Customers, Using Their Cellphone’s Transmissions
May 20th, 2008

A pair of British shopping centers is experimenting with a creative way to leverage consumer cellphones. The consumers are being surreptitiously tracked by the signals emitted by all mobile devices and a database notes when consumers “enter a shopping centre, what stores they visit, how long they remain there and what route they take as they walked around,” according to a report in The London Times.

A spokesperson for the vendor behind the trials—Path Intelligence, of Portsmouth—said its equipment was just a tool for market research. “There’s absolutely no way we can link the information we gather back to the individual,” a spokesperson said. “There’s nothing personal in the data.” But their system does apparently grab a consumer’s phone’s unique IMEI number, which is found on all GSM and UMTS mobile phones. The carrier would theoretically have the data to match it to personally identifiable data.

Report: RFID Market To Hit $9.7 Billion By 2013
May 20th, 2008

The RFID market has a healthy future, looking at a 15 percent compound annual growth rate over the next five years, hitting $9.7 billion by 2013, according to a report issued Tuesday (May 20) by ABI Research.

These figures highlight an RFID market that is growing “robustly,” said ABI research director Michael Liard, pointing to recent commitments from Wal-Mart’s Sam’s Club and the German retail giant Metro AG as key factors.

Face-Recognition Biometrics To Look For Under-Age Consumers
May 18th, 2008

Some British convenience stores are trialing a facial biometric program to try and improve the accuracy of guessing the age of customers for age-restricted alcohol purchases. The systems “capture facial measurements that will be checked against a database of profiles of known offenders,” according to this story in ComputerWeekly.

The story quotes an exec with a POS firm involved as saying that the capabilities are relatively recent. “Until now, combining the many technologies has been virtually impossible, but we have jointly come up with a way of automatically reviewing moving clips that are constantly changing,” said Charlie Willetts, managing director of Charton, “and they are now able to use this as part of a bespoke facial recognition system.”

Verichip Puts Itself Up For Sale, Parts Ways With CEO
May 17th, 2008

Controversial RFID vendor Verichip on May 15 announced that it is selling much of the company, wants to sell the rest of it and that the company has parted ways with its CEO, Scott Silverman.

Verichip and its onetime parent company, Applied Digital, generated a lot of negative publicity for RFID with its efforts to push implantable RFID chips, including some especially controversial statements that Silverman made about RFID chips being implanted in non-citizen guest workers. The company’s sale of its XMark unit to The Stanley Works for $45 million will remove the vast majority of the company’s revenue. (RFID Update just ran an excellent look at whether such implantable RFID efforts are viable anymore.)

Trick Or Treat? New PCI Version To Be Here By Halloween
May 16th, 2008

By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering “Trick or Treat?”

Robert Russo, general manager of the PCI Council and a man who never met an acronym he didn’t like (when we chatted, he tried turning QA into a verb—and he frighteningly got darn close), is trying to play down the significance of the new version, describing the modifications as “minor changes.” Read more.

Dave & Buster’s Data Breach Indictment: Apps Crash For The Bad Guys, Too
May 16th, 2008

It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster’s restaurant chain. But according to a federal indictment and a U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.

“As a result of a defect in the software program for the packet sniffer, the packet sniffer automatically deactivated whenever the compromised (Dave & Buster’s) POS servers rebooted in the normal course of the operation of the servers,” the indictment said. “Therefore, in order for the packet sniffers to capture data from the compromised D&B POS servers on an ongoing basis, the defendants had to regularly reactivate the packet sniffers.” This group might even have had a hand in the TJX incident. Read more.

Delegation Can Be Good, And A Half-Dozen Other Security Tips
May 15th, 2008

From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to “deputize” internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.

These leaders also tend to be more successful at getting business units and other departments to share the cost of PCI compliance with IT. Read more.

TJX Gets 99.5 Percent Signoff With MasterCard Banks
May 14th, 2008

When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry’s worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing.

No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent, the retailer announced May 14.

Applying Internet Security To RFID
May 14th, 2008

NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.

Applying Internet-level security to RFID is something that has not gone very far, according to this RFID Update story about the anticipated rollout. NeoCatena Networks is developing RF-Wall, an appliance to be installed between RFID readers or controllers and middleware servers, edge servers or host applications in networked RFID systems. The product acts as a firewall that authenticates RFID tags prior to allowing their data to pass into enterprise systems and also scans input to detect and block malware. RF-Wall works by using the unique tag ID to create a digital signature.

FTC To Hold Contactless Hearing In Seattle
May 14th, 2008

Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.”

Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.

Arrests Made In California Debit-Card Skimming Scam
May 12th, 2008

California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain.

The arrests were in connection with the debit-card thefts at California grocery chain Lunardi’s, where police say the pair swapped out part of the card-reader with a skimmer, according to this San Jose Mercury News story. It was unclear whether the data was collected by piggybacking on the store’s network, wirelessly or if thieves retrieved the data by re-swapping the machines later. The Lunardi’s store that was hit is based in Los Gatos. The paper also reported that a nearby Los Gatos Arco gas station suffered a very similar debit-card breach a couple of weeks earlier.

The Data Breach Librarian Actually Gets Paid
May 9th, 2008

The Florida librarian and data breach victim who successfully took Wells Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.

Theodore Karantsalis had filed the lawsuit for several reasons, but one was to prove that consumers would fare far better—faster, easier and more money—in small claims court than as one of many in some class-action litigation. Read more.

The Dangers Of Choosing The Wrong Wireless Approach
May 9th, 2008

London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.

The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.

Opposition To Tokenization A Lot More Than Token
May 9th, 2008

GuestView Columnist David Taylor this week discovered that there’s a lot more than token opposition to tokenization.

One of the concerns is that companies have already spent money on encryption. The most popular reason for not implementing tokenization is that companies have already implemented data encryption and key management systems costing hundreds of thousands of dollars; either they did not feel they needed tokenization on top of that, or they were unwilling to be perceived by upper management as “changing course” by recommending the removal of the very data they had just spent all that money to protect. Read more.

Rite Aid Cuts Deal For Visually Impaired Web, POS Support
May 2nd, 2008

Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually impaired consumers, admittedly under an implied litigation threat from advocacy groups.

The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe’s and Wal-Mart. The most prominent retailer who has fought such efforts is Target, whose legal battle continues. Read more.

Do Retailers Really Maintain A Secure Environment?
May 2nd, 2008

This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. You really should read the details in this story in New York’s Saratogian newspaper, but the essence is that a woman walks up to an ATM at a Hannaford’s grocery store. (Just what Hannaford needs right now. More police-oriented publicity.)

She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves. Turns out that she worked for the ATM company, but the story asks why no one bothered to ask her what she was doing. Indeed, it’s a fine question. How many retailers have strict file access procedures, but would likely let a stranger plug a laptop into equipment without any questions? No, please, don’t answer that question. It’s too depressing to hear.

Number Of 10-Year-Olds On Social Sites Soaring
May 2nd, 2008

Like it or not (place this father defiantly in the “not” category), children are using the Internet’s social network sites at a younger age, with retail marketers hovering close by. How young?

New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll. For 10-12-year-old girls, the figure is 27 percent, more than 2-and-a-half times the prior year’s 11 percent. In the 13-15-year category, boys jump to 46 percent and girls jump to 54 percent. Oddly enough, that 54 percent for 13-to-15-year-old girls actually dropped three percent from 2006.

NRF Group Offers Payment Consistency Guidelines
May 2nd, 2008

With an eye on retailers having to juggle payment systems between many varied environments–far beyond merely online and in-store–a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface, which it has dubbed “the first service-oriented architecture service interface schema and technical specification for the retail industry.”

“By making existing POS transaction functions available as SOA Services, RTI will enable the business logic behind these services to be easily reused for other customer and associate touch-points such as self checkout, fuel at grocery stores, kiosks, shop on the web, store within a store, portable shopper, mobile line buster and other complementary store solutions,” said a statement from the NRF’s Association for Retail Technology Standards (ARTS). Execs with Big Lots and BJ’s Wholesale Club represented retailers in a committee dominated by tech vendors.

Best Buy Using IT To Try And Limit Geek Squad Snooping
May 2nd, 2008

With a privacy invasion trial about to begin, Best Buy’s IT department will be conducting more frequent remote audits of the chain’s Geek Squad tech support department.

“Using powerful mainframes at Best Buy’s headquarters in Richfield, the company now scans several hundred Geek Squad computers each night to see if customer data is stored appropriately,” said a story in the May 1 edition of the Minneapolis Star-Tribune. “Previously, these audits were done only several times a year.” Best Buy is also setting up a system where customer files can only be viewed by their file names, without exposing personal content. In addition, the retailer has now banned the use of thumb drives by its Geek Squad technicians.

Which Do You Want, Buddy? Compliance Or Security?
May 1st, 2008

GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers say they are getting much value from their security investments.

Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins and policies that are not enforced. Fixing this stuff is not expensive, but it’s not fun either. Read more.

Cash Usage Rising Sharply In Britain
April 29th, 2008

British retailers are seeing a resurgence in cash purchases, mostly due to a weak economy and consumers who are “nervous about borrowing or spending on debit cards,” according to a new report from the British Retail Consortium (BRC).

The British retail group used the opportunity to beat up banks and card brands for overly high interchange fees. (Then again, retail lobbying groups need no special occasion to make such points, as they often volunteer them when asked about the weather.) But the question remains whether the consumer reactions that are pushing cash usage in the U.K. are likely to be replicated in other parts of the world. Read more.

Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
April 25th, 2008

Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars “but not tens of millions.”

Homa called a news conference to detail some of those planned security improvements, including Triple DES PIN encryption (“customer card information is now encrypted from the PINpad at the store register and remains encrypted while it’s in our own internal network”), host and network intrusion prevention systems (“to proactively prevent malware from being installed in our systems”) and better payment segmentation. Read more.

Wal-Mart Makes RFID Privacy Promises To Arkansas State Legislators
April 25th, 2008

Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam’s Clubs by 2010, according to this BusinessWeek story.

After checkout, customers would have the option of removing the labels containing the tags, Wal-Mart told the state legislators. “If a manufacturer installed the tag inside a container, workers would be able to deactivate it before a customer leaves the store,” the story said.