FTC Wags Finger At Site For Weak Consumer Data Security
Written by Evan Schuman
January 18, 2008
The Federal Trade Commission on Thursday cracked down—albeit mildly—on an E-Commerce site that the government said had made security claims that were "deceptive and violated federal law."

The site—www.lifeisgood.com—collected a wide range of information from its consumer customers, including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes. It also put a statement on its site that said, "All information is kept in a secure file and is used to tailor our communications with you."

The government said the promise was misleading. "Contrary to these claims, the FTC alleges that Life is good failed to provide reasonable and appropriate security for the sensitive consumer information stored on its computer network," the FTC said in a statement.

The FTC said the site "unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network and by storing credit card security codes." The site also "failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks," the government organization said.

Much of this, though, would have likely gone on undetected had it not been for a cyber thief launching a successful SQL injection attack on the site, grabbing lots of that consumer data.
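As an added illustration of the "simple, free" defenses the FTC describes, here is example code written for this page (not Life is good's code or anything the FTC published): the customer lookup built by string concatenation beside its parameterized form, and an order record that keeps only the last four digits plus a stand-in token, never the full card number or the security code. The table layout, the sample customers and the HMAC token key are constructed assumptions; a real deployment would store the token returned by its payment processor.

```python
import hashlib
import hmac
import sqlite3

# Constructed stand-in for a secret that would live in a vault or HSM in practice.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample customers using well-known test card numbers.
SAMPLE_CUSTOMERS = [
    ("alice@example.com", "Alice Example", "4111111111111111", "123"),
    ("bob@example.com", "Bob Example", "5555555555554444", "456"),
]


def open_db():
    """Create an in-memory orders table holding only what is needed after authorization."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (email TEXT, name TEXT, pan_last4 TEXT, card_token TEXT)"
    )
    return conn


def card_token(pan):
    """Stand-in for a gateway-issued token: a keyed hash of the PAN (assumption for this demo)."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def store_order(conn, email, name, pan, security_code):
    """Persist an order without the full PAN or the security code.

    The security code is needed only for the authorization call and is never written.
    """
    del security_code  # consumed at authorization time; must never reach storage
    conn.execute(
        "INSERT INTO orders VALUES (?, ?, ?, ?)",
        (email, name, pan[-4:], card_token(pan)),
    )
    conn.commit()


def lookup_unsafe(conn, email):
    """The flaw: the email is spliced into the SQL text, so its content can alter the query."""
    sql = "SELECT email, pan_last4 FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The free fix: a bound parameter is always treated as data, never as SQL."""
    sql = "SELECT email, pan_last4 FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def stored_values(conn):
    """Every value written to the table: what a copy of the database would actually expose."""
    rows = conn.execute("SELECT * FROM orders").fetchall()
    return [str(v) for row in rows for v in row]


def demo():
    """Return (rows from unsafe lookup, rows from safe lookup, PAN stored?, CVV stored?)."""
    conn = open_db()
    for email, name, pan, cvv in SAMPLE_CUSTOMERS:
        store_order(conn, email, name, pan, cvv)
    # Crafted input: closes the quoted literal so the WHERE clause becomes always true.
    crafted = "nobody@example.com' OR 'a'='a"
    unsafe_rows = lookup_unsafe(conn, crafted)  # every customer's row comes back
    safe_rows = lookup_safe(conn, crafted)      # nothing: no customer has that email
    exposed = stored_values(conn)
    leaked_pan = any(pan in exposed for _, _, pan, _ in SAMPLE_CUSTOMERS)
    leaked_cvv = any(cvv in exposed for _, _, _, cvv in SAMPLE_CUSTOMERS)
    return len(unsafe_rows), len(safe_rows), leaked_pan, leaked_cvv


if __name__ == "__main__":
    print(demo())  # (2, 0, False, False)
```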

The government's punishment was that the site has to pay for a third-party independent security audit every other year for 20 years.

The settlement—approved by the FTC 5-0—"also contains bookkeeping and record keeping provisions to allow the agency to monitor compliance with its order," the FTC said.

The problem with the FTC's proposed settlement is that there is no substantial punishment element to it. The settlement simply lists some of the things every site should be doing anyway. According to the particulars made in this statement, LifeIsGood.com is suffering no pain because it was caught.

For example, consider this every-other-year audit requirement. Because the site accepts credit cards, the site should already be subject to PCI compliance. PCI rules would have the site undergoing a security compliance assessment once a year already. If the site wants to be PCI compliant, then, the FTC requirement would be irrelevant.

Technically, we are talking about two very different kinds of probes. The PCI probe is an assessment, which is typically more of a questionnaire-driven process, while the FTC probe would be an SAS 70 Type II probe, which is a true audit.

As a practical matter, though, the differences aren't necessarily that pronounced. There is a huge variation in how different assessors handle PCI reviews, and some are almost as demanding as a full SAS 70 Type II audit. If the assessor, the bank and the credit card brand agree, they can pretty much make a PCI compliance hurdle as high as they want.

This is especially true given the fact that any discovered breach such as this will trigger a PCI rule that will subject any sized retailer—even a Level 4—to the most stringent demands of a Level 1 assessment.

PCI compliance consultant David Mertz, of Compliance Security Partners LLC, argues that the FTC fine is indeed a huge punishment because of the much higher fees that third-party assessors and auditors will charge for it, dollars that he estimated at between $10,000 and $25,000 for a PCI third-party assessment and between $75,000 and $250,000 for an FTC-level audit.

Another PCI compliance consultant, Dave Taylor, who is also president of the PCI Vendor Alliance, sees it differently. "The reason is due to probability, not severity of the audit," Taylor said. "FTC enforcement actions are rare. BJ Wholesale, etc. The sins of the merchant have to be pretty blatant and someone has to complain to the feds to get the ball rolling. So, few merchants do thing specifically to avoid FTC actions. PCI remains much more certain as an annual event driven by an ongoing relationship with the merchant bank."

Getting back to the FTC order, its other provisions are even more common sense than punitive.

  • "The settlement bars Life is good from making deceptive claims about its privacy and security policies." And this somehow doesn't apply to every other site out there, ones that have not been caught doing anything wrong?
  • "It requires the company to establish and maintain a comprehensive security program reasonably designed to protect the security, confidentiality, and integrity of personal information it collects from consumers." 'Nuff said. This is a punishment?
  • "The program must contain administrative, technical, and physical safeguards appropriate to Life is good's size, the nature of its activities, and the sensitivity of the personal information it collects." *sigh*
  • LifeIsGood must "Designate an employee or employees to coordinate the information security program. Identify internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place." Not quite 25 years of hard labor, is it?
  • "Design and implement safeguards to control the risks identified in the risk assessment and monitor their effectiveness."
  • "Develop reasonable steps to select and oversee service providers that handle the personal information of Life is good customers."
  • "Evaluate and adjust its information-security program to reflect the results of monitoring, any material changes to the company's operations, or other circumstances that may impact the effectiveness of its security program."

I have no problem with this nice guideline of what every site should be doing. But to label it a punishment and to trumpet it as such suggests that the government must think e-tailers are a stunningly gullible bunch.

Evan Schuman is the former retail technology editor for eWEEK.com, PCMagazine, CIOInsight and retail reporter for RISNews and Consumer Goods Technology. Having covered IT issues for 21 years - and other stuff like legal affairs, politics, Wall Street and the environment for about eight years before that - Schuman is in a good position to gripe about technology trends and sometimes accidentally make a good point.