Payment Security Web Portal Brought to You by VeriFone
News

July 2008

  • Former Hannaford CIO: Avoid Microsoft and Change PCI's Encryption Rules - www.StoreFrontBackTalk.com - 07/11/08 - "Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft's OS to be 'so full of holes' and describes the fact that current PCI regs do not require end-to-end encryption as 'astonishing.'"
  • HED: Tighten Your Perimeter - Chain Store Age - 07/11/08 - "It’s back-to-school season – the retail industry’s official kickoff to peak-season shopping frenzies. This year, more than any other in recent history, retailers are depending on vital fourth-quarter sales and there is no margin for error in retail operations."
  • VISA Report: Merchant Compliance Up - www.VISA.com - 07/10/08 - "The percentage of merchants who are in compliance with the Payment Card Industry Data Security Standard (PCI DSS) increased in the first quarter of this year, Visa says."
  • ATM PIN theft – CNN Report - www.CNN.com - 07/10/08 - "How safe is your ATM PIN when you use a machine you don't normally use? CNN's Deborah Feyerick reports."
  • MasterCard Worldwide Expands PCI Merchant Education Program - PR Newswire - 07/09/08 - "MasterCard Worldwide today announced the availability of three new seminars designed to help merchants protect payment card data and reduce the likelihood of reputational risk and the incidence of fraud."
  • Identity Thieves Skim Credit Info at Gas Pumps - The Philadelphia Inquirer - 07/09/08 - "Thought you were getting robbed by the high price of gas? A type of identity theft can siphon your funds even faster, if you pay at the pump."
  • Sweetbay Credit Card Hackers Still Pump Out Profit - www.TampaBay.com - 07/08/08 - "Five men driving pickup trucks were arrested while swiping diesel from the gas station at a Gibsonton Wal-Mart Supercenter last month."
  • 7-Eleven Responds to Citibank Hacker Case - www.CSNews.com - 07/08/08 - "Hackers successfully accessed Citibank's network of ATMs inside 7-Eleven stores, stealing millions of dollars and personal information from unsuspecting customers, CSNews Online reported yesterday. It is estimated the breach began in October of last year. To date, it is unclear how many of Citibank's approximately 5,700 branded ATMs in 7-Eleven stores were impacted."
  • 7-Eleven's Citibank ATMs Hacked - www.CSNews.com - 07/07/08 - "In what amounts to millions of dollars, hackers successfully accessed Citibank's network of ATMs inside 7-Eleven stores stealing both money and funds, a recent court filing stated."
  • Citibank Debit Card Fraud Highlights ATM Vulnerabilities - Computerworld - 07/07/08 - "Malicious ATM intrusions, such as the late-winter breach that resulted in the compromise of Citibank debit card data, are not at all surprising given the vulnerable state of many of the servers and other components involved in processing such transactions, according to some industry representatives."
  • Digital Thieves Steal Millions From Citibank Customers - www.SecureComputing.net.au - 07/02/08 - "The team, who were arrested by the FBI in March, managed to hack into an ATM transaction processing firm and collect the PIN numbers from cards used in 7-11 stores. The machines were branded as Citibank’s, but were built and maintained by the 7-11 chain."
  • Security Analysis: The Case For Disclosing Breach Data - InformationWeek - 07/02/08 - "Read this chapter from The New School Of Information Security before your company gets hacked, and learn why covering up a data breach is a bad short-term strategy and a risky long-term one."
  • Google Search Identifies Citibank PIN Number Thief - InformationWeek - 07/02/08 - "FBI agents were able to cross-link surveillance video with ICQ info to arrest a man in a dark baseball cap emblazoned with the words "Top Gun" and a star and wings symbol."
  • Raw Data-Breach Numbers Rise, But the Real Picture Is Fuzzy - Digital Transactions - 07/02/08 - "Data breaches are running at record levels, according to the San Diego-based Identity Theft Resource Center, a non-profit that tracks cybercrime. ITRC says it recorded 342 data breaches from Jan. 1 through June 24, up 69% from the same period in 2007. But, as with the origins and perpetrators of so many individual data breaches, mystery lies behind the aggregated numbers."
  • Personal Fraud And Scams Cost Australians $1 Billion - www.SecureComputing.net.au - 07/01/08 - "A recent report by the Australian Bureau of Statistics revealed that over five per cent of Australians, aged 15 and over, were victims of personal fraud in 2007. The total cost of personal fraud and scams for the same period was nearly $1 billion."
  • US Dept. of Justice Investigation Results in Visa Debit Rule Change - www.PaymentsNews.com - 07/01/08 - "The US Department of Justice (DOJ) has announced that, as the result of a DOJ antitrust investigation, 'Visa Inc. has rescinded a rule that required merchants to treat Visa-branded debit cards differently when used as a PIN-debit card (and processed via non-Visa networks) from the same cards when used as signature debit cards and processed on the Visa network.'"
  • Citibank ATM Breach Reveals PIN Security Problems - Associated Press - 07/01/08 - "Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record."

June 2008

  • Chittenden Reissues Thousands of Debit Cards - www.WCAX.com - 06/30/08 - "The security breach at Hannaford supermarkets a few months ago continues to have a ripple effect here. The Chittenden Bank is now reissuing about 15,000 MasterCard ATM and Debit Cards after recent reports showed fraudulent activity on some cards. Many banks immediately sent out new cards to customers when Hannaford announced that security had been breached."
  • Hannaford Data Breach Fallout Continues - www.SeacoastOnline.com - 06/30/08 - "The fall out from the Hannaford data breach that began last year continues. Approximately 7,000 individuals who have Ocean National Bank ATM/Debit Cards are having them replaced because there has been recent illegal activity on them reported."
  • PCI Security Standards Council Strengthens Payment Card Data Security by Adding Additional Payment Devices to Existing Standards - www.PCISecurityStandards.org - 06/30/08 - "The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announces the addition of two new payment industry device types to the PED program to strengthen cardholder data security."
  • Gartner Group Says Unattended Payment Terminals Are Vulnerable to Data-Security Attacks - Gartner Group - 06/30/08 - "Gartner Group analyst Avivah Litan says unattended payment terminals, particularly older models, are vulnerable to data-security attacks. "A lot of gas pump [terminals] are using very old technology that's subject to PIN attacks," Litan tells CardLine, referring to methods thieves use to capture cardholder PINs from PIN-entry devices."
  • 88% Of UK Businesses Are Still Not Compliant With PCI DSS – Study - ePayments News Network - 06/30/08 - "Study shows that 88 percent of UK businesses have not succeeded in complying with the Payment Card Industry Data Security Standard (PCI DSS) yet, despite the fact that compliance became mandatory in 2006. The majority of the respondents claim they have not established any fixed deadline in regard to meeting the standard, while 54 percent cannot say when they will achieve full compliance."
  • Valve Hacker Caught by Dutch Police - www.ShackNews.com - 06/29/08 - "A man who hacked into a third party Valve file server and stole the credit card numbers of Steam Cyber Cafe users was caught by police in the Dutch town of Maastricht this Tuesday."
  • Hackers Steal Credit Card Info From Millions – Restaurant Company Suspected - www.WCTV.tv - 06/27/08 - "Many credit union members have become victims of a nationwide theft. Al Hammock, the Senior Vice President for Envision Credit Union says they are just one of many credit unions that had members' cards compromised."
  • Montgomery Wards Didn't Tell Consumers About Credit Card Hack - Associated Press - 06/27/08 - "NEW YORK (AP) — An old name in retail was hit by a modern scourge — a hack of its customers' credit card numbers — but didn't inform the consumers, revealing how data breaches might be heavily undercounted even with new notification laws."
  • Federal Appellate Panel Back Circuit City In Gift Card Patent Case - www.StoreFrontBacktalk.com - 06/27/08 - "A federal appellate court backed a group of retailers Monday (June 23)--including Best Buy, Circuit City, Costco and Lowe's—by ruling that their gift card systems do not violate any patents."
  • Web Firewalls Trumping Other Options As PCI Deadline Nears - Computerworld - 06/27/08 - "Companies scrambling to comply with a Web application security requirement due to take effect next week appear to be heavily favoring the use of Web firewall technologies over the other options that are available under the mandate, according to analysts."
  • Visa to Help Ease Pain at the Pump - www.VISA.com - 06/26/08 - "Visa Inc. (NYSE: V) today announced that it is implementing processing and rate changes that will result in benefits for American consumers and fuel merchants frustrated by rising prices at the pump. Visa's new processing approach for fuel transactions will enable consumers to buy gas more easily and allow motorists and station owners to better avoid the risks and inconveniences associated with pump limits and holds on funds."
  • PCI Compliance: Who's Re-Minding the Store? - www.StoreFrontBacktalk.com - 06/26/08 - "Internal audit is not staffed to enforce PCI at the store level. Except for about a dozen leading retailers, most retailers do not have enough IT-skilled internal auditors to meet the requirement for a "continuous" review of store-level IT security."
  • Hacking the Call Center - www.DarkReading.com - 06/26/08 - "Hold the phone: Your call center handles sensitive data, too. The contact center mostly has been forgotten as a potential point of breach -- even though customer service representatives take credit card numbers and outsourced help desk workers have access to your databases."
  • Google, Microsoft Lead Efforts To Spur Digital Identities - www.SecureComputing.net.au - 06/25/08 - "Google and Microsoft are among an extensive set of technology vendors aiming to spur the adoption of digital identity cards. The two Internet giants have helped form the Information Card Foundation (ICF), which aims to develop technologies to secure digital identities on the Internet and which was launched today."
  • Don’t Be at Risk: Discover What Every C-store Owner Needs To Know About PCI Standards - Convenience Store News - 06/25/08 - "One of the biggest issues impacting c-store retailers who accept credit and debit cards is mandatory compliance with Payment Card Industry Data Security Standards (PCI DSS)."
  • Merchants Call Credit Card Industry's Bluff On Compliance (Europe) - www.TheRegister.co.uk - 06/24/08 - "Nine in ten (88 per cent) European firms have failed to achieve compliance with a credit card industry standard for processing ecommerce transactions. European merchants are behind their US counterparts in getting up to speed with the Payment Card Industry's Data Security Standard (PCI DSS), according to a survey by management tools firm NetIQ."
  • Finance Companies Slap Fines On Retail (Australia) - www.AustralianIT.news.com.au - 06/24/08 - "CREDIT card companies have begun fining local retailers who do not comply with the Payment Card Industry's data security standard, an industry expert says. Howard Glavin, manager of IBM/ISS's PCI service delivery, said fines for non-compliance in Australia had started at $5000 per company, per month, with a $75,000 monthly fine levelled against one merchant."
  • PCI Standard 'Ignores' Insider Threat - www.VNUNet.com - 06/23/08 - "New measures implemented in section 6.6 of the Payment Card Industry (PCI) standard, which come into force on 30 June, do nothing to address the threat of insiders, according to a database security firm."
  • Data Breach At Tampa Bay Area Bank - www.MyFoxTampaBay.com - 06/23/08 - "TAMPA - Customers of one Bay Area bank should check their bank statements and apply for a new debit card after a data breach last week. Bank Atlantic confirms they had a data loss, involving their MasterCard debit cards."
  • Credit/Debit Card Fraud: New Trends, Incidents - www.BankInfoSecurity.com - 06/23/08 - "Credit and debit card fraud: It's the threat that keeps growing and evolving. A year ago, many banks and credit unions were forced to cancel and reissue thousands of cards as a result of the TJX breach. More recently, banks located in Indiana saw accounts breached from ATM or debit card transactions."
  • PCI Compliance Continued to Grow in 2007 - www.PCISecurityStandards.org - 06/22/08 - "Visa Inc. announced today that as of the end of 2007, more than three-fourths of the largest U.S. merchants and nearly two-thirds of medium-sized merchants have now validated their compliance with the Payment Card Industry Data Security Standard (PCI DSS). Merchants in these two categories account for approximately two-thirds of Visa's U.S. transaction volume."
  • As Debit Interchange Goes Up, Signature Leads The Way - ETA Currents - 06/20/08 - "Increasing debit card interchange rates are boosting issuers' revenues, but a recent Oliver Wyman Group study found that many industry players are not accurately tracking the fees. The average gross signature-debit interchange revenue per transaction totals about 57 cents and the average network fee amounts to roughly 6 cents, which results in an average net gain of 51 cents per transaction, the study estimates."
  • Re-Thinking Payment Gateways - www.StoreFrontBacktalk.com - 06/19/08 - "A surprisingly large number of major retailers today are using inhouse or outsourced payment gateways to reduce the scope of their compliance effort as well as their costs. At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what's changed?"
  • Senate Housing Bill Requires eBay, Amazon, Google, and All Credit Card Companies to Report Transactions to the Government - www.FreedomWorks.org - 06/19/08 - "Hidden deep in Senator Christopher Dodd's 630-page Senate housing legislation is a sweeping provision that affects the privacy and operation of nearly all of America’s small businesses. The provision, which was added by the bill's managers without debate this week, would require the nation's payment systems to track, aggregate, and report information on nearly every electronic transaction to the federal government."
  • Rules Changing For Merchants Handling Credit Card Data - www.CreditCards.com - 06/19/08 - "Ever wonder what happens to your credit card data after you swipe that plastic in a store or enter it online? Today's answer: It depends. An ongoing industry-wide effort is slowly standardizing data-handling processes to keep consumers' personal information as safe as possible, but it's a largely invisible struggle."
  • What HIPAA can learn from PCI - www.SCMagazineUS.com - 06/18/08 - "It is important to understand that HIPAA is about the portability and accountability of patient data, not the privacy or protection of data. However, it is safe to ask that within HIPAA accountability is there not some implication of protection? Who's responsible for ensuring that medical records are only accessed by those providing care? More importantly: is that responsible party capable of providing adequate protection? Quite frequently, the answer is no."
  • Data Thieves Get Focused (But Buyers Get Sloppy) - Computerworld - 06/18/08 - "Increasingly, thieves are after more-specialized information such as health care data, single sign-on credentials for remote log-in to corporate networks and FTP account data, according to a new report from security vendor Finjan Inc."
  • PCI SECURITY STANDARDS COUNCIL ANNOUNCES ANNUAL COMMUNITY MEETINGS - www.PCISecurityStandards.org - 06/18/08 - "Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announces the dates and locations of its Community Meetings for its participating organizations. This year, the Council will host two events, one in North America and one in Europe, ensuring broad global discussion of the PCI security standards among stakeholders."
  • Citibank Hack Blamed for Alleged ATM Crime Spree - blog.wired.com - 06/18/08 - "A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors."
  • More State Data Breach Activity - ETA Currents - 06/12/08 - "At the state level, a new data breach notice bill was introduced in the Alabama legislature called the Legislature back for a special session. The new measure comes after five notice bills died when the Legislature ended its regular session. Alabama is one of only seven states without a data security breach law."
  • NRF’s Organized Retail Crime Survey - www.NRF.com - 06/12/08 - "NRF’s Organized Retail Crime survey is distributed each spring to senior loss prevention executives nationwide. This year, 114 executives responded, representing all segments of retail, including drug store, supermarket, mass merchant, home improvement, apparel, department, and specialty stores. The 2008 Organized Retail Crime Survey is NRF's fourth annual survey."
  • A Look At Data Breaches - And How To Prevent Them - Verizon Business - 06/12/08 - "Verizon Business has announced a comprehensive report on data breaches concluding that "nearly nine in 10 corporate data breaches could have been prevented had reasonable security measures been in place." The study also provides key recommendations to help businesses protect themselves and urges them to be proactive."
  • PCI Council to Launch Assessor Quality Assurance Program - www.SearchSecurity.com - 06/11/08 - "A quality assurance program for PCI assessors is slated to be rolled out in September by the PCI Security Standards Council (PCI SSC). The council maintains the PCI standards and oversees training and certification of Approved Scanning Vendors (ASVs) and Qualified Security Assessors (QVAs)."
  • NRF Survey Shows Organized Retail Crime Activity Is Growing! - www.bloggernews.net - 06/11/08 - "According to FBI estimates, Organized Retail Crime (ORC) is a $30 billion a year business. The National Retail Federation’s 2008 Organized Crime Survey shows another alarming trend, which is that the amount of e-fencing to sell stolen merchandise on auction sites like eBay and Craigslist has grown 6 percent."
  • Hannaford Breach Lawsuits Assigned To Judge - Bangor Daily News - 06/10/08 - "The federal lawsuits filed around the country over the security breach of Hannaford Bros. Co’s computer network have been consolidated and assigned to the District of Maine and U.S District Judge D. Brock Hornby."
  • Yes, Contactless Payments Are Safe - www.RFIDJournal.com - 06/10/08 - "Reuters ran an article a few weeks ago entitled "Mobile phone payments 'pose huge fraud risk'." The story quoted Greg Day, an analyst at security specialist McAfee, as saying near-field communications (NFC) used for phone payments represent an opportunity for sophisticated criminals to steal a lot of money."
  • Report: Data Breach Disclosure Laws Don't Slow Down Identity Theft - www.ConsumerAffairs.com - 06/08/08 - "In the wake of the many high-profile data breaches, lost laptops, and other exposures of personal information, the conventional wisdom has been to pass laws governing how data is controlled, including an emphasis on security and notifying affected individuals that their data has been compromised."
  • Company Tries To Prevent Identity Theft - www.SCNow.com - 06/07/08 - "Identity theft occurs every 10 seconds in the United States. But in South Carolina, some measurable strides have been made with the Financial Identity Fraud and Identity Theft Protection Act signed into law April 2."
  • Payment Systems Fraud Is Not the Same as Data Security! - www.Glenbrook.com - 06/07/08 - "I've just returned from the Chicago Federal Reserve Banks' 2008 Payments Conference where this year's topic was Payments Fraud: Perception versus Reality. The conference had good presentations on fraud perspectives in payments ranging from check processing to PayPal, mobile commerce, and contactless card technology."
  • Security Breach Prompts Bank to Replace ATM Cards - www.InsideINdianaBusiness.com - 06/05/08 - "Indiana-based 1st Source Bank is replacing all ATM cards for account holders after an unknown amount of related information was exposed. The Fort Wayne Journal Gazette reports cyber-thieves accessed the data. An official tells the paper the bank has not received any reports of other suspicious activity."
  • Security Not A Driver For PIN Enabled Credit Cards In Australia - www.SecureComputing.net - 06/05/08 - "Opting to use a PIN number for credit card transactions over a signature won’t necessarily improve security nor minimise fraud rates, according to the PEN or PIN project manager."
  • Defending Against The Modern Cyber Criminal - www.NCCMembership.co.uk - 06/05/08 - "When you look at the evolution of cyber crime, it is clear that day-by-day, businesses and consumers are facing even more serious threats to their security. Phreaking, hacking, viruses, worms and identity theft. What's next asks Jim Doherty."
  • PCI Compliance: Learning From The U.S. Air Force - www.SCMagazineUS.com - 06/04/08 - "In the spring of 2005, someone broke into a web application for the Assignment Management System of the United States Air Force, and stole 33,000 records. As data breaches go -- judged by numbers alone -- this is a drop in the bucket. But judging by extent of loss, the breach was expansive. The hackers stole the names, career information, birth dates, social security numbers, marital status, number of children and academic records of 33,000 Air Force Officers. Three years later, no one knows where the data went."
  • Deconstructing PCI 6.6 - www.SCMagazineUS.com - 06/04/08 - "Organizations handling credit cards feel pressure building as the deadline for PCI Requirement 6.6 compliance, June 30, 2008, approaches. Most are still evaluating how to strategically ensure compliance with this requirement, while maintaining a strong security posture."
  • OSU Bookstore Investigating Possible ID Theft - www.DHOnline.com - 06/02/08 - "The Oregon State Police is investigating the theft of personal information from as many as 4,700 online customers of the OSU Bookstore who used credit cards to purchase items."
  • Beware: Credit Card Fraud Rates Increasing (Australia) - www.SecureComputing.net - 06/02/08 - "Credit and charge card fraud rates increased in 2007, as more dollars were lost to fraudulent overseas online merchants, according to the Australian Payments Clearing Association (APCA)."

May 2008

  • 1st Source Bank Reports Security Breach - www.WSBT.com - 05/31/08 - "1st Source Bank is sending out letters reminding their customers to check their recent bank account activity. The bank says someone hacked into a computer containing debit card information earlier this month."
  • A Look Into The Dark Underbelly Of Data Breaches - www.NetworkWorld.com - 05/30/08 - "The process by which large volumes of data are stolen, resold, and ultimately used by criminals to commit fraud, has evolved from the sale of a few pieces of sensitive information, such as credit card numbers and expiration dates, to full blown identity packages containing multiple types of sensitive personal information."
  • Arco Debit-Card Scams In San Jose, Los Altos Linked To Statewide Ring - Mercury News - 05/29/08 - "A group of high-tech thieves who police believe stole bank card information from consumers at gas stations in South San Jose and Los Altos are likely the same group that has been targeting Arco stations statewide, the Mercury News has learned."
  • Visa Extends Fraud-Recovery Process to PIN-Debit Transactions - Digital Transactions - 05/28/08 - "Visa Inc. is extending to PIN debit cards a process for reporting and recovering fraud losses from data breaches. In effect for credit cards and the Visa check cards since October 2006, the process, dubbed Account Data Compromise Recovery, will apply to Visa’s Interlink point-of-sale debit and Plus ATM networks beginning Nov. 1."
  • TJX Employee Fired For Exposing Shoddy Security Practices - www.TheRegister.co.uk - 05/23/08 - "TJX Companies, the mammoth US retailer whose substandard security led to the world's biggest credit card heist, has fired an employee after he left posts in an online forum that made disturbing claims about security practices at the store where he worked."
  • Most Retailer Breaches Are Not Disclosed, Gartner Says - www.PCWorld.com - 05/23/08 - "While nearly half of U.S. retailers have been hit with some kind of information security attack, only a small percentage of them have actually reported breaches to their customers, research company Gartner reports."
  • Debit Card Skimmer Awaits Prison Term - Calgary Herald - 05/23/08 - "A man who made debit card skimming devices in his Calgary apartment for export around the world is facing prison. The Crown and defence agreed Thursday during sentencing arguments that Nicholas Wayne Joehle should spend time behind bars."
  • The 'Security Standards Dilemma': Network Segmentation And PCI Compliance - www.SearchSecurity.com - 05/20/08 - "While the exact details of the Hannaford Bros. data security breach may always be called into question, we do know that criminal hackers accessed as many as 4.2 million credit and debit card numbers by installing malware on the servers of more than 270 of the company's stores."
  • Senate Passes Credit and Debit Card Receipt Clarification Act - www.NACSOnline.com - 05/20/08 - "After last week’s vote in the House of Representatives, the Senate followed suit last night by also passing H.R. 4008 by unanimous consent."
  • New Attack Trend Pushes POS Encryption To The Fore - Computerworld - 05/20/08 - "The relatively scant attention that retailers have paid to securing their point-of-sale systems over the past few years is making the POS setups increasingly attractive targets for cybercrooks who are looking to steal payment card data."
  • International Cybercrime Ring Busted - InformationWeek - 05/19/08 - "On Monday, the U.S. Department of Justice charged 38 individuals in the United States and Romania with ties to organized crime in two separate indictments involving computer and credit card fraud."
  • Visa's Operating Regulations Now Available Online - www.NACSonline.com - 05/15/08 - "As announced last week, today Visa Inc. has made available its various regional Operating Regulations on its corporate web site - except for Visa Europe which remains a separate entity."
  • House Passes Credit and Debit Card Receipt Clarification Act - www.NACSonline.com - 05/15/08 - "Tuesday, the House of Representatives unanimously passed the Credit and Debit Card Receipt Clarification Act (H.R. 4008), which would help to clarify the requirements of what retailers print on credit and debit card receipts and remove the threat of frivolous litigation surrounding the issue of the expiration date on the receipts."
  • PCI Compliance Costs $2B - www.PaymentNews.com - 05/14/08 - "A few weeks ago, as part of an article about Hannaford's recent card data breach, I blogged about my 'guestimate' of the cost of PCI compliance across the industry. I said: "Seems like somewhere between US$100 million and US$1 billion?" and asked for reactions. No one reacted - so maybe everyone agreed with my estimate?"
  • Few Expected To Make PCI Deadline For Web App Security - Computerworld - 05/14/08 - "Retailers covered by the Payment Card Industry data security standard (PCI-DSS) have just about a month and a half left to comply with new requirements for protecting Web applications. But as with previous PCI-related deadlines, this one appears destined to pass with a majority of merchants unlikely to be in full compliance."
  • Guide To Passing PCI's Five Toughest Requirements - www.SearchSecurity.com - 05/14/08 - "If you fail PCI requirement #3 - protect stored data - you're just like 79 percent of failed assessments. It's time to break away from the pack. PCI requirements are tough but if you take the right steps, you can pass not only the five most challenging requirements, but all 12 of them."
  • PCI SECURITY STANDARDS COUNCIL TO RELEASE VERSION 1.2 OF THE PCI DATA SECURITY STANDARD IN OCTOBER 2008 - www.PCISecurityStandards.org - 05/14/08 - "Council to evolve PCI DSS with enhanced clarity on technical requirements, improved flexibility and greater management of evolving risks and threats"
  • Time To Abandon Credit Cards And Go Back To Cash? - www.NetworkWorld.com - 05/14/08 - "We often poke fun at those that still swear by cash and cheques, but with all the data breaches going on, will they have the last laugh?"
  • Ukrainian Indicted On Charges Of Data Theft - Boston Globe - 05/14/08 - "A Ukrainian man tied to the theft of credit-card data from Framingham retailer TJX Cos. has been indicted in connection with a separate theft of payment information involving a national restaurant chain."
  • Hackers Indicted for Stealing Credit and Debit Card Numbers From National Restaurant Chain - PR Newswire - 05/12/08 - "Three defendants have been charged in a federal grand jury indictment and complaint with illegally accessing the computer systems of a national restaurant chain and stealing credit and debit card numbers from that system, Assistant Attorney General Alice S. Fisher of the Criminal Division and U.S. Attorney for the Eastern District of New York Benton J. Campbell announced today."
  • Opinion: Battling Information-Security Stockholm Syndrome - Computerworld - 05/12/08 - "Corporate America has been battered by ineffective information security for a long time, with untold billions of dollars in collective losses through the years. Sites that tracked defaced Web pages stopped listing them when they become too numerous to enumerate. Similarly, data breaches are now so common that even large breaches barely make the news."
  • Opposition To Tokenization A Lot More Than Token - www.StoreFrontBacktalk.com - 05/09/08 - "There's more than token opposition to tokenization. That's arguably one of the top conclusions to come out of 100 hours of interviews with merchants, banks, PCI assessors and card processors for the PCI Knowledge Base."
  • Two Men Linked To Lunardi's Identity Theft Arrested In So. Cal, Make Bail - Mercury News - 05/09/08 - "Police say two men arrested Thursday in Southern California are connected to last month's massive identity theft scam at the Lunardi's Supermarket in Los Gatos."
  • Cybercriminals Kill For Rewards - www.SecureComputing.net.au - 05/09/08 - "The cybercriminal's stable diet of trojans and botnets is taking a back seat in the multi-million dollar cybercrime industry as blackmail, extortion, terrorism and even murder become prominent in the organised crime syndicates of the digital age."
  • Card-Skimming Scam Busted - www.EdmontonSun.com - 05/07/08 - "Cops are crediting a concerned citizen and his 'Spidey sense' for helping crack a local cell of debit- and credit-card fraudsters."
  • 'Crime Server' Found with Thousands of Bank Customer Records - www.BankInfoSecurity.com - 05/07/08 - "More than 5,000 customer records from 40 international financial institutions were discovered last month on a computer server in Malaysia."
  • The Tangled Web Of PCI Compliance - www.SecurityInfoWatch.com - 05/06/08 - "Fear and loathing will dominate when Best Practice 6.6 of the PCI Data Security Standard becomes a requirement June 30. The regulation requires that merchants dealing with debit and credit cards tighten up their security by both conducting application code reviews and installing Web application firewalls."
  • More on Pen or PIN on Credit Cards in Australia - www.PaymentNews.com - 05/06/08 - "We mentioned the Pen or PIN program in Australia earlier today. The Pen or PIN website includes several resources explaining what's happening including a general backgrounder, one for retailers, another for cardholders, and an FAQ for media."
  • NACHA's Secure Vault Payments Goes Live with First Merchant - www.PaymentNews.com - 05/06/08 - "NACHA has announced that Secure Vault Payments is now a live alternative payment option. The ACH-based Internet payments network allows consumers to conduct e-commerce and bill payment transactions without sharing personal account information."
  • PIN Pad Stolen from Store in Guelph Canada - www.GuelphNow.ca - 05/06/08 - "On April 22nd at approximately 9:00 pm, Guelph Police were called to a sports store in the Stone Road Mall (love that mall…) after an employee reported the theft of a debit card pin pad. (huh…aren’t they attached to something?"
  • VeriFone Brings Breach Protection to Petroleum Retailers - VeriFone, Inc. - 05/05/08 - "GRAPEVINE, TX, (NACStech 2008, Booth #509) – May 5, 2008 – VeriFone Holdings, Inc. (NYSE: PAY) today announced that it is extending its VeriShield Protect credit and debit card encryption technology to Secure PumpPay, its PCI-approved solution for upgrading fuel dispensers to accept electronic payments securely."
  • Vendors Respond To ‘7 Dirty Secrets Of The Security Industry’ - www.TheTechHerald.com - 05/05/08 - "Recently during a talk at Interop, Joshua Corman, security strategist for IBM/ISS, offered up “7 dirty secrets” in the security industry. The talk, titled “Unsafe at any speed: 7 Dirty Secrets of the Security Industry,” was aimed at explaining why companies should have a “healthy level of skepticism about what security vendors are trying to tell you” when evaluating your business’s needs."
  • Debit Card Scams Hit Shoppers In Tech-Savvy Valley - Mercury News - 05/03/08 - "In the time it takes to pay for a bag of groceries or a tank of gas, thieves can empty your bank account. It happens when you swipe your debit card."
  • The Tangled Web of PCI Compliance - www.InternetNews.com - 05/02/08 - "Merchants in the U.S. and Canada last year lost an estimated 1.4% of their online revenue—or about $3.6 billion—to online payment fraud, according to CyberSource Corp.’s 9th Annual Online Fraud Report. The good news is that, as a percentage of total sales, credit card fraud losses have been trending downward since 2004, when they were at 1.8% of online revenue."
  • Hannaford Breach May Presage '08 Trend - Washington Post - 05/02/08 - "Already, there are signs that 2008 may turn out to be a record-breaking year for retailer and card processor data breach disclosures. Kevin Mandia, president of Mandiant Corp., an Alexandria, Va.-based company that specializes in investigating data breaches, said his firm responded to more credit card losses in the past year than in any prior 12-month period."
  • Safety Payoff - Internet Retailer - 05/02/08 - "Merchants in the U.S. and Canada last year lost an estimated 1.4% of their online revenue—or about $3.6 billion—to online payment fraud, according to CyberSource Corp.’s 9th Annual Online Fraud Report. The good news is that, as a percentage of total sales, credit card fraud losses have been trending downward since 2004, when they were at 1.8% of online revenue."
  • ID Theft Bigger Threat Offline - Inside Bay Area - 05/02/08 - "When Gina Titus became a victim of identity theft after her wallet was stolen, she expected to have her credit cards used for some unauthorized purchases. What Titus didn't expect was to get hit with a maternity bill."
  • Rite Aid Cuts Deal For Visually-Impaired Web, POS Support - www.StoreFrontBacktalk.com - 05/02/08 - "Rite Aid on Thursday announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups."
  • ABC Evening News Report on Card Cloning and Theft - www.ABCNews.Go.com - 05/01/08 - "Click here to view this video."
  • How Identity Theft Happens and How to Protect Yourself - www.ABCNews.Go.com - 05/01/08 - "The first step to preventing identity theft is to understand how it happens. Here are some of the most common vulnerabilities and strategies for fighting back."
  • Which Do You Want, Buddy? Compliance Or Security? - www.StoreFrontBacktalk.com - 05/01/08 - "Only a small minority of retailers say that they are getting much value from their security investments. Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins, policies that are not enforced…"
  • New Type of Gasoline Theft Hits Lexington - www.NACSOnline.com - 05/01/08 - "While gas theft has largely been defined by drive-offs, which are on the rise in many areas, thieves also are looking at disrupting store satellite transmissions to obtain free fuel."
  • Scrambling for Data Security in an Increasingly Insecure World - www.RISNews.com - 05/01/08 - "Last month's data breach at Hannaford Bros., which exposed payment card data of 4.2 million credit card holders and led to 1,800 cases of fraud, has added to anxiety from the TJX data breach to give the entire industry a bad case of information insecurity."

April 2008

  • Federal Breach Notification Stuck In Congress - www.SearchCIO-Midmarket.com - 04/30/08 - "CIOs prepping a notification in the wake of a breach of personal information must comply with the law for each state in which a customer lives. That could potentially mean following the small details in at least 43 different laws (the District of Columbia has also passed legislation)."
  • The Legal Implications Of The PCI Data Security Standard - www.SecureComputing.net - 04/30/08 - "While starting off as “just” an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 (“PCI” or “PCI Standard”) now presents serious legal challenges and risk for retailers. The PCI framework currently operates like a law without courts or regulators."
  • Securing Wi-Fi Must Be Priority - www.SecureComputing.net - 04/30/08 - “Wireless is a different medium and presents different challenges that we faced with wired,” said David King, chairman and chief executive officer of AirTight Networks, makers of wireless intrusion prevention systems. “All the borders and boundaries that used to exist at the physical level are gone. The perimeter has to be redefined.”
  • Credit-Card Security Falters - Wall Street Journal - 04/29/08 - "Despite efforts by the credit-card industry to force retailers to protect their customers' data, several recent security breaches suggest that current requirements aren't enough."
  • PCI: Is it working? - The Green Sheet - 04/28/08 - "The Payment Card Industry (PCI) Data Security Standard (DSS) is complex. It includes 12 requirements and more than 200 subrequirements covering topics from technology to general security practices. And it has spawned a compliance consulting market to assist merchants who are having difficulty making heads or tails of the requirements."
  • Paying Breach Bill May Not Buy Hannaford Full Data Protection - ComputerWorld - 04/28/08 - "Hannaford Bros. Co. said last week that it expects to spend "millions" of dollars on IT security upgrades in response to the recent theft of up to 4.2 million credit and debit card numbers from its systems."
  • The Art of Data Management Compliance, Part 3: Executing Processes - E-Commerce Times - 04/28/08 - "Meeting regulatory demands is tough -- and doing so in a cost-efficient manner is even tougher. There are various software products out there to help companies streamline how they manage their compliance efforts. For instance, Compliance Coach offers a software product called "Compliance Pal," which provides identity theft protection."
  • VeriFone To Focus On Security And Unattended Payment Systems At Kiosk Europe - Kiosk Europe - 04/28/08 - "VeriFone, a secure electronic payment solutions provider, will host a drop-in Security Advisory Clinic May 6 at Kiosk Europe 2008. Visitors to the show can pick up a step-by-step guide to payment security and best practices and receive one-on-one advice and information about practical procedures that can be implemented to maintain security."
  • FACTA Shatters Credit, Debit Card Myths - The Green Sheet - 04/27/08 - "Lawyers have filed more than 300 class action lawsuits throughout the United States that could potentially cost merchants and acquirers hundreds of millions of dollars. At the heart of this litigation are untruncated credit card receipts."
  • Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI - www.StoreFrontBackTalk.org - 04/25/08 - "Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars 'but not tens of millions.'"
  • The Secret To Protecting All That Is Confidential - www.StoreFrontBackTalk.com - 04/25/08 - "Last week, we pointed out that the leading merchants and financial institutions in the PCI Knowledge Base are applying the PCI controls to data other than credit card numbers because they found that it is easier to centrally manage a set of controls when they are based on a consistently enforced set of security policies."
  • Police Investigate Identity Theft At Canton WiseBuys - www.WWNYTV.net - 04/24/08 - "Canton police are investigating the theft of thousands of dollars from local bank accounts in what is being described as a major identity theft ring."
  • Credit Card Fraud: How Big Is The Problem? - www.PCISecurityStandards.org - 04/24/08 - "Reports of website data breaches, identity theft and credit card fraud are increasingly in the news. But is the problem as widespread as the coverage suggests?"
  • PCI Security Standards Council Issues Information Supplements - www.PCISecurityStandards.org - 04/22/08 - "The PCI Security Standards Council has announced the availability of two Information Supplements providing further clarification for PCI DSS requirement 11.3, regarding penetration testing, and Requirement 6.6, regarding application code review and application firewalls. Both of these information supplements provide guidance to help merchants and service providers meet these two requirements in support of their PCI DSS compliance efforts."
  • Hannaford Data Breach: An Inside Job? - www.BankInfoSecurity.com - 04/22/08 - "The hackers that broke into Hannaford Brothers, a northeast U.S. grocery chain, may have spawned other attacks, including one at Okemo Resorts in Ludlow VT. As law enforcement and forensic experts continue to sift through the evidence of these attacks, the retailer and the ski resort remain mum on further developments. (See related stories: Hannaford Data Breach: The Victims Fight Back; Hannaford Data Breach May be 'Tip of the Iceberg')"
  • Hannaford Reveals Theft Details, Plans to Spend Millions on Military-Level Security - www.RISNews.com - 04/22/08 - "BREAKING NEWS: In an invitation-only conference call this morning, Hannaford Bros. CEO Ron Hodge and CIO Bill Homa reveal new facts about the recent theft of 4.7 million customer credit and debit card files from the grocer’s data base. They also outline steps taken before and after the criminal intrusion, including details about future initiatives that will ensure a military-level of security and cost millions of dollars to ensure deterrence, protection and detection."
  • Hannaford Vows To Enhance Security After Breach - www.Boston.com - 04/22/08 - "Hannaford Bros. Co. says it's taking steps to enhance the security of its data network following a massive breach that compromised up to 4.2 million credit and debit card numbers."
  • Clothing Retailer Settles With FTC Over Credit Card Breach - www.SCMagazineUS.com - 04/21/08 - "The Federal Trade Commission has approved a final consent order that settles charges an online clothing retailer failed to properly secure its customers' personal information."
  • A Trio Of Credit Card Conundrums - www.StoreFrontBackTalk.com - 04/18/08 - "If there's one thing that the last year of credit card catastrophes has made undeniable is that mixing credit cards, retailers, banks and card brands is unpredictable and a lot more complex than anyone wants to believe."
  • Will Your Business Be the Next Data Breach Headline? -- A STORES Magazine Webinar - Stores Magazine - 04/18/08 - "Learn more about how technology can help you to secure your data and enable PCI compliance. All attendees will receive exclusive peer feedback on PCI compliance experiences, as well as vendor information, spending plans, and more through PCI Knowledge Base's industry research report-research you can't get anywhere else!"
  • Extending PCI Standards To Protect All Confidential Data - www.StoreFrontBackTalk.com - 04/17/08 - "One of the things that differentiates the leading merchants that are part of the PCI Knowledge Base from other merchants is that nearly 40 percent of these merchants have targeted 2008 as the year they plan to extend the application of the PCI security standards to embrace other confidential data, beginning with Social Security numbers."
  • Merchants Liable For Data Breaches - www.PracticalEcommerce.com - 04/17/08 - "What do online merchants Art.com, Geeks.com and Bananas.com have in common? They're three in a small, but growing, list of ecommerce sites hacked for their customer's credit card data."
  • Hackers Open New Front In Payment Card Data Thefts - Computerworld - 04/17/08 - "Security managers often describe their efforts to protect corporate data from being compromised as a full-fledged battle of wits against cybercrooks who are continually arming themselves with innovative tools and methods of attack."
  • Q&A: Head Of PCI Council Sees Security Standard As Solid, Despite Breaches - Computerworld - 04/16/08 - "The PCI Security Standards Council was established by the major credit card companies in September 2006 as an independent organization to manage the Payment Card Industry Data Security Standard. In an interview with Computerworld, general manager Bob Russo talks about the council's efforts to administer the PCI standard amid continuing concerns about credit and debit card security."
  • PA-DSS Changes from PABP - www.PCISecurityStandards.org - 04/16/08 - "The Payment Application Data Security Standard has evolved from VISA’s Payment Application Best Practices (PABP). The attached document outlines the changes between the two programs."
  • PA-DSS Program Overview - www.PCISecurityStandards.org - 04/16/08 - "The goal of PA-DSS is to help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, other sensitive authentication data or PIN data, and ensure their payment applications support compliance with the PCI DSS. PA-DSS requirements apply to payment applications that are sold, distributed or licensed to third parties."
  • Payment Application Data Security Standard Requirements - www.PCISecurityStandards.org - 04/16/08 - "The requirements for the Payment Application Data Security Standard (PA-DSS) are derived from the Payment Card Industry Data Security Standard (PCI DSS) and the PCI DSS Security Audit Procedures. These documents, which can be found at www.pcisecuritystandards.org, detail what is required to be PCI DSS compliant (and therefore what a payment application must support to facilitate a customer’s PCI DSS compliance)."
  • Payment Application Data Security Standard Issued - www.PCISecurityStandards.org - 04/16/08 - "The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), has announced the release of version 1.1 of the Payment Application Data Security Standard (PA-DSS)."
  • Payment Application Data Security Standard (PA-DSS) FAQ’s - www.PCISecurityStandards.org - 04/16/08 - "The PCI DSS recently released the new Payment Application Data Security Standard (PA-DSS). Below are some of the most important FAQ’s. The complete list of FAQ’s is attached."
  • GuestView Column: Many QSAs Do Not Have The Background, Expertise To Assess PCI - www.StoreFrontBackTalk.com - 04/15/08 - "Although there are many qualified security assessors (QSAs), a few who simply do not have the background and expertise in systems security manage to distort the original intent of PCI."
  • The Ins And Outs Of Database Encryption - www.SearchSecurity.com - 04/15/08 - "This tip is part of the SearchSecurity.com Data Protection Security School lesson, Database defenses for a new era of threats. Visit the school and lesson pages for additional learning resources."
  • Identity Theft Charges, Guilty Plea - www.TechnologyNewsDaily.com - 04/15/08 - "On April 11, 2008, JASON DAVID LINGO, age 28, of Granite City, Illinois, pleaded guilty to a three count superseding indictment charging him with Possession of Unauthorized Access Devices, Mail Fraud, and Aggravated Identity Theft."
  • Hannaford Faces Lawsuits Over Data Breach - www.RecordOnline.com - 04/15/08 - "Some nine lawsuits are seeking consolidation into a federal class-action lawsuit against Hannaford Bros. for a data breach that exposed some 4.2 million debit and credit card numbers to potential fraudulent use."
  • Preliminary Chip and PIN Results from Canada - www.PaymentNews.com - 04/15/08 - "Members of the payment card industry in Canada - Interac Association, MasterCard Canada, Visa Canada and many of their respective card issuers and payment processors - have reported positive preliminary results from an industry trial of chip technology in Kitchener-Waterloo, Ontario."
  • Study Reveals 63 Percent of Consumers Dissatisfied With Data Breach Notification and Response Methods - www.MarketWire.com - 04/15/08 - "TRAVERSE CITY, MI--(Marketwire - April 15, 2008) - A new study conducted by the Ponemon Institute shows that consumers are dissatisfied with the notification process used by companies following a data breach affecting their personal information. Sponsored by ID Experts, the Consumer's Report Card on Data Breach Notification revealed 63 percent of survey respondents said notification letters they received offered no direction on the steps the consumer should take to protect their personal information."
  • Stolen Bank Account Data Was Most Advertised Item On The Internet Black Market In 2007 - ePayments News Network - 04/15/08 - "In the second half of 2007, stolen bank account details were the most frequently advertised items on the internet black market, states a report. The advertised price for bank account data varied between USD 10 and USD 1000, depending on the location and funds available in the account. According to the report, bank accounts that included higher balances were advertised for much higher prices."
  • New Australian Customer Privacy Breach Guidelines - www.SmartCompany.com.au - 04/15/08 - "New privacy guidelines could help businesses give customers greater confidence that personal information such as credit card data is being held securely, Federal Privacy Commissioner Karen Curtis says."
  • Forensics: Under Investigation - www.SecureComputing.net.au - 07/01/08 - "The closest thing the world of computer forensics has to the Ten Commandments is the guidance set down in the Association of Chief Police Officers' Good Practice Guide for Computer-Based Electronic Evidence."
  • Covering the Bases: Eight Steps to Ensuring Level-4 Customer PCI Compliance - www.VerticalSystemsReseller.com - 04/14/08 - "Contrary to popular belief, using PCI-validated payment software is not the only step required to ensure compliance. There are other areas that VARs need to be aware of, such as encryption. While this area is one of the most controversial within PCI circles, there are others, such as storage and documentation that must be taken into account. To alleviate the dreaded "failure to comply," and to ensure that "all the bases are covered" when it comes to meeting compliance measures, here are eight steps VARs should keep in mind when helping customers with PCI compliance."
  • MerchantLink Finds PCI Compliance and Credit Card Frustrations - www.PaymentNews.com - 04/14/08 - "MerchantLink has announced results of a survey on credit card security and PCI compliance among attendees of the recently completed 2008 Multi-Unit Restaurant Technology Conference (MURTEC 2008) finding that 'corporate reputation and customer concerns regarding the security of their data are the primary worries in the hospitality industry in terms of credit card use among restaurants of all sizes and styles.'"
  • Visa Announces a New Category for Unattended Point-of-Sale PIN Entry Devices - www.VISA.com - 04/11/08 - "The Payment Card Industry (PCI) PIN Entry Device (PED) Security Program is making a distinction between attended point-of-sale (POS) PEDs and unattended POS PEDs, which has resulted in the creation of a separate category for unattended POS PEDs. The attached bulletin reviews the program changes and compliance mandates that may impact payment system participants."
  • Advance Auto Parts Breach Included Unencrypted Payment Data From 2001 - www.StoreFrontBackTalk.com - 04/11/08 - "Unencrypted customer credit card information dating back to 2001 was among the customer payment data stolen from as many as 56,000 customers of Advance Auto Parts, according to one company official, who added that the chain is not PCI compliant."
  • VeriFone System Encrypts Data at Start of Purchase - American Banker - 04/10/08 - "The San Jose terminal maker VeriFone Holdings Inc. has developed a system that can encrypt payment data when cards are presented to a merchant, filling a potential security gap."
  • Family Dollar Opts for VeriFone’s MX830 and VeriShield Protect - VeriFone, Inc. - 04/10/08 - "Discount Retail Chain to Deploy New VeriFone Cardholder Security Protection Solution and Customer-Facing Card Payment Systems"
  • Next Version Of PCI DSS Due In September - www.SearchSecurity.com - 04/10/08 - "PCI Security Standards Council General Manager Bob Russo said merchants can expect the next revision to the Payment Card Industry Data Security Standard in September."
  • Is Online Shopping Ever Secure? - The Guardian - 04/10/08 - "Few websites meet industry standards when it comes to storing our credit card details. So, asks Danny Bradbury, is e-commerce in the UK fundamentally flawed?"
  • VeriFone Introduces VeriShield Protect: Secures Consumer Card Data Even When Retailer Systems Are Breached - VeriFone, Inc. - 04/09/08 - "VeriFone Holdings, Inc. (NYSE: PAY) today introduced VeriShield Protect, a system designed to thwart continuing criminal efforts to gather unencrypted account holder data via breaches of merchant networks, applications and servers that come in contact with consumer credit and debit card information."
  • PCI Knowledge Base Marshals Industry Muscle to Impart PCI Best Practices - Business Wire - 04/09/08 - "The Payment Card Industry Security Vendor Alliance (PCI SVA) today announced the launch of the PCI Knowledge Base, a research program designed to help merchants, assessors, banks, processors and vendors anonymously share PCI knowledge and experience."
  • Terminal Maker VeriFone Steps into the Busy Data-Security Arena - Digital Transactions - 04/09/08 - "At the RSA security conference the vendors argued the case for a single US federal data-breach notification law, echoing similar demands last year in the UK"
  • Symantec, RSA Call For Unified Data-Breach Law - www.ZDNet.co.uk - 04/09/08 - "At the RSA security conference the vendors argued the case for a single US federal data-breach notification law, echoing similar demands last year in the UK"
  • House Of Cards - www.Reformer.com - 04/09/08 - "Dennis Hawthorne of Brattleboro recently noticed a $194 purchase from Staples on his credit card statement that he didn't recall making."
  • MasterCard Introduces IPS - New Debit Processing Platform - www.PaymentNews.com - 04/08/08 - "MasterCard Worldwide has announced a new debit processing platform, MasterCard Integrated Processing Solutions (IPS), calling it 'a powerful MasterCard-engineered debit processing platform' that 'offers financial institutions a complete processing solution to help create differentiated products and services, enabling them to quickly expand their payments portfolios across banking channels.'"
  • New Security Breach Highlights Need for Innovative Strategies in Post-PCI Era - www.RISNews.com - 04/08/08 - "An additional 56,000 American consumers have been affected by yet another security breach - this time at Advance Auto Parts, a specialty chain with 3,261 stores. News surfaced last week that a computer hacker tapped into financial information at 14 Advance Auto stores in Virginia and seven other states."
  • New Mobile Payment Patent Sidesteps Wireless Concerns - www.StoreFrontBackTalk.com - 04/03/08 - "With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office last issued a trademark for a cellphone payment that leverages current retail equipment, an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all."
  • Data Breaches More Than Doubled in 2008 First Quarter - www.PaymentsNews.com - 04/02/08 - "Data breaches disclosed by Hannaford Bros Supermarket Chain, GE Money, and Georgetown University are just some of the 167 breaches reported during the first quarter of 2008, according to the non-profit Identity Theft Resource Center (ITRC)."
  • TJX Could Pay Another $24M for Breach - Associated Press - 04/02/08 - "Discount retailer TJX Cos. could pay as much as $24 million in a settlement Wednesday with MasterCard Inc. over a massive breach that exposed tens of millions of payment card numbers to hackers."
  • PCI Is a Bust, Retailers Need a New Roadmap to Security - www.RISNews.com - 04/01/08 - "In light of recent breaches, the industry is moving credit card security to the top of its priority list. Last week’s leading story, RIS Hotline, “PCI May Never Stop Hackers: Time to Rethink Security” drew a huge response regarding the incomplete role that PCI compliance plays."
  • Web Hacker Gains Credit Card Data At Okemo - Rutland Herald - 04/01/08 - "Okemo Mountain Resort is the latest target of an Internet thief who gained access to customer credit card information."

March 2008

  • Data Breaches: Attacks Seeking Credit Card Data Double, PCI DSS Efforts Crucial, Visa Official Says - Privacy Law Watch - 03/31/08 - "The number of attacks on credit and debit card processing systems more than doubled from 2006 to 2007, and that trend appears to be continuing in 2008, a Visa Inc. data security official said March 27."
  • Ponemon Institute Unveils Second Annual Study on Enterprise Encryption Trends - PR Newswire - 03/31/08 - "58 percent of organizations expect to deploy a single enterprise-wide key management solution in 2008"
  • Advance Auto Says Data On 56,000 Customers Exposed - Reuters - 03/31/08 - "Advance Auto Parts Inc said Monday a "network intrusion" had exposed credit card, debit card and checking account information for up to 56,000 customers and was the subject of a criminal investigation."
  • Credit Cards At Ski Resort Compromised - Associated Press - 03/31/08 - "A Vermont ski resort has been the target of a security breach that may have compromised tens of thousands of credit cards."
  • Malware at Hannaford Raises More Questions About Data Security - Digital Transactions - 03/31/08 - "Fraudsters planted so-called malware, or malicious software, on servers at about 300 supermarkets in or affiliated with the Hannaford Bros. Inc. supermarket chain and with it were able to steal credit and debit card data, according to a letter from a Hannaford attorney to Massachusetts officials. The thefts happened even though Hannaford at the time was compliant with the Payment Card Industry data-security standard, or PCI."
  • Lessons Learned From Hannaford Breach - www.NetworkWorld.com - 03/31/08 - "As a frequent chronicler of data breach incidents it is my duty to chime in on the Hannaford Supermarket data breach incident. There are two aspects of this and previous breaches that should be considered. One aspect is best practices in disclosure; what should you do when your organization is the victim of data theft? The other is the mechanics of the attack including the who, what, why, and where."
  • Grocery Chain Data Breach Offers Lessons for CIOs - www.Sci-Tech-Today.com - 03/31/08 - "The Hannaford Brothers grocery chain may have been PCI compliant, but that doesn't protect against an inside job. The theft of card data in transmission came after malware was installed on all of Hannaford's servers. The Hannaford breach compromised 4.2 million cards and shows the need to enforce tighter internal IT controls."
  • Data Theft Carried Out On Network Thought Secure - Wall Street Journal - 03/31/08 - "Criminals involved in a massive data breach at the Hannaford Bros. and Sweetbay grocery chains stole the customer information from a part of a computer-network system that security experts had believed was secure."
  • You Lock Your Door, So Guard Your Card - The Tampa Tribune - 03/30/08 - "Henry Davis keeps a sharp eye on his checking account balance. Even an $11 discrepancy recently caught his eye, though he figured it was an honest mistake by himself or his bank."
  • Credit Card Scam Requires No Credit Card - www.OregonionLive.com - 03/30/08 - "Before heading out for a weekend trip to Seattle with his wife, Aaron Reed checked his bank account online."
  • Hannaford Case Exposes Holes In Law, Some Say - The Boston Globe - 03/30/08 - "A security breach at grocery chain Hannaford Brothers Cos. is testing the teeth in Massachusetts' new data-privacy law."
  • Hannaford Bros. PCI Compliance Claims Spurs Questions - www.Baseline.com - 03/28/08 - "As details trickle out about New England’s Hannaford Bros. grocery chain’s data exposure of 4.2 million customer records, questions are swirling about the implications affecting a merchant that has already been certified compliant with PCI security standards. Will security assessors be found liable?"
  • Malware Cited in Supermarket Data Breach - Associated Press - 03/28/08 - "Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.'s supermarkets across the Northeast and in Florida enabled the massive data breach that compromised up to 4.2 million credit and debit cards, the company said Friday."
  • Hannaford: Malware Caused Massive Data Breach - E-Commerce Times - 03/28/08 - "Malware is the culprit behind the Hannaford Bros. data breach that compromised about 4.2 million credit and debit card accounts, the company confirmed in a Boston Globe story. The breach has been linked to about 2,000 cases of fraud."
  • Advanced Tactic Targeted Grocer — 'Malware' Stole Hannaford Data - The Boston Globe - 03/28/08 - "A massive data breach at Hannaford Brothers Cos. was caused by a "new and sophisticated" method in which software was secretly installed on servers at every one of its grocery stores, the company told Massachusetts regulators this week."
  • FTC: TJX "Failed To Provide Reasonable And Appropriate Security" - www.StoreFrontBackTalk.com - 03/28/08 - "In the multi-year databreach at TJX—the worst in credit card history—the retail chain "created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text," according to a complaint issued Thursday by the U.S. Federal Trade Commission."
  • How To Avoid Liability For A Data Breach - www.ZDNet.co.uk - 03/27/08 - "Picture the scene: it's almost 5pm on Friday afternoon and a key database server crashes moments before a scheduled backup. Close analysis reveals it's not accident; rogue code has infected the machine, potentially exposing hundreds of customer records. What's the first thing you do?"
  • Hannaford May Not Have To Pay Banks' Breach Costs Under PCI, Says Gartner - Computerworld - 03/27/08 - "If Hannaford Bros. Co. was compliant with the Payment Card Industry (PCI) Data Security Standard at the time it was breached, banks and credit unions will have a hard time getting the supermarket chain to pay their breach-related costs, according to a Gartner Inc. analyst."
  • PCI Compliance A Good Start, But Not Enough - www.SearchCIO.com - 03/27/08 - "The news earlier this month from Hannaford Bros. Co. was ugly: 4.2 million credit and debit card numbers stolen by a cyberintruder during the past three months. The breach affected 271 stores in the Hannaford supermarket chain, 23 independently owned markets and 70 banks nationwide."
  • Stolen Credit Card Portal Uncovered - www.SecureComputing.net - 03/27/08 - "Security experts have discovered an underground exchange promoting the sale of fraudulent credit card data with guarantees and volume discounts for large-scale fraudsters."
  • Data Skimming From Personal Plastic Has Consumers, Retailers Restless - www.Fosters.com - 03/27/08 - "Susceptibility to credit-card fraud has retailers and their customers scurrying for proactive measures necessary to insulate themselves from further exposure."
  • Banks Saddled With Costs To Replace Compromised Cards - www.Fosters.com - 03/26/08 - "The multi-million dollar tab for replacing credit and debit cards that were compromised by the security breach at Hannaford Bros. Co. will likely be borne by banks and credit unions that issued the cards."
  • Experts: Data Theft Likely To Flourish - www.TampaBay.com - 03/25/08 - "Fabienne Mostrum discovered her debit card numbers had been stolen again when Publix refused to honor the card. Her online check of the account confirmed a thief charged $630 in a Maryland Wal-Mart."
  • Still No Arrests In Desoto County Credit Card Theft Ring - www.TampaBay.com - 03/25/08 - "There's another twist in the DeSoto County credit card theft ring. Investigators thought they had pin-pointed the source that was hacked. But that's turning out not to be the case."
  • PCI May Never Stop Hackers: Time to Rethink Security - www.RISNews.com - 03/25/08 - "Millions of shoppers were affected when a security data breach at Hannaford Bros. exposed the payment card data of more than 4.2 million credit card holders and led to 1,800 cases of fraud."
  • Navigating PCI Compliance for Levels 2 & 3: Cutting Through the Static - Stores Magazine - 03/24/08 - "PCI compliance is a hot topic. However, there is also a lot of confusion about the compliance requirements. Attend this webinar to get the inside scoop from a compliance expert who has helped many retailers become PCI-compliant."
  • The Legal Implications, Risks and Problems of the PCI Data Security Standard - Infosec Compliance - 03/24/08 - "While starting off as “just” an information security standard, the Payment Card Industry Data Security Standard, v. 1.1 (“PCI” or “PCI Standard”) now presents serious legal challenges and risk for retailers."
  • Creating a Computer Security Incident Response Team: A Process for Getting Started - www.CERT.org - 03/24/08 - "Keeping organizational information assets secure in today's interconnected computing environment is a true challenge that becomes more difficult with each new "e" product and each new intruder tool."
  • PCI's A Lot More Useful Than Some Perceive - www.StoreFrontBackTalk.com - 03/21/08 - "The headline of a recent entry in the Securosis blog by Rich Mogull, former Gartner analyst and noted security curmudgeon, was a pointed 'Is PCI Worthless?'"
  • Hannaford Bros. Kept Mum On Data Breach For 19 Days - www.BurlingtonFreePress.com - 03/21/08 - "Hannaford Bros. Co. waited 19 days before announcing its systems had been hacked in a sophisticated attack."
  • Hannaford Breach Raises New Fears - Associated Press - 03/20/08 - "At first, it sounded like another in a long line of credit card breaches: Up to 4.2 million account numbers were stolen by thieves who cracked computers at Hannaford Bros. Co., an Eastern supermarket chain."
  • Technical Details Remain Light In Supermarket Data Breach - www.News.com - 03/19/08 - "Details remain sketchy regarding Monday's announcement of 4.2 million credit card and debit cards exposed at a Maine-based supermarket chain. However, public comments made by Ronald Hodge, CEO of Hannaford Supermarkets, suggest that even with recent improvements in payment card transaction security, there may be holes."
  • The Hannaford PCI Fallout - www.StoreFrontBackTalk.com - 03/19/08 - "Shortly after reports surfaced that the Hannaford grocery chain had been PCI compliant at the time of its data breach attack, the Web has been crawling with those questioning the value of PCI, even as the confusing preliminary details of the breach are being sorted out."
  • What Did Hannaford Know And When Did It Know It? - www.StoreFrontBackTalk.com - 03/19/08 - "As details of the Hannaford data breach trickle out, the familiar data breach pattern of apparent inconsistencies has emerged."
  • Credit Details Stolen In Carshalton Internet Fraud - www.WimbledonGuardian.co.uk - 03/19/08 - "Hundreds of customers have had their credit card details stolen after a Carshalton homeopathic store was hit by internet fraudsters."
  • The Pros And Cons Of Data Breach Insurance - www.SearchSecurity.com - 03/19/08 - "Security incidents at the Hannaford Bros. Co. supermarket chain and elsewhere illustrate the importance of a response plan, but industry experts are less than enthusiastic when asked if such a plan should include data breach insurance."
  • Grocery Chain Data Breach Extends Security Debate - www.RedmondMag.com - 03/19/08 - "A data security breach within Massachusetts grocery chain Hannaford Bros. on Monday not only led to 1,800 known cases of fraud but is also serving as debate fodder in the ongoing argument about data ownership and Payment Card Industry (PCI) compliance."
  • Privacy and Security Law Report: A How-to Guide to Information Security Breaches - The Bureau of National Affairs - 03/19/08 - "Since 2005, there have been reports of over 500 U.S. security breaches. Proactive incident response planning can help minimize the impact when and if a breach occurs."
  • Hannaford Brothers Data Breach Might Reveal Current Security Standards Are Outdated - www.CreditCards.com - 03/19/08 - "Hannaford Bros. Co., a grocery retailer based in the Eastern United States is the latest corporation to be victimized by a substantial data breach. Saying that, customers of Hannaford Bros. are going to be victimized, also."
  • Hannaford Bros. Was in Compliance with PCI When Hacked - Digital Transactions - 03/18/08 - "Fraudsters obtained payment card data originating with Hannaford Bros. Co. while the regional supermarket chain was compliant with the Payment Card Industry data-security standard, or PCI."
  • Taco Bell Co-Operates With Scam Investigation - www.CreditCards.com - 03/18/08 - "Taco Bell has replaced all its PIN pads with new hand-held debit terminals and is fully co-operating with the police investigation into a fraud scam at its Dunsdon Street restaurant, the company said Tuesday."
  • Hannaford Data Breach Exposes More Than 4 Million Cards - www.StoreFrontBackTalk.com - 03/17/08 - "The Hannaford supermarket chain confirmed on Monday a "data intrusion" during payment authorization transmissions that exposed some 4.2 million credit and debit cards and led to 1,800 reported cases of fraud thus far."
  • Card Thieves 'Skimming' Pay-At-The-Pump Customers - www.CreditCards.com - 03/17/08 - "As if the high cost of gas wasn't enough, credit and debit card users who pay at the pump have to face a new way to be gouged at the pump: skimmers."
  • Hannaford Breach Exposes 4.2M Credit, Debit Cards - Associated Press - 03/17/08 - "PORTLAND, Maine (AP) — A security breach at an East Coast supermarket chain exposed more than 4 million card numbers and led to 1,800 cases of fraud, the Hannaford Bros. grocery chain announced Monday."
  • Certegy Offers To Settle Lawsuit Stemming From Theft Of Data On 8.5M Consumers - www.TamilStar.com - 03/16/08 - "In a move designed to avoid the time and costs associated with a protracted legal battle, Certegy Check Services Inc. has offered to settle a class-action lawsuit filed on behalf of 8.5 million people whose personal data was compromised by an insider theft that the company disclosed last July."
  • Soaring Rates Of Debit Fraud Prompt Switch To Smart Cards - www.TheGlobeAndMail.com - 03/14/08 - "Talk to the Interac Association about the rising tide of debit-card fraud in Canada and it will tell you a big part of the solution lies in an invisible chip embedded in the plastic."
  • University Of Delaware And The UCF Announce First PCI Compliance Conference Designed Exclusively For Hospitality Compliance Managers - Reuters - 03/14/08 - "The University of Delaware, in conjunction with the Unified Compliance Framework, has created the first conference dedicated to Payment Card Industry compliance within the hospitality industry."
  • Paper Compliance Vs Operational Compliance - www.StoreFrontBackTalk.com - 03/14/08 - "One of the key conclusions to be found in the PCI Knowledge Base is that the rush to get compliant with PCI security standards over the past year has caused many retailers to focus on "paper compliance" – making sure their Report on Compliance (ROC) was filed by the deadline to avoid fines."
  • Contactless Payments Security Questions & Answers - www.PaymentTrends.com - 03/14/08 - "The Smart Card Alliance has published an FAQ on contactless payment security that applies 'only to contactless payment using contactless smart card technology, as implemented by American Express, MasterCard and Visa.'"
  • APACS Reports Card Fraud Statistics for 2007 - www.PaymentTrends.com - 03/14/08 - "In the UK, APACS has reported 2007 statistics for both card fraud losses and online banking fraud losses. Card fraud losses were up by 25% with the increase being driven by a £90.5 million increase in fraud abroad as more UK card details were stolen for use in countries yet to upgrade to chip and PIN."
  • UK Plastic Card Fraud Jumps By 25% - The Guardian - 03/12/08 - "Losses from credit and debit card fraud jumped 25% last year to reach £535m, driven by a surge in crimes being committed overseas by criminals using stolen UK card details, figures showed today."
  • Police Urge Shoppers At Park Royal To Change PINs After Security Breach - Vancouver Sun - 03/12/08 - "WEST VANCOUVER - Shoppers who recently used their debit cards at either of two La Senza outlets or the Aldo Shoes boutique in Park Royal Mall should quickly change their access codes, West Vancouver police advise."
  • ISACA PCI e-Symposium - ISACA - 03/11/08 - "ISACA, the Information Systems Audit and Control Association, is holding an upcoming PCI e-Symposium. PCI DSS regulations will be discussed in detail, as well as what to look for in a PCI vendor/partner."
  • Hackers Claim RFID Smart-Card Hack, But Chip Vendor Disagrees - www.SecureComputing.net - 03/06/08 - "A semiconductor company on Tuesday disputed claims by a hacker that he can access the firm's radio-frequency identification (RFID) chips to jeopardise the security of billions of credit card users."
  • Details On The New Anti Card Fraud Mobile Phone Technology - www.Net-Security.org - 03/06/08 - "A new Israeli technology brought to the U.S. by Secure Identity Systems (SIS) thwarts credit and debit card fraud, and potentially stops ID thieves in the act. This in turn helps banks better protect customers, stem losses due to fraud, and attract new depositors with free identity protection services."
  • VISA Partial Authorization at AFD Transaction Update - www.VISA.com - 03/01/08 - "In December 2006, Visa announced several changes to enhance the value of all Visa products at Automated Fuel Dispensers (AFDs). These changes to date have resulted in, or are expected to result in, lower cost of acceptance, fewer declines and increased sales, as well as an overall positive cardholder experience benefiting the merchants, issuers and Visa cardholders."
  • Trustwave Global Compromise Statistics Q1 2008 - Trustwave - 03/08 - "The information gathered in our investigations of over 350 payment card compromises to date in 14 countries around the world challenges some common misconceptions about the large-scale theft of cardholder information today. In our analysis of these cases, we've found that the organizations targeted by malicious hackers for compromise may not fit the profile that many people would expect."
  • PIN-Ovation - www.OCTANEmagazine.ca - 03/08 - "Say goodbye to swiping. In a decade, magnetic stripe payment will have all but disappeared in Canada, in favour of the Europay MasterCard Visa (EMV) chip and PIN technology currently adopted by 86 countries worldwide."
  • International Narcotics Control Strategy Report 2008 - Bureau of International Narcotics and Law Enforcement Affairs - 03/08 - "In the United States and around the world, law enforcement continues to struggle with the many low-tech but highly effective ways criminals launder money and finance terrorism."

February 2008

  • Court to Notify Those Who Made a Purchase or a Return at a TJX Store about a Class Action Settlement - CNW - 02/29/08 - "A notification program began today in the United States, Canada, and Puerto Rico, as ordered by the United States District Court for the District of Massachusetts, to alert people who made a purchase or return to a TJX store about a proposed settlement reached with The TJX Companies, Inc. and Fifth Third Bancorp ("Defendants") in a class action lawsuit against them about the computer system intrusions into personal and financial information at TJX retail stores."
  • For Sale: Passwords To Fortune 500's Servers - InformationWeek - 02/27/08 - "Cybercriminals are paying premiums based on compromised sites' Google PageRank to buy thousands of login names and FTP credentials, a security software company reports."
  • PCI And The Circle Of Blame - InformationWeek - 02/23/08 - "Who's responsible for the security of credit card data? From retailers to auditors to card brands, the first order of business is self preservation--and that costs all of us."
  • Can You Buy PCI Compliance? - InformationWeek - 02/23/08 - "Cisco and security vendors would like you to think so, but some CIOs aren't so sure. It's no surprise that vendors have swarmed around the PCI Data Security Standard. It already has generated a mini-industry of Qualified Security Assessors and certified scanning companies."
  • Update: Credit Card Receipt Truncation Environment Changing - www.StoreFrontBackTalk.com - 02/22/08 - "A PCI security software vendor issued a statement this week that retailers could avoid PCI's requirement if it adopted a token approach the vendor was selling. The claim would have been even better if it were true."
  • More PCI Deception. Won't Vendors Ever Learn? - www.StoreFrontBackTalk.com - 02/22/08 - "Ever since federal rules went into effect January 2007 that prohibited credit card receipts from displaying expiration dates or the last several digits of a credit/debit card number, a lengthy list of retailers have been sued for violating the act, including Apple, Rite Aid, Harry & David, Ikea, KB Toys, Disney, Regal Cinemas and AMC Theaters."
  • Minding Your Partner's Security: The Weakest Link - www.StoreFrontBackTalk.com - 02/22/08 - "In the past week, I talked to several specialty retail chains all facing the same problem: Their corporate location and all or most of the fully owned stores have achieved PCI compliance, but they have hundreds of other franchisees and independent retailers, which carry their brand."
  • Insurance Company Reimburses TJX Almost $19 Million For Data Breach - www.StoreFrontBackTalk.com - 02/22/08 - "In the middle of a better-than-expected earnings report from TJX on Wednesday, the retailer whose databreach of 100 million cards was the worst in credit card history reported that it was paid somewhat less than $19 million by its insurance company."
  • The Hands-Free Way To Steal A Credit Card - www.News.com - 02/21/08 - "Adam Laurie, an RFID security expert, used the Black Hat DC 2008 conference here, to demonstrate a new Python script he's working on to read the contents of smart-chip-enabled credit cards."
  • Building Security Into Your Software-Development Lifecycle - www.SecureComputing.net.au - 02/21/08 - "In the beginning, software vendors thought that they could handle security vulnerabilities as they handle software bugs using their regular support process. Unfortunately, it's not so easy. Software security vulnerabilities are not like other software defects."
  • Merchants Want Lawmakers To Regulate Credit-Card Fees - www.BurlingtonFreePress.com - 02/17/08 - "Legislation under consideration in Montpelier stems from an effort by a national special-interest group working to draw attention to fees credit cards charge merchants."
  • State Bill Clarifies Breach Obligations - The Green Sheet - 02/15/08 - "The approval of California Senate Bill 364, which clarifies what information merchants must publicize in the event of a data breach, could add to the security burden of merchants and ISOs."
  • Washington State Reps. Pass Ban On RFID Skimming - InformationWeek - 02/15/08 - "The bill also makes it a violation for businesses to retain personal information gleaned from RFID chips without card owners' consent."
  • Americans' e-Commerce Conundrum - www.InternetNews.com - 02/15/08 - "A new study from the Pew Internet Project casts light on the love-hate relationship many Americans have with e-commerce."
  • The Librarian Wins In The Data Breach David Vs. Goliath Battle - www.StoreFrontBackTalk.com - 02/14/08 - "A Florida librarian—whose confidential data was apparently accessed in a databreach involving Wells-Fargo and Sprint Nextel—won his lawsuit against the two giants on Tuesday, when neither company bothered to send anyone to represent them at the hearing."
  • E-Payment Fraud Reaches $3.6 Billion for 2007, or 1.4 Percent of Sales, Study Says - Internet Retailer - 02/14/08 - "Payment fraud robbed Web merchants of 1.4 percent of revenue in 2006 and 2007, increasing from $3.1 bil to $3.6 bil, according to CyberSource's 2008 Online Fraud Report."
  • PCI Security Standards Council Announces Availability of PIN Entry Device (PED) Approval Listings - Business Wire - 02/11/08 - "The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announced that PCI PED equipment approval listings and security requirements documents are available on the Council’s website at https://www.pcisecuritystandards.org/pin/."
  • Stanislaus State Officials Believe They've Found Source Of ID Theft - www.ModBee.com - 02/09/08 - "TURLOCK -- It was like any other day when Phillip Cuaresma went to pay some bills online, except this time his bank account was missing $1,000. His statement showed purchases made in Mexico, which he hasn't visited since 2005."
  • Tokenization: You Can't Protect Data You Don't Have - www.StoreFrontBackTalk.com - 02/08/08 - "Not enough merchants know about Tokenization – the automated replacement of a credit card number with another (non-sensitive) number at the POS. I say that because, I've been talking to a lot of merchants who are members of the PCI Knowledge Base and only about 20 percent are familiar with the term and maybe 10 percent know enough to discuss its pros and cons."
  • Canadian Standards Assoc. Learning Centre Online Store Breach - PrivacyNews - 02/08/08 - "On Jan. 21st, the Canadian Standards Association notified the New Hampshire DOJ of a security breach involving its Learning Centre online store. On December 20, 2007, CSA became aware of a breach that may have resulted in unauthorized access to personal information, specifically names, addresses, credit card account numbers and card expiration dates provided to CSA by customers."
  • Target Reports Some Target VISA Customers Victims Of Call Center Employee Fraud - PrivacyNews - 02/08/08 - "On January 22, Target notified the New Hampshire DOJ that its fraud detection unit had determined that three employees of a company that provides call center support services to Target National Bank (the issuer of Target Visa credit cards) had accessed customer VISA account information including names, addresses, account numbers, social security numbers, and telephone numbers."
  • Soccer League's Online Shoppers Get Kicked By Security Breach - Computerworld - 02/08/08 - "February 08, 2008 (Computerworld) A series of SQL injection attacks on servers hosted by a third-party service provider has compromised the personal data of an unspecified number of individuals who had shopped on Major League Soccer's MLSgear.com Web site."
  • Rogers Chasing Paper Trail - www.EdmontonSun.com - 02/08/08 - "A pile of Rogers Video envelopes containing credit-card slips and resumes was on its way to Calgary when it ended up on a mall parking lot, the company said yesterday."
  • Cops Bust Major ID Theft Ring In New York - www.SCMagazineUS.com - 02/07/08 - "Thirty-eight people living in New York have been charged with leveraging stolen consumer data to create bogus credit cards that were then used to purchase high-priced goods, such as computers and televisions, authorities said."
  • Gartner Says Consumers Prefer PIN-based Debit - www.PaymentsNews.com - 02/07/08 - "Gartner has announced results of a survey of 4,500 online U.S. adults, conducted in August of 2007 that concludes that while banks and credit card issuers have put significant efforts into marketing contactless and signature-based debit card payments, they have failed to win over consumers."
  • California Senate Strengthens Breach Notification Requirements - www.SecureComputing.net - 02/07/08 - "According to SB364, a security breach notification must contain the toll-free telephone numbers of the major credit reporting agencies – to allow consumers to put a hold on their credit – and the name and contact information of the business that has experienced a breach."
  • PCI Security Standards Council To Host Webinar on Latest Self Assessment Questionnaire - Business Wire - 02/07/08 - "The PCI Security Standards Council, a global, open industry standards body providing management of the Payment Card Industry Data Security Standard (DSS), PCI PIN Entry Device (PED) Security Requirements and the Payment Application Data Security Standard (PA-DSS), today announces a complimentary webinar, “Navigating and Understanding the PCI SSC Self Assessment Questionnaire,” to be held on Thursday Feb. 21, 2008 at 11:30 a.m. EST and a second session the same day at 7:30 p.m. EST."
  • PCI Security Standards Council Updates Self Assessment Questionnaire - www.PCISecurityStandards.org - 02/06/08 - "The PCI Security Standards Council has announced that its updated Self Assessment Questionnaire (SAQ) for merchants and service providers is now available."
  • The Cost of ID Theft, Part 2: Fixing the System - E-Commerce Times - 02/06/08 - "The costs as well as the volume of ID thefts continue to rise. Estimated business losses per victim increased by about $7,500 from 2003 to 2004, from $41,717 to $49,254, according to the Identity Theft Resource Center."
  • The Cost of ID Theft, Part 1: Beyond Dollars and Cents - E-Commerce Times - 02/05/08 - "The ultimate cost to ID theft victims varies across industries, Uriel Maimon, senior researcher for the software firm RSA, told the E-Commerce Times. 'In the banking and electronic commerce industries, the end user is usually indemnified, and most of the damage is done to the business.'"
  • Calif. Considers Expanding Data Breach Notification Rules - InformationWeek - 02/04/08 - "The California State Senate passed a data breach bill that requires notices to explain clearly what has happened and what people can do to protect themselves."
  • Ask the Auditor: Who is Responsible for Information Security? - www.ITCInstitute.com - 02/01/08 - "Our new column, 'Ask the Auditor,' answers real questions submitted by real readers. This week, certified internal auditor and certified information systems auditor Dan Swanson answers the question of who is responsible for information security."
  • The Ultimate Conundrum: Security Logs Are Discoverable - www.StoreFrontBackTalk.com - 02/01/08 - "Most merchants are so focused on protecting credit card and social security numbers that they forget the very process of securing their environment creates a risk. All of the alerts and log data from all of the various network, application and database monitoring tools must be promptly reviewed and acted upon."
  • Compliance: PCI's Growing Pains - www.SCMagazineUS.com - 02/01/08 - "By statistical standards, the Payment Card Industry Data Security Standard, which recently wrapped up its first full year as the merchant benchmark for protecting credit card numbers, has been a rousing success."

January 2008

  • California Senate Approves Bill To Outlaw Skimming RFID Tags - InformationWeek - 01/31/08 - "Technology to steal -- or skim -- information from RFID tags is readily available, off-the-shelf, and surprisingly inexpensive."
  • Debit-Card Ring May Be Linked To Tamil Terrorists - Canwest News Service - 01/31/08 - "TORONTO- A routine traffic stop this week has unravelled an international debit card fraud ring, has led to 373 criminal charges and possibly has broken up a Tamil Tiger terrorist fundraising and money laundering operation, police said Wednesday."
  • Gambier Struck By Credit-, Debit-Card Fraud - www.KenyonCollegian.com - 01/31/08 - "As of Jan. 29, the Office of Campus Safety reported 30 students, faculty and staff members, along with Village Inn (VI) and MiddleGround owners Joel Gunderson and Margaret Lewis, as victims of credit or debit card fraud, said Kenyon News Director Marc Ellis."
  • Secure Computer Gets Tough On PCI Standard - www.SecureComputing.com - 01/30/08 - "Secure Computing has announced the launch of a new global initiative - which includes a dedicated website and programs - aimed at educating users about the Payment Card Industry’s (PCI) Data Security Standard (DSS) and its looming June 30 compliance deadline."
  • Where's Your Credit Card Data? - InformationWeek - 01/30/08 - "PCI regulations require companies to protect credit card numbers. But first you have to know where they are. Here's what I've learned from retailers and PCI auditors about step one of PCI compliance."
  • ChoicePoint To Pay $10M To Settle Last Breach-Related Lawsuit - Computerworld - 01/28/08 - "January 28, 2008 (Computerworld) Data broker ChoicePoint Inc. has agreed to pay $10 million to settle the last remaining class-action lawsuit filed against