Emerald Business Systems Blog

Discounting sets ‘grim tone’ for holiday retail

Posted in Retail,Sustainable/Green by ebs4pos on October 30, 2009

American retail chains panicked last holiday season as they stared at overstocked shelves and wondered, “How will we sell all this stuff?” Their response to the collapse of the economy—namely, to markdown everything in sight and cross their fingers—was a last-minute act of desperation. Because they spent the past year ruminating about worst-case scenarios, however, many retailers now face a new problem as the holidays actually approach, says Stevan Buxbaum, executive vice president of Agoura Hills, Calif.-based Buxbaum Group, the consulting and turnaround investment firm.

“Retailers were so nervous they over-constricted their inventories,” explains Buxbaum, who looks for comparable store sales to be in the flat to negative 1 percent range for the season. “They are now scrambling to stock up. The problem is that we have a worldwide supply chain. Much of the inventory comes from Asia and can sit on a boat for up to six weeks before it gets here. Beefing up inventories in time for the holiday season will be virtually impossible.”

via Marketing | Report: Discounting sets ‘grim tone’ for holiday retail | Retail Customer Experience.


Study Finds Protecting Credit Card and Patient Data Drives IT Spending Yet Most Organizations Still at Risk

Posted in Uncategorized by ebs4pos on October 30, 2009

Tue Oct 20, 2009 9:15am EDT


Study Finds Protecting Credit Card and Patient Data Drives IT Spending Yet Most Organizations Still at Risk

Less than half encrypt backup tapes, full disks and databases while nearly 20 percent said they would wait for a data breach before they encrypt tapes

SAUSALITO, Calif., Oct. 20 /PRNewswire/ — Trust Catalyst, a research firm
helping companies build data protection strategies that strengthen customers’
trust — today announced the findings of its second annual 2009 Encryption and
Key Management Benchmark Report which surveyed more than 600 IT security
professionals and was sponsored by Thales.

The study found 41 percent surveyed encrypt backup tapes, 43 percent encrypt
databases and 49% encrypt full disks, despite the growing number of new
industry, state and national data protection regulations. While participants
indicated the protection of health care and credit card data was driving
future IT spending, 19 percent said they would wait for a data breach before
they would encrypt tapes. This data left unprotected in databases and backup
tapes causes these organizations to be at higher risk for a data breach.

The study revealed the primary obstacles preventing organizations from
encrypting these applications were due to concerns about cost and data
availability. Once data is encrypted, participants fear they could lose this
data or it would not be available when it was needed causing a business
disruption even though twice as many surveyed admitted to a data breach than
losing data because of a lost encryption key.
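The fear of losing data because an encryption key is lost has a standard operational answer: back the key-encryption key up under split knowledge and dual control, which PCI DSS calls for in its key-management requirements, so that no single custodian can lose or misuse it. As an added example (not from the Trust Catalyst report or Thales), the following Python code splits a 256-bit key-encryption key among five custodians with Shamir's threshold scheme over a prime field; any three of them can reconstruct it, two cannot, and losing two shares costs nothing. The key, share counts and custodian assignments are constructed for the demo.

```python
import secrets

# Mersenne prime 2^521 - 1: every 256-bit key is a field element, so no key bits are lost.
PRIME = 2**521 - 1


def split_secret(secret: bytes, threshold: int, shares: int) -> list:
    """Return `shares` points (x, f(x)) on a random polynomial of degree threshold-1
    with f(0) = secret. Any `threshold` points determine f; fewer reveal nothing."""
    s = int.from_bytes(secret, "big")
    if not 1 <= threshold <= shares or s >= PRIME:
        raise ValueError("bad parameters")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation mod PRIME
            acc = (acc * x + c) % PRIME
        return acc

    return [(x, f(x)) for x in range(1, shares + 1)]


def recover_secret(shares: list) -> int:
    """Lagrange-interpolate f(0) from the given points and return it as an integer.
    With fewer than `threshold` points the result is a random field element, not the key,
    which is why the caller compares integers before converting back to bytes."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo() -> dict:
    kek = secrets.token_bytes(32)  # constructed key-encryption key (would wrap the data keys)
    kek_int = int.from_bytes(kek, "big")
    shares = split_secret(kek, threshold=3, shares=5)  # one share per custodian
    return {
        # custodians 1, 3 and 5 meet: the key comes back and can be written out with to_bytes(32)
        "three_custodians": recover_secret([shares[0], shares[2], shares[4]]) == kek_int,
        # two custodians alone learn nothing usable
        "two_custodians": recover_secret(shares[:2]) == kek_int,
        # custodians 1 and 2 have left the company; the remaining three still suffice
        "lost_two_shares": recover_secret(shares[2:]) == kek_int,
    }


if __name__ == "__main__":
    for case, recovered in demo().items():
        print(f"{case:18s} key recovered: {recovered}")
```

The shares, not the key, are what goes into the safes; the reconstructed integer is converted back with `to_bytes(32, "big")` only inside the key-loading ceremony.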

“Given the nature of new data breach regulations, organizations no longer have
the luxury of time to wait and encrypt credit card and healthcare data because
of data availability concerns,” said Kimberly Getgen, Principal of Trust
Catalyst. “With less than 50 percent of participants encrypting backup tapes
and nearly 20 percent of respondents saying it would take the pain of a data
breach to get their organization to reverse their decision, too many
organizations, customers and patients are needlessly at risk.”

Here are some of the study’s key findings:

— Patient and Credit Card Data Protection Drives IT Budgets. 53.9% indicated they were allocating budget for PCI DSS, 28.9% for HIPAA and 22.4% for the EU Data Privacy Directive. HIPAA was the number one allocator of new budgets for US participants.
— Cost of encryption remains top concern. Participants express that cost remains the single most important factor preventing data that “should” be encrypted from being encrypted. Over half cited the cost of the encryption solution (26%) or the cost of managing the encryption solution (25%) as their primary obstacles for being able to bring encryption into their organizations where it is needed most.
— Operational concerns delaying encryption projects. The decision to postpone encryption is often because operational efficiencies like availability of data and performance are seen as more important than data protection. For example, when asked specifically about what was preventing them from encrypting databases, it was the complexity of managing keys that was identified as the primary obstacle preventing participants from encrypting backup tapes (24%). Here, participants said availability was far more important than confidentiality.
— Cloud computing not ready for prime time. 52.1 percent of participants cite data security concerns as being the number one barrier preventing their organization from adopting cloud computing. 42.6 percent of survey participants said they were not currently planning on moving to the cloud while another 46.5% said they would wait until data is encrypted before moving. 58.8 percent said they would want to manage their own encryption keys if encrypted data was moved to the cloud.

The full 2009 Encryption and Key Management Benchmark report can be downloaded
from http://www.trustcatalyst.com/2009EncryptionSurvey.php

The Beatings Will Continue Until Service Improves

Posted in Bars and Taverns,General Business,POS,Restaurant,Retail by ebs4pos on October 29, 2009

It amazes me how many business leaders treat their IT business partners poorly. Delivering IT services is hard, no matter which company you work for. IT is complex, and it breaks (at the worst times). IT people are not perfect. Does anyone really think that all of the yelling and screaming is going to help? The same people who wouldn’t think about giving anything but an “Exceeds” on a performance review have no problem screaming at a service provider over and over again.

Then there are negotiations. “You need to sharpen your pencil, I’m not paying this much.” Good IT leaders will work hard to deliver services at the lowest possible cost. But they need to be careful not to negotiate such a low price that the vendor will never be able to meet their expectations for service. Believe it or not, getting the lowest price is not always the right goal. By the way, if anyone is looking for someone to help negotiate a cheap, crappy IT service, I know plenty of people who would rock your world.

via StorefrontBacktalk » Blog Archive » The Beatings Will Continue Until Service Improves.

What to do After the Breach?

Posted in Uncategorized by ebs4pos on October 29, 2009

There is no shortage of advice on ways to try and prevent a data breach. But if it happens to you, do you have a plan of precisely what to do next? Very few retailers do.

Before we delve into what you should do next—and the fact that you really need to get your teams together and figure it out now (think of it as Data Breach Disaster Recovery Plan)—let’s look at why this is such a difficult area. In the last couple of years, a veritable who’s who of major retailers have been breached, including TJX, Hannaford, 7-Eleven, Target, J.C. Penney, BJ’s Wholesale, Boston Market, Sports Authority, Dave & Buster’s, Office Max, Barnes & Noble, Forever 21 and DSW. And that’s merely a partial list of the ones we know about.

And in almost every one of those cases, the cyber thieves entered those networks, rummaged around, copied GBytes of payment data and related files, transferred that data to themselves and left—all without the retailers detecting any alarms. Invariably, it was the card brands—and sometimes the U.S. Secret Service—that detected the fraud days, weeks, months and sometimes years later and then circled back to give a heads up to the retailers involved.

That’s complicating factor Number One: You’re likely to learn of the breach long after it’s been halted by the thieves themselves. That tends to fuel the tendency to react slowly, as it doesn’t feel like an emergency. Trust me: It is.

Complicating factor Number Two: Data logs. As Wal-Mart learned a few years ago, those logs are the first things that professional cyber thieves will alter and manipulate once they break in. You simply can’t trust them if you know that cyber thieves have had hours of free rein within your network. That’s one of the reasons that real-time alerts (E-mail or otherwise)—stored in various locations far away from the enterprise servers (beyond the reach of the intruder)—are so attractive. Before the bad guy can cover his tracks, video of those tracks has already been sent to 40 different inboxes.
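As an added example (not from Evan Schuman’s post or StorefrontBacktalk), the following Python sketch shows why records shipped off-host at write time stay trustworthy even after an intruder has had hours inside. Each record is authenticated with a key that is replaced by its own hash immediately after use; the remote collector holds the starting key and can verify the whole stream, while an intruder who later takes over the server holds only the current key and can neither rewrite nor silently delete what was already sent. The hostname, events, addresses and seed key are constructed for the demo.

```python
import hashlib
import hmac
import json


def _evolve(key: bytes) -> bytes:
    """One-way key update: k_{i+1} = SHA-256("evolve" || k_i). The old key is discarded."""
    return hashlib.sha256(b"evolve" + key).digest()


def _tag(key: bytes, seq: int, event: dict) -> str:
    """HMAC over the sequence number and the canonical JSON of the event."""
    body = seq.to_bytes(8, "big") + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class ForwardSecureLogger:
    """Runs on the monitored server. Only the *current* key ever exists in memory."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key  # k_0, shared with the remote collector out of band
        self.seq = 0

    def emit(self, event: dict) -> dict:
        record = {"seq": self.seq, "event": event, "tag": _tag(self._key, self.seq, event)}
        self._key = _evolve(self._key)  # k_i is gone; an intruder arriving later never sees it
        self.seq += 1
        return record

    def current_key(self) -> bytes:
        """What an intruder who compromises the server right now would obtain."""
        return self._key


def verify_stream(initial_key: bytes, records: list) -> tuple:
    """Collector-side check. Returns (ok, verified_count) and stops at the first bad record.
    Catches modified events, deleted records (sequence gap) and reordering."""
    key, expected = initial_key, 0
    for rec in records:
        if rec["seq"] != expected:
            return False, expected
        if not hmac.compare_digest(_tag(key, expected, rec["event"]), rec["tag"]):
            return False, expected
        key, expected = _evolve(key), expected + 1
    return True, expected


# Constructed sample: three events the server shipped before the intruder took control.
K0 = hashlib.sha256(b"demo-seed-shared-with-collector").digest()
EVENTS = [
    {"host": "posserver01", "msg": "login succeeded", "user": "admin", "src": "198.51.100.7"},
    {"host": "posserver01", "msg": "new service installed", "name": "svchost32"},
    {"host": "posserver01", "msg": "outbound transfer", "bytes": 734003200, "dst": "203.0.113.9"},
]


def demo() -> dict:
    logger = ForwardSecureLogger(K0)
    shipped = [logger.emit(e) for e in EVENTS]  # these copies are already at the collector

    # The intruder now owns the server and holds only the current (evolved) key.
    stolen_key = logger.current_key()
    deleted = [shipped[0]] + shipped[2:]  # drop the "service installed" record
    forged_event = dict(EVENTS[0], msg="login failed")
    forged = [{"seq": 0, "event": forged_event, "tag": _tag(stolen_key, 0, forged_event)}] + shipped[1:]

    return {
        "intact": verify_stream(K0, shipped),
        "deleted": verify_stream(K0, deleted),
        "forged": verify_stream(K0, forged),
    }


if __name__ == "__main__":
    for name, (ok, count) in demo().items():
        print(f"{name:8s} ok={ok} verified_records={count}")
```

The collector’s copy verifies in full; the local copy with one record removed fails at the gap, and the rewritten first record fails because the key that signed it no longer exists on the server to re-sign with.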

That said, today’s the day. You’ve just gotten the call from Visa that your systems are apparently the common point of purchase with a few million fraudulent transaction attempts. What are the first three things you need to do?

One: Identify The Nature Of The Breach
Although number two on this list is cutting off your networks from the intruder and others associated with the intruder, you can’t meaningfully do that until you at least reliably know the basics of the attack.

What if you choose to yank your system from the network—which is exactly what one breached Colorado liquor store did—and you later discover that the attacks were done physically on the card swipes and that network access limits wouldn’t stop them?

Or perhaps you choose to break off all external links, leaving intranet and VPN connections alive so operations can continue. And you later learn that it was an inside job done by two people in accounting and an IT programmer? Oops.

So as tempting as it is to make “cutting off the intruders” number one on this list, establishing the exact nature of the breach has to be Number One. (Actually, phoning a reporter for StorefrontBacktalk really should be Number One, so as to prevent this breach from impacting others. You’re a retail patriot, no?)

Two: Cutting Off The Bad Guys
You have learned of a major security hole. Even if you’re confident the perpetrators have been caught and made inactive, these thieves use discussion forums and share knowledge. You can wager generously that it’s known—at least in the cyber thief world—that you’ve been breached and how.

You’ve got to plug those holes before the next wave of silent attacks happen. Don’t forget that they are silent, leaving almost no easily discoverable tracks. They may be copying files as you sit in a meeting debating options.

But you actually have a sub-priority that should trump your key priority: Maintain operations and maintain them seamlessly. Whatever you do, it can’t meaningfully impact customers. You can’t simply stop accepting online coupons or processing CRM points if you used to.

There are an infinite number of ways of cutting off access to the bad guys, but they generally fall into two equally-viable categories: Go Back; and Move Forward.

The Go Back strategy suggests cutting off access as much as possible to cut your losses and halt damage. It has some severe drawbacks, both in terms of functionality and security (no encryption), but it’s also likely to avoid further breaches for a bit. After all, it’s hardly cost-effective to steal one card at a time by tapping phone lines.

The Move Forward approach is also known as the “Panicky IT Executive Throwing Money At The Problem.” To be fair, many of the “move forward” options will have to be seriously considered for Step Three, which is returning the network to the new normal. But it’s not an especially great idea at this stage because the immediacy required prevents the kind of due diligence this merits. Still, adding software to plug limited holes or to generally boost protection is something to consider at this phase.

The Zero Liability programs from the major card brands do a wonderful job of limiting direct financial losses from your customers. But if, in an attempt to make your systems temporarily breach-proof, you start losing customer-facing functionality, you have the real potential of alienating—and losing—key customers. If that happens, candor—in the form of “Well, we’ve been breached and we think this Eastern European cyber thief gang has your credit card info”—is not likely to help you, unless you define “help” as stopping customers from walking away and instead getting them to run away.

Three: Activating The New Normal
Once you’ve figured out exactly what the attackers did—to your satisfaction at least—and prevented anyone from doing those particular techniques to you again, you need to return to the living and get your operation to move into the next security phase.

But given the RFPs that need to be created and circulated plus the competing bids and then the questions and trials and trial evaluations and then limited deployments, you could easily have to live a year or two with your “immediate” approach. Don’t rush the new normal as that will be your key safeguard for quite some time.

If the size of your chain means that you may have to live longer without the new normal, that would certainly suggest that the Move Forward approach in Number Two might be a good way to go for you.

Breaches are becoming a fact of life in retail IT today and there’s no way to prevent them. But with the right prep, you can at least make the post-breach nightmare a little less horrific.

Evan Schuman is a guest blogger on the McAfee Security Insights blog. Evan is the founder and Editor-in-Chief of StorefrontBacktalk.com, a global site that tracks retail IT and E-Commerce issues for readers. He also writes the weekly Retail Realities column for CBSNews.com. More on Evan can be read on his author page.

Local is good, but fresh is better

Posted in Restaurant,Sustainable/Green by ebs4pos on October 28, 2009

The buzzwords are flying as marketers look for new ways to appeal to still-stingy consumers. A recent report by Hartman Group found that “the picture is no longer black or white; it is a colorful mosaic where organic and/or natural intersects and overlaps with attributes such as local, fresh, sustainable, safe, green, quality, lack of additives and many more.”

Personally, I’m a big fan of “local” — it communicates a human dimension that I find refreshing in an increasingly homogenous shopping world. When it comes to food, though, local is good, but our research with consumers in August shows that “fresh” is better. Consumers told us:

“Local foods are fresher and you are helping out your economy locally”

“When local there is less chance that they have been processed or preserved with mystery chemicals”

“Locally grown means that it takes less than 3 hours to get to me. Means the food is fresher and travels less fuel, energy to get to me.”

via Marketing | Local is good, but fresh is better | Retail Customer Experience.

5 Ways to Reduce Theft in your Bar

Posted in Bars and Taverns,POS,Restaurant by ebs4pos on October 26, 2009

I once read the results of a survey that said 20% of bar owners said they had been the victim of theft in some form or another. It went on to say that the other 80% were either lying or not aware of just how widespread theft and fraud in this industry is.

In an average week, I work with 5 or 6 Hospitality Business owners in identifying stock and cash losses and implementing simple effective procedures to Identify when theft is occurring, Eliminate the losses once identified, and Implement a procedure to prevent it from happening again. It never fails to amaze me as to the level of complacency that exists and the potential that exists for significant losses.

Follow these steps and you’ll reduce the risks in your business:

via 5 Ways to Reduce Theft in your Bar.

The Problem with Logging

Posted in PCI by ebs4pos on October 25, 2009

Kim Zetter from Wired Magazine put Wal-Mart back in the news recently with information about an alleged incident that occurred in the 2005-2006 timeframe. One of the key issues making the rounds is the following assertion made by Zetter:

The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.

Logs serve multiple purposes, and for that reason they tend to grow rapidly. Sure, storage is cheap nowadays, but every company still struggles with this very basic concept. While I won’t speak specifically to the Wal-Mart incident (Evan Schuman has some great additions), I will address some of what I see with my customers and their struggles with logging.
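As an added example that is not part of Branden Williams’s post or the Wired report, the following Python detection runs over constructed auth-log lines (the hostname, user names and RFC 5737 test addresses are made up) and shows what the assertion quoted above costs a defender. Both checks it performs, a success that follows a burst of failures from the same source and a success from a source never seen before, depend on successful logins being recorded at all; the `failures_only` switch simulates a server that keeps only the failed attempts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like layout (not real log data from any retailer).
SAMPLE_LOG = """\
2009-10-21T02:14:05 posserver01 auth: FAILED login user=admin src=198.51.100.7
2009-10-21T02:14:07 posserver01 auth: FAILED login user=admin src=198.51.100.7
2009-10-21T02:14:09 posserver01 auth: FAILED login user=admin src=198.51.100.7
2009-10-21T02:14:12 posserver01 auth: SUCCESS login user=admin src=198.51.100.7
2009-10-21T08:01:44 posserver01 auth: SUCCESS login user=jsmith src=10.0.4.21
2009-10-21T08:03:10 posserver01 auth: FAILED login user=jsmith src=10.0.4.21
2009-10-21T08:03:15 posserver01 auth: SUCCESS login user=jsmith src=10.0.4.21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text: str) -> list:
    """Turn raw lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records


def success_after_failures(records, threshold=3, window=timedelta(minutes=10)) -> list:
    """Flag a SUCCESS for a (user, src) pair preceded by at least `threshold` FAILED
    attempts from that pair inside `window`: a guessing run that eventually worked."""
    recent = defaultdict(deque)  # (user, src) -> timestamps of recent failures
    alerts = []
    for r in records:
        q = recent[(r["user"], r["src"])]
        while q and r["ts"] - q[0] > window:  # expire failures outside the window
            q.popleft()
        if r["result"] == "FAILED":
            q.append(r["ts"])
        elif len(q) >= threshold:
            alerts.append((r["ts"].isoformat(), r["user"], r["src"], len(q)))
            q.clear()
    return alerts


def first_seen_sources(records, known: set) -> list:
    """Flag a SUCCESS from a source address that is not in the baseline of known sources."""
    alerts = []
    seen = set(known)
    for r in records:
        if r["result"] == "SUCCESS" and r["src"] not in seen:
            alerts.append((r["ts"].isoformat(), r["user"], r["src"]))
            seen.add(r["src"])
    return alerts


def run(text: str, failures_only: bool = False) -> dict:
    """failures_only=True keeps just the FAILED lines, as a server that logs only
    unsuccessful attempts would have done; both detections then go blind."""
    records = parse(text)
    if failures_only:
        records = [r for r in records if r["result"] == "FAILED"]
    return {
        "guessing_success": success_after_failures(records),
        "new_source_success": first_seen_sources(records, known={"10.0.4.21"}),
    }


if __name__ == "__main__":
    print("full log:     ", run(SAMPLE_LOG))
    print("failures only:", run(SAMPLE_LOG, failures_only=True))
```

On the full log the admin login at 02:14:12 trips both checks (three failures in the preceding minute, and an address outside the baseline); jsmith’s single typo followed by a success does not. With only the failures retained, the same guessing run is still visible, but nothing says whether it ever succeeded, which is exactly the analysis the quoted sentence describes as frustrated.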

via Branden Williams’s Security Convergence Blog » The Problem with Logging.

MasterCard/Visa Remove Reciprocity

Posted in PCI by ebs4pos on October 25, 2009

Thanks to a fellow reader for pointing this out! It appears that MasterCard and Visa (sorta) have removed the reciprocity statements from their level definitions. Discover still has the reciprocity statement on their levels, American Express and JCB never used reciprocity for their level definitions (to my best recollection).

Several industry insiders have been told that it was never the intent of MasterCard to force a merchant that accepts a single JCB card to go through an on-site assessment if they did not meet the MasterCard threshold. Now it appears that this is the case as the official merchant level definitions reflect exactly this.

Unfortunately, the road does not end there. In fact, it starts forking like crazy.

Now that reciprocity is gone, you have to take each card brand’s volume INDIVIDUALLY in order to determine your level and requirements. As you know, each brand may end up with different validation requirements depending on where you fall in the spectrum. For example, a merchant processing 2,000 Discover, 2 Million MasterCard, and 50,000 non-ecommerce Visa transactions annually is considered a level 2 with MasterCard & Discover, and a level 4 with Visa. This means they must have an on-site assessment thanks to MasterCard’s program (facing fines if you don’t) and submit an SAQ to Discover, yet are not required to submit anything for Visa. WOW! Can it GET any more complex?


Visa Canada still uses reciprocity in their merchant levels and still requires QSAs to attest to merchants’ SAQs. For some strange reason, it appears that Level 1 Visa merchants in Canada must do both an SAQ and a ROC? I think there is a typo there, but I could be wrong.

Your merchant level discussion just got much more complex. If all else fails, your best bet is to list out your annual card acceptance rates by brand, and double check the levels on their website to determine what you need to do. This is an important discussion to have with your QSA (if you use one) to make sure that all of the reporting criteria are met.

via Branden Williams’s Security Convergence Blog » MasterCard/Visa Remove Reciprocity.

An Ode to Diapers: Finding What You’re Truly Passionate About

Posted in General Business by ebs4pos on October 24, 2009

I opened the diaper, but I already knew it wasn’t going to be pretty. I had just rolled the inside of Sam’s shirt up so that I as I peeled it off him his head would remain cleaner than his bottom. Suffice it to say that the clean-up took a little while, and involved a little wriggling, struggle, smearing, and washing up.

I was reminded of this when a reader emailed me this question about finally getting his business going:

“I don’t know if it’s fear or some other issue holding me back from really getting going or if it’s simply that I haven’t found something or the idea that really gets my blood pumping. I still carry around a notebook, jotting down ideas and thoughts, etc. when the logical part of my brain says I really should get my a** into gear and get going. 🙂

“Any thoughts or advice or perhaps resource pointers to really figure out my purpose, passion, the idea to surround my business with would be much appreciated.”

I have so much respect for this guy. From the rest of his letter (no, I’m not showing you the other bits) it’s really clear he has a tremendous amount of skill, integrity, sincerity and desire. And yet he’s waiting to get going. His best guess so far, as you can tell, is that he just hasn’t found a business idea that he’s passionate enough about.

He hasn’t found what he really wants to do.

There’s a reason he hasn’t found it. And he won’t.

via An Ode to Diapers: Finding What You’re Truly Passionate About » Heart of Business.

Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices

Posted in General Business,Online Business,Security by ebs4pos on October 24, 2009

Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the internet and their owners have failed to change the manufacturer’s default password.

Linksys routers had the highest percent of vulnerable devices found in the United States — 45 percent of 2,729 routers that were publicly accessible still had a default password in place. Polycom VoIP units came in second, with default passwords lingering on about 29 percent of 585 devices accessible over the internet.

“You can reflash the firmware or install any software you wish on vulnerable devices,” said Salvatore Stolfo, a Columbia University computer science professor who is overseeing the research project aimed at uncovering vulnerable appliances on the internet. “These devices will be owned and used by bot herders and other miscreants.”

Hackers can use vulnerable routers to conduct click fraud or DNS cache poisoning attacks or to launch attacks on other systems. (See our recent Threat Level story about vulnerable routers used by Time Warner customers.) Someone with remote access to the administrative interface of a VoIP system would also be able to install firmware to record conversations.

via Scan of Internet Uncovers Thousands of Vulnerable Embedded Devices | Threat Level | Wired.com.
