What was billed as the final showdown over the mammoth interchange settlement on Thursday (Sept. 12) turned out to be as contentious as the year leading up to it. It took more than five hours for U.S. District Judge John Gleeson to listen to the parade of critics and objectors in his Brooklyn courtroom. By the end, he was clearly frustrated. "Is this ever going to come to an end without comprehensive legislation?" he asked at one point.
Well, it might if someone would actually get all the way to trial with a lawsuit over whether Visa (NYSE:V) and MasterCard's (NYSE:MA) rules for card acceptance and interchange fees violate antitrust laws. And that might happen even if Judge Gleeson approves the settlement, since both merchants, including Target (NYSE:TGT) and Macy's (NYSE:M), and card brands have already filed new lawsuits over the antitrust question. In the meantime, the judge has a pile of arguments to deal with in the weeks or months before he issues his ruling.
Sometimes it's the little things. Apple just announced its new version of the iPhone, and among the (mostly minor) changes, the company added a little thing that is a potential game changer: a fingerprint reader to authenticate the user. It's a simple biometric of the type that has been on many computers for years. But just as the addition of the iTunes store to the iPod transformed digital purchases, and the addition of apps to iOS transformed software, the addition of the biometric reader can transform identity management, online purchases, key management and DRM, and can be used to either enhance or destroy privacy as we know it.
But there are problems with biometrics, writes Legal Columnist Mark Rasch, and some of them are inherent. The second thing an electronic fingerprint system must do is scan the fingerprint and create some form of digital representation of what has been scanned. The first step? That's the hardest: Having a way of identifying the individual who's being biometrically "fingerprinted."
Apple (NASDAQ:AAPL) has discovered the fingerprint. OK, Apple actually discovered the fingerprint in 2008, when it began filing patents for biometric security. But after five years and the acquisition of biometric authentication vendor AuthenTec, on Tuesday (Sept. 10) Apple finally unveiled an iPhone that can be unlocked with a fingerprint. Very impressive, and something Apple views as crucial for its eventual foray into mobile payments. The only problem? It's really not enough.
That's not a knock against AuthenTec or Apple. There's a fundamental problem with all fingerprint-based authentication—and the very reason it's so popular for law enforcement. The huge advantages of fingerprints over any traditional password or fob system are that (a) they're virtually unique, and (b) users aren't likely to lose, forget or get confused about them. The big problem with fingerprints? You leave copies of them virtually everywhere you go.
We know PayPal is probably the most committed U.S. mobile payments player whose name isn't Starbucks (NASDAQ:SBUX), so we're trying not to be cynical about PayPal Beacon, the hands-free in-store...
How is it that Twitter has become one of the most valuable social-media tools for most retailers and one of the biggest and hardest-to-nail-down risks for them? That question cropped up again last Thursday (Sept. 5), when popular multi-account Twitter management tool HootSuite announced a partnership with Nexgate to finally provide what, in any other context, would be considered the absolute minimum tools necessary to keep an organization from regularly shooting itself in the corporate foot.
The problem, in a nutshell, is that Twitter was never designed for this. Like so many other things on the Internet, it was intended as something relatively simple for ordinary users—in this case, an online replacement for mobile text messages. But the combination of potentially instant response and the fact that Twitter is free made it perfect for everything from customer service to group chats, at least in the eyes of budget-strapped corporate users. Could anyone have intentionally designed an Internet boobytrap more potentially devastating? Probably not.
Amid a lot of wailing among bankers over the 21-cent cap on debit interchange fees—and now the threat that the cap could be pushed even lower by a Washington, D.C., federal judge—a little bit of inconvenient reality has shown up. Mark Horwedel, CEO of the Merchant Advisory Group, actually remembers why banks started using debit cards in the first place. More to the point, he remembers that debit interchange fees weren't capped at all back then—because there wasn't any debit interchange.
Yes, that interchange-free time is ancient history—way back in the 1990s. It was also a time when big retail chains actually had some control in a major part of the payment system. If you want a clear picture of how chains are capable of losing that kind of self-determination—and how it's likely to happen again with whatever new payments systems retailers adopt in the next few years—this is a useful reminder.
Heartland Payment Systems can be sued by several card-issuing banks for negligence after all. On Tuesday (Sept. 3), a three-judge panel of the 5th U.S. Circuit Court of Appeals ruled that a federal court in Texas erred in March 2012 when it threw out the case on the basis of the economic loss doctrine. (Don't worry, we'll get to what that means.) That effectively ended the financial institutions' case against Heartland, which stemmed from the processor's now-legendary 2008 data breach.
But the appeals court said that while the judge was right about Texas law, Heartland could be sued under New Jersey law, where Heartland is headquartered, because the economic loss doctrine works differently there. The key issue: Except for going to court, the issuing banks had no clear way of going after Heartland to get their money back. That means the case is alive again and will return to Texas for further proceedings.
In a move that will satisfy nobody, data broker Acxiom announced that, beginning Sept. 4, it has launched a new website, AboutTheData.com, where people can log in and see some of what the data broker knows about them. This is supposed to be a move toward greater transparency and openness, and toward that end is a good move, but ultimately it may result in data brokers having more information about consumers.
What appears to be a service for consumers is, in fact, a service that benefits the data broker and its customers, writes Legal Columnist Mark Rasch—and it only indirectly helps out the consumer. What it definitely doesn't tell consumers is exactly where data about them comes from, and especially what it will be used for.
You know all that CRM data you've been so lovingly collecting from loyalty programs, special offers, POS systems and any other way you could find to gather shopper information? It's about to be put at risk by a data broker—and not in the way you expected. Acxiom, one of the world's biggest data brokers, is opening a portal this week that will let consumers see much of the information that Acxiom has about them and where (in general terms) it came from, as well as the ability to correct it. The portal will also let consumers opt out of having the information used in the future.
What's that have to do with your CRM data? Simple: Acxiom is doing this to get out in front of federal regulation. The example it sets may well end up as the model that the Federal Trade Commission (FTC) uses for all non-credit marketing data. Unless you're ready right now to give your customers access to their data—or at least a big chunk of it—that data is at risk.
Genesco (NYSE:GCO), which has been waging what at first appeared to be a quixotic battle against Visa's PCI fines for a 2010 breach, is doing surprisingly well. First a U.S. District Court in Tennessee rejected Visa's arguments that Genesco shouldn't be allowed to sue Visa over the $13 million in fines that Visa assessed after the breach. Now Genesco has filed its own motion for summary judgment, asking the court to declare that Visa couldn't fine Wells Fargo and Fifth Third $5,000 each for the breach because, under California law, that's only allowed if it's in proportion to the amount of the breach.
Those $5,000 fines are pocket change compared with the major PCI fines that the banks were assessed (and passed along to Genesco, as usual). But if U.S. District Judge William Haynes Jr. buys Genesco's argument—and he seems to be agreeing with Genesco a lot so far—that could augur badly for Visa, both in this case and in future efforts to assess PCI fines that aren't directly related to provable damages caused by the breach.
Citi has paid $55,000 to settle a lawsuit by the Connecticut attorney general over a 2011 breach that exposed payment card numbers of 360,000 cardholders—only 5,066 of which were from Connecticut. The settlement, which was announced last Thursday (Aug. 29), is the first to come out of the breach more than two years ago, and could set the standard for settlements in other states. (California had more than 80,000 affected cardholders, and it helped out with the Connecticut investigation.)
At the time the breach was revealed in June 2011, media reports said thieves eventually stole $2.7 million using affected accounts. Reports also said the hackers didn't have to do anything sophisticated to get access to the card data. The thieves just logged into the Citi site reserved for credit card customers, noticed that the URL included the account number, replaced that with a different account number and got access to another customer's information without any further authentication. An automated program made it possible to collect data on hundreds of thousands of numbers. And that, unfortunately, isn't the worst of it.
At least there's one thing the warring parties in the debit-fee cap lawsuit agree about. Last Thursday (Aug. 29), lawyers for both the Federal Reserve and retailer groups asked U.S. District Judge...
Walgreens (NYSE:WAG) is in trouble over pricing discrepancies for the third time this year. On Aug. 27, the Missouri attorney general sued the 7,800-drugstore chain, claiming that undercover investigators were charged more than shelf tags said they should for more than 20 percent of the items they bought in tests at Walgreens stores in five Missouri cities. That's after a $1.4 million January settlement in California over pricing issues in the San Francisco Bay area and a $300,000 settlement in March in Wisconsin in a similar case.
At a certain point, this begins to smack of sloppiness, and not just at the level of store management. Yes, that's likely a problem, since one of the most common reasons for pricing problems is that shelf tags haven't been updated. But this is now a recurring issue in three separate states. That makes it time for Walgreen's IT to start looking for technology solutions that will be cheaper than trying to get store managers to do their jobs. (That is what store technology is for, right?)
Oh, Amazon (NASDAQ:AMZN), we've missed this side of you. For the past two years, Amazon has been a vocal advocate of a federal law making online sales taxes legal. But the e-commerce giant still had...
A scientific study several years ago indicated that the best way for people to lose weight was for them to have friends who were dieting. The impact of peer pressure on behavior has long been measured. Now, according to an article in CNN Money, a number of companies, like Lenddo, Kreditech and Kabbage, are trying to bring this "peer pressure" mentality to the measurement of credit risk. It goes a long way towards answering the ultimate privacy question, "If I am not doing anything wrong, why should I care about privacy?"
The new credit reporting companies use data analytics to measure a consumer's likelihood of default by measuring not only his or her personal factors, but also the factors of that person's contacts, friends and associates on social networking sites like Facebook, LinkedIn and Twitter. For retailers using those new-style credit reports, the new approaches might pass muster under the federal Fair Credit Reporting Act, writes Legal Columnist Mark Rasch. That doesn't answer the question of whether they actually say anything about how credit-worthy the customer really is.
How do you know when prepaid automated cyberattacks have hit the mainstream? When mainstream newspapers give them free advertising. This month at a Usenix security conference held in Washington,...
If it seems like this spring and summer have seen a rash of supermarket-chain security breaches, it turns out there's a reason. Five recent cyberattacks against smaller retail chains all appear to have come from the same overseas criminal gang, according to the U.S. Secret Service. That includes the breach at Schnuck Markets that netted thieves as many as 2.4 million card numbers, four other breaches at chains a Secret Service spokesman declined to name, and a collection of retailers in Kentucky and Indiana who all shared the same local reseller who provided the POS remote-access software that thieves exploited.
While investigators wouldn't finger the victims other than Schnuck's, it's easy to make a short list of likely suspects who reported apparent remote-access breaches over the past six months. They include regional grocery chains Bashas and Raley's, restaurant chain Zaxby's, convenience store chain Mapco Express (NYSE:DK) and discount hardware chain Harbor Freight Tools.
Of all the technology experiments that McDonald's (NYSE:MCD) has tried around the world, the one that seems the least like "real IT" is something called the Happy Table. The idea was that in Singapore there's no room for children's play areas in the restaurant, because real estate is just too expensive there. The solution: Stick a few NFC tags to the underside of tables, write an app for NFC-equipped Android phones to detect position from them, and let the kids drive virtual go-karts through a tabletop version of McDonaldLand. Just an ordinary day in the data center, right?
Of course, in the best tradition of cheap, hacked-together projects, the Happy Table actually works very well. It is cheap on the hardware side—all that's required for the restaurant is a few dollars' worth of NFC tags that don't contain any proprietary information. On the software side, there's an app to write that can detect those tags and also entertain the kids, and that can't look cheap or hacked together. But once it's written, the cost of rolling it out widely is very low. That's what McDonald's plans to do next, all over Asia. And McDonald's IT? It should be working fast to leverage everything it can get from the Happy Table.