Heartland Lawsuit Revived By Appeals Court

Heartland Payment Systems can be sued by several card-issuing banks for negligence after all. On Tuesday (Sept. 3), a three-judge panel of the 5th U.S. Circuit Court of Appeals ruled that a federal court in Texas erred in March 2012 when it threw out the case on the basis of the economic loss doctrine. (Don't worry, we'll get to what that means.) That effectively ended the financial institutions' case against Heartland, which stemmed from the processor's now-legendary 2008 data breach.

But the appeals court said that while the judge was right about Texas law, Heartland could be sued under New Jersey law, where Heartland is headquartered, because the economic loss doctrine works differently there. The key issue: Except for going to court, the issuing banks had no clear way of going after Heartland to get their money back. That means the case is alive again and will return to Texas for further proceedings.

Data Broker's Transparency Isn't Quite In Both Directions

In a move that will satisfy nobody, data broker Acxiom announced that, beginning Sept. 4, it is launching a new website where people can log in and see some of what the data broker knows about them. This is supposed to be a move toward greater transparency and openness, and in that respect it is a good move, but ultimately it may result in data brokers having more information about consumers.

What appears to be a service for consumers is, in fact, a service that benefits the data broker and its customers, writes Legal Columnist Mark Rasch—and it only indirectly helps out the consumer. What it definitely doesn't tell consumers is exactly where data about them comes from, and especially what it will be used for.

Is This The End Of CRM As We Know It?

You know all that CRM data you've been so lovingly collecting from loyalty programs, special offers, POS systems and any other way you could find to gather shopper information? It's about to be put at risk by a data broker—and not in the way you expected. Acxiom, one of the world's biggest data brokers, is opening a portal this week that will let consumers see much of the information that Acxiom has about them and where (in general terms) it came from, as well as correct it. The portal will also let consumers opt out of having the information used in the future.

What's that have to do with your CRM data? Simple: Acxiom is doing this to get out in front of federal regulation. The example it sets may well end up as the model that the Federal Trade Commission (FTC) uses for all non-credit marketing data. Unless you're ready right now to give your customers access to their data—or at least a big chunk of it—that data is at risk.

Genesco Winning Against Visa In Breach-Fines Case? Its New Motion May Tell The Tale

Genesco (NYSE:GCO), which has been waging what at first appeared to be a quixotic battle against Visa's PCI fines for a 2010 breach, is doing surprisingly well. First a U.S. District Court in Tennessee rejected Visa's arguments that Genesco shouldn't be allowed to sue Visa over the $13 million in fines that Visa assessed after the breach. Now Genesco has filed its own motion for summary judgment, asking the court to declare that Visa couldn't fine Wells Fargo and Fifth Third $5,000 each for the breach because, under California law, that's only allowed if it's in proportion to the amount of the breach.

Those $5,000 fines are pocket change compared with the major PCI fines that the banks were assessed (and passed along to Genesco, as usual). But if U.S. District Judge William Haynes Jr. buys Genesco's argument—and he seems to be agreeing with Genesco a lot so far—that could augur badly for Visa, both in this case and in future efforts to assess PCI fines that aren't directly related to provable damages caused by the breach.

Citi Pays $55,000 For $2.7 Million 2011 Breach

Citi has paid $55,000 to settle a lawsuit by the Connecticut attorney general over a 2011 breach that exposed payment card numbers of 360,000 cardholders—only 5,066 of whom were from Connecticut. The settlement, which was announced last Thursday (Aug. 29), is the first to come out of the breach more than two years ago, and could set the standard for settlements in other states. (California had more than 80,000 affected cardholders, and it helped out with the Connecticut investigation.)

At the time the breach was revealed in June 2011, media reports said thieves eventually stole $2.7 million using affected accounts. Reports also said the hackers didn't have to do anything sophisticated to get access to the card data. The thieves just logged into the Citi site reserved for credit card customers, noticed that the URL included the account number, replaced that with a different account number and got access to another customer's information without any further authentication. An automated program made it possible to collect data on hundreds of thousands of numbers. And that, unfortunately, isn't the worst of it.
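The URL-tampering attack described above is a textbook insecure direct object reference: the server trusts an identifier supplied by the client instead of checking that the identifier belongs to the authenticated session. The following is an added example, not part of the original article and not Citi's code. It puts a lookup that trusts the account number in the URL beside one that binds the lookup to the logged-in user, and includes the kind of automated enumeration loop the reports describe. Account numbers, owner names and balances are constructed sample data, and all function names are assumptions.

```python
"""Insecure direct object reference: vulnerable lookup beside a hardened one.

Added example (not Citi's code). The data model, names and handlers are
assumptions chosen to mirror the flaw described in the article.
"""

# Constructed sample data standing in for a cardholder database:
# account number -> record, with the owning login recorded on each row.
ACCOUNTS = {
    "4111000000000001": {"owner": "alice", "balance": 120.50},
    "4111000000000002": {"owner": "bob", "balance": 9875.00},
    "4111000000000003": {"owner": "carol", "balance": 42.00},
}


class Forbidden(Exception):
    """Raised when a record exists but is not available to this session."""


def view_account_vulnerable(session_user, account_number):
    """Mirrors the flaw: the URL parameter alone selects the record and the
    logged-in user is never compared with the record's owner, so any
    authenticated user can read any account by editing the URL."""
    rec = ACCOUNTS.get(account_number)
    if rec is None:
        raise KeyError(account_number)
    return rec


def view_account_fixed(session_user, account_number):
    """Authorization check: the record must belong to the authenticated user.
    'Not found' and 'not yours' produce the same error so the endpoint cannot
    be used to discover which account numbers exist."""
    rec = ACCOUNTS.get(account_number)
    if rec is None or rec["owner"] != session_user:
        raise Forbidden("account not available")
    return rec


def view_own_accounts(session_user):
    """Preferred design: derive the record set from the session, so the client
    never supplies an identifier it could tamper with."""
    return {k: v for k, v in ACCOUNTS.items() if v["owner"] == session_user}


def enumerate_accounts(handler, session_user, start, count):
    """The automated harvesting step: walk nearby account numbers through a
    single authenticated session and keep whatever the handler returns.
    Against the vulnerable handler this yields other customers' records;
    against the fixed one it yields only the caller's own."""
    harvested = {}
    for n in range(start, start + count):
        acct = f"{n:016d}"  # zero-padded 16-digit account number
        try:
            harvested[acct] = handler(session_user, acct)
        except (KeyError, Forbidden):
            continue
    return harvested


if __name__ == "__main__":
    base = 4111000000000000
    print("vulnerable:", sorted(enumerate_accounts(view_account_vulnerable, "alice", base, 10)))
    print("fixed:     ", sorted(enumerate_accounts(view_account_fixed, "alice", base, 10)))
    print("own:       ", sorted(view_own_accounts("alice")))
```

The ownership check in `view_account_fixed` is the minimum fix; `view_own_accounts` shows the stronger design, in which the account number never appears in the URL at all. Either way, a burst of sequential account-number requests from one session is exactly the pattern worth alerting on, since a real customer has no reason to produce it.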

Everyone Tells Debit-Fee Cap Judge: Please Leave It Alone For Now!

At least there's one thing the warring parties in the debit-fee cap lawsuit agree about. Last Thursday (Aug. 29), lawyers for both the Federal Reserve and retailer groups asked U.S. District Judge...

Walgreens' Shelf-Tag Price Problems Draw Another Lawsuit

Walgreens (NYSE:WAG) is in trouble over pricing discrepancies for the third time this year. On Aug. 27, the Missouri attorney general sued the 7,800-drugstore chain, claiming that undercover investigators were charged more than shelf tags said they should for more than 20 percent of the items they bought in tests at Walgreens stores in five Missouri cities. That's after a $1.4 million January settlement in California over pricing issues in the San Francisco Bay area and a $300,000 settlement in March in Wisconsin in a similar case.

At a certain point, this begins to smack of sloppiness, and not just at the level of store management. Yes, that's likely a problem, since one of the most common reasons for pricing problems is that shelf tags haven't been updated. But this is now a recurring issue in three separate states. That makes it time for Walgreens' IT to start looking for technology solutions that will be cheaper than trying to get store managers to do their jobs. (That is what store technology is for, right?)

Why Is Amazon Going To The Supreme Court Over Sales Taxes?

Oh, Amazon (NASDAQ:AMZN), we've missed this side of you. For the past two years, Amazon has been a vocal advocate of a federal law making online sales taxes legal. But the e-commerce giant still had...

New Social-Data Credit Reports May Be Legal. But Do They Make Sense?

A scientific study several years ago indicated that the best way for people to lose weight was for them to have friends who were dieting. The impact of peer pressure on behavior has long been measured. Now, according to an article in CNN Money, a number of companies like Lenddo, Kreditech and Kabbage, are trying to bring this "peer pressure" mentality to the measurement of credit risk. It goes a long way towards answering the ultimate privacy question, "If I am not doing anything wrong, why should I care about privacy?"

The new credit reporting companies use data analytics to measure a consumer's likelihood of default by measuring not only his or her personal factors, but also the factors of that person's contacts, friends and associates on social networking sites like Facebook, LinkedIn and Twitter. For retailers using those new-style credit reports, the new approaches might pass muster under the federal Fair Credit Reporting Act, writes Legal Columnist Mark Rasch. That doesn't answer the question of whether they actually say anything about how credit-worthy the customer really is.

Tesco: Just One Iffy Idea After Another

We were going to say something this week about unconfirmed reports that U.K. grocery giant Tesco is planning to sell its own branded tablet, but we've already talked about that in our sister...

Extra! Extra! Get Yer How-To-Launch-A-Cyberattack Instructions Right Here!

How do you know when prepaid automated cyberattacks have hit the mainstream? When mainstream newspapers give them free advertising. This month at a Usenix security conference held in Washington,...

U.S. Secret Service: Five Retailer Breaches Are Linked

If it seems like this spring and summer have seen a rash of supermarket-chain security breaches, it turns out there's a reason. Five recent cyberattacks against smaller retail chains all appear to have come from the same overseas criminal gang, according to the U.S. Secret Service. That includes the breach at Schnuck Markets that netted thieves as many as 2.4 million card numbers, four other breaches at chains a Secret Service spokesman declined to name, and a collection of retailers in Kentucky and Indiana who all shared the same local reseller who provided the POS remote-access software that thieves exploited.

While investigators wouldn't finger the victims other than Schnuck's, it's easy to make a short list of likely suspects who reported apparent remote-access breaches over the past six months. They include regional grocery chains Bashas and Raley's, restaurant chain Zaxby's, convenience store chain Mapco Express (NYSE:DK) and discount hardware chain Harbor Freight Tools.

McDonald's Happy Table Isn't Something Real IT Has A Use For, Or Is It?

Of all the technology experiments that McDonald's (NYSE:MCD) has tried around the world, the one that seems the least like "real IT" is something called the Happy Table. The idea was that in Singapore there's no room for children's play areas in the restaurant, because real estate is just too expensive there. The solution: Stick a few NFC tags to the underside of tables, write an app for NFC-equipped Android phones to detect position from them, and let the kids drive virtual go-karts through a tabletop version of McDonaldLand. Just an ordinary day in the data center, right?

Of course, in the best tradition of cheap, hacked-together projects, the Happy Table actually works very well. It is cheap on the hardware side—all that's required for the restaurant is a few dollars' worth of NFC tags that don't contain any proprietary information. On the software side, there's an app to write that can detect those tags and also entertain the kids, and that can't look cheap or hacked together. But once it's written, the cost of rolling it out widely is very low. That's what McDonald's plans to do next, all over Asia. And McDonald's IT? It should be working fast to leverage everything it can get from the Happy Table.

Fed To Retailers: No, We're Not Cutting Debit Interchange Until The Supreme Court Says We Have To

So much for billions in debit-interchange refunds for retailers—at least for the next few years. Last Wednesday (Aug. 21), lawyers for the Federal Reserve told a federal judge that they had appealed his ruling striking down the Fed's 21-cent debit-fee cap, and that the Fed has no plans to recalculate the fee during the appeal.

The Fed's appeal was actually much quicker than it technically had to be—just 21 days after U.S. District Judge Richard Leon's ruling instead of the 60 days the Fed had to decide whether to appeal. In practical terms, though, the move means banks will probably get several more years to keep charging retailers higher debit interchange than may be legally allowed—and pocketing an extra $3.5 billion per year.

Harris Teeter's Home-Grown Mobile Wallet: Is This Grocery's Starbucks Moment?

Why is Harris Teeter making its own mobile wallet? The 212-store mid-Atlantic grocery chain didn't really build the wallet that it's piloting starting this month at a supermarket in suburban Charlotte, N.C.—it's using a white-label wallet from startup Paydiant. But why not PayPal, Isis, Google Wallet, Square or any of the other existing, fully developed mobile wallets? The answer may be right there in the question: Those name-brand wallets are too fully developed for what Harris Teeter has in mind.

Those big-name mobile wallets all have their own very specific transaction models. Their developers know exactly what they want their wallets to do and be used for, and retailers are the ones who have to make adjustments to shoehorn the wallet systems in. That's why retailers have to, in essence, be bribed—and the bribes aren't nearly big enough to really change a chain's behavior. To paraphrase the old light-bulb joke, it only takes one vendor to change a retailer's POS—but the retailer has to really want to change. And most retailers don't.

In The As-A-Service Society, Retailers Hold All The Cards, At Least For Now

Moving from an ownership society to an "as a service" society radically transforms the nature of the relationship between the consumer and the retailer. As consumers merely "rent" that which they used to own, the retailer has the ability—and the legal authority—to cut off customers whenever the retailer changes its business model. Businesses create their own digital repossession rights, which leave consumers out in the cold, and it may take new deceptive trade practice laws to reverse this trend.

Case in point: Legal Columnist Mark Rasch recently bought a replacement Amazon Kindle 3G, and paid an extra $50 for 3G Internet access, which Amazon touted as giving him the ability to access the Internet and download books without requiring his own Wi-Fi connection. But when the Kindle Keyboard 3G stopped working, he replaced it with a Kindle Touch 3G—and when he tried to use the 3G Internet access, he was in for a shock.

PCI 3.0 Pushes Security, Not Just Requirements

If you want to get a handle on PCI version 3.0, one place to start is compensating controls. You know the idea: You can't meet the letter of some PCI requirement, so you come up with an alternative security measure that your QSA confirms will produce the same result. Instead of having to twist your systems in knots over a requirement, you focus on making your systems secure. And that, in a nutshell, is what the new version of the PCI Data Security Standard is trying to do too.

Last Thursday (Aug. 15) the PCI Council released what it calls "change highlights" for the new version, which will officially be published in November and will go live on Jan. 1, 2014. There are some specific new requirements, but with version 3, the big picture is that PCI wants you to focus on the big picture—ongoing security instead of meeting checklist requirements when a QSA comes to inspect. And while it all makes sense in context, it may be hard for some retail IT people to get from PCI-is-a-pain to PCI as a framework for doing business.

Payment Card Usage Is Up. Payment Card Fraud Is Up More.

If you were under the impression that payment card fraud was headed down, new numbers from the Nilson Report aren't going to brighten your day. The newsletter reported last Thursday (Aug. 22) that...

Biometric Authentication, Cracked In Seconds? OK, Maybe We're Being A Little Optimistic Here

With all the current retail-related efforts at biometric security—everything from PayPal's (NASDAQ:EBAY) authentication-by-photo to the iPhone's supposed new fingerprint feature—it's useful to be...

American Apparel's RFID Project Doesn't Automate Cycle Counts, It Wipes Them Out

A funny thing happened on the way to American Apparel (AMEX:APP) using RFID to automate the process of inventory cycle counts: The retailer threw out the process. Instead of using RFID technology to let associates count faster—which is what CTO Stacey Shulman was talking about a couple of years ago—there are now going to be no associates, no counting, no cycle time. Instead, ceiling-mounted RFID antennas will track inventory continuously. From the point of view of store managers and associates, the process won't be automated. It will be gone.

Technically, of course, it will just be invisible, involve no store manpower, and have cycles too short to notice and too frequent to count. But change a store process that much and it really is gone. That's the kind of transformation that pundits like to talk about, but almost no chains actually do—mainly because retail IT departments are too busy automating processes instead of obliterating them.