November 17, 2008

Not Connecting With Your Customers? A Social Network May Be a Solution.

Like many of you, I find that sometimes it is difficult to know how social networking can play a part in business – especially small e-commerce and retail businesses. More and more we are seeing companies experiment with or incorporate social networking sites into their marketing strategies. As confusing as it can be – I am intrigued and think that it is very important for all of us to pay attention to trends in this space. For instance, if you’ve been on YouTube lately, you may have noticed that the popular video site is now in the e-commerce business.

The Google-owned company recently announced that it was adding “click-to-buy” links to thousands of videos and will be partnering with e-commerce juggernauts iTunes and Amazon.com in the process.

Watching a video about a soon-to-be-released video game? Well, now you can just click a link and buy it! It’s a bold move that should benefit both the retailers and YouTube.

Which brings me back to the world of social networking and how it can help small- and medium-sized retailers. Did you know that heavy social-networking site users are more apt to visit online retail sites? According to a 2007 comScore study, 95 percent of people who regularly visited sites such as Facebook, MySpace and YouTube said they also visited retail sites. That’s compared to 80 percent of the total U.S. Internet audience.

If you’re marketing to a younger populace, you may absolutely want to think about a social network strategy. According to a recent study by shopping comparison site PriceGrabber, 85 percent of Generation Y participates in some form of social networking.

I recently interviewed Kristi Grigsby, marketing director for Neighborhood America, an organization that builds enterprise-oriented social networks for clients ranging from Volkswagen to Fox News, on how these sites can benefit retailers.

First, Grigsby says, you need to determine if a social site is right for you. She says that merchants who already have customers are more apt to succeed than those who don’t. (After all, a network won’t do you much good if no one goes to it). Having a compelling product is another precursor. A retail technology product, for example, is a better candidate than, say, a lawn care product. (Nothing against lawn care products.)

So, what can a social site do for you? It will let you better connect with your customers. Yes, they will be in control. But that’s a good thing. Grigsby says that when your customers are in control, you will get unfiltered opinions—directly from the people buying your products. Wow – what a cost-effective way to generate some market research.

Best of all, social network sites aren’t just for large car companies or news organizations. Grigsby tells of one small t-shirt retailer, Threadless, which has been wildly successful with its network. The site lets users design their own shirts; the designs are voted on by other users, and the top-rated shirts are then made. The company (which is not a Neighborhood America client) is getting thousands of clothing designs for virtually nothing!

The 35-person firm adds 20,000 new members monthly and receives 150 new t-shirt designs every day. This year, the company expects to post $20 million in revenue!

“That’s a lot of t-shirts,” Grigsby says with a laugh.

Oh, and if you’re thinking that a down economy may not be a good time to start a network, you may want to think again.

“In these economic times, consumer spending is down,” Grigsby says. “It’s a competitive market. Never has there been a more critical time to think about connecting with customers more intimately — especially for retailers.”

I haven’t solved the mystery of social networking, but I will continue to share what I find out. We are interviewing a subject matter expert on this topic later this month – so stay tuned, it should be fascinating stuff!

'Til next time,
Joan
The eSecurity Diva

November 06, 2008

Anatomy of a Hacker

We’re constantly reading stories about hackers ripping off personal information and stealing money. In September, we even heard that someone broke into a certain vice presidential candidate’s e-mail account.

http://www.time.com/time/politics/article/0,8599,1842097,00.html

I must confess a certain intellectual curiosity about who these hackers actually are, their psychological makeup if you will. After all, we wouldn’t be in business if it weren’t for these criminals.

However, it turns out that most hackers don’t view themselves as criminals. USA Today has a fantastic read on the mind-set of the two cyber thieves recently busted for stealing tens of millions of credit card numbers from TJX and other retailers two years ago.

http://www.usatoday.com/tech/news/computersecurity/hacking/2008-10-22-hackers-mindset-data-theft_N.htm

Subject No. 1 is 27-year-old Albert Gonzalez, a Cuban-American who was previously arrested in 2003 on other credit card fraud charges. Seems to me that when Mr. Gonzalez is released, he should consider choosing another career. Because cybercrime is hardly profitable when you’re sitting in prison.   

Subject No. 2 is Irving Jose Escobar, who has amassed a pretty impressive rap sheet during his 20 years on the planet, including a home invasion robbery and—you guessed it—“illegal use of a credit card,” according to the paper. Ditto on the new career advice for Mr. Escobar.

Both of these men adamantly claim their innocence. And both claim the system that penalized them for stealing millions of dollars is corrupt. USA Today says many hackers are “young men…who think they’re doing the system a favor by exposing flaws and have no qualms about opportunities to exploit rich Westerners.”

Indeed, one cybercrime expert, David Perry, says most hackers “simply believe they are showing vulnerabilities in the system.” (And netting a nice paycheck in the process.)

Gonzalez and Escobar aren’t the only people charged with cybercrimes who are delusional. In July, a City of San Francisco computer engineer, Terry Childs, was arrested for withholding crucial access codes to a network that handles 60 percent of the city’s data. Childs claimed he was protecting San Francisco by keeping the mayor and others out of the system.

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/22/BAGF11T91U.DTL

The study of hacker personalities has even been debated in academia. Some professors have classified hackers into different groups, just like they have for violent criminals. Take a look at this Wired story from 1999.

http://www.wired.com/science/discoveries/news/1999/01/17427

I don’t know whether understanding the psychology of a hacker better prepares you to defend against them. But it certainly doesn’t hurt.

'Til next time,
Joan
The eSecurity Diva

November 04, 2008

PCI SAQ version 1.2 – A little more clarity for the smaller guys

Last week the PCI Council released version 1.2 of the Self-Assessment Questionnaire (SAQ). We’ve spent a fair amount of time analyzing the new version so that we can report the key changes to you. Overall, the changes aren’t significant, but it is clear that the PCI Council is starting to pay more attention to Level 4 merchants (as defined by Visa) by providing more clarity and flexibility in its questions. Since we are exclusively focused on small and medium-sized merchants, we are pleased to see progress in this area. That’s not to say there isn’t more work to be done.

But, I digress. In this post I’ll highlight the most notable change, and then I will provide you with a link to access more comprehensive analysis.

The most notable change in SAQ 1.2 is the ability to answer "Not Applicable" (N/A) to a question. Previously, only merchants qualifying for SAQ D (as opposed to A, B or C) could answer a question with anything other than "Yes" and still validate compliance: their alternate answer was "Special," meaning a compensating control that still met the intent of the requirement, and the merchant also had to complete a lengthy worksheet describing that control in detail. With SAQ 1.2, merchants filling out SAQ A, B or C can mark a requirement as not applicable to their environment and provide a brief explanation of why. For example, a merchant answering question 9.7.2, “Is the media sent by secure courier or other delivery method that can be accurately tracked?", who never sends media by courier at all can simply say so on the SAQ. Note that "not applicable" means the situation the requirement addresses never arises in your environment; it is not a way to skip a requirement you do have but haven’t met.

To access ControlScan’s complete analysis of the changes introduced in SAQ version 1.2, please click on the following link: http://www.pcicomplianceguide.org/merchants-20081030-saq-version-1_2.php

I am also interested in hearing your thoughts on the latest changes. Please share your point of view by commenting on this post.

'Til next time,
Joan
The eSecurity Diva

A Warning Bell for Retailers

As if you didn’t have anything else to worry about, a new report by Verizon Business says retailers are the No. 1 victim (or cause) of data breaches nationwide.

http://www.verizonbusiness.com/resources/security/databreachsuppwp.pdf

From 2004 to 2007, the retail industry accounted for 35 percent of all the data breaches Verizon investigated. That’s pretty striking if you think about it. Restaurants and grocery stores (20 percent) were the only other sector that came close. Financial services companies were a distant third at 14 percent.

But there is a silver lining in these statistics. And it’s a pretty thick lining. Unlike attacks on banks, attacks on retailers are far less sophisticated. That means these breaches are easier to prevent!

Often the target is a vulnerable point-of-sale (POS) system. In fact, 68 percent of retail attacks involved hackers taking advantage of open virtual private network connections or weak wireless security. Sometimes it’s as simple as a remote-access connection, typically one a vendor uses to support the POS system, left open when it isn’t being used.

Just think how many of these incidents could have been prevented with a few simple precautions: closing remote-access connections when they aren’t needed and securing the wireless network the POS system sits on.

Attacks that may be harder to prevent are those caused by or carried out through your partners. Thirty-six percent of retail breaches involved these third-party vendors. The retail and food industries in particular are more susceptible to vendor-caused breaches, because vendors often provide outsourced POS services and hold remote access to do so.

“We also see more and more where these third parties are specifically misusing that level of access granted to them,” said Bryan Sartin, director of investigative response for Verizon Business security solutions, who was quoted in CNET News.

 http://news.cnet.com/8301-1009_3-10056490-83.html

CNET says Verizon investigators often find that restaurant chains report similar problems concerning potential data breaches. "You'll see that they have the same fraud patterns and the same (illegitimate purchases), all within the same time frame,” Sartin says. “So it's compelling circumstantial evidence that it's the same perpetrator doing the same things we've seen elsewhere. And we can get good insight into how they did it. It always suggests that it was a vendor."

So how can you limit this third-party misuse? First of all, you need a secure network and you need to be PCI compliant. That includes having any custom-written payment applications reviewed by an organization that specializes in application security. It also means making sure all stored cardholder data is encrypted, and that prohibited data such as the full contents of the magnetic stripe is never stored after authorization at all, even in encrypted form.

http://www.pcicomplianceguide.org/

Then, if you haven’t already, make sure you fully understand how your vendors handle and store your customers’ data, and find out whether those vendors are themselves PCI compliant, since they will likely have access to at least some cardholder data. ANYONE who handles cardholder data must be in compliance.
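Encryption only protects the cardholder data you know you are storing. In practice the problem is usually a card number sitting in a web server log, a database export, a debug trace or a support ticket that nobody thought of as cardholder data, which is exactly how a merchant ends up holding unencrypted card numbers or magnetic-stripe data without realizing it. One check worth running before signing the SAQ is a PAN discovery scan of the systems in scope. The script below is an example added to this post (it is not ControlScan’s, Verizon’s or the PCI Council’s code): it crawls plain text for 13-to-19-digit runs, keeps only those that pass the Luhn checksum every real card number satisfies, flags a number followed by "=" and an expiry date as magnetic-stripe track-2 data, and reports hits masked to the first six and last four digits so the report itself does not become another place the PAN is stored. The sample lines are constructed for the example and use the published Visa and MasterCard test numbers, not real accounts.

```python
"""PAN discovery scan: find card numbers stored in the clear.

Example added to this post; not ControlScan's or the PCI Council's code.
Assumptions: the data is plain text (logs, DB dumps, tickets), PANs may be
written with single space or dash separators, and anything that passes the
Luhn check is worth a human look.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int     # 1-based line number in the scanned text
    masked: str   # first six and last four digits, the most PCI allows to be shown
    kind: str     # "pan" or "track2"


# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not preceded or followed by another digit (never match a fragment).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A PAN immediately followed by "=" and a YYMM expiry is the start of
# magnetic-stripe track-2 data, which must never be stored after authorization.
TRACK2_TAIL_RE = re.compile(r"=\d{4}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812) that every real card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Render a PAN as first-six/last-four so the report holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Finding]:
    """Scan text line by line and return Luhn-valid card numbers, masked."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue        # order IDs, timestamps etc. that merely look like PANs
            kind = "track2" if TRACK2_TAIL_RE.match(line, m.end()) else "pan"
            findings.append(Finding(lineno, mask(digits), kind))
    return findings


# Constructed sample of the kind of text a scan would crawl. The card numbers
# are the well-known Visa and MasterCard test numbers, not real accounts.
SAMPLE = """\
2008-10-30 12:01:07 order=1234567890123456 status=approved
2008-10-30 12:01:09 auth request pan=4111111111111111 exp=1210 amt=19.99
customer note: card 5500 0000 0000 0004 on file for recurring billing
receipt printed as 411111******1111
debug: swipe=;4111111111111111=12101011234567890?
"""

if __name__ == "__main__":
    for f in find_pans(SAMPLE):
        print(f"line {f.line}: {f.masked} ({f.kind})")
```

Point it at exported logs or database dumps by replacing SAMPLE with the file contents. The Luhn check rejects about nine in ten random digit strings, which is why the 16-digit order number and the 17 digits of discretionary data in the sample produce no hits, but it is not proof: a random order number will pass occasionally, so treat hits as leads to confirm rather than findings. A clean scan also only covers what patterns can find; CVV2 values and PIN blocks cannot be recognized this way and need a review of what the payment application itself writes to disk.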

Prevention is often simple. It can also be extremely confusing. If you’re even slightly unsure about your PCI compliance or the health of your security practices, I encourage you to drop me a line anytime.

'Til next time,
Joan
The eSecurity Diva

October 23, 2008

It Could Be a Green Christmas … Online

I know the economic slump is a great source of anxiety for most of you. It certainly is for me.

I also know it doesn’t help when the media virtually ignores the positive. If you read publications such as Time and many others, you may begin to think there are no good signs out there at all.

This is particularly troubling as we approach the holidays.

Many reports have indicated that Christmas will be quite blue for many retailers. One source for these reports is none other than the National Retail Federation (NRF), which predicts that holiday sales will increase only 2.2 percent, compared to a decade-long average of 4.4 percent. Even worse, retail consultancy Archstone Consulting predicts only 0.5 percent to 1 percent growth, Time says.

This time of year, of course, is paramount for retailers, many of whom rely on Christmas shopping to fuel 40 percent of revenue.

But what Time and many others are not reporting is that online shopping remains strong. In fact, online spending is expected to increase 9 percent this year, the NRF says. And according to numerous surveys, shoppers and online retailers still remain optimistic about online retail.

In a recent survey by the NRF, 72 percent of online retailers believed e-commerce operations could better withstand a slowing economy than offline stores. In another study, commissioned by software provider Avail Intelligence, nearly 80 percent of polled consumers said they were going to shop online the same amount or more than they did during the 2007 holiday season.

The United States, as well as much of the world, is obviously facing serious economic uncertainty. But the fear that is peddled in much of the media is not tempered with positive news. Here are two more good signs you may not be aware of:

  • Toys’R’Us plans on hiring 35,000 seasonal employees to deal with expected demand—the same amount hired last year. Toys’R’Us certainly would not be hiring this many people if the company didn’t expect parents to buy lots of toys.
  • Gift card sales are expected to soar during the 2008 holidays. NRF says these sales will increase 6.6 percent from the same period in 2004.

But e-commerce, many experts believe, will be the brightest star during these not-so-bright times. Stores such as Big Lots are starting to see this; the budget retailer is entering the e-commerce world this holiday season.

The reason Big Lots is entering the e-commerce world is that more consumers are turning to the Internet for their shopping needs.

One reason for this trend is that online shopping eliminates the need to drive to and from stores, which saves both time and money on gasoline.

But perhaps the best reason is the virtually endless choices that the Internet delivers. These choices, in turn, bring more competition and therefore better deals.

In a down economy, consumers are seeking these deals. Look for many cost-conscious consumers to flood the Internet in November and December. This may be a great time to test any special offers you have in your back pocket.

Stay tuned right here to find out how you can best prepare for—and profit from—this flood.

'Til next time,
Joan
The eSecurity Diva

September 30, 2008

The PCI Council's Quality Assurance Program

I just returned from the PCI Security Standards Council Annual Community Meeting, held last week in Orlando. According to the Council there were 575 delegates from 310 organizations in attendance, representing merchants, acquirers and vendors, up from 320 participants last year. There is no doubt that PCI compliance is top-of-mind for many organizations.

Of the many topics covered, I want to share one that I found particularly interesting. The Council is introducing a Quality Assurance Program that will be phased in starting in October. Its goal is more consistency across providers, initially targeting Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs). The Council has defined specific grading scales and the remediation steps that will be taken if a vendor is found not to meet the program’s standards. It will review a good sampling of ASVs and QSAs each year and will post the names of vendors who are “under review” on its website (a sort of modern-day scarlet letter?).

We welcome this step by the Council. When any new standard emerges (think SOX), vendors clamor to figure out how to take advantage of the market opportunity. In most cases this works well, supplying buyers with many options at a fair price. In some cases, though, vendors are looking for a way to make a quick buck, and their processes and deliverables may not meet the standard. When the security of cardholder data is at stake, that creates unknown risk for both consumers and merchants. It will be interesting to observe (and possibly participate in!) the process.

I'll keep you posted on what I continue to uncover. What do you think? Please share your thoughts with me along with other merchants like you by commenting on this post.

'Til next time,
Joan
The eSecurity Diva

September 23, 2008

The Wacky World of PCI Fines

The card processor for a tiny Mexican restaurant, hit by robbers who stole a whopping 10 to 15 receipts with credit card numbers on them, was recently fined the equivalent of $83.50 for each card because the data was not properly secured.

Meanwhile, a recent forensic analysis showed that a larger Internet merchant was possibly breached because it was storing nearly 1,500 unencrypted credit card numbers. The fine for the same processor was $4.44 per card, even though the analysis showed no proof of a breach.

Then there’s clothing retailer TJX, which we all know about. The large Level 1 merchant, whose lax security practices led to millions of compromised records, reached a settlement of 64 cents per breached credit card with Visa and 83 cents per card with MasterCard.

See anything awry here? I sure do. Ken Musante does too.

Musante, president of the processor charged in the top two fines, Humboldt Merchant Services, is lobbying for more clarification, transparency and consistency in the penalty process. There is often no rhyme or reason to the penalties imposed now, he says in Digital Transactions, a monthly magazine that covers the North American consumer electronic transaction market. Additionally, the system unfairly penalizes processors and often takes so long that some breached merchants are out of business by the time the fines are levied.

His solution is that PCI forensics companies should keep a database of breaches and base network fines on that database and the following metrics:

  • The number of valid versus unencrypted cards compromised
  • The extent and amount of related information—such as expiration date and name—that were exposed
  • The extent and amount of prohibited information—such as magnetic-stripe data—that were compromised

Such a system would be more predictable and fairer, he says. In addition, these guidelines would let fines be levied more quickly, Musante adds, and could “hold the bank card associations more accountable.”

I believe him. The PCI fining system is pure chaos. As Forrest Gump would say, it’s like a box of chocolates. You know the rest.

Without a doubt, a more uniform and reasonable system is badly needed. If we expect more merchants to follow PCI security rules, the penalties for breaking those rules should at least be logical.

September 03, 2008

The Data Breach Paradox and Why You Should Still Do the Right Thing

Remember the federal bust in early August that netted 11 hackers who allegedly stole more than 40 million credit card numbers? Now, The Wall Street Journal reports that many of the victims of those thefts were never even notified by the restaurants and retailers who were hacked.

This is true despite the fact that some 40 states have breach notification laws.

Only four of the nine companies that were hacked clearly notified their customers. The companies that did not – Boston Market, Forever 21, and possibly Barnes and Noble, Office Max and Sports Authority – had varying excuses. One excuse was that they never “confirmed” data was stolen, the WSJ says. Barnes and Noble, Office Max and Sports Authority, meanwhile, wouldn’t even say whether they made disclosures in the first place. (A WSJ investigation found no evidence of any disclosures).

I’m surprised how little PR backlash these companies have received. Not only does the law in most states say you have to notify customers in the event of a breach, it is also the ethical thing to do. The only reasonable debate is how that disclosure should happen.

However, four companies – TJX, BJ’s Wholesale Club, DSW and Dave and Busters – did notify customers shortly after the breaches were discovered. These companies deserve full credit for their actions, especially TJX. The clothing retailer has been lambasted for more than a year in the press since the disclosure in early 2007.

I’m well aware of the paradox here. The retailers that allegedly were not proactive have so far received little condemnation, while some of the retailers who were proactive are now synonymous with the words “data breach.” Not very fair.

So, does that mean that doing the right thing isn’t always the best thing? I interviewed crisis management expert Dean Trevelino, owner of public relations firm Trevelino/Keller, on this very topic. To begin, he says, all retailers should follow these three steps:

  1. Retailers big and small need to make the necessary investments in making sure they are as protected as possible. That, of course, means having a robust and consistent security policy in place. For smaller retailers, he says, these investments ought to be weighed with substantial thought next to the revenue they may be bringing in.
  2. All retailers – even the smaller ones – need to have a basic crisis control plan in place. This includes a to-call list -- i.e. PR, legal and IT.
  3. If it does happen, you “absolutely need to be forthcoming,” Trevelino says. That means a disclosure within 48 hours. But he adds that no disclosure should occur until you have a clear handle on how it happened. “Grab the smartest people you can find and drill down on the causes and solutions to the problem,” he says. “Once you do that, let affected customers know ASAP what they should do and what you are doing to solve the problem," he adds.

So what about the paradox? Trevelino sums it up nicely:

While TJX received its fair share of bad press, the worst is over. In fact, he says, the companies on the up-and-up may be viewed rather positively, now that the thieves have been busted. In contrast, for Boston Market and the rest of them, the worst is likely yet to come.

“It’s a heck of a road back if you’re weak from a security standpoint and not forthcoming,” Trevelino says. “People will forgive you if you didn’t have enough security, especially nowadays – you’re simply just one of the many victims. But if you’re a victim and not forthcoming, that’s a difficult thing to recover from.”

August 20, 2008

PCI Compliance Made Easy

Our Vice President of Marketing, Heather Varian Foster, was recently interviewed by Shawna Fennell on the Yahoo! Store Power Hour about Payment Card Industry (PCI) compliance as it relates to small- to medium-sized e-commerce merchants, and in particular Yahoo! Store customers. We realize there is a vast need for better education about PCI in the marketplace: it is a relatively new standard and there is a lack of good information available to an audience that needs it. Below is a sampling of the questions and answers from the interview, which we hope will be helpful as you navigate the PCI compliance process for your business.

What do PCI compliance requirements mean to small and medium-sized (Level 4) merchants?

If you are a merchant and you accept credit cards you must validate compliance at least annually. There is no way around this - all merchants need to do this. So let's talk about how you do that.

First you need to complete the Self-Assessment Questionnaire (SAQ) on an annual basis. A few months ago a new SAQ was launched, redesigned to make the questions more relevant to what the merchant actually does. There are now four parts, and the part that best matches what your company does determines the number of questions you will need to answer, and whether or not you will need quarterly vulnerability scanning. You will also need to attest to the truthfulness and accuracy of your responses on the SAQ.

What challenges do small and medium-sized merchants face when they are trying to become PCI compliant?

Most small and medium-size companies don't have large IT departments, or an IT department at all to handle the compliance process. So, often the business owner is forced to take on a role they are not comfortable with. Also, many smaller merchants can't get the help they need from their Web hosts to complete the SAQ or remediate vulnerabilities. Merchants should be very selective as they search for the right support services for their businesses, their PCI compliance provider, acquirers, hosts and others, to make sure they are going to get the help they need.

Since there are millions of small and medium-sized merchants - how do they find out about PCI compliance and the impact on their businesses?

First of all, acquirers must take on the responsibility of educating their merchants regarding cardholder data security, storage of prohibited cardholder data and PCI DSS compliance (according to Visa USA's Visa Business Review, May 2007). Having said that, there has only recently been a sense of urgency from the acquirers to do so. You should certainly look to them, and to the payment processors, Web hosts, shopping carts and other merchant service providers you use, for this information. You can also visit www.pcisecuritystandards.org, or our own website, www.controlscan.com, for more information about PCI compliance.

Some of the other questions answered in the interview include:

  • How do small and medium-sized merchants know which SAQ to fill out or if they need to be scanned?
  • Who needs to see proof of PCI compliance?
  • If you are PCI compliant are you secure?
  • What does PCI compliance mean to Yahoo! Store customers?
  • Are merchants fined?
  • What happens if you are breached?
  • Does PCI compliance help increase conversions on merchants' Websites?
  • What is the October 1, 2008 PCI compliance deadline?
  • Will this deadline hold?
  • How do I learn more about PCI compliance?

To hear the answers to the rest of the above questions, you can listen to the interview by visiting http://www.wsradio.com/wsradio-player.cfm/type/windows/show/1-Choice-Yahoo!-Store-Power-Hour/segment/19536.

'Til next time,
Joan
The eSecurity Diva

August 05, 2008

A Little Challenge to the Private Sector

I recently sent some employees to an (ISC)² seminar to get an industry-recommended security certificate. The seminar is aimed at providing education on the newest and hottest cyber threats.

With all the news of mega breaches out there, including one I just wrote about in this blog, it would seem as if an information-packed seminar such as this one would be packed with IT people, right? Actually, it was. But with public sector IT people. Private sector attendees were few and far between.

What’s going on here? This little piece of news could be a telltale sign:

According to a new report by the Identity Theft Resource Center, the percentage of breaches occurring in the government sector has been dropping steadily over the past three years. Breaches in the private sector, meanwhile, are up 69 percent from the same six-month period last year. Mix that with the fact that the private sector is substantially less likely to report breaches than the public sector, and the situation gets even worse.

As the report indicates, the government sector – for a change – is outperforming the private sector. The report says during the first half of this year, breaches in the government accounted for only 17 percent of all reported breaches, a 13 percentage point decrease from 2006.

Leading the seminar was Bill Lipiczky, a senior architect with IT consultancy Managed By Design. He acknowledges the lopsided attendance, estimating that the private sector accounted for only 20 percent of the class. He says companies often do not have as full a grasp of cyber threats as they should.

“They don’t have a good handle on the risk,” Lipiczky says. “I kind of liken it to life insurance.”

Life insurance. Kind of like not really thinking about bad things until something bad happens.

To be fair, Lipiczky points out that the government’s emphasis may be because it has more pressing things to worry about than identity theft. Like national security, for one. Stuff like foreign governments trying to hack into our critical systems. But something clearly has to be done here. The number of breaches cannot continue spiraling out of control without Congress getting involved more than it already is. Do we really want that?

So, I have a challenge. Let’s start attending more professional development courses like the one offered by Lipiczky. Let’s start being more proactive about preventing breaches. And let’s show that we can do the right thing without being legislated to do so.

'Til next time,
Joan
The eSecurity Diva