Target is upgrading the security of its private label payment cards and implementing other network improvements as it seeks to restore confidence after one of the largest-ever data breaches last year.
The retailer will upgrade three types of payment card it uses to support chip-and-pin technology, where a microchip on the card holds customer data to improve security. It will also update its payment terminals to accept chip and pin, at a total cost of $100 million.
Visa and MasterCard have set a deadline for U.S. retailers to be able to accept chip-and-pin cards by October 2015. If the deadline isn’t met, the liability for fraudulent purchases made with chip cards resides with retailers.
Target spokeswoman Molly Snyder said Tuesday the company already had plans to accommodate chip-and-pin cards, widely used in Europe and elsewhere, but has accelerated its technology upgrade by about six months.
Avivah Litan, a vice president at Gartner with expertise in payments, said chip-and-pin cards would in theory have prevented Target’s data breach in which it lost 40 million payment card records via malicious software on its network.
She said Target’s move is more than symbolic even though the retailer was already moving to chip-and-pin. It gives customers a more secure way to pay using Target’s branded cards, she said.
“It’s good for consumers, and in the end, probably going to be good for Target,” Litan said.
Target has been under intense pressure to shore up its network following the breach. It is facing 80 civil lawsuits and inquiries from regulators including state attorneys general, the Federal Trade Commission and the U.S. Securities and Exchange Commission, according to its March 14 annual report.
Starting next year, Target will upgrade its debit cards, called REDcards, which account for around 20% of Target’s sales, to chip and pin.
The cards include a credit card and a debit card that Target issues and can only be used at its stores. The upgrade also applies to a credit card co-branded with MasterCard that can be used anywhere, Snyder said.
Target is also rolling out new software and payment terminals compatible with chip and pin to its 1,797 U.S. stores by next September.
So far, cybercriminals haven’t been able to steal sensitive data from the microchip of chip-and-pin cards, although some computer security researchers have found ways to attack the system.
Visa and MasterCard have long championed chip and pin as a replacement for magnetic stripe cards. Data can be easily copied from the magnetic stripe with off-the-shelf equipment.
Chip-and-pin cards still have a security hole, however: most still have the magnetic stripe, since they wouldn’t work at most U.S. stores today without it. That could change as the U.S. moves toward full chip-and-pin compliance, but the transition could take years.
The U.S. Treasury Department’s anti-money laundering unit is warning companies linked to the digital currency Bitcoin that they may have to comply with federal law and regulation as money transmitters, a Treasury spokesman said.
Treasury’s Financial Crimes Enforcement Network (FinCEN) has sent “industry outreach” letters to about a dozen firms, regarding potential anti-money laundering compliance obligations related to Bitcoin businesses, FinCEN spokesman Steve Hudak told Thomson Reuters’ regulatory information service Compliance Complete.
Bitcoin, which unlike conventional money is bought and sold on a peer-to-peer network independent of any central authority, has grown popular among users who lack faith in the established banking system. It has also raised concerns among law-enforcement authorities that digital currencies could be used for laundering money.
The letters have had a “chilling effect” on Bitcoin businesses, which are intimidated by the threat of civil and criminal sanctions for non-compliance, said Jon Matonis, executive director of the Bitcoin Foundation, an advocacy group. The firms, he said, may effectively be “put out of business in an extrajudicial manner.”
Brad Jacobsen, a lawyer representing one Bitcoin businessman who received a letter from FinCEN, said his client has chosen to suspend his business activity “while state and federal compliance matters are considered and/or appropriate exemptions are determined.”
FinCEN’s letters, which ask recipients for more information about their business models, put the firms on notice that there is a legal “gray area,” so they are “better off to err on the side of caution” and comply with FinCEN’s rules, Matonis said.
Certain Bitcoin businesses came under FinCEN regulation in March when the Treasury bureau issued guidance defining some players in the digital currency industry as money transmitters.
For more than a decade the money-transmission industry, which includes firms such as Western Union and PayPal, has been required to enact anti-money laundering controls, report suspicious activity, register with FinCEN and obtain state licenses.
These steps are required to comply with the Bank Secrecy Act, the main anti-money laundering statute, and avoid running afoul of a federal law that bans unlicensed money transmitters.
While some Bitcoin businesses reject FinCEN’s assertion that they are money transmitters, a number have still registered with the agency, a search of the Treasury bureau’s website shows.
FinCEN sent letters to Bitcoin-related businesses on the Internet that appeared to fall under its definition of money transmitters but had not registered, Hudak said. He said FinCEN will keep sending letters to unregistered Bitcoin businesses.
“As we come across them, and as people tip us off, we’ll make inquiries. That is part of what we do,” Hudak said.
The FTC has, over the past several years, gone after companies that have suffered data breaches, citing the authority granted to it under a section of the FTC Act that prohibits “unfair” and “deceptive” trade practices. The FTC extracted stiff penalties from some companies by arguing that their failure to properly protect customer data represented an unfair and deceptive trade practice.
On Thursday, FTC Chairwoman Edith Ramirez called for legislation that would bestow the agency with more formal authority to go after breached entities.
“I’d like to see FTC be the enforcer,” Law360 quoted Ramirez as saying at a privacy event organized by the National Consumers League in Washington. “If you have FTC enforcement along with state concurrent jurisdiction to enforce, I think that would be an absolute benefit, and I think it’s something we’ve continued to push for.”
According to Ramirez, the FTC supports a federal data-breach notification law that would also give it the authority to penalize companies for data breaches. In separate comments at the same event, FTC counsel Betsy Broder reportedly noted that the FTC’s enforcement actions stem from the continuing failure of some companies to adequately protect data in their custody.
“FTC keeps bringing data security cases because companies keep neglecting to employ the most reasonable off-the-shelf, commonly available security measures for their systems,” Law360 quoted Broder as saying.
An FTC spokeswoman was unable to immediately confirm the comments made by Ramirez and Broder but said the sentiments expressed in the Law360 story accurately describe the FTC’s position on enforcement authority.
The comments by the senior officials come amid heightening protests against what some see as the FTC overstepping its authority by going after companies that have suffered data breaches.
Over the past several years, the agency has filed complaints against dozens of companies and extracted costly settlements from many of them for data breaches. In 2006, for instance, the FTC imposed a $10 million fine on data aggregator ChoicePoint, and more recently, online gaming company RockYou paid the agency $250,000 to settle data-breach-related charges.
Much of the criticism has focused on a proposed “Tag Suggest” feature that would use facial recognition technology to match faces in photos with public profile features, part of a broad set of privacy changes the social networking giant announced on August 29.
FTC spokesman Peter Kaplan said regulators would study the changes as part of the government’s oversight of Facebook’s privacy practices, which began in 2011 after Chief Executive Mark Zuckerberg apologized for privacy missteps and pledged to obtain users’ permission before sharing their personal data.
“As in all cases, we’re monitoring compliance with the order and part of that involves interacting with Facebook,” Kaplan said Wednesday.
He added that the commission had no reason to believe that the company had violated its 2011 agreement.
Facebook posted an update to its data use policies on the company website on August 29 to explain how users’ personal information is used by advertisers and third-party applications.
The new policy proposal came days after the company finalized a $20 million class-action settlement related to how Facebook displayed its users’ “likes” and pictures in its ads products.
Facebook said in a statement on Wednesday that it was in full compliance with the FTC and that its new policy did not grant the company expanded privileges in how it used personal data.
U.S. regulators and law enforcement agencies were scheduled to meet on Monday with an advocacy group for Bitcoin, a digital currency that has been under fire for its alleged role in facilitating anonymous money transfers and supporting online purchases of illegal street drugs.
The meeting in Washington was arranged by the Treasury Department’s anti-money laundering unit at the request of the Bitcoin Foundation, an advocacy group of Bitcoin-related businesses.
It will be an opportunity for wide-ranging discussions about the digital currency, a Treasury official said.
Bitcoins, which have been around since 2008, first came under scrutiny by law enforcement officials in mid-2011 after media reports surfaced linking the digital currency to the Silk Road online marketplace where marijuana, heroin, LSD and other illicit drugs are sold.
In recent months, the U.S. government has taken steps to rein in the currency, and more regulatory action is expected.
Tokyo-based Mt. Gox, the world’s largest exchange for trading U.S. dollars for Bitcoins, had two accounts held by its U.S. subsidiary seized this year by agents from the Department of Homeland Security on the grounds that it was operating a money transmitting business without a license.
The Federal Bureau of Investigation reported last year that Bitcoin was used by criminals to move money around the world, and the U.S. Treasury said in March that digital currency firms are money transmitters and must comply with rules that combat money laundering.
The Senate Committee on Homeland Security and Government Affairs launched an inquiry into Bitcoin and other virtual currencies earlier this month, asking a range of regulators to list what safeguards are in place to prevent criminal activity.
PayPal, the online payments division of eBay Inc, has sparked a furor in the publishing world by requesting some e-book distributors to ban books that contain “obscene” themes including rape, bestiality or incest.
PayPal sent an email on Feb 18 to Mark Coker, founder of e-book publisher and distributor Smashwords, saying it would “limit” the company’s PayPal account unless Smashwords removed from its website e-books “containing themes of rape, incest, bestiality and underage subjects.”
PayPal sent similar warnings to online publishers and booksellers including BookStrand.com and eXcessica, according to the Electronic Frontier Foundation, a non-profit that supports free speech, privacy and other individual rights in the digital world.
A PayPal spokesman confirmed that the company sent such notifications to companies but declined to identify specific recipients.
EFF and other groups including the Authors Guild, the American Booksellers Foundation for Free Expression and the Association of American Publishers are planning to send a letter to PayPal on Wednesday asking the company to reverse its policy.
PayPal “is now holding free speech hostage by clamping down on sales of certain types of erotica,” the groups said, according to a draft of the letter sent to Reuters. “We strongly object to PayPal functioning as an enforcer of public morality and inhibiting the right to buy and sell constitutionally protected material.”
PayPal said it was acting in part because banks and credit card companies it works with restrict such content, according to an email PayPal sent to Smashwords on February 24. Reuters obtained copies of the emails.
“Our banking partners and credit card associations have taken a very strict stance on this subject matter,” PayPal said in the February 24 email. “Our relationships with the banking partners are absolutely critical in order to provide the online and mobile services we (offer) … to our customers. Therefore, we have to remain in compliance with their rules, which prohibit content involving rape, bestiality or incest.”
The move has caused an uproar in the publishing world, which is concerned that banks and credit card companies may be exerting too much control over what books can be written, published and read.
A PayPal spokesman said the company allows its service to be used for the sale of “erotic” books but added that the company has to draw the line “on certain adult content that is extreme or potentially illegal.”
Responding to increased use of tablets within business settings, IBM will launch on Wednesday several mobile applications designed to let employees use IBM enterprise social collaboration software with iPads and other mobile devices.
The new applications, free to customers with active licenses of the IBM software, have been built specifically for tablet interfaces and have security, IT management and compliance features.
“The apps are very lightweight and talk directly back in a secure manner to the enterprise systems that people who don’t have these devices are using inside the company,” said Rob Ingram, senior manager of IBM’s Mobile Collaboration Strategy.
One of the applications lets employees use IBM Connections via iPads, while another one is for LotusLive Meeting users to participate in online meetings using iPhones or Android, BlackBerry or iPad tablets.
For IBM Sametime, another application lets employees engage in one-on-one or group instant messaging sessions on iPad and Android tablets. There is also one application for Lotus Symphony Viewer that lets users view ODF-based files, including documents, spreadsheets and presentations, on iPads, iPhones or Android devices.
There are also applications for managing telephony tasks within IBM Sametime from tablets and for Android device users to add widgets to home screens as shortcuts to their Lotus Notes mail and calendar.
“All of these capabilities together provide a workable set of solutions for people that are coming to us in droves now looking for iPad and other tablet support,” Ingram said.
IBM is also releasing on its developerWorks website preview versions of new tools for enterprise developers to create mobile applications for Android devices. The company also has a new WebSphere tool for companies to enhance their sites’ mobile interfaces.
The applications will be available in popular mobile app stores like the Apple App Store and Android Market.
The Emergency Broadcast System has been for decades the way in which we were notified of emergencies via the television and radio. (Or more likely, the way in which we were notified of a “test of the Emergency Broadcast System.”)
The Urgent Communications Journal reported today that Alcatel-Lucent has made commercially available its broadcast message center, which is designed to help bring these alerts to people’s cellphones in order to comply with the Federal Communications Commission’s Commercial Mobile Alert System.
With this new system, service providers will be able to send targeted government agency texts to alert mobile users in a specific area. While everyone will have to receive presidential alerts (something that has never been issued in the almost 50 years of the program’s existence), people will be able to opt out of messages about imminent threats and Amber alerts.
“With the public increasingly relying on cell phones, it becomes mission critical for service providers to be able to share critical, time-sensitive information over these devices during times of crisis,” Alcatel-Lucent’s vice president Morgan Wright told MSNBC.
The program is being tested in California and Florida and should be ready in time to comply with the new FCC guidelines by April 2012.
In a major victory for the music industry, a New York federal judge has ordered embattled P2P software maker LimeWire to immediately and permanently stop distributing and supporting its file-sharing software.
In a 17-page injunction issued on Tuesday, Judge Kimba Wood of the U.S. District Court for the Southern District of New York ordered LimeWire to cease the searching, downloading, uploading, file trading and file distribution functionality of LimeWire’s P2P file-sharing software.
The injunction instructed LimeWire to immediately communicate the court’s decision to all users of the software and to all of the company’s employees, principals and other stakeholders. It gave the company 14 days to report back to the court on the steps LimeWire has taken to comply with the order.
A spokeswoman for the company today stressed that the court’s order does not mean that LimeWire is shutting down and said that it only prevents LimeWire from distributing or supporting its P2P software.
It does not prohibit the company from going ahead with its previously announced plans to launch a subscription-based music service, nor does it prohibit the company from operating its online store, the LimeWire spokeswoman said.
“While this is not our ideal path, we hope to work with the music industry in moving forward,” the spokeswoman said by e-mail. “We look forward to embracing necessary changes and collaborating with the entire music industry in the future.”
The court injunction is a huge victory for the Recording Industry Association of America (RIAA), which has been trying to get the court to shut down LimeWire for quite some time. The RIAA and the music labels it represents have accused LimeWire and its chief executive, Mark Gorton, of willfully enabling widespread copyright infringement.
In numerous court documents the music industry has claimed that the use of LimeWire’s P2P software by users to illegally download and distribute copyrighted music has caused the industry tens of millions of dollars in losses.
In a ruling in May, Wood found LimeWire and Gorton liable for inducing and enabling copyright infringement. Wood agreed with the recording companies and found that LimeWire and Gorton had engaged in conduct that knowingly fostered and enabled copyright infringement.
The judge upheld virtually all of the arguments raised by the recording companies and ruled that LimeWire had failed to implement any meaningful barriers that would have made it harder for users of its software to illegally share and download music files.
The court injunction ominously noted that LimeWire almost certainly will be held liable for the piracy and potentially be assessed statutory damages that are well beyond its capacity to pay.