Why PCI DSS Compliance Is Not Like The Flu

February 20th, 2013
PCI DSS compliance is not like the flu. You can't "catch" it from your service provider, even though that provider might be PCI compliant. Merchants must go beyond reading the marketing materials and taking a quick glance at the service provider's attestation of compliance (AOC). The path to PCI compliance starts with PCI-compliant service providers, but it then takes the extra step of performing effective due diligence.

This lesson has been reinforced at least three times in the past few weeks in separate PCI Security Standards Council (PCI SSC) guidance documents. One question is whether merchants, particularly small and midsize merchants, will ever hear this advice. As a QSA, PCI Columnist Walter Conway occasionally gets the impression that clients spend more time researching their next smartphone, laptop or sailboat than they do reviewing service provider contracts and service-level agreements (SLAs). It is particularly important for merchants to realize the source of the advice. It comes not from the PCI SSC staff but from active PCI practitioners with first-hand experience.



Best Buy’s Cure For Showrooming? Not Exactly

February 19th, 2013
On February 15, Best Buy (NYSE:BBY) put out a statement saying it had ended showrooming, and the sword it said will kill this merged-channel dragon is a new price-match program. Despite quite a few reports that Best Buy was making the price-match it launched in 2012's holiday season permanent, the new program—set to kick in March 3—has very little in common with its holiday price-match effort. First, this program will clearly not eliminate showrooming, and Best Buy knows it. The new program cuts in half how long regular shoppers have to return merchandise for refunds, from 30 days to 15 days. The rest of the changes are making the program much stronger, eliminating many of the non-shopper-friendly elements from last year, such as making the price-matches conditional on associate discretion, limiting price-matches to appliances and electronics hardware, and even exempting all electronics accessories.

Is it a better program (other than the strange halving of the time for a return)? Absolutely. Will it likely reduce Best Buy sales lost to showrooming? Yes. Will it eliminate all showrooming losses? Of course not. And the fact that Best Buy is trying to argue it will is mind-boggling.



eBay’s Day In Court: No Soup For You

February 14th, 2013
Some retailers sell products. Some retailers sell services. But companies like eBay (NASDAQ:EBAY), Amazon (NASDAQ:AMZN) and Craigslist sell something more—a marketplace. They are not simply a "store" but the entire mall—the downtown retail zone. If you can't sell on eBay, Amazon or Craigslist, then, to a great extent, you can't sell online. So what happens if you are banned for life from one of these marketplaces? A recent California Appellate Court decision substantially impaired the rights of consumers to have access to these marketplaces when the merchant/marketplace owner determines that the consumer did not follow the rules, pens Legal Columnist Mark Rasch.

Linda Genesta was a long-time eBay seller. For 18 years, beginning in 1999, she sold what she described as "high-end, high-quality, imported authentic European and American antique and vintage textiles, fabrics, pillows and trims." Everything was fine until July 2008, when eBay allegedly removed Genesta's items from the marketplace, alleging "unspecified 'misrepresentations'" in violation of its Terms of Service. As a result, Genesta says, she is effectively "out of business."



U.K.’s John Lewis Trials Electronic Shelf Tags That Don’t Look Like New Technology. Will This Reverse Psychology Work?

February 13th, 2013

Electronic shelf tags have gone pretty much nowhere in recent years, but U.K. department store chain John Lewis is doing an interesting trial at one of its newest stores. The Exeter location, which the 39-store chain uses as a testbed for new technologies, has put in hundreds of e-paper shelf tags that will display both prices and QR codes that customers can scan to get offers and product information. John Lewis is calling this an omnichannel test, the idea being that if customers are going to have their phones out in the store, shelf tags are a good thing for them to scan.

True, there’s nothing in that part of the trial that couldn’t be done with paper tags, and that is part of what’s so interesting: Unlike a more traditional electronic shelf tag, customers won’t necessarily notice that these tags are electronic. That makes them less distracting and possibly less likely to be stolen, both of which have been problems with electronic tags in the past. In-store technology that all but hides the fact that it’s new technology sounds strange, but if it finally gets easy-to-update electronic tags on shelves, and maybe eventually into John Lewis’ 290-store Waitrose grocery chain, so much the better.




PCI Security Problems: The Practical Versus The Perfect

February 13th, 2013

Security rules are wonderful things, and nowhere are they more needed than in retail and payment-card data. But a common criticism of the organization handling such matters—the PCI Council—is that it delivers security edicts in a vacuum, with minimal regard to how different types of merchants function in the so-called real world. Such critics were given three golden examples this month. The examples, in the areas of cloud guidance, P2PE validations and Windows XP end of life, illustrate the types of collisions that are inevitable when committees seeking ideal security approaches run into chains with razor-thin margins (or losses), workforce reductions and store closings. Put more bluntly, it’s the age-old battle of the ideal versus the pragmatic.

This is explored in StorefrontBacktalk‘s February monthly column in Retail Week, the U.K.’s largest retail publication. The column lives here at Retail Week. For those who don’t have a Retail Week subscription (shame on you!), here’s a copy at StorefrontBacktalk. You can also check out all of our recent Retail Week columns here.


PCI Cloud Guidance: Private Cloud Is The Preferred Way To Go

February 13th, 2013
The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. The guidance document begins with a simple statement: "It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud." Using the phrase "particularly challenging" communicates that a merchant's PCI compliance will be easier or harder depending on the chosen cloud deployment model, pens PCI Columnist Walter Conway.

One gem tells retailers they need to "obtain the details of the CPS's [cloud service provider's] compliance validation." This is the first official guidance that tells merchants to go beyond asking for the attestation of compliance (AOC). The guidance suggests merchants review "The Executive Summary and Scope of Work sections" of the CSP's report on compliance (ROC) and the "specific components, facilities, and services that were assessed." Securing a copy of the current AOC for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP's assessment, which is not sufficiently detailed in the AOC. The SIG recognized this situation explicitly with its recommendation.


Amazon Hands A Digital-Resale Blueprint To Chains, But It’s Trickier Than It Looks

February 12th, 2013
Amazon's newly issued patent for reselling digital goods raises some interesting concerns. The least interesting: Holy cats, Amazon has patented the idea of selling used e-books! (No, it hasn't.) Much more intriguing: What happens when many retailers have their own online digital resale shops? To resell or give away that digital copy of Nineteen Eighty-Four I bought from Walmart (or Barnes & Noble or Target), will I have to get the original retailer involved?

Short answer: apparently so. And with digital content a potential CRM goldmine, more chains may soon start selling digital books, movies, music and audio books, which could get very sticky, for both customers and retailers.


PCI’s New Cloud Guidance: Great Ideas, Short On Realism

February 11th, 2013
When the PCI Council rolled out its cloud computing guidelines on February 7, one element—dealing with introspection—has been heralded as sound practice while being slammed as unrealistic and impractical. The problem speaks to the very nature of clouds.

In private clouds, retailers can demand unlimited data about their environments; shared cloud providers, meanwhile, simply cannot reveal information about other cloud residents. That very well may mean shared cloud vendors will simply not be able to provide enough information for a retailer to become PCI compliant. Does the council then ban shared clouds, as some have expected, or impose requirements on retailers that they may be unable to fulfill? The guidelines, which are not edicts from the council (yet) but, indeed, are solely guidelines, fairly describe the various types of cloud offerings, from the private cloud to the various shared options: community cloud, public cloud and hybrid cloud. Although acknowledging that retailers may have limited control of the environment and the information in a cloud model, the council still places demands on the information gathered for PCI compliance.


After Seven Months, Why Has The PCI Council Yet To Validate Anyone For P2PE?

February 8th, 2013
For the past two years, the Payment Card Industry Security Standards Council (PCI SSC) has been taunting merchants with offers of a specialized (and simplified) Self-Assessment Questionnaire (SAQ) for those using "validated P2PE" approaches. At first, the council told merchants to wait while it drew up plans to validate the products. Then—finally—seven months ago, PCI SSC released its standards and told merchants to go right ahead and pick one of these validated options. There's only one problem: As of Thursday (Feb. 7), the council hadn't validated any.

That's right. Seven months after the standards were released and nearly two full years from its initial announcements on the matter, the PCI SSC has yet to validate a single P2PE vendor that can offer the promised scope reductions and a simplified SAQ to merchants. Why? Well, quite frankly, pens GuestView Columnist J. David Oder, because the council designed the wrong standard.


Privacy Issues Galore Crop Up In California Supreme Court E-Commerce Ruling

February 7th, 2013
On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say "no," but the California Supreme Court says "yes." Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse—for both online and offline retailers, pens Legal Columnist Mark Rasch.

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information.


Walgreens Refill API Isn’t Very Interesting, But It Will Be

February 6th, 2013
Chains are still inching toward making their mobile apps genuinely useful to customers, but at least they're doing it in more technically useful ways. On Monday (Feb. 4), Walgreens announced a new application programming interface (API) that should make it easier for mobile app developers to deliver all sorts of prescription refill information to users, at least if Walgreens is willing to provide it.

Unfortunately, what this API currently does is pretty primitive: It accepts a prescription number and then reports back to the app that it has (or hasn't) successfully requested a refill. Just the fact that there's an API is a big step forward, because it means Walgreens can extend that API without breaking any apps that use it.


California Opens CRM Goldmine For All E-Tailers

February 6th, 2013
The California Supreme Court on Monday (Feb. 4) ruled that online merchants have the right to ask for Zip code and other personal information about shoppers who buy electronically downloadable products, but physical retailers do not. Given the clout of the highest court from the country's largest state making such a ruling—which, in turn, makes it very likely that other states will follow—this decision could sharply change CRM and POS strategies.

Such changes are especially likely because the court did not impose any restrictions on how retailers can use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting fraud. The ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location. The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court's Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.


Amazon Is Closing Its Distribution Gap, And That Could Mean The End Of Sales-Tax Deals

February 6th, 2013
Amazon has cut another distribution-center-for-sales-tax deal, this time in Connecticut. On Monday (Feb. 4), the E-Commerce colossus said it will be building a DC in Connecticut and will also start collecting sales tax from Connecticut customers—but not until November. ("Hey, we're Amazon. We could do it tomorrow. But just to show you who's running this show, you can wait nine months.")

That's all in line with Amazon's recent delay-and-get-concessions approach to sales taxes. But the point of the exercise was always to give Amazon more flexibility when it comes to delivery, and with 16 states now potential locations for Amazon DCs, it may already have almost everything it needs. Amazon's deal-cutting days may be almost over.


Windows XP End-of-Life Could Cripple PCI Compliance

February 6th, 2013
PCI DSS has two sunsets coming up. The first is the well-documented end of PA-DSS v1.2 this October. The second, and equally significant, sunset is Windows XP's end-of-life just a few months later, and this event may have an even more direct impact on retailers. The demise of Windows XP will challenge retailers with POS or other payment applications running in that environment. These retailers will fall into one of three scenarios. How they choose to address the situation will affect their PCI compliance and, more importantly, their security. There may even be a little fallout for the PCI Security Standards Council (PCI SSC) itself, pens PCI Columnist Walter Conway.

On April 8, 2014, about 14 short months from now, Windows XP will reach the end of its life as an operating system. That means that starting on April 9, 2014, Microsoft will no longer market, support or provide regular security patches for that operating system. Retailers with POS or other payment systems running on Windows XP after this date will, therefore, no longer be PCI compliant.


Survey Says Consumers Worry About Mobile Wallet Security. But Does That Matter?

February 4th, 2013

A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don’t give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of smartphone users surveyed have used PayPal, six times as many as runner-up Google Wallet) was something we’ve heard often enough: 47 percent say they’re concerned about “security/safety/theft/loss of phone” with digital wallets. To its credit, the ComScore report on the survey does point out that consumers don’t seem to understand the added security that digital wallets provide. (A real surprise: 29 percent say they have no mobile-wallet concerns.)

But we never see surveys that ask consumers “What concerns, if any, do you have about using a plastic credit or debit card to make purchases?” What percentage would say they’re worried about losing the card or having their wallet stolen? Without that, we don’t know if a question about mobile wallets means anything at all. If most consumers do fret about the risk of a stolen magstripe card but use it anyway, that’s clearly not what’s holding back mobile payments. Our theory: Consumers don’t actually care about security at all. Now will somebody please deliver numbers to prove us wrong?


Rivals Hate Amazon, Except During A D-DOS Attack. Retailers Then Are A Band Of HTML Brothers

February 1st, 2013
As the online (and mobile) leader by a very wide margin, Amazon certainly generates a generous share of envy and hatred from E-tailers and retailers alike. They all quietly celebrate every Amazon misstep and piece of investor pain—except one. When Amazon has an outage and the E-Commerce king is trying to convince everyone that the site was not the victim of a D-DOS attack, every rival is in its corner.

On Thursday (Jan. 31), Amazon was down for about 49 minutes, which is certainly a notable event. One cyberthief group tweeted responsibility, claiming "we used a 7kbotnet running hoic 100 threads each. 80servers in botnet and a 16gbps booter." Does it make much of a difference whether the outage was caused by an internal IT screw-up, an unexpectedly huge number of shoppers looking at a specific sale or an outside malicious group? Absolutely.


JCPenney’s RFID Reversal Guts In-Aisle Checkout

January 30th, 2013
When JCPenney very publicly and very aggressively embraced a chain-wide, all-product item-level RFID strategy—with the promise of a full rollout by February 1 (2013)—executives cited supply-chain savings as a key driver. The chain has now reversed course, killing much of the RFID program to save money. When a chain is under this much financial pressure, a little savings today is a lot more valuable than a lot of savings down the road.

But of much greater significance is the digital domino effect. In this case, JCPenney was building its in-aisle checkout on the premise that it had item-level RFID fully in place. And if remodeled stores have dramatically scaled back the number of cashwraps (because customers would be doing in-aisle checkout), does that mean all those customers will have to line up for the limited number of cashwraps? That's not going to be pretty, presuming JCPenney can actually get enough returning customers to make it a problem.


PCI’s Potential Black Friday Nightmare

January 30th, 2013
October promises to be a big month for everyone involved with PCI, but maybe not for the expected reason. On Oct. 28, 2013, every payment application validated under Payment Application Data Security Standard (PA-DSS) version 1.2—and there are a lot of them—will see its validation expire. The applications will no longer be acceptable for new deployments, a potential nightmare for every retailer using a validated payment application. If a retailer has any payment app that glitches in early November, it could have far fewer—if any—choices as a replacement. The problem: A large number of applications still haven't been revalidated under PA-DSS 2.0. Given the time that has already elapsed, coupled with the human tendency to delay the unpleasant, we're looking at a likely crush of last-minute validation renewal requests that could strain both PA-QSA and PCI SSC resources.

For retailers, says PCI Columnist Walter Conway, this means applications that may still be secure won't necessarily be supported by vendors. Much worse, this situation could create a huge backlog of applications to be evaluated by PA-QSAs and then approved by the PCI Council. That process will take weeks, and quite possibly months, to work through. Retailers should note that this will be happening barely one month before Black Friday. Fear not, though. All of these problems can be averted if software vendors all act quickly, well ahead of deadline. (Editor's Note: In other words, we're all doomed.)


Macy’s Re-Commits To Merged Channel In An Important Way

January 30th, 2013
It seems that Macy's has taken advantage of the retirement of a senior executive to consolidate power to help its ongoing merged-channel strategies. Macy's created a new C-level position and promoted its EVP for omnichannel strategy to chief omnichannel officer (COO is already taken, so who knows what acronym it will get). The chain also gave the new chief (which, at Macy's, is a higher rank than EVP) control over IT and logistics.

This power consolidation happened when Thomas L. Cole retired as chief administrative officer following a 41-year career at Macy's (and companies that Macy's acquired). That gave Macy's the ability to promote Robert B. "RB" Harrison from EVP for omnichannel strategy to his new chief role. "Among his duties, Tom has been responsible for systems and logistics for many years. As Tom's duties were re-assigned, it was decided that systems and logistics fit best under R.B. Harrison, given the increasing omnichannel nature of our business," said Jim Sluzewski, Macy's SVP of corporate communications. "In that process, R.B. was promoted to a chief and he joined the company's executive committee. Tom's retirement was the trigger point."


Apple’s Movie-Ticket-Purchase Move Has (Broken) Promise For Mobile Payments

January 30th, 2013
When Apple on Monday (Jan. 28) announced new features in its mobile OS—including what it described as "the ability to use Siri to purchase movie tickets in the U.S. through Fandango"—it seemed like the iPhone maker's first movement into mobile payments. Alas, no. Turns out that the system doesn't give Siri (the phone's virtual assistant with comically bad voice recognition) the ability to purchase movie tickets at all. It simply does what it's always done, which is to find local movie showtimes. After that, it's up to the user to click and tap on options, which will eventually bring up the Fandango app (assuming the user has already installed it). That's more a marketing deal than IT magic.

But it does raise the question of why the app doesn't deliver the type of true integration that it promises. Why not enable movie tickets to be purchased, without leaving Siri, and charged to the user's iTunes account?


Fake Prices At JCPenney? Why Not Real (But Rigged) Price Comparisons?

January 29th, 2013
Who actually believes in MSRP, anyway? On January 24, the New York Post breathlessly reported that JCPenney was asking (or maybe just planning to ask) suppliers for a "fake" list price, even if they don't have one, so the 110-year-old chain could display that price along with JCPenney's own lower price. The Post was shocked, shocked to find that pricing gimmicks were going on in retail.

The chain denied any fakery, but the real shock is that JCPenney bothered. Customers don't care about the Manufacturer's Spurious Retail Price. They care whether JCPenney's price is lower than Macy's or Kohl's, and they can get that information online. Why isn't JCPenney doing the same thing?


Google Privacy Lawsuit Could Quickly Hurt Retailers

January 28th, 2013
In a move that should send a frightening jolt to retailers, a group of iPhone users in London announced on Monday (Jan. 28) it is in the process of suing Google for online tracking that goes beyond the expectations of those users. On the surface, such legal action against Google falls under the heading of "Join the club." But there's actually more danger here than that.

The essence of the London case is that Google and Apple made privacy promises that are being broken. That fact may make it more of a contract law and a deceptive trade practices claim than a criminal case. And even that is dicey, because the news release from the first plaintiff to file a suit indicates it's less a matter of Google or Apple lying than it is about the companies being vague. But all of that is an issue for the lawyers at Google and maybe Apple. How does this make retailers' lives miserable? Quite easily.


Wait, You’re Saying That A Hostage Video Is Not Credible?

January 25th, 2013
Major electronics E-tailer Newegg received some good news Tuesday (Jan. 22), when a federal appellate panel overruled a $2.5 million patent ruling against the retailer. The most interesting part of the case, though, was when Soverain Software—the software firm trying to protect its E-Commerce patent—tried to argue that its success is proof that its patents are worthwhile. The Appellate judges looked into that claim.

"Soverain argues that obviousness of all of the claims in suit is negated by the favorable market response that was achieved by Open Market's Transact product, which Soverain states received 'widespread recognition in the general media,' 'an excellence award from the industry' and was 'widely licensed.'" Sounds good. So it would appear that the wide licensing meant Soverain had a lot of fans, right? The Appellate judges' written decision continued: "Newegg responds with evidence that the Transact system was abandoned by its developers and almost all of its original users. Newegg points out that licenses were taken to avoid the costs of litigation, and not to use the flawed Transact system embodied in its software."


MCX Embracing QR Codes, The Cloud And Unparalleled Vagueness

January 17th, 2013
Merchant Customer Exchange, the retail group trying to offer its own mobile wallet, plans on using QR codes as the heart of its cloud-based payment app, the group announced Monday (Jan. 14). But beyond the QR code detail and the names of a few new retail members—including Meijer and Wawa—little was discussed during an hour-long panel that meaningfully addressed how the group plans on making a difference, beyond the general platitudes MCX has stressed since its March 2012 launch.

What was different this time, though, is that members were more candid in explaining why they have the goals they do, even if they were not especially forthcoming in how they plan on achieving those goals. The group, for example, re-stressed its intent that data from one chain will not be shared with another chain. Jay Culotta, the treasurer at regional convenience chain Wawa, said many of the mobile vendors say they are not (today) planning on sharing data, but they refuse to say what will happen down the road. "It's not a forever situation," Culotta said, adding that the temptations for leveraging such data will likely be overwhelming. "It's unclear what their business case would be without monetizing that data."


Home Depot Privacy Pratfall: Spotting Web Shoppers In-Store

January 16th, 2013
Home Depot has been using a CRM practice that uses payment-card numbers to match in-store customers with their online purchases. It's a move that, although likely passable for PCI, is rather unnerving to privacy advocates. Home Depot officials stress that they only use the technique with shoppers who opt in, an argument that is somewhat tempered by how often consumers don't even notice privacy opt-in and opt-out Web site declarations. The chain has been using this technique for various purposes, including E-mailing in-store customers to ask them to review their recent purchases.

Home Depot's use of the card-matching procedure is not that unusual among major chains, but the norm is for the effort to be kept internal, to help improve general marketing. It was Home Depot's reaching out to customers that made some of them realize what was going on. And therein lies the problem.

