
Top Stories




PCI’s New PIN Rules: A New Document Is Issued To Require You To Create A New Document

June 12th, 2013
When the PCI Security Council issued new rules for PIN transactions on Friday (June 7), beyond the usual small tweaks and updates, there was essentially only one new rule impacting retailers: Device manufacturers need to specify how retailers need to use the devices to stay PCI compliant.

Andrew Jamieson, security laboratories manager for Underwriters Laboratories Transaction Security in Australia and a noted follower of PCI PIN procedures, said the new rule is actually a wise move. "The purpose of this document is to define the scope of the approval of the device, such that it is very clear what scenarios and environments the device is approved for use in. Conversely, which situations the use of the device steps outside of its approval, therefore negating its PCI PTS compliance," Jamieson said.



Rakuten Breach: Live By The Web, Get Punished By The Web

June 12th, 2013
Please forgive the cliché, but when hundreds of online shoppers say that your site is sick, it should lie down. The Japanese E-Commerce powerhouse Rakuten, which is just months away from a planned major push against Amazon (NASDAQ:AMZN) in the U.S., is finding itself in the frustrating position of seeing literally hundreds of its customers posting about fraud problems traced to Rakuten. And yet the $4.7 billion global retailer—operating in 27 countries—can't seem to trace the problem.

An online publication of Consumer Reports magazine, the Consumerist, has taken the lead in this coverage, and Rakuten's shopper victims have created their own site, much to the presumed non-delight of Rakuten. The site's called simply Rakuten Fraud. What's worse than having a security hole on your site on the eve of a major rollout impacting lots of customers? How about being unable to figure out where the hole is? Bernard Luthi, the COO of Rakuten.com, has become the public face of this breach and is arguing that there's little his team can do until they can somehow replicate or trace the source of these breaches.



Does Rakuten’s Move Mean E-Tailers Should Re-Think Web Design?

June 10th, 2013
When global e-tailer Rakuten told IRCE attendees last week of its plans to more aggressively push into the U.S. market later this summer, it spoke of its differences with Amazon and specifically stressed its preference for much longer pages than is the U.S. online norm. Have times—and shoppers' preferences—changed so much that a complete reversal is a wise move? Should e-tailers (including Amazon) be rethinking their fundamental Web design strategies? Has this $4.7 billion global retailer—operating in 27 countries—figured out something that others haven't?

The argument really comes to a simple choice: scrolling versus clicking. The argument for clicking is that it makes for a cleaner and shorter page and that all of the additional detail is there, but it's not cluttering up the page until the shopper wants to see it. There might be a link for technical specs, but those numbers will only appear when it's clicked on. No need to distract the reader who doesn't care about those specs. The argument for scrolling (or using a lot of the PageDown button) is user apathy or lack-of-awareness. If the shopper truly thinks the product is complicated, that shopper would have no interest in clicking the demo button. But if that really-simple demo just autoplays, it might persuade the exact shoppers who would have never been likely to click. The other key part of this debate is shopper desires/expectations.



GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?

June 7th, 2013
A recent story in a popular security newsletter featured a headline that got the blood boiling of GuestView Columnist Steve Sommers. The essence of the piece involved the National Association of Federal Credit Unions (NAFCU) asking Congress to create laws to further punish victims of a breach. The upshot is that merchants do not have any skin in the game when they are victims of a data breach. Sommers vehemently begs to differ.

Something these banks seem to miss is that merchants pay them for risk management. Issuers want to just sit back and collect all the free-flowing money that magically appears, forgetting that some of it actually requires them to work. Also, what are the real costs to the issuer? Key word here, "real" costs, not "inflated for a profit." Let's see: $2 for the plastic, $1 mailer, $1 postage, a generous $4 for labor and overhead. That works out to $8 total and these numbers are grossly padded. So why do I see reports by issuers claiming $25-75 "cost" to replace a card? Can you say exaggerated?




Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected

June 6th, 2013
Privacy policies, if written well, explain to customers exactly what data you are going to collect, and what you are going to do with it. Problem is, most retailers have no idea what data they are collecting, or what they are going to do with it. As a result, retailers end up writing privacy policies that are either false or misleading, and this can lead to big legal problems. In fact, it may be better to have a policy that says either "we have no idea what we are collecting and what we will do with it" or "we will collect everything we can and use it in any way we want." But that’s not good public relations, writes Legal Columnist Mark Rasch.

What does this mean for retailers? Retailers collect, store, collate, share and use a great deal of personal information and personally identifiable information. Whether through PCI terminals, CRM databases, loyalty programs, surveillance cameras, credit checks or credit reports, website and e-commerce operations or marketing activities, they have a lot of personal information. They also share it with people that they never consider in their privacy policies. For example, they may state that they share information with vendors and suppliers to deliver goods and services. But what about lawyers, accountants, auditors, regulators, consultants and others? And how will those parties use the information? How will they protect it?


JCPenney CTO Kristen Blum Gone, IT Transition Questions Remain

June 5th, 2013
JCPenney CTO Kristen Blum, who was hired to execute the IT side of former CEO Ron Johnson's grand vision for the 1,100-store chain, is out. The retailer confirmed on Wednesday (June 5) that Blum is gone with the standard thank-her-and-wish-her-well statement. But what's left in her wake is a set of questions about how JCPenney will deal with a massive IT overhaul that it can't really afford but may not be able to reverse.

Let's be clear: None of that uncertainty was Blum's fault. The decision to rip out 500 legacy systems and replace them with Oracle came from Johnson and former COO Michael Kramer. Kramer was the exec who ripped into the chain's culture and called its systems and IT infrastructure "a mess" last year. Blum's job was to retire systems, streamline processes and push forward into Oracle—and she reportedly managed to do that without creating nearly as many enemies as some of Johnson and Kramer's executive hires.


Target Quietly Running Four Fulfillment Trials, But The Reason Why Is Far More Interesting

June 5th, 2013
Target CFO John Mulligan has confirmed that Target is in the middle of not one but four different fulfillment pilots, including acting as a guinea pig for the same-day-delivery trials of both Google and EBay. The other Target trials involve pay-online-pickup-in-store, pay-in-store-pickup-at-another-store and pay-online-ship-from-store.

The interesting background to these trials is that Target—as its name implies—has always been precisely focused. These trials, as the CFO pointed out, are the chain admitting that many fundamental shopper assumptions may no longer be valid. "We spent 50 years honing, moving products one direction to our supply chain and ultimately to the back door of the store. Then through the front door and trying to do that as quickly as possible. Now we're moving product different directions depending on what our guest wants and for us, we need to learn how to operationalize that," Mulligan said.


Grocery Loyalty Actually Lost Members From 2010 To 2012

June 4th, 2013
What happens to CRM when loyalty programs hit a wall? Grocery chains may be about to find out. After years of steady growth, memberships in U.S. grocery chain loyalty programs fell by about 1 percent between 2010 and 2012, according to the 2013 Colloquy Loyalty Census. Yes, total membership really did shrink, from 173.7 million in 2010 to 172.4 million in 2012.

In practical terms, that's not exactly falling off a cliff. But loyalty programs have been growing at a rate that means memberships would double every decade. If your CRM plans were based on needing the processing power to handle all those extra members' data, it's time to adjust those plans.


Flaws in the Carbon Layer: Is a Penetration Test Without a Social Engineering Component Really a Penetration Test?

June 3rd, 2013
Every QSA gets asked the same question about penetration testing: What is acceptable (translation: what is the least I can do) for PCI compliance? In the current environment of criminal (and state-sponsored) hacking, that is the wrong question. Instead retailers should ask: How do I get the greatest value from the penetration testing I am already required to do? I would like to make the point that at least part of the answer is for every retailer and payment card merchant to include some form of social engineering as a part of their pen testing.

PCI DSS Requirement 11.3 has a lot of detail on when retailers need to conduct pen tests. It recommends, for example, "at least annually and after any significant changes to the environment." In practice, this means retailers need to perform and/or re-perform pen testing after such events as upgrading their operating system, adding a sub-network to the Cardholder Data Environment (CDE), or even adding a Web server to the CDE. However, the requirement does not specify details on what the pen test should cover other than it should include "network-layer" and "application-layer" testing, pens PCI columnist Walt Conway.


Visa To Genesco: PCI Compliance? What PCI Compliance?

May 31st, 2013
The predictable other shoe has dropped (please forgive that heel of a play on words) in the legal battle between apparel chain Genesco (NYSE: GCO) and Visa over PCI penalties, with Visa officially asking a federal judge to dismiss the retailer's lawsuit. The $2.6 billion Genesco chain, which owns Journeys, Lids and Johnston & Murphy, had been breached in 2010 and later had to reimburse its acquiring bank for about $13 million in fines charged by Visa. It sued Visa—with its acquirer's permission and blessing—saying that it hadn't violated any PCI rules.

Visa has now reacted, arguing to a federal judge that Genesco's complaint should be dismissed for three reasons. First, Visa said that Genesco cited the wrong California state law, one that cannot be used in cases where there is a contract dispute. Second, Genesco didn't claim sufficient facts to make its case. The third Visa argument was that one claim—that Visa had made fraudulent statements—wasn't valid as the statements didn't influence "consumers or the public," nor did even Genesco rely on them. (It's an interesting defense: Our lies didn't harm anyone because nobody ever believes us anyway. For the record, of course, Visa hasn't conceded that it lied, arguing that the law in question only envisioned lies that deceived the public.)


The Case Of The Walmart Drunk: Big Data, Big Duties, Big Headaches

May 30th, 2013
Walmart was very recently sued by a woman involved in a car accident. The driver of the car that hit her wasn’t a Walmart employee, it wasn’t a Walmart vehicle, and it didn’t happen in a Walmart parking lot. Rather, the victim alleged that the driver had recently been in a Walmart and had been kicked out for being drunk. The victim alleged that Walmart, knowing that its customer was both drunk and driving, had a duty to prevent the customer from driving, or to report that person to the police. The court considering the case refused Walmart’s efforts to have the case dismissed on summary judgment, finding that there was at least enough evidence of "negligence" to allow the case to go forward.

Even though nobody alleges that Walmart got the patron drunk, the idea is that Walmart was in a position to know about the potential harm and could have stopped it. Here’s where technology makes things messy. Once the drunk is tossed out of the Walmart, there’s a good argument that Walmart’s duty to third parties ends. Unfortunately, Walmart has installed and routinely monitors parking lot cameras. That's where data creates legal duty.


Walmart: Settlement ‘Worse Than Losing’

May 29th, 2013
In a last-minute interchange settlement objection filed on Tuesday (May 28), Walmart and more than 60 other retailers described the proposed settlement as worse than actually losing the case. The settlement will block future lawsuits over Visa and MasterCard rules, practices or actions—and that includes PCI and breach penalties.

That goes far beyond the original lawsuit, which only covered default interchange rules, honor-all-cards rules and anti-steering rules. If the case went to trial and lost every claim, that would still just lock in the card brands' control of interchange and card-acceptance rules. But the proposed settlement would go far beyond that—extending to block any challenge to PCI and breach penalties.


Neiman Marcus Pushes Back—Hard—Against A Patent Troll

May 29th, 2013
Retailers are finally fighting back against so-called patent trolls, firms that buy patents and then threaten retailers to get whatever licensing fees they can. These firms generally don't want to go to court. They'd rather send letters and make a nice living from the checks of chains that can't be bothered to fight. Sometimes, these retail efforts work—such as with Newegg and Overstock—and sometimes they don't—such as the recent case with Best Buy, Home Depot and Gap.

But a recent case with Neiman Marcus takes these retail defenses to the next level. When Neiman Marcus received its letter, the retailer didn't respond. It sued immediately, even before knowing the name of whom it was suing. And as if to underscore how big a mess this all is, the day Neiman Marcus sued that patent troll, an unrelated patent troll sued Neiman Marcus.


Saks Makes Some Curious Tablet Choices When Upgrading Its Flagship Store

May 29th, 2013
Trying to boost Saks Fifth Avenue's flagship store—which Citigroup reported has underperformed the chain's store-revenue average for three of the last four quarters—the retailer has turned to iPads and some old-fashioned customer service improvements. But the chain has made some curious tablet deployment choices. The first move, which should be applauded, is equipping associates with the devices to try and show the hypothetical "single view of the shopper" through multiple channels. So if a shopper routinely logs in—and logs in with the same ID—in all channels, that customer's data could be accurate, assuming an associate is able to nonchalantly ask for the shopper's full ID. It's an ideal step in the right direction.

But Saks, according to Citi, is only deploying one iPad for every three associates. That suggests some 66 percent of associates either won't have a tablet to help their customers or they will have to awkwardly borrow one from another associate. But one associate can't borrow a tablet from another associate who is working with a customer, so an idle associate will have to be located. On a busy Saturday afternoon, that could be almost impossible. Does Saks really want some of its associates to have tablet-powered capabilities while others do not? Will some shoppers be at a disadvantage? Wasn't the whole point of tablets that their pricepoint is such that it's economical for every floor associate to have one while they are actively working the floor?


Target.Com Glitches, Asks Shoppers To Report “Anything You Might Have Done That May Have Caused The Error”

May 29th, 2013

On Wednesday (May 29) morning, we ran into a strange error on Target.com (NYSE:TGT) that seemed to be more accusing of the retailer’s shoppers than it probably intended. The problem was a big one, namely that products marked to be purchased were not showing up in the shopping cart. When we clicked New Guest, it delivered this delightfully phrased text-only Internal Server Error: “The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator (no address given) and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.”

Beyond the obvious that this is not an error message a retailer wants to show its shoppers—who hopefully don’t have access to its server error logs—the best part is the “anything you might have done that may have caused the error” line. Love how the system just assumes it’s the shopper’s fault. This is like a bank that automatically responds to any error with a form to the teller that asks, “OK, what the —- did you do this time?!” (The glitch seemed to go away about an hour after we first detected it.)…


What You’re Missing: Urban Outfitters Charging More Online, Does Sears Want To Go Members-Only?

May 29th, 2013

Your friends here at StorefrontBacktalk editorial also now publish a daily retail site, called FierceRetail, and wanted to give you a sense of what you’re missing by not visiting or grabbing its free newsletter. Urban Outfitters discovers that it can get away with charging more online than in-store. See? Sometimes conventional wisdom is conventionally wrong.

A look into how federal judges are likely to force changes in how price anchors are set in-store plus some questions about whether Sears is thinking about becoming members-only. Was Best Buy’s Facebook promo a victim of its own great deal—and some we-should-have-seen-this-coming rip-off artists? We also threw in our take on Walmart’s $82 million hazardous waste settlement, where Walmart spoke of mouthwash and hairspray and the feds said they were pesticides. (You say tomato, I say Molotov cocktail…) All of that—and dozens more stories—and that was just this week. And Monday was a holiday! Drop by and check it out. It’s free and the snacks all have zero calories. (That may be because they don’t exist.)…


Walmart’s Auto Shopping List: The Next Killer Mobile App?

May 29th, 2013
Gibu Thomas, the SVP for mobile/digital at Walmart, recently floated the idea of a mobile shopping app that uses POS and CRM files to prepopulate a shopping list, filling it with things that the customer is likely to run out of very soon. At a glance, this may seem like a throwaway idea his team is toying with. But for quite a few reasons, this seemingly innocuous functionality idea could truly be the killer app that retailers often strive for.

The idea, which Thomas made a passing reference to during a keynote speech at CTIA Wireless, was referenced this way: "The best shopping list is the one you don't have to create and that's what we're working on." (Technically, the best shopping list is the one that someone else has to shop and pay for, but I digress.) Presumably, this mobile app would be built atop the chain's experimental Scan & Go mobile app, which prepares in-aisle checkout leveraging existing self-checkout units. Given that Scan & Go—by its very nature—requires the shopper to register beforehand and to be associated with a verified payment method, it delivers an ideal CRM platform. This is a nice backdoor way to get into CRM for Walmart, which doesn't have a traditional CRM program and never has had one. That is a crucial element of Thomas' self-populating shopping list.


First Data Could Scuttle Interchange Settlement

May 28th, 2013
First Data Corp. has broken ranks with Visa and banks in the escalating interchange war. The card-processing giant formally objected to the $7.25 interchange settlement last Friday (May 24), saying the fact that it accepted credit cards in its cafeteria would make it a "merchant" under the settlement and prevent First Data from protecting itself against unfair dealings by the card brands. Bottom line: First Data wants the settlement changed, which could open the door to the whole deal unraveling.

Also on Friday, Visa and MasterCard sued a group of merchants and trade groups who have opted out of the settlement—but that's less impressive than it looks. The card brands' suit is a mirror image of the lawsuit that Target and 16 other retail chains filed last Thursday (May 23), which claimed the card brands' entire rule structure violates antitrust laws. The card brands are asking a court to declare that their rules don't violate antitrust laws.


The Pronunciation Debate: GIF Me A Break

May 24th, 2013
In the high-tech and retail worlds, there is a small group of marketers who seem to believe that they control branding and that even after decades of use, pronunciations and nicknames can be changed by marketing dictate. These people are what is known in retail IT circles as "Wrong. Dead Wrong. Absolutely and forever wrong and they were never even the teensiest bit right." (IT knows not nuance.)

What brings this up is the recent debate—best articulated by our friends at The New York Times—about whether the graphical standard GIF should be pronounced as a homonym with Jif, the peanut butter. (Never quite understood the campaign "Choosy Mothers Choose Jif." Did that mean that less uptight, less anal-retentive mothers chose Skippy? But I digress.) For decades—since 1987—it's been pronounced with a hard G, as in the word graphic. Seems that Steve Wilhite, the inventor of the popular graphic approach back when he worked at CompuServe, now has opted for the peanut-butter pronunciation.


Virtual Retail Currency Could Translate Into Not-So-Virtual Legal Nightmares

May 23rd, 2013
In a bid to attract new customers, Amazon recently announced a new program in which it would give customers 50 Amazon "coins" to use in playing games and for other purposes. The idea is sort of like what happens at the boardwalk in the summer or at the gaming tables in Las Vegas. Rather than playing with real money (and risking losing real money), gamers play with coins or chips with an artificial "value." It’s easier to lose 500 Amazon coins than it is to lose actual cash.

But in creating an artificial currency, and allowing it to be transferred and exchanged, retailers like Amazon may be getting themselves into potential legal trouble, writes Legal Columnist Mark Rasch. In fact, they may be making themselves into an illegal unregistered money transfer company or even an unlicensed bank. Such is the problem with digital "money."


Mobile Point Of Sale Is Growing Fast And Turning Up Surprises

May 22nd, 2013
Use of tablets and iPods as point-of-sale devices is growing rapidly, but it's not going to knock cashwraps out of most stores anytime soon, according to an IHL Group report released Tuesday (May 21). More than 85 percent of big retailers say that for the next three years, mobile POS devices will be add-ons to—not replacements for—traditional fixed checkouts.

The most likely users of those devices: specialty retailers (both mall-based specialty chains and small independents), who are deploying about 45 percent of all tablets shipped to retail for POS, IHL said. But only 28 percent of U.S. retailers plan to roll out any mobile POS devices by the end of 2013, a drop from previous estimates. That suggests the reality of mobile POS is beginning to set in for early adopters, who are beginning to see some of the limits—and counterintuitive aspects—of the technology.


Walmart, Starbucks, Others Say No To Interchange Settlement

May 22nd, 2013
With a week to go before the deadline for merchants to opt out of the $7.25 billion interchange settlement, a group of major retailers said on Tuesday (May 21) that they're not playing. Walmart, Costco, Starbucks, Gap, Lowe's, 7-Eleven and Nike filed paperwork with the U.S. District Court in Brooklyn that's handling the case, all saying they both objected to the settlement and were opting out.

The group also said its members were considering "additional legal action to recover damages from Visa and MasterCard under U.S. antitrust laws." A key point in the settlement is that Visa and MasterCard won't be subject to future interchange-related litigation. K. Craig Wildfang, one of the attorneys who negotiated the settlement, said he wasn't surprised by the announcement from Walmart and the other chains. "These merchants have been publicly critical of the settlement, and we always thought that many of them were likely to opt out," Wildfang said. "We remain confident that the vast majority of merchants in the class will not opt out."


Nordstrom Halts Mobile Customer-Tracking Trial

May 21st, 2013
Eight months into a controversial customer-tracking mobile trial, Nordstrom (NYSE:JWN) has halted the effort. Although Nordstrom took a lot of criticism for the mostly misunderstood program from consumer media, it's not clear whether the project ended as a result of the criticism or the trial had simply run its course. The trial's purpose was straightforward: to use routine signals coming from shoppers' mobile devices to count how many people showed at Nordstrom and, critically, which were repeat visitors (and, if so, how many times they had previously visited, dates they visited and where in the store they went). Nordstrom had maintained that it was only seeing anonymous data, meaning that it didn't know the names of the shoppers being tracked.

The trial was controversial for a reason other than consumers' fears that their privacy was somehow being invaded. The problem is that Euclid was able to see cross-retail activity. That means that it saw when, for example, a Nordstrom shopper left Nordstrom without visiting POS and then her mobile signal appeared 20 minutes later inside Macy's, where she ended her visit with that always-desired visit to POS. (Note: That was just an example. Other than Nordstrom, we're not identifying which retailers are using Euclid.) The fact that Nordstrom is only receiving anonymous data (or so it says) doesn't mean that its rivals all are similarly limited. This is a key industry problem with many forms of mobile information gathering.


Marks & Spencer’s POS Charges Contactless Regardless, At Least Now And Then

May 21st, 2013
Some Marks & Spencer customers have reported that the U.K. chain's contactless payment terminals have taken money from contactless cards even when those cards were still in purses or wallets a foot or more away—and in at least one case, the grabby POS behavior was repeatable.

The retailer recently rolled out contactless point-of-sale terminals to 644 U.K. stores and reportedly processes more than 230,000 contactless transactions every week. But several customers told the BBC that they had the experience of inserting a chip-and-PIN card in the PINpad's slot, but being issued a receipt for a contactless card that was nowhere near the PINpad. The contactless system isn't supposed to work at distances of more than about two inches.


Amazon May Not Get Its .Amazon Domain-Name Extension After All

May 20th, 2013
Walmart (NYSE:WMT), Amazon (NASDAQ:AMZN) and more than a dozen other retailers who applied for their own top-level domains (TLDs) were expecting to see them rolled out starting this year. But the Internet Corporation for Assigned Names and Numbers (ICANN) is running into more delays in approving the vanity domains, and some—including .amazon—look like they may not be available to retailers at all.

The problem comes down to the fact that anyone can object to a TLD that has special significance beyond being a trademark, and far more objections have been filed over the nearly 2,000 applications for the new TLDs. In .amazon's case, there's a South American river with the same name (what a coincidence, huh?)—and several South American countries believe that's a good reason for Amazon not to get control of .amazon.

