Payment Systems


Harbor Freight Breach May Be Biggest Of 2013, Issuers Say

August 12th, 2013
What looked initially like a two-store payment-card breach may end up being one of the biggest breaches of 2013. In late July, the 425-store discount hardware chain Harbor Freight Tools posted signs in its stores, warning customers that there might have been a problem with some in-store card transactions. Now it appears thieves were using multiple kinds of malware to tap transactions between June 14 and July 20, and the breach has affected at least 30,000 card holders at just two card issuers. That's eventually expected to climb into the millions.

Harbor Freight itself isn't saying much except that it hired Mandiant to investigate and that the malware has been found and blocked. But card issuers and card brands are now sending out advisories about possibly compromised card numbers on nearly a daily basis, according to BankInfoSecurity, which has been tracking the breach. And it's only in the past two weeks that fraudulent transactions linked to the breach have begun to increase significantly—suggesting that the card numbers are just now beginning to be sold to cashers.



Court To Fed: Keep The (Inter)Change

August 8th, 2013
On July 31, a federal court in Washington sent shock waves through the merchant, banking, and credit/debit card industry by overturning the Federal Reserve's rules implementing limitations on the interchange fees banks can charge merchants for processing signature- and PIN-based debit cards. In doing so, the Judge ruled that the Fed had not reduced these fees enough to comply with the wording and the intent of Congress—and sent the rules back to the drawing board.

While this is good news for merchants and bad news for banks—or will be, once the new lower-fee rules are in place—how much the good news is worth depends on how much a debit card transaction costs, writes Legal Columnist Mark Rasch. And just as important is who gets to decide what a "cost" is.



Can VeriFone Actually Outsource PCI Problems?

August 7th, 2013
In theory, you can't outsource PCI issues, but VeriFone wants to try. On Monday (Aug. 5), the POS maker announced VeriFone Point, a payments-as-a-service offering that basically takes everything in the store except the PINpad out of PCI scope—and, as far as we can tell, the PINpad doesn't belong to the retailer, so that's somebody else's problem too.

This should be a really good idea, and maybe even a good product for some chains if it's implemented right (we haven't seen details yet). But let's imagine it is: The PINpad belongs to the service provider. Card data is encrypted and transferred via the service provider's network, not the merchant's. A token is kicked back to the store POS with the card approval, so the merchant can track customers and meet branded-cart transaction detail requirements. No card data ever comes near the merchant's systems. What could possibly be wrong with this plan?



When Replacing NFC, Tech Is Really Not The Issue

August 7th, 2013
It seems that the thing to say today, when discussing a retail mobile interaction method (be it for payment or loyalty or couponing), is that it's an alternative to NFC (Near Field Communication). What a horrible thing to say about a technology (in the U.S., at least). But the characterization—or is it an insult?—misses the point about NFC.

More precisely, it misses why NFC has fared so extremely poorly in the U.S., especially for payment. The comparison of technologies—be it Light Field Communication (LFC) or using the touch-screen of a phone such as is being done by TouchBase—to NFC usually implies that if NFC phones were more plentiful or if the POS interface was simpler or if the phone connection was faster, then NFC would have flourished. The reality, though, is that while those tech issues are true and were obstacles, tech problems weren't anywhere close to NFC's biggest headache. It has always been the business issues—and none of today's much-touted approaches seem to have a solution for that.



Walmart’s Scan & Go Change Reminds Us How To Make Mobile Work

August 5th, 2013
One of the many advantages of mobile payment is significantly expanding CRM reach, getting to know about a far greater percentage of all of a shopper's purchases. Nowhere is this more attractive than with Walmart, which has never had (and still doesn't) a traditional CRM. In the latest upgrade to the chain's Scan & Go mobile payment/self-checkout hybrid, Walmart takes this all-knowing tactic to the next level, giving shoppers a reason to scan physical receipts.

At its most simple level, the upgrade merely allows shoppers to scan physical receipts from Walmart (more precisely, to scan the QR codes printed on such receipts) to receive an electronic version. For the shopper, it's a nice way to reduce paper clutter and also organize purchases in one place. For Walmart, though, it's much more.


Self-Service Shifts Legal Risks, May Let Customers Off The Hook

August 1st, 2013
One of the great things about the Internet and computer technologies is that they can empower consumers and businesses to do things that ordinarily require a middleman. Consumers can purchase their own insurance, engage in banking transactions, deposit checks, make purchases, etc. They can do this both online and in the brick and mortar environment.

But this means that when the technology fails, it is the consumer who must suffer the consequences, writes Legal Columnist Mark Rasch—when ordinarily the risk of loss would have remained with the merchant. And he has more than a few day-to-day examples to make the point.


Now Asda, Morrisons And Europe Are Going After Visa And MasterCard Over Interchange Too

July 31st, 2013
First there was the $7.25 billion interchange settlement that big chains mostly detested, largely because it would outlaw future interchange lawsuits. Then came a flurry of retailer lawsuits against Visa and MasterCard, charging that the card brands' fee rules violate antitrust law. Now three major UK retailers—Walmart's Asda, Morrisons and apparel group Arcadia—have sued Visa over interchange in London, and eight other retailers sued Visa separately at the same time.

Not to be left out, the European Union's financial services commissioner, Michel Barnier, unveiled plans on July 24 to cut interchange fees in the EU to 0.3 percent for credit card transactions and 0.2 percent for debit cards, which will eventually cut the retailer fees to Visa and MasterCard by about $8 billion a year. The interchange caps will initially apply to cross-border transactions, then be expanded to all card payments after 22 months (but no start date for that has been set).


Why Did Gonzalez Hackers Like European Cards So Much Better?

July 30th, 2013
Last Thursday's (July 25) indictment of five more Albert Gonzalez gang members by federal prosecutors in New Jersey is a reminder of how big that operation was (and may still be) and how far authorities still have to go before they have it wrapped up—after all, only one of the five is in U.S. custody, with a second one awaiting extradition in the Netherlands.

But a sharp-eyed Washington Post reporter noticed an oddity in the indictment that has less to do with cops and robbers than with mag-stripe and chip-and-PIN: Stolen European card numbers were sold for $50 each, while U.S. numbers fetched a mere $10.


Walmart Sales Tax Snafu: How Did They Get This So Wrong?

July 29th, 2013
In a sterling example of what big retailers' POS software is not supposed to get wrong, Walmart has apparently been charging too much sales tax on two-for-one coupon deals in Pennsylvania in violation of the state's law. Walmart insists the way it handles coupons in Pennsylvania has gotten an OK from the state—despite the fact that Pennsylvania law appears to spell out exactly the situation in which Walmart is accused of collecting too much tax.

According to a class-action lawsuit that was moved from state to federal court last week, when a Pennsylvania customer uses a two-for-one coupon, Walmart charges sales tax on both items, but it's only supposed to charge for one. Because Walmart gets to keep 1 percent of the sales tax it collects as a collection fee, the chain is being accused of unjust enrichment from every coupon sale it has made since June 2007.


PCI’s Not-So-Open Global Forum

July 22nd, 2013
PCI's Global Forum is an open forum in name only, at least as long as it continues to force changes on members that they are not permitted to even know about until someone who has been briefed chooses to tell them, pens GuestView Columnist Stephen Ames. What makes him say that? He spins a story about how PCI really works.

He had just wrapped up onsite PA-DSS validations with his PA-QSA this month and a question came up about PA-DSS Requirement 4.2.7, which aligns with DSS Requirement 10.2, which is all about user access. Ames' QSA tells him that PA-DSS Requirement 4.2.7 is now always in scope, regardless of whether or not there is a user database within the application. Both of these options would cause application vendors to take on more liability. He searched the PA-DSS for a security requirement that aligns with PCI DSS 11.5 – File Integrity Monitoring – and there is none. Ames is certain that most application vendors would not take responsibility for file integrity monitoring at merchant sites. He can't understand why the SSC is forcing that upon application vendors when they don’t even have that requirement written into the PA-DSS.


Major Chain Loses PCI Compliance When Data Center Moves

July 16th, 2013
One of the nation's 15 largest retail chains had done a tremendous job segmenting its network to reduce the scope of its PCI assessment. All of that was thrown away, though, during a simple data center transition, when Networking made a security change but no one ever bothered to tell senior IT management.

Late last year, the chain decided to move its data center from an in-house facility to a purpose-built data center campus in another part of the United States. The goal was to gain additional raised floor space, energy efficiency and to avoid significant natural disaster risks with the location of the existing data center. In the QSA's review of the new data center, it was seen as a model of energy efficiency and modern data center design. So far, so good. But when the QSA returned for the annual PCI assessment, a review of the core switch and the layer 3 ACLs (Access Control Lists) revealed that all of the switch’s ACLs had been disabled—commented out—for both data centers. The formerly segmented network was totally flat, with no segmentation.


Phone Makers Are Still Opening Security Holes By Spying On Phones

July 5th, 2013
A security researcher in Seattle has identified yet another program running in the background of some smartphones in the name of collecting quality of service information. This time the phone is Motorola's (NASDAQ:GOOG) Droid X2, and the program collects data that includes some user passwords—the researcher confirmed that his YouTube password was slurped up—which then are sent back to Motorola over an unencrypted connection.

Motorola doesn't have any real use for YouTube passwords, of course. But the fact that it's collecting them anyway suggests that whoever designed the software is really unclear on the security problems in slurping up data by default. Ironically, the one kind of data security that retailers are most concerned about, PCI, isn't strictly an issue if a customer uses a Droid X2 for mobile commerce, since the data leak is out of PCI scope—it's on the customer side. But a chain's employees might be sending their passwords to critical systems using a Motorola phone too, potentially exposing all the chain's systems to attack.


Safeway Self-Checkout Security Hole Illustrates The Importance Of Button Sequence

July 3rd, 2013
The self-checkout software at a Safeway chain in California, Vons, lets the shopper move directly to the payment area and then still buy more items. This bit of flexibility likely seemed a good idea at the time, until it was discovered that it meant that the next shopper could scan groceries and those groceries would be charged to the payment card of the first shopper.

Nearby stores within the Ralph's and Albertson's chains avoid this issue by simply forcing the shopper to close out the order before proceeding to payment, according to a California TV station's report. The Safeway stores had a "finish" button, but it was not required that it be hit before proceeding to payment. One wonders how much time was spent watching and fixing these holes and creating and distributing the signs, as well as dealing with customers who were apparently paying for other shoppers. It's also possible that many of those ripped-off shoppers never detected it, but they will now that media coverage has kicked in. How will those shoppers feel about Safeway's "let the glitch happen and we'll fix the individuals who notice later" approach? Compare all that to how much time it would likely have taken IT to simply require that the "finish" button be hit before payment was accepted. Ahhh, the wacky world of retail cost-benefit analysis.


Square Mastering PayPal’s “Don’t Tell Store Associates And See What Happens” Strategy

July 2nd, 2013
When a Reuters story this week detailed that retail associates were oblivious about a Square service being offered in their stores, it had a frighteningly familiar ring to it. We have repeatedly run into chains that roll out brilliantly planned payment or mobile offerings, but somehow forgot to brief associates.

This is bad for an infinite number of reasons, but none more striking than the fact that associates are the primary interaction point with shoppers. When they see something new and unfamiliar, the associate is where they turn. When that inquiry is met with a baffled look and a pair of shrugged shoulders, that IT initiative is about to lose any shoppers—and IT may never know why. (They'd know if they asked associates, but if they had thought about asking associates, they would have had them briefed in the first place.)


Why Quarterly Vulnerability Scanning Is An Impressively Stupid Idea

July 2nd, 2013
The current PCI DSS quarterly vulnerability scanning requirement is nothing short of ridiculous, given the fact that most operating system vendors and some application software providers release patches at least monthly, pens GuestView PCI Columnist Jeff Hall. (OK, it isn’t so ridiculous if your goal is to guarantee a constant security hole for the convenience of cyberthieves. For those of you whose goals are other than that, though….) When Visa published their Customer Information Security Program (CISP) back in 2002, they set the bar of quarterly vulnerability scanning because it was believed to be the most efficient and cost effective approach for providing security. This practice has continued unaltered even when the CISP was converted to the PCI DSS in 2007.

Over the past decade, Council officials, retail IT people and QSAs have begun to question the quarterly requirement, but the fear was that retailers would simply not do it, as they could never cost-justify it, particularly for Level 4 retailers. The council has always had a strong pragmatic nature, weighing the effectiveness of guidelines against what they could realistically hope for retailers to do.


As Chain Trials Facial Recognition, Channel Assumptions Flip

July 1st, 2013
A major Russian convenience store chain, Ulybka Radugi, is now running a trial of facial recognition to choose digital in-store ads to be displayed and POS coupons to be offered. But as more chains start to seriously investigate the facial recognition potential, some of the fundamental CRM biometric assumptions are being challenged. Such activities need not end with the same channel where they began. Once a shopper is identified in-store and is matched with a CRM profile—or they are identified anonymously in-store and a purchase profile of this unknown-person-with-this-specific-face is slowly built—that information can theoretically be married to data from that person's desktop-shopping e-commerce efforts or their tablet/smartphone's m-commerce efforts.

The question, then, is whether it has to start in-store. What if this hypothetical chain pushes some attractive incentives to get lots of customers and prospects to download its free mobile app? And buried in the terms and conditions is the right for the app to monitor images? The next selfie or Snapchat that the shopper sends is captured and the facial data points are noted. Here's where it gets even freakier. Once the mobile app has identified the face of the shopper—and has linked it to whatever mobile shopping that customer has done—it can tell the in-store camera databases what to look for. When that shopper walks in, it can connect the mobile activity with any observed in-store activity.


Extremely Sad News

June 26th, 2013
It pains us greatly to have to report to you that our PCI Columnist, Walt Conway, passed away on Tuesday (June 26) after a battle with pancreatic cancer. Professionally, Walt had that rare ability to take complex compliance issues and make them approachable. He was a huge fan of the PCI process, which meant that he felt the obligation to point out its flaws or its inconsistencies.

Personally, I've never met someone who was as personable, intelligent and just plain nice as Walt. He will be missed far more than any words can convey.


Where In The World Is ISIS Wallet?

June 24th, 2013
With all of the recent attention to Google Wallet, I thought it might be interesting to do the same about some of the other digital wallets in the market – there are so many now! Since someone was asking me just the other day about ISIS, and it's been a while since we’ve heard from them, I was inspired. So, just where in the wallet world is ISIS these days? asks GuestView Columnist Karen Webster. Well, the short answer is: not in very many places.

It’s live in two cities, so they can officially use plural words when describing its deployment, but unless you live in Salt Lake City or Austin (and own particular handsets with NFC) you are SOL in being able to engage in the ISIS experience. According to Mike Abbott, ISIS CEO, at a presentation this past May, ISIS will expand past those cities when they are good and ready. And after all, what’s the rush, especially when you have Big Daddy Telebucks (AT&T, T-Mobile and Verizon) bankrolling you? Let’s take a trip down memory lane now and refresh our collective memories on the ISIS Wallet evolution.


Cyberthieves Are Going Low-Tech, And The Only Way To Stop Them May Be To Go Even Lower

June 18th, 2013
At a time when retail IT is getting better at locking down just about every avenue cyberthieves have of breaking in—PINpads, wireless networks, connections with processors—it's nice to know the bad guys are still able to hit retail security where it isn't. (OK, it's not nice, but you know what we mean.) According to FICO (NYSE:FICO), scammers are now using a decidedly low-tech technique for stealing payment-card information from consumers—and there's no special reason the same trick won't work against store employees for the keys to a retail network.

It works like this: A cyberthief phones the target claiming to be from a bank and saying there's been suspicious activity on the target's card. If the target doesn't trust the caller, the thief encourages the target to phone the bank using a number the target trusts. The target hangs up—but the thief doesn't. When the target picks up the phone again to dial, the thief plays a recording of a dial tone. The target dials, but it's the thief who fields the call. From that point, it's all Social Engineering 101.


Jury Rules For Barnes & Noble In Gift Card Patent Case, But The Implications Are Mixed

June 12th, 2013
On Friday (June 7), a federal jury ruled in favor of Barnes & Noble (NYSE:BKS) in a gift card patent case. The arguments focused on when a gift card transaction is truly processed—is it when the card has money placed into it or is it when the products/services are delivered?—and whether a processor is acting as a bank. And if the retailer controls the full transactions, is it acting bank-like?

The reason the bank-like issue comes into play is that the patent in this case specified that a transaction would go through a bank connection, and Barnes & Noble argued that it handles the transactions internally, as a stored payment. Therefore, the chain argued, it's a different process and does not violate the patent. The patent holder, Alexsam, countered that Barnes & Noble processed these payments through its payment processor. Given that the payment processor network also handled traditional bank card payments, it's a bank network and it's therefore the same as the patent. The jury sided with the bookseller.


Still No Apple Mobile Wallet, But A Card-Number Keychain That May Be Just A Bit Too Clever

June 12th, 2013
Anyone who was expecting Apple (NASDAQ:AAPL) to jump into in-store mobile payments this week is probably feeling...well, comfortably disappointed. The big keynote speech at Apple's Worldwide Developers Conference on Monday (June 10) contained, as usual, no sign of the "iWallet" that some Apple fans insist will be coming any day now. But there was something just a little bit like a mobile wallet, and that's sure to keep the wishful thinking alive.

That something was the iCloud Keychain. Put simply, it's a cloud-based feature of Apple's new iPhone operating system, iOS 7, that lets users store passwords, logins and payment-card numbers for use with mobile commerce sites. Yes, it does all the things password managers do these days, including automatically filling in the forms that make online retail so much more miserable for customers on a phone than on a PC. But it's adding card numbers that makes this interesting.


PCI’s New PIN Rules: A New Document Is Issued To Require You To Create A New Document

June 12th, 2013
When the PCI Security Council issued new rules for PIN transactions on Friday (June 7), beyond the usual small tweaks and updates, there was essentially only one new rule impacting retailers: Device manufacturers need to specify how retailers need to use the devices to stay PCI compliant.

Andrew Jamieson, security laboratories manager for Underwriters Laboratories Transaction Security in Australia and a noted follower of PCI PIN procedures, said the new rule is actually a wise move. "The purpose of this document is to define the scope of the approval of the device, such that it is very clear what scenarios and environments the device is approved for use in. Conversely, which situations the use of the device steps outside of its approval, therefore negating its PCI PTS compliance," Jamieson said.


Rakuten Breach: Live By The Web, Get Punished By The Web

June 12th, 2013
Please forgive the cliché, but when hundreds of online shoppers say that your site is sick, it should lie down. The Japanese E-Commerce powerhouse Rakuten, which is just months away from a planned major push against Amazon (NASDAQ:AMZN) in the U.S., is finding itself in the frustrating position of seeing literally hundreds of its customers posting about fraud problems traced to Rakuten. And yet the $4.7 billion global retailer—operating in 27 countries—can't seem to trace the problem.

An online publication of Consumer Reports magazine, the Consumerist, has taken the lead in this coverage, and Rakuten's shopper victims have created their own site, much to the presumed non-delight of Rakuten. The site's called simply Rakuten Fraud. What's worse than having a security hole on your site on the eve of a major rollout impacting lots of customers? How about being unable to figure out where the hole is? Bernard Luthi, the COO of Rakuten.com, has become the public face of this breach and is arguing that there's little his team can do until they can somehow replicate or trace the source of these breaches.


Google Wallet’s Osama Bedier Confirms That Google Lost Money With Every Transaction. (Good News: It Didn’t Get Many.)

June 11th, 2013
Osama Bedier, the former PayPal exec who took over Google Wallet (and is now about to become a former Google exec as well), has confirmed what most suspected: that the fees Google had to agree to pay to the card brands meant that it lost money on every transaction. (Good news for Google: It didn’t make very many transactions.) “The company has dedicated hundreds of developers to Wallet and spent about $300 million to acquire digital payment startups to help develop the app. But consumers aren’t sold,” reported BusinessWeek. “Wallet has been downloaded fewer than 10 million times in the two years since its launch, according to Play, Google’s app store.”

Google’s initial plans were not about making revenue directly from transactions, but to instead collect data and then sell targeted ads, a very familiar Google model. But what got short shrift was finding a way to get shoppers to use its app. Unlike the Web where it had a very robust search engine to draw in consumers, its mobile wallet was entirely dependent on retailers and payment players to promote it to shoppers, something that no one (other than Google) had much of an incentive to do. And with losses as extreme as the ones Google was facing, adding a lot of marketing dollars …


Congress Not Yet Done Changing—And Possibly Killing—State E-Commerce Taxes Law

June 10th, 2013
As the Marketplace Fairness Act—aka the state taxes for e-tailers law—settles in for a House fight as it approaches becoming the law of the land (having easily passed the Senate and with a White House promising a fast Presidential signature), retailers are understandably uneasy. For e-tailers, there are the questions "How complicated will it be? Will I lose shoppers? Will it force me to lower prices more to maintain competitiveness?" For physical store executives: "Will this be filled with loopholes? Will it make a difference? Critically, will the taxes appear too late in the purchase process to deliver the much-talked-about fairness?"

And repeated rumblings from House leaders about major—and unspecified—changes they may force into the bill are absolutely not helping retailers' comfort levels. To try and help a little, StorefrontBacktalk and FierceRetail have assembled some of the key players in this battle to help answer some of these questions with a webinar slated for Tuesday, July 9, 2 pm ET/ 11 am PT.

