
Payment Systems


GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?

June 7th, 2013
A recent story in a popular security newsletter featured a headline that got the blood boiling of GuestView Columnist Steve Sommers. The essence of the piece involved the National Association of Federal Credit Unions (NAFCU) asking Congress to create laws to further punish victims of a breach. The upshot is that merchants do not have any skin in the game when they are victims of a data breach. Sommers vehemently begs to differ.

Something these banks seem to miss is that merchants pay them for risk management. Issuers want to just sit back and collect all the free-flowing money that magically appears, forgetting that some of it actually requires them to work. Also, what are the real costs to the issuer? Key word here, "real" costs, not "inflated for a profit." Let's see: $2 for the plastic, $1 mailer, $1 postage, a generous $4 for labor and overhead. That works out to $8 total and these numbers are grossly padded. So why do I see reports by issuers claiming $25-75 "cost" to replace a card? Can you say exaggerated?



Flaws in the Carbon Layer: Is a Penetration Test Without a Social Engineering Component Really a Penetration Test?

June 3rd, 2013
Every QSA gets asked the same question about penetration testing: What is acceptable (translation: what is the least I can do) for PCI compliance? In the current environment of criminal (and state-sponsored) hacking, that is the wrong question. Instead retailers should ask: How do I get the greatest value from the penetration testing I am already required to do? I would like to make the point that at least part of the answer is for every retailer and payment card merchant to include some form of social engineering as a part of their pen testing.

PCI DSS Requirement 11.3 has a lot of detail on when retailers need to conduct pen tests. It recommends, for example, "at least annually and after any significant changes to the environment." In practice, this means retailers need to perform and/or re-perform pen testing after such events as upgrading their operating system, adding a sub-network to the Cardholder Data Environment (CDE), or even adding a Web server to the CDE. However, the requirement does not specify details on what the pen test should cover other than it should include "network-layer" and "application-layer" testing, pens PCI columnist Walt Conway.



Visa To Genesco: PCI Compliance? What PCI Compliance?

May 31st, 2013
The predictable other shoe has dropped (please forgive that heel of a play on words) in the legal battle between apparel chain Genesco (NYSE: GCO) and Visa over PCI penalties, with Visa officially asking a federal judge to dismiss the retailer's lawsuit. The $2.6 billion Genesco chain, which owns Journeys, Lids and Johnston & Murphy, had been breached in 2010 and later had to reimburse its acquiring bank for about $13 million in fines charged by Visa. It sued Visa—with its acquirer's permission and blessing—saying that it hadn't violated any PCI rules.

Visa has now reacted, arguing to a federal judge that Genesco's complaint should be dismissed for three reasons. First, Visa said that Genesco cited the wrong California state law, one that cannot be used in cases where there is a contract dispute. Second, Genesco didn't claim sufficient facts to make its case. The third Visa argument was that one claim—that Visa had made fraudulent statements—wasn't valid as the statements didn't influence "consumers or the public," nor did even Genesco rely on them. (It's an interesting defense: Our lies didn't harm anyone because nobody ever believes us anyway. For the record, of course, Visa hasn't conceded that it lied, arguing that the law in question only envisioned lies that deceived the public.)



Walmart: Settlement ‘Worse Than Losing’

May 29th, 2013
In a last-minute interchange settlement objection filed on Tuesday (May 28), Walmart and more than 60 other retailers described the proposed settlement as worse than actually losing the case. The settlement will block future lawsuits over Visa and MasterCard rules, practices or actions—and that includes PCI and breach penalties.

That goes far beyond the original lawsuit, which only covered default interchange rules, honor-all-cards rules and anti-steering rules. If the case went to trial and lost every claim, that would still just lock in the card brands' control of interchange and card-acceptance rules. But the proposed settlement would go far beyond that—extending to block any challenge to PCI and breach penalties.




What You’re Missing: Urban Outfitters Charging More Online, Does Sears Want To Go Members-Only?

May 29th, 2013

Your friends here at StorefrontBacktalk editorial also now publish a daily retail site, called FierceRetail, and wanted to give you a sense of what you’re missing by not visiting or grabbing its free newsletter. Urban Outfitters discovers that it can get away with charging more online than in-store. See? Sometimes conventional wisdom is conventionally wrong.

A look into how federal judges are likely to force changes in how price anchors are set in-store plus some questions about whether Sears is thinking about becoming members-only. Was Best Buy’s Facebook promo a victim of its own great deal—and some we-should-have-seen-this-coming rip-off artists? We also threw in our take on Walmart’s $82 million hazardous waste settlement, where Walmart spoke of mouthwash and hairspray and the feds said they were pesticides. (You say tomato, I say Molotov cocktail…) All of that—and dozens more stories—and that was just this week. And Monday was a holiday! Drop by and check it out. It’s free and the snacks all have zero calories. (That may be because they don’t exist.)…


First Data Could Scuttle Interchange Settlement

May 28th, 2013
First Data Corp. has broken ranks with Visa and banks in the escalating interchange war. The card-processing giant formally objected to the $7.25 interchange settlement last Friday (May 24), saying the fact that it accepted credit cards in its cafeteria would make it a "merchant" under the settlement and prevent First Data from protecting itself against unfair dealings by the card brands. Bottom line: First Data wants the settlement changed, which could open the door to the whole deal unraveling.

Also on Friday, Visa and MasterCard sued a group of merchants and trade groups who have opted out of the settlement—but that's less impressive than it looks. The card brands' suit is a mirror image of the lawsuit that Target and 16 other retail chains filed last Thursday (May 23), which claimed the card brands' entire rule structure violates antitrust laws. The card brands are asking a court to declare that their rules don't violate antitrust laws.


Virtual Retail Currency Could Translate Into Not-So-Virtual Legal Nightmares

May 23rd, 2013
In a bid to attract new customers, Amazon recently announced a new program in which it would give customers 50 Amazon "coins" to use in playing games and for other purposes. The idea is sort of like what happens at the boardwalk in the summer or at the gaming tables in Las Vegas. Rather than playing with real money (and risking losing real money), gamers play with coins or chips with an artificial "value." It’s easier to lose 500 Amazon coins than it is to lose actual cash.

But in creating an artificial currency, and allowing it to be transferred and exchanged, retailers like Amazon may be getting themselves into potential legal trouble, writes Legal Columnist Mark Rasch. In fact, they may be making themselves into an illegal unregistered money transfer company or even an unlicensed bank. Such is the problem with digital "money."


The Long—Make That Really Long—Goodbye To Google Checkout

May 22nd, 2013
Is Google Checkout finally ready to check out? We know all about the traditional Hollywood fondness for the long goodbye scene, but even by movie standards, Google is pushing it. Google has been trying to say goodbye to Google Checkout for years. It was mid-June 2011—just about two years ago—when Google officials threw in the towel on Google Checkout publicly, admitting that it was being allowed to "stagnate through a starvation of marketing and engineering resources." That's a slow death scene that Cleopatra would have been proud of. (We ran a story back in 2009, asking if a then-recent fee increase was "the dying gasp of Google Checkout.")

Yes, it's the same goldie oldie plot: Search Engine Loves Payment App, Search Engine Loses Payment App, Search Engine Prays That No One Finds Payment App, Search Engine Wonders If It Can Get Away With Doing A Jodi Arias On Payment App. On Tuesday (May 21), Google again tried killing Google Checkout. In a "We really mean it this time. Dead. We promise" statement, Google said: "Today, we're letting web merchants know that in six months, Google Checkout will be retired as we transition to Google Wallet." Really?


Mobile Point Of Sale Is Growing Fast And Turning Up Surprises

May 22nd, 2013
Use of tablets and iPods as point-of-sale devices is growing rapidly, but it's not going to knock cashwraps out of most stores anytime soon, according to an IHL Group report released Tuesday (May 21). More than 85 percent of big retailers say that for the next three years, mobile POS devices will be add-ons to—not replacements for—traditional fixed checkouts.

The most likely users of those devices: specialty retailers (both mall-based specialty chains and small independents), who are deploying about 45 percent of all tablets shipped to retail for POS, IHL said. But only 28 percent of U.S. retailers plan to roll out any mobile POS devices by the end of 2013, a drop from previous estimates. That suggests the reality of mobile POS is beginning to set in for early adopters, who are beginning to see some of the limits—and counterintuitive aspects—of the technology.


Walmart, Starbucks, Others Say No To Interchange Settlement

May 22nd, 2013
With a week to go before the deadline for merchants to opt out of the $7.25 billion interchange settlement, a group of major retailers said on Tuesday (May 21) that they're not playing. Walmart, Costco, Starbucks, Gap, Lowe's, 7-Eleven and Nike filed paperwork with the U.S. District Court in Brooklyn that's handling the case, all saying they both objected to the settlement and were opting out.

The group also said its members were considering "additional legal action to recover damages from Visa and MasterCard under U.S. antitrust laws." A key point in the settlement is that Visa and MasterCard won't be subject to future interchange-related litigation. K. Craig Wildfang, one of the attorneys who negotiated the settlement, said he wasn't surprised by the announcement from Walmart and the other chains. "These merchants have been publicly critical of the settlement, and we always thought that many of them were likely to opt out," Wildfang said. "We remain confident that the vast majority of merchants in the class will not opt out."


Marks & Spencer’s POS Charges Contactless Regardless, At Least Now And Then

May 21st, 2013
Some Marks & Spencer customers have reported that the U.K. chain's contactless payment terminals have taken money from contactless cards even when those cards were still in purses or wallets a foot or more away—and in at least one case, the grabby POS behavior was repeatable.

The retailer recently rolled out contactless point-of-sale terminals to 644 U.K. stores and reportedly processes more than 230,000 contactless transactions every week. But several customers told the BBC that they had the experience of inserting a chip-and-PIN card in the PINpad's slot, but being issued a receipt for a contactless card that was nowhere near the PINpad. The contactless system isn't supposed to work at distances of more than about two inches.


PayPal Offers Free Card Processing, But For Who?

May 15th, 2013
PayPal is offering free credit, debit, check and PayPal processing for qualifying merchants until the end of 2013. The catch: The retailer has to trade in a cash register for a PayPal-compatible point-of-sale system, according to a blog post by PayPal president David Marcus on Tuesday (May 14). The promotion will go live in June, although applications are being accepted now, Marcus wrote. He didn't give any other details of the deal, such as how much trade-in value a retailer will get in order to buy a PayPal-equipped POS from Erply, Leapset, Leaf, NCR Silver, ShopKeep or Vend, or exactly what "free" means when it comes to processing costs.

But to qualify for the promotion, merchants currently must be primarily using an old-fashioned system such as a cash register, and PayPal may send out employees to collect the register and verify the system upgrade.


Card Processor Hit In A $40 Million Breach. Was It Yours?

May 15th, 2013
A U.S. payment card processor was attacked in February as part of a $40 million cyberheist, federal prosecutors said last Thursday (May 9)—but they didn't identify who the processor was. That left retailers no way of knowing whether their processor was the one that thieves breached to gain essentially unlimited access to the processor's systems, potentially including merchant card data.

It wasn't until Sunday that the mystery breach victim was revealed to be EnStage, a processor that's headquartered in Silicon Valley but outsources its processing to a site in India. And it's still not certain whether any merchant card data was actually stolen in the breach.


Bank Using Voice Biometrics To Authenticate Customers. Could It Work In Retail Call Centers?

May 10th, 2013
Retail security experts have long argued that shoppers in-store provide more security identification potential than those online and that shoppers phoning into a call center offer the least. But a major U.K. bank is using biometrics to authenticate telephone customers by using the customers' pre-recorded vocal patterns. Could the same approach help reduce fraud pushed through retail call centers?

The bank, Barclays Wealth and Investment Management, uses 20 to 30 seconds of the conversation with the phone agent and compares the audio WAV file to a sample taken from that customer earlier. If the software thinks it's a match, the agent is silently signaled that the customer's voice has been verified. If the software does not find a match, agents are supposed to use their regular security questions to verify.


C-Store Chain Mapco Express Hit With Remote Access Breach

May 8th, 2013
Regional convenience-store chain Mapco Express (NYSE:DK) said on Monday (May 6) that thieves may have stolen credit and debit card information from all 377 of its stores during March and April.

"The hackers accessed the payment processing systems used in all of our stores from March 19-25, in certain stores from April 20-21, 2013, and at two stores in Goodlettsville and Nashville, Tenn., from April 14-15, 2013. If you used your credit or debit card at one of these locations during these time periods, your card data may have been compromised," the retailer said in a statement.


Nordstrom’s Typhoid Outbreak Used POS Data To Contact Individual Shoppers

May 8th, 2013
After a cook in one of its in-store restaurants was discovered to have typhoid fever, Nordstrom is trying to directly contact customers who might have been exposed to the disease. The retailer is sifting through point-of-sale transactions from the Nordstrom Cafe in the store at San Francisco's Stonestown Galleria mall in an attempt to identify specific customers who could have been exposed, but that's proving more challenging than expected, a spokesperson for the chain said on Monday (May 6).

The San Francisco health department notified the store late last Thursday (May 2) that an employee was diagnosed with typhoid and may have exposed customers who ate in the restaurant to it on April 16, 17, 18, 20 or 27. As of this week, no cases of customers or other store associates having the disease have been reported, according to the health department. But Nordstrom is still trying to track down anyone potentially exposed.


Best Buy, Home Depot, Gap And Others Lose Major Patent Gift Card Lawsuit

May 8th, 2013
A large group of major chains—Best Buy, JCPenney, Barnes & Noble, Gap, McDonald's, Toys R Us and Home Depot—was dealt a major patent legal blow Friday (May 3) when a jury unanimously sided with a Texas company that owns a gift card processing patent.

Technically, the jury verdict didn't say that those chains had violated the patents, but merely that the arguments from those chains that the Texas company's (named Alexsam) patents should be ruled invalid failed. The next case will address the issue of whether those chains had in fact violated those patents. That said, much of the evidence that the chains used to indicate why the patents were invalid can be turned right back against them now to prove that their processes are so similar that it must be a patent violation. As a practical matter, it's unlikely that this case will see another jury trial, as the parties will almost certainly work out a deal, in which the chains would simply buy licenses for the Alexsam patent. The question will be how much they'll agree to pay for the patents.


In Kmart’s Armed Data Breach, Police Somehow Not Told Everything

May 8th, 2013
When a Kmart suffered the loss of sensitive pharmacy customer information in mid-March during an armed robbery, Sears officials and lawyers quickly reviewed details and made sure to follow all federal rules—especially HIPAA guidelines. Somehow, though, Kmart never got around to mentioning the data loss to the police, who were never able to find the gunman because the only physical evidence he took with him—a disk containing that day's data backup—was unknown to them, thanks to Sears.

The Little Rock, Arkansas, police investigating the armed robbery—where the gunman slashed the assistant manager's tires to distract him before ordering him at gunpoint to open the safe—were not happy about being kept in the dark and possibly lied to. The investigating detective, Det. Julio Gil, "only learned of the cartridges being stolen from Kmart when he was called by media," said Sgt. Cassandra Davis, who is in charge of the Little Rock Police Department's public affairs unit. The detective "called Kmart and Kmart only then confirmed. He had to call them and ask about it before he learned what (the gunman) had actually taken. No one from Kmart made a report," Davis said.


Walmart Builds Own Search, No Competitive Advantage In Buying

May 7th, 2013
Walmart is arguably the most tightfisted retail chain in the world, constantly driving out costs any way it can. So why is the world's largest retailer now focused on building its own technology instead of buying it off the shelf? According to the chain's e-commerce chief, that's the only way it can get a competitive advantage from the technology.

"We can't do what we need to do and want to do with off-the-shelf solutions," said Neil Ashe, Walmart president and CEO of global e-commerce, speaking at a retail conference last week. And one of the first big projects to come from the insourcing is a proprietary search engine that has tighter integration with local stores that will let Walmart continuously customize its search without having to wait for outsiders to develop the features it wants.


Can Ebay Pull Off A Giant Touch Window For New York Shoppers?

May 6th, 2013
Ebay and retailer Kate Spade are doing something this summer that would have been unthinkable just a few years ago: creating a pop-up store in New York that will feature a gigantic touchscreen store window. Let's be clear—what would have been unthinkable would be a relatively small (82-store) apparel chain taking on something this technically aggressive, even with a partner as big as eBay to help foot the bill.

Leaving aside all the obvious unanswered questions—from "how do you physically protect a giant touchscreen?" to "how much of an exhibitionist does a customer have to be to browse a web catalog that's taller than she is, right out in public?"—it's a testament to how inexpensive and physically tough this kind of technology has become that it's viewed as practical. Of course, that all assumes that the chain and eBay will actually get it to work as advertised.


PayPal’s New Autofill Program Has Real Potential With Mobile

May 1st, 2013
EBay's PayPal (NASDAQ:EBAY) Tuesday (April 30) started pushing its new online login system, called Log In With PayPal. The essence of the new program is pretty much "autofill," in that it autopopulates the forms of any e-tail site that is part of the program. It also allows PayPal users to log in with their PayPal credentials—which is not new—a move that is intended to make it less necessary for shoppers to keep track of dozens of password/login combos for all of their favorite e-tail sites.

From the shoppers' perspective, that single login is not that exciting, as most have been doing a very insecure replacement: using the same login/password for those dozens of sites. In effect, that's what PayPal is doing. The security impact is that if there is a breach—at PayPal, at that shopper's computer, elsewhere—that password can now be used to access all of those sites. At least that's the hole until PayPal is contacted and the password is shut down or changed.


Walmart, First Data Say No To PayPal. (Is That Even Allowed?)

May 1st, 2013
PayPal's plan to use Discover's payment-card network to get its in-store payment system into most U.S. stores that accept payment cards isn't quite working out. Contrary to what the eBay subsidiary has been touting, all stores that accept Discover aren't automatically able to take PayPal payments—at least not until they and their acquirers explicitly sign on.

Result: Both Walmart and acquirer First Data have declined to accept the system, and Discover is now doing deals with acquirers one by one in order to get PayPal's system available in more stores. Discover said on Tuesday (April 30) that it has gotten a green light from 50 acquirers, and it is hoping PayPal will be live in 2 million stores by the end of this year, up from 250,000 now.


NCR’s Anti-Skimming ATM Tech Could Also Help Store PINpads

May 1st, 2013
New anti-fraud technology that NCR (NYSE:NCR) announced last week for its ATMs might find even broader use in point-of-sale PINpads—but not the way that most PINpads are currently designed. The new features, which NCR is calling SPS (for "skimming protection solution"), involve two elements. First—and most technically interesting—is a jammer that disrupts a skimmer that has been attached to the front of an ATM. When a motorized card reader pulls a payment card into the ATM, the electromagnetic jammer prevents a skimmer from reading the mag stripe on the card.

The second, more mundane technology is having the card-reading device send diagnostic information to the bank in real time when there's evidence of tampering.


Tesco Really Doesn’t Like NFC

April 26th, 2013
Near field communication (NFC) is retail's whipping boy these days, with almost every analyst and vendor going out of their way to point out how poorly it's done and how bleak the NFC future is. And although deep shopper apathy about NFC has justified many of those critiques, major chains—wanting to keep their options open—have hesitated in outright attacking NFC. That's why a blistering critique from the world's third largest chain, Tesco, is so potentially devastating.

"NFC was revolutionary 10 years ago but I think it just might have passed its sell-by date," Lyndon Lee (Tesco Enterprise Consultant Architect) told attendees at a mobile payments conference in London this week, according to a report in NFC World. "Is mobile NFC at the right place, at the right time? I don't see any real movement or activity. NFC usability is not really revolutionary and, for the general public, is it really that cool? I think the next generation won't think it's cool enough for them and they won't use it. Mobile NFC is unappealing."


Amazon Issued Patent To Make Mobile Purchases Anonymous

April 19th, 2013
When Amazon was awarded a patent this week to allow for anonymous online purchases—anonymous from shopper to shopper, not anonymous to Amazon—it could be the world's largest e-tailer taking its next step into payments. The actual money part of the payments is still to be handled through the same means Amazon does today—payment card, bank account debits, gift cards, Amazon Store Card, etc.—so it's not about Amazon becoming a processor. What it does, though, is add a layer on top to allow consumer-to-consumer transactions to be done without sharing private information with strangers. (Or, much worse than strangers, relatives.)

When this approach would make sense depends on the nature of the transaction. If the purchase involves the seller sending a physical product to the recipient, the recipient has little choice but to reveal name and street address. But for digital purposes, it could work well. And it might even work with physical shipments, assuming the recipient uses a post office box or some similar alternative.

