Top Stories


Payment Systems

Pepsi’s Merging A Vending Machine With Social, CRM

May 4th, 2011
Some mighty strange things have happened to vending machines lately, with machines offering iPhones and live crabs and accepting smiles for payment (really) and contactless payment (although some would argue that smiles are more viable).

But Pepsi has now rolled out a touchscreen vending machine that isn't primarily designed to actually give you anything to drink. It's an interesting intersection between social media, vending machines and CRM. In a "tis better to give than receive" mode, consumers walk up to the machine and can only use it to gift a drink to a friend or colleague (or, for that matter, a bitter enemy) by "selecting a beverage and entering the recipient's name, mobile number and a personalized text message." This creative idea actually has some fascinating CRM potential. It exposes Pepsi to friends/associates lists and flags new people who might be open to receiving promotional contacts.


As Sony’s Breach Tops 100 Million Accounts, It Needs To Fix Its Encryption Rhetoric

May 4th, 2011
Thus far, Sony's IT people are not having a great spring. Facing a 100-million-account data breach, Sony's management this week worked hard to see if they could make this situation any worse. Consider this statement Sony used, trying to defend itself and its security operations: "The personal data table, which is a separate data set, was not encrypted, but was, of course, behind a very sophisticated security system that was breached in a malicious attack."

Word of advice to any retailer that is publicly dealing with a more-than-100-million-account breach: Be awfully conservative in using the phrase "of course." Limit it to sentences such as "Of course we'll refund your money" and "Of course we'll pay for your credit monitoring and your time in dealing with our mess" and "Of course we're idiots who you should spit upon." If you feel the desire to say "of course" to modify that you had "a very sophisticated security system," you need to pop another Valium and write a new draft.

’s Mobile App Shops Offline: When You Gotta Shop, You Gotta Shop

May 4th, 2011
No one knows this better than When you've got to go, you've got to go. And when you have to shop, you have to shop; there are no exclusions for mobile shoppers without a wireless signal., which is part of the Quidsi group acquired by Amazon last month, borrowed the offline buying technique from SMS. The mobile app enables the consumer to shop without a signal, although it won't complete the transaction until a signal is reestablished. It gets darn close, though, with an exec estimating that the "completion" will take 5 to 7 seconds—long enough for a password to be typed and two clicks. But there is a major downside, at least for now: The customer's offline shopping can't go beyond choosing previously purchased products.


PCI And EMV Cards: The Urban Myth That Won’t Die

May 3rd, 2011
The recent comments by leading retailers that want U.S. card issuers to move to the EMV standard for card authentication are missing the point. EMV cannot, does not and will not make PCI go away, regardless of recent moves by Visa Europe, pens PCI Columnist Walt Conway.

PCI is impervious to silver bullets of any kind. There are a few things every retailer needs to understand about both EMV and PCI before jumping on this particular bandwagon. Conway crafts a little thought experiment that assumes, as was suggested, that EMV becomes the "metric system" equivalent for payment cards. That means Chip-and-PIN—like a shift to the metric system—replaces all previous card and cardholder authentication methods. My EMV metric system card has no signature panel, no magnetic stripe. And the PAN is printed, not embossed, on the front of the card. Does PCI go away? Conway suggests it does not.


Target, Wal-Mart On EMV: The Metric System Of Payment

April 27th, 2011
EMV may become the metric system of payment, a process that almost everyone in the world adopts, with the U.S. stubbornly refusing. In a panel discussion on Wednesday (April 27), Target and Wal-Mart agreed that EMV Chip-and-PIN is an extremely desirable way to go. But hardly anyone has a concrete plan for making it happen in the U.S.—in a meaningful way—anytime soon. Still, both chains were certain of one thing: If magstripes could magically be made to go away tomorrow, the retail world would be a happier place.

"If we can envision a world where magstripe doesn't exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs," said Mike Cook, Wal-Mart's VP and assistant treasurer. "So you no longer have to have your database encrypted. You no longer need to have the secure lines. You're no longer storing data that could be used by somebody else. The PCI costs become significant cost savings."

eBay Tackles The Local Inventory Problem, But Only The Ultra-Easy Part

April 27th, 2011
eBay is pushing ahead with its local inventory search efforts. These include a deal with Intuit's QuickBooks POS package to feed SMB retail inventory data directly into eBay's engine with a plug-in, through eBay's Milo acquisition. eBay seems to have opted to attack the easiest part of the local inventory problem, hoping that the exponentially harder part—getting tens of millions of small retailers to computerize their inventory in at least a semi-rational form—will somehow work itself out.

This is both good news and mediocre news. It’s good news in that major players are at least trying to tackle some of the toughest issues facing retailing today. (The other most challenging retail tech issue today—mastering social media content and marrying it with CRM data—is also being tackled this month, by Wal-Mart. Not unlike eBay's pragmatic challenges with local inventory, Wal-Mart is discovering that there's a reason social media data efforts are feared by so many in IT. It's genuinely difficult stuff.)

Square Reverses Course, Now Embraces Encryption

April 27th, 2011

Square, the well-funded startup that found itself on the winning end of a pissing contest with VeriFone last month, because it refused to encrypt mobile payment transactions, has now reversed course and embraced such encryption. It switched course on Wednesday (April 27), which by remarkable coincidence is the same day it announced that encryption aficionado Visa had made an unspecified investment in Square.

Sam Quigley, a Square manager with the title Security Lead, casually responded to a question at a Visa conference that Square will be distributing—for free, mind you—an encrypting card reader this summer for its mobile-phone-payment users. This is an amusing turn of events. Last month, VeriFone was deluged with no shortage of bad blood for having demanded that Square either encrypt transactions or risk destroying the solar system. Square said no such system was necessary. I guess a month—and Visa dollars—has a way of changing one’s perspective. And, I guess VeriFone ended up winning this battle, in that Square did what it asked the company to do. But it wasn’t what VeriFone wanted Square to do. VeriFone didn’t want the victory; it wanted the battle. By embracing encryption, VeriFone’s fears have become quite real.

Is PCI Done?

April 27th, 2011
PCI Columnist Walt Conway finds himself wondering whether PCI is still a hot topic. He's not questioning whether PCI is worthwhile; rather, he notes the lack of significant changes in the standard coupled with developments in the PCI ecosystem.

The end of PCI as we know it has implications for merchants and their QSAs. For one thing, QSAs will need to be more than just assessors. That is, in Walt's opinion, more merchants will expect their QSAs to be partners in achieving and maintaining compliance. Such a partnership includes addressing the full range of security and risk issues that affect the business. As a result, QSAs will need to know a lot more about the payment-card business and the merchant's own business than any amount of PCI Council training can provide.

Visa Talks Up Canadian EMV E-Commerce Trials

April 27th, 2011
At Visa's Global Security Summit in Washington, D.C., on Wednesday (April 27), Visa officials went out of their way to point to an unusual EMV/Contactless trial now going on in Canada. It's actually a series of trials—with hundreds of consumers—that started back in September and allows E-Commerce shoppers to literally tap their payment cards on their terminals, a move that not only authenticates the payment but also autofills their screen using information on file with Visa.

The trial starts by giving the consumer a small reader that plugs into the machine's USB slot, said Thom Hounsell, product manager at SecureKey, the Canadian firm handling the trials with Visa. That reader establishes "a secure channel from the terminal directly to Visa," SecureCard CEO Greg Wolfond told attendees at the Visa event.

Sony’s Half-Right Breach Tactics: Shutdown A Win, Notification A Fail

April 25th, 2011
Sony announced on Tuesday (April 26) that its PlayStation Network game service and online store had been breached a week before and that intruders had gained access to the personal information of 77 million users. That included names, addresses, birthdates, E-mail addresses and—maybe, just maybe—credit-card numbers. Sony apparently didn't think card numbers were exposed, but "out of an abundance of caution," decided to warn customers. A word of advice, Sony: Next time you want to show an "abundance of caution," do it before someone breaks in and steals 77 million customers' worth of personal data.

Actually, Sony's response to the breach was half right. As soon as it learned it had been attacked, Sony took down the game network, so thieves couldn't use stolen passwords and the company's forensics people could search for evidence uninterrupted. What Sony got wrong was waiting a week before announcing the breach and issuing the payment-card warning. In fact, Sony could have given its customers a heads-up almost immediately—and without making a public announcement.

Starbucks Issues Environmental Report, Opts To Exclude Mobile

April 25th, 2011

Starbucks has just issued an extensive report detailing all of the things it has done to support the environment. But one of the key environmentally friendly moves the company has made—its mobile payment effort—is curiously missing. Hey, if you’re going to get down to talking about using special lightbulbs, you would think that the deadtree-saving nature of not having printed receipts for those thousands of mobile purchases would at least get a bullet or two.

Starbucks, by the way, does deserve kudos for the candid way it handled the report. On the top of a chart with its goals and progress, it chose to lead with an item where it missed its goal—more than 15 times over. Its first goal was “to reduce energy consumption by 25 percent in our company-owned stores by 2010” and the reality: “Our electricity use decreased by 1.6 percent in company-owned stores in 2010.” The chain gave that goal a “did not achieve” icon. (Presumably, the “we didn’t even come bloody close” icon was too large.)

iPhone Knows Where You’ve Been Since Last Summer

April 21st, 2011

As retailers struggle with geolocation, it turns out that Apple has already done the heavy lifting when it comes to iPhone users. On Wednesday (April 20), two U.K. researchers announced that they found an unencrypted iPhone database that records the user’s location (by latitude and longitude) as many as 100 times each day, based on cell towers, in addition to IP addresses of Wi-Fi access points the phone has connected to and data from geofencing applications. The downside: Some data is wildly inaccurate, and Apple isn’t saying why it’s being stored for as long as a year.

Of course, if there’s a way to create potential privacy problems, Apple will find it—from preserving every iPhone keystroke to recording the user’s heartbeat and guessing the user’s mode of transportation. Unfortunately, because Apple hasn’t explained why this location data is being kept (dating back to whenever iOS 4 was installed on the phone), retailers can’t count on the data being available for anything useful. But maybe Apple just likes keeping track of where its users have been—and always with their best interest at heart. If it was anyone else, this would sound like stalking.

How Fast Does An NFC Transaction Need To Be?

April 21st, 2011
We've noticed an interesting separation between retail programmers' desire to make transactions happen as quickly as possible and what shoppers notice/care about/experience. As talk of near field communication (NFC) mobile payments approaching reality becomes common, we're wondering how much of the speed conversation is even a little bit meaningful. Some quick context: For years, advocates of NFC (and RFID contactless payment before that) mobile payments have argued that it will be much faster than magstripe. The practical reality is that the time for the transaction processing is pretty much going to be identical—about two seconds—for all of the above.

The real difference in time—and there truly is one—has nothing to do with IT, authentication or any other technological issue. It's the practical reality that shoppers tend to keep credit and debit cards buried deep within their wallet/pocketbook, whereas they tend to either have their mobile phone in their hand or in a convenient outer pocket, easily within Bluetooth range. That extends the debate from whether a swipe or a wave is faster to whether the entire mobile payment process is easier and faster because of how people use mobile phones.

New White House E-Commerce Security Report Trusts Technology Way Too Much

April 21st, 2011
The White House has issued its "final strategy document" on a national security approach that would sharply impact E-Commerce. Although the report is a vast improvement over the initial report released last summer, it still suffers from the belief that cramming tons of sensitive information into a token—which may or may not be adequately secured—is a safe move. Also, it comes close to encouraging consumers to trust these tokens, perhaps to a very dangerous extent.

Some examples from the report: "Mary is tired of remembering dozens of usernames and passwords, so she obtains a digital credential from her Internet service provider that is stored on a smartcard." So anyone who steals (or clones) her smartcard can now do all of those things pretending to be her? Yeah, that's a huge improvement. Not for Mary but for any cyberthief.

ID’ing Customers Should Be Easy—If Only Mobile Carriers Can Get It Together, Says JCPenney CIO

April 21st, 2011
Spotting loyalty-program customers when they walk into a store should be easy. It isn't. Not all of your best customers will check in, or have an app running, or keep Wi-Fi turned on so you can spot them electronically. The only thing you can be sure of is that they'll almost certainly have a mobile phone turned on, and that should be a sure way of knowing they've arrived. Unfortunately, that depends on mobile carriers—which, ironically, seem to be the last ones figuring out mobile commerce.

Case in point: JCPenney. "If we could figure out our rewards customers, it'd be a big win," said CIO Ed Robben. "If I want to be more personalized, I've got to know you're there. You're either checking in with us as you come in, or we're sensing you as you come into a store and are able to react to that. Most everybody's going to have GSM and 3G turned on. They may not have their Wi-Fi turned on. I just don't know that that's reliable enough for where we'd want to detect the customer."

JCPenney CIO: We Forgot About In-Store (But For A Good Reason)

April 21st, 2011
How could JCPenney forget about its stores? That's essentially what the 1,100-store retailer did while developing its new 7-foot-tall in-store kiosks, according to CIO Ed Robben. In his first interview as JCPenney's CIO, Robben acknowledged that the 106-year-old chain, which for years did nothing but in-store and wasn't quick to get into E-Commerce, so completely embraced the idea of a Web site kiosk for customers to check online for products that no one thought to include in-store information customers expected—such as store maps and where to find a restroom.

That disconnect between what developers built and what customers expected would have been unthinkable as recently as five years ago, when JCPenney's strategy was to use its Web site to drive customers to stores. But when a skunkworks team began work on the kiosk in the summer of 2009, the goal was to flip that, so in-store customers who couldn't find exactly what they needed could check the expanded assortment online—in Robben's words, "to extend the aisle to the online assortment."

JCPenney CIO Decides: No RFID For Checkout

April 21st, 2011
The usual assumption about item-level RFID is that it's perfect for managing inventory all the way from the stockroom to store shelves and through the checkout. But if JCPenney CIO Ed Robben is right, that approach is wrong. The 1,100-store chain has been testing RFID just on high-SKU items, such as athletic shoes, bras and denim apparel—and isn't using it at the POS at all.

Of course, testing RFID on just a few items means it's useless at checkout time—unless everything has a tag, you still need scanners for the items that don't. But it also means instead of trying to speed checkout, RFID is only being used to keep shelves stocked in specific categories of goods. By dumping the end-to-end goal, it may be possible to get more real leverage out of RFID—and keep the cost and supplier headaches down, too.

Wal-Mart’s Price-Match Illusion

April 13th, 2011
When Wal-Mart on Monday (April 11) rolled out its new price-match program, it said it would match a rival's price, even if the customer doesn't have a copy of that rival's ad. In reality, that’s not the case. Not even close.

Wal-Mart's announcement made it one of the first major chains to do away with the need for the customer to produce the dead-tree advertisement that Wal-Mart is being asked to match. But that paper document is being replaced—to a major degree—with associate discretion. Will shoppers be happy trading greater convenience for less consistency? The price-match change is part of a much bigger campaign, where Wal-Mart is trying to regain its low-price reputation. The chain is characterizing the price-match policy as "simplifying" and issued a statement that clearly said "customers do not have to bring in a competitor's advertisement. If customers find a lower advertised price, we'll match it at the register."

Gonzalez Wants To Be Cleared, Hints That The Secret Service Wanted TJX Broken Into

April 13th, 2011
Albert Gonzalez—the cyberthief extraordinaire who is now serving prison time after he pled guilty to breaking into the systems of TJX, Target, 7-Eleven, JCPenney and Sports Authority, among many other major retail chains—has asked a federal judge to let him withdraw his guilty plea. His stated reason is that, as an undercover informant for the U.S. Secret Service, he was legally authorized to break into those networks. But his court filings don't seem to support his claim.

Gonzalez doesn't allege that any government employee ever asked—or authorized—him to do any of the break-ins for which he pled guilty. His position is more generic, that he needed to do these types of break-ins to maintain his skills so he would be of continued use to the government. In other words, he broke into those retail networks because he's a patriot.

Only 4 Reading Days Before Premium Launches

April 13th, 2011

StorefrontBacktalk will launch its Premium Edition on April 18, just four days from now, on Monday. The reason we’re mentioning this again is to remind everyone that we are offering special 50 percent off pre-launch pricing. In other words, the exact same Premium service on April 18 will cost half as much on April 17. If you want to still have full access to all of our top stories (and all of the other goodies that come with the Premium subscription), doing it now is the cost-effective move.

Our site license options are also half-off during the pre-launch period (which has barely four days left). Our fear is that many readers will not focus on this until April 18, when they start running into firewalls when they try to read key stories and columns. And when they then subscribe, they won’t be able to take advantage of the pre-launch deals. The pre-launch deals were created specifically to give our long-time readers a break, so we want to make sure we do everything we can to remind everyone before it’s too late.

Forget Interchange Relief—Even Those Developing Mobile Payments Say Banks Will Still Be In Charge

April 9th, 2011
If you think mobile payments will represent relief for retailers when it comes to interchange fees, think again. It increasingly appears that those most involved in mobile payments—the companies developing mobile-payment systems—believe that when mobile wallets arrive, not much is going to change with interchange.

That doesn't mean mobile payments will be useless to retailers, says Columnist Nick Holland. But it's time to stop pinning retail hopes on the most boring part of mobile commerce.

The Legal View: When Google Grabs And Posts Your Password, Can You Sue?

April 6th, 2011
When something bad happens, whether it is a data breach or some other type of attack, it is common for a retailer to meet with its counsel and, in addition to determining its legal obligations, ask the stupidest question any client can ask a lawyer, "Can I sue?" The answer to that question is, of course, always "Yes." The more difficult questions are, "Who can I sue?" and "Will I win?"

Almost always with a data breach or hack, pens Legal Columnist Mark Rasch, some other party has contributed in some way, to either facilitate or exacerbate the breach. The question is, is it worth it to sue? Unfortunately, in most cases, the answer is no. A few recent breaches may be illustrative. Last week, we wrote about a .pdf document of a company that was placed in a Web-accessible location that was not intended to be public. Think of this as leaving an important document in an unlocked office adjacent to your retail location. The public "can" but "shouldn't" go there.

Heartland Breach Still Generating New Compromised Accounts

April 6th, 2011

Old breaches never die, they just—well, they never die. A small bank in Illinois on April 1 announced that some customers’ payment card information had been compromised at card processor Heartland Payment Systems. Yes, that Heartland. And yes, that breach—the one in 2008. “MasterCard and Visa, along with the FBI and Secret Service, have been investigating the incident for several years, and although the security breach is reported to have occurred between May 2008 and November 2008, the compromised information is only now being used to conduct fraudulent transactions,” Freestar Bank President Scott Bauknecht told a local newspaper.

That means that, more than two years after the breach was closed and the first arrests were made in the Heartland case, the thieves are still working their way through the trove of stolen card numbers. Holding onto the numbers that long is a gamble for the thieves, of course, because many of the cards could expire or be canceled over that much time. Then again, after two years without any fraudulent activity, banks and retailers will almost always assume that a card number hasn’t been stolen. That assumption may not be safe again for a long time.

Mobile Muddle: When Will ISIS Start Making Sense?

April 6th, 2011
The muddled mobile-payments scheme from Verizon, AT&T and T-Mobile, dubbed ISIS, just keeps getting more puzzling. On Tuesday (April 4), the group announced a pilot project to let mobile phones be used to pay for rides on Salt Lake City's buses and local trains, in addition to purchases at local retailers. But the big announcement is for a project that won't go live for more than a year—and for a public transit system that already allows customers to use contactless credit and debit cards to pay for rides. This will take a year?

Meanwhile, Sprint—which was left out of ISIS' announcement of its formation in November—now says it was originally part of the group, but left. Although ISIS member Discover was originally presented as the only payments network ISIS needed, it now appears that Discover may not have an exclusive deal with ISIS after all. All this confusion comes in the face of one clear fact: Mobile operators should have the easiest time doing true mobile payments. When will they get their collective act together?

Restaurant Data Breach Probe Filing: Card Data In Plain Text, Default Passwords And Wide Open Wireless Access

April 6th, 2011
A Massachusetts restaurant chain, which was just fined $110,000 by that state's attorney general as a result of a substantial data breach, is a textbook example of how not to handle payment security. Court filings from the case paint a classic picture: unchanged default passwords, wide open wireless access, full card data stored in plain text and an impressive lack of concern about the breach, with restaurants continuing to accept payment cards after the chain knew of the breach and malware that had not yet been deactivated.

The breach at the chain, The Briar Group (The Lenox, MJ O'Connor's, Ned Devine's, The Green Briar and The Harp), impacted at least 125,000 MasterCard and Visa customers, the state filing said. Other security naughtiness alleged: using the default usernames and passwords from its Micros POS systems, opting to not change network passwords "for more than five years," allowing those username/password combos to be "used system-wide for all users" and then not changing passwords after employees quit or were fired.
