Payment Systems

Thinking About Security ROI From The Thief’s Perspective

June 24th, 2010
Retail IT execs have always been very good at making risk-based security budget decisions. They know how to calculate the probability of a certain attack method being used against them, its chances for success and the likely cost to the chain if it succeeds. And they know how to use that information as a way to negotiate with the CFO's people to justify security investments. Security return-on-investment (ROI) arguments are old hat when dealing with black hats and bean counters.

But what about looking at the security ROI challenge from the cyberthief's perspective? That means examining the techniques and seeing which delivers the best value for the profit-oriented criminal. A good example of this approach is differential power analysis (DPA) and Chip-and-PIN payment cards.


Will Senate Bill Force The U.S. To Go Chip-And-PIN?

June 24th, 2010
With Wal-Mart's recent push for Chip-and-PIN in the U.S., the debate has been what could possibly push the banks into supporting such a costly move. One financial blog is making a compelling argument that the U.S. Senate may be about to jump into the U.S. EMV case.

Todd Ablowitz, president of the Double Diamond Group and one of the more interesting payment experts in the U.S. (for us, "interesting" is someone who thinks a well-balanced presentation is where all audience members are pissed-off equally), has been sitting with lobbyists and studying the Durbin bill, currently scheduled to go before a House-Senate conference committee on Thursday (June 24). His conclusion, with a little bit of mildly tortured logic: The bill will strongly incentivize banks to accelerate their acceptance of Chip-and-PIN in the U.S.


Dave & Buster’s Gets 20 Years In Gonzalez Settlement

June 24th, 2010
Dave & Buster's will spend the next 20 years under the watchful eye of the FTC, according to a consent agreement finalized this month. The Federal Trade Commission accused the entertainment restaurant chain of failing to protect the credit and debit card numbers of 130,000 customers after Albert Gonzalez and his associates hacked into the company's networks and stole their card numbers.

Interestingly enough, different sets of federal employees (FTC investigators, Justice Department and U.S. Attorney prosecutors, and three different federal judges) looking at this case from very different vantage points all arrived at roughly the same figure: 20 years, for both the crime's victim and its perpetrator. And who says the law doesn't have a sense of humor—and of the absurd.


Major Mobile Move: Nokia To Ship Phones With NFC

June 24th, 2010

Arguably the biggest stumbling block for the acceptance of any of the mobile-device-to-barcode/tag efforts (Near-Field Communication [NFC], 2D barcodes, Microsoft’s Tag Reader) has been the shortage of any phone manufacturers shipping units with any of these capabilities natively. Nokia has now become the first manufacturer to agree to include NFC chips in its phones, as of next year.

A report in PaymentsSource has Nokia saying that the phones will support the Single Wire Protocol and MicroSD cards. “With the Single Wire Protocol, a wire connects the NFC chip to a mobile phone’s SIM card, which is used to identify a subscriber on the carrier’s network. MicroSD is a memory card used in mobile phones and digital cameras,” the piece said. Nokia has been using the chipped phones in some aggressive trials in India, but shipping all phones with it is a key move. The story also pointed to an unmet expectation that Apple might have been the first to ship NFC-ready phones. “Many observers had speculated Apple’s new iPhone would contain an NFC chip, but that was not the case when it was revealed June 7. It was a mild surprise because Apple had been filing patents for different NFC uses, including using an NFC-enabled phone to interact with an ATM.”…


Chip-And-PIN Breach: Bluetooth, Burned Hole In Back Of Card Reader

June 24th, 2010

For those who are arguing that Chip-and-PIN represents the gold standard in card security, there was a cold splash of reality this week. Four fraudsters from London were sentenced to jail for their part in a nine-month string of thefts that netted almost $1.1 million by tampering with Chip-and-PIN card readers at gas stations. According to a BBC report, the group burned a small hole in the back of each reader and then inserted a memory device and Bluetooth reader that allowed it to capture information and then clone customers’ cards.

One gas station owner saw business drop by 47 percent once customers realized money was being taken from their accounts after visiting the station. The gang’s 29-year-old leader, software engineer Theogenes De Montford, was arrested with information from 35,000 cards on his laptop, 7,000 of them from a single gas station.…

MasterCard Experimenting With Card That Displays One-Time Password

June 17th, 2010

In a MasterCard experiment announced this month with a bank in Turkey, the payment powerhouse has radically revamped what a credit or debit card should look—and act—like. Beyond a one-time-password displayed on a small screen on the card itself (which has been prototyped for years but never mass deployed), the trial cards will be able to display account balance, current loyalty points balance, updated credit/spending limits and a list of recent transactions.

“Turkish bank TEB, a subsidiary of BNP Paribas, will be the first issuer to bring the display card to consumers with a Maestro eCommerce authentication programme that kicks off in July across Turkey, with new features to be added onto the card in the near future,” said a statement from MasterCard Europe. “The UK’s Newcastle Building Society has also committed to the first pilot of the balance display functionality later this year.”…

Visa To Franchisors: “We’re Here To Talk, Not To Listen”

June 17th, 2010
When it comes to PCI compliance for franchisors, Visa is completely out of touch with reality. That's from the pen of Franchisee Columnist Todd Michaud, who spent 9 hours with Visa execs at a franchisee symposium on Wednesday (June 16).

The morning was spent providing horror stories about how the sophisticated Russian organized crime syndicates responsible for the lion's share of breaches operate. The afternoon, meanwhile, was spent talking, indirectly, about what role tokenization and encryption may or may not play in the future of card data protection. Retailers representing more than 50,000 domestic locations were all in the same room, and not once were they asked their thoughts and opinions on the matter. "What a wasted opportunity," Michaud wrote.

Will Wine Kiosks Open Pandora’s Bottle?

June 17th, 2010
A woman walks into the Brix liquor store in Omaha, Neb., goes directly to the Enomatic (an Italian vendor) kiosk and inserts a store-issued card. She selects a favorite wine, and the kiosk pours her a glass. She wants a second glass, and the kiosk complies. As she walks out of the store—perhaps a bit more tipsy than when she entered—she swipes the card at a POS station and then pays for her drinks.

This kiosk is in place at quite a few wine stores across the country. It is part of a trend by fermented grape sellers who are leaning more heavily on kiosks in a wide range of ways, such as determining who is too drunk to buy more alcohol. But these Enomatic machines go much farther, with a device that actually prepares and serves food or drink.

Microsoft’s Mobile Catch-22 Is Getting Consumers To Not Give Up

June 17th, 2010
In the evolving world of mobile and barcodes, one of the most daunting challenges is training consumers to use the technology properly. Of course, you can't really train consumers on Near-Field Communication (NFC), 2D barcodes and Microsoft's Tag Reader. What retailers need is an interface that is so intuitive consumers simply guess how to use these tools correctly.

But therein lies a delicious Catch-22: Once consumers use a technology four or five times, they typically master it and can then proceed effortlessly. The first one or two times, of course, will likely be rough.

Toxic Waste: Old PIN Pads Never Die, But They Really Should

June 16th, 2010
Do you accept PIN-based debit cards at your stores? Have you been accepting these PIN transactions for more than, say, six years? Lastly, are you aware that the first Visa-mandated sunset date for your old PIN Entry Devices (PEDs) is July 1, 2010? If you are like most major retailers, you will answer "yes" to the first two questions, but you might answer "no" to the last question. If that is the case, you are taking on increased risk and liability from these old PIN devices, pens PCI Columnist Walter Conway.

POS equipment, including PEDs, can last a long time. Older stores or POS locations that have not been upgraded may still have equipment that increases the risk of a data compromise. Therefore, retailers with locations or equipment over eight years old should check each of their PEDs against the currently approved lists.

Now On StorefrontBacktalk: One-click Print Formatting, Automatic URLs

June 15th, 2010

Starting this week, each StorefrontBacktalk article has two new features. First, in response to many reader requests, we have now added a print function for each article. Just click on the Print icon (right across from the article’s date) to generate a web page formatted for printing, without page breaks, sidebars or reader comments.

Second, we now automatically add a URL to any content that you copy and paste from an article. Yes, it’s a feature: Instead of copying an entire article to send to someone, now you can copy just the most relevant part and paste it into a message; the URL for the full article is included at no extra charge. Tipping, of course, is always encouraged.…

The M-Commerce Paradox: If You Succeed, You’ll Fail

June 10th, 2010
After we ran a story in the last issue about some Mobile-Commerce experiments at Macy's and Best Buy, one retail exec at a very large chain who has worked extensively with mobile expressed skepticism that some of these projects would ever work at full scale.

"I wonder when people will realize that mobile devices communicate via, ummm, radio?" asked the IT exec. "And that microwave radio signals (which GPS, mobile phones and microwave ovens all use) don't transit solid surfaces, especially conductive ones like metal mall roofs, all that well? And that carriers make no promises relative to in-building coverage (and virtually no promises relative to out-of-building coverage)? And the U.S. government makes no promises at all relative to GPS signal penetration or even availability?"

Why Open Source Drives PCI Nuts

June 10th, 2010
The big advantage to open-source software is that anyone can change it. And the big disadvantage to open source? Anyone can change it. Case in point: osCommerce, one of the applications on the PCI "Bad Apps" list. It's not a surprise that this open-source app hasn't passed PCI's validation. Considering that it can be changed so easily, would you really want it to?

Most of the software packages on the Bad Apps list come from conventional commercial software vendors. If there's a problem with their applications, specifically, if those apps keep sensitive authentication data after a transaction has been authorized, the vendors are usually quick to create a new version or a patch that solves the problem. Result: Only older versions of the software contain the security problem that makes PCI unhappy. And next to the bad version of the app is a note listing the later versions that don't have the problem.

Forgotten Apps Pose PCI Danger, Visa List Shows

June 10th, 2010
Tucked away in forgotten corners of your network sits a wide range of old, forlorn applications. Beyond collecting electronic cobwebs, these apps potentially pose one of the most serious threats to your data security.

Visa routinely compiles a list of applications that, it believes, store sensitive authentication data after a payment has been authorized. Many app versions on this "Bad Apps" list are outdated and no longer being sold. But that doesn't mean they are not lying around in hidden corners of quite a few major—and some not-so-major—retail chains.

Target Cuts Its Discount In Half And Customers Buy More. What A Country!

June 10th, 2010
It's unusual for a major chain to publicly discuss how a change of tender method will impact revenue, so when the 1,740-store Target chain did so Thursday (June 3), it's worthy of note. In this case, the program—a 5 percent instant price cut when customers use the chain's branded payment card—delivered not merely lower costs but a material revenue boost. And when something is material for a $65 billion company, that's really worth noting.

This effort replaced an earlier rewards program where cardholders were given 10 percent off, but the savings could only be used for a subsequent shopping trip. In short, when the discounts were cut in half—from 10 percent to five percent—purchases sharply increased. That's how powerful a difference there exists in consumers' minds between "give it to me now" and "give it to me later."

Complying With Visa’s July 1 PA-DSS Mandate

June 10th, 2010
In the same way you wouldn't buy your gold Rolex from a street vendor, you shouldn't buy a software payment application that is not on the PCI Council's list of PA-DSS validated applications, writes PCI Columnist Walter Conway.

His advice to retailers: If an application is not on the list, don't even include it in an RFP.

Quit Complaining And Just Do The Bloody Training

June 10th, 2010
Technology training is about as popular as a die-hard Lakers fan in a South Boston bar, pens Franchisee Columnist Todd Michaud. It also costs money. A good chunk of money. When you take something people don't like and then make it cost what the operator believes is a lot of money, you end up trying to cram the proverbial 10 pounds of stuff into a 5 pound bag.

When it comes to running a restaurant, investing time and money into learning the store's technology can mean the difference between a money-making hit and a bankruptcy-inducing nightmare. Technology plays a critical role in both the front and the back office. Michaud says he is befuddled by the notion that the same operators who clamor for a Limited Time Offer that may bump sales 1 percent won't invest their energy in systems they already own that could easily save them 3 to 5 percent.

Mobile Instant Payments: An Opening For Chains To Truly Avoid Interchange?

June 10th, 2010
The Holy Grail of mobile payments is the instant payment, something similar to Amazon's one-click or Apple's iTunes, perhaps enhanced by a short, memorized PIN. But no credit card numbers, street addresses or anything else cumbersome is required. That idea has prompted many to suggest this will be the direct-payment-to-carrier play. Why not have software loaded, or a chip inserted, into the hardware?

This payment might be made to the handset manufacturer, but more likely it would go toward a pre-arranged credit or debit card. Let's take this approach one step further. Why not buy from Wal-Mart a Wal-Mart phone—or from McDonald's a McDonald's phone—that allows one-click purchases for anything at all? The consumer would then receive a monthly bill with everything itemized. That's one way to get around interchange and to build some wonderfully deep CRM databases—with lots of your rivals' sales—at the same time.

Is It Time To Stop Mailing Fully Activated Gift Cards?

June 3rd, 2010
Why are we still permitting the mailing of fully activated gift cards? People aren't sending $20 bills in the mail anymore, so why are they still sending the plastic equivalent?

When someone sends someone else a gift card, why not first send an E-mail alerting the recipient to the card's imminent arrival and have that E-mail include a password to activate the card after it arrives?

The Mobile Choices At Macy’s, Best Buy

June 3rd, 2010
Macy's and Best Buy this summer will launch programs that let the retailers interact with customers while they are using their mobile phones. Both programs will leverage consumers' GPS-revealed exact location and the barcode-scanning capabilities of their phones.

But which of several approaches each chain will use has yet to be determined, according to the CEO of the vendor (Shopkick) providing the software.

Sam’s Club Finds Dollars In Charging Customers For Loyalty

June 3rd, 2010
When Wal-Mart's Sam's Club—which makes $47 billion a year on its own—added personalized discounts last summer, it was seen as a traditional way to boost sales through discount coupons.

But what Sam's Club discovered is that it quickly became its own direct revenue stream.

Will The Subway Save Contactless?

June 3rd, 2010
Contactless payment cards still can't catch a break. This week, New York City's mass transit system began what may be the largest push for contactless payment yet in the U.S. In a trial program that began on Tuesday (June 1), a million riders can use MasterCard contactless payment cards at turnstiles for fares on parts of New York's subway and bus system, along with commuter trains across the Hudson River and some bus lines in New Jersey. It's a six-month, highly visible demonstration of the benefits of contactless cards that might actually get consumers to use the cards that have been sitting in their wallets.

But the next day (June 2), a self-proclaimed hacker was on Canadian television demonstrating once again that both MasterCard and Visa contactless cards can be read with a $10 commercial RFID reader available on eBay.

PCI PTS: The “Other” PCI Standard

June 2nd, 2010
PCI Columnist Walt Conway wonders if PCI PTS might be the Rodney Dangerfield of PCI. It is a shame. Even though PCI PIN Transaction Security (PCI PTS) is primarily aimed at device manufacturers, it has implications for every retailer with PIN pads at the point of sale (POS). This standard defines the security requirements for both attended and unattended terminals.

The new PTS specs become effective in one year (May 2011). Although you can buy currently validated equipment up until that time, why would you? If you are looking at a terminal (think kiosk, gasoline pump, vending machine) that combines several individual components, you'll want to check each component (including software) against the Council's list, noting version numbers. Walt also suggests getting something in writing from the seller that indicates every component associated with the PED has been assessed by a PCI PTS lab and is compliant.

Kindle Problems Offer Insight Into Kiosk, M-Commerce Strategies

May 27th, 2010
A good kiosk tries to replicate the charm and persuasiveness of a veteran sales associate in much the same way a well-developed mobile app tries to deliver on the best of in-store and online, enhanced with complete mobility. But what undercuts most of these development efforts is that IT gets so excited by the prospect of leveraging the new, the department is too quick to ignore or give up on the current.

Then customers, who are used to the niceties of that sales associate interaction or the tactile feedback from inside a high-end clothing store, show no interest and developers are baffled. That's where a bunch of Amazon Kindle developers find themselves today.

MasterCard Taking Development Lesson From Tom Sawyer

May 27th, 2010

On Tuesday (May 25), MasterCard announced it plans to release Open APIs so developers “will be able to create a new wave of E-Commerce and mobile payment applications.” The only problem: Why would it? MasterCard officials spoke of the power of M-Commerce and E-Commerce platforms, but failed to explain why an Open API approach would help. Unlike PayPal and Apple, where developers have expressed strong interest in creating their own apps to sit atop those platforms, there is little such enthusiasm surrounding Visa and, given its smaller marketshare, even less for MasterCard.

It’s hard to look at this MasterCard statement and not envision Mark Twain’s Tom Sawyer whitewashing his fence by tricking every other kid in the neighborhood into doing the hard work for him, while he made the money. Tom gave them the tools and let them finish the job. To paraphrase MasterCard’s current tagline: There are some things money can’t buy. But custom apps and marketshare ain’t among them. Use that plastic and pay for your own development. Don’t see the development community whitewashing your fence for you this time.…