Payment Systems

Best Buy Pricing Glitch Raises Reasonableness Issue

February 27th, 2013
When a California county judge hit Best Buy (NYSE:BBY) on February 22 with an $875,370 fine for having the wrong price on an item, it re-raised an old debate: What is fair, reasonable and practical when it comes to precisely updating every price in every store in a major chain? With municipalities starving for budget, and given the fact that no one ever lost votes by squeezing fines from chains accused of posting the wrong price, does it make sense to set up any type of practical test?

The bigger the chain, the better the target, as Walmart (NYSE:WMT) knows only too well. Just last month, another judge in this same California county hit grocery chain Fresh & Easy with a bill for $833,136 for similar price-tag problems. How about drawing legal distinctions between intent to defraud and unintentional human error or computer glitch? Frustratingly, these weights-and-measures cases are usually painful enough to sting but not financially worth fighting. That cost-of-doing-business reality is something cash-strapped agencies rely on.



Visa’s Mobile-Payment Moves: Still Solving The Wrong Problems

February 26th, 2013

The big announcement Visa (NYSE:V) made at the Mobile World Congress on Monday (Feb. 25) was a deal to put its mobile-payments app on Samsung’s NFC-equipped smartphones, and for banks to easily install payment-card numbers in the phones’ NFC Secure Element. Analysts made the usual noises about how these moves will give NFC a much-needed boost. Are these people delusional? We hope not, but it remains true that there’s only one show-stopping problem facing pay-by-tap: Customers just don’t want it. Solve that one, and the other problems are trivial. Fail to solve it, and nothing else matters.

Actually, Visa probably isn’t delusional, just desperately optimistic, like it is when it reports contactless payments of all types (including NFC) have quadrupled in the past year, to 13 million per month. The missing context: VisaNet handles 130 million transactions per day. That means contactless is roughly one-third of 1 percent of the total. Visa knows that’s pathetic. It just doesn’t know how to convince chains to train cashiers to encourage customers to use contactless and mobile payments. Maybe Walmart (NYSE:WMT) will actually do that when its MCX finally arrives. After all, in retail, nothing cuts through the fog of optimism—or delusion—quite like hatred of interchange.…



Another Grocery POS Attack, Compromising Compromise

February 26th, 2013
Add Sprouts Farmers Market, a 151-store regional grocery chain that sells in eight U.S. states, to the list of chains learning that POS attacks are today's favorite cyberthief way to get card data. Sprouts confirmed on February 22 that it found spyware in the POS systems of 19 stores (13 in Arizona, six in Southern California), during a five-day sweep between January 25 and January 29. The statement included this wonderfully comforting line for Sprouts' shoppers: "After an investigation conducted by Sprouts along with FishNet Security, a nationally recognized data security firm, Sprouts is unable to confirm with certainty at this time whether any accounts were compromised."

That's a rather perplexing utterance. Given that the chain said data-capturing software was found in the POS systems of some 19 stores, it's pretty easy to declare that the security of every card used in those machines during that timeframe was compromised. That's not to say that the thieves successfully captured that data in a usable form or that they have actually tried to use that data yet. But in terms of the data being compromised, that debate was pretty much over when the software was found.



Amex Experiment: Replace Cards Online With Passwords

February 22nd, 2013
American Express on Thursday (Feb. 21) took a page from both Apple iTunes and Amazon 1-Click, launching a program in India that allows online shoppers to use a password instead of having to type in card number, expiration date and security verification number. Beyond speed for shoppers, this approach takes all of that sensitive data out of the retailer's servers. The India rollout is the first test of this tactic worldwide.

The program, called ezeClick, was developed by the Amex India group and is being closely watched by Amex corporate. "We let each market develop what they need and what they think will work for them," said American Express spokesperson Jim Tobin. "I assume it will start showing up in other markets."



Why Would Google Open A Chain? Ask Apple

February 20th, 2013
Rumors this week that Google (NASDAQ:GOOG) is on the verge of launching its own chain of brick-and-mortar retail stores mostly seemed to focus on how much better Google is at creating buzz than Microsoft (NASDAQ:MSFT), and how the search giant could give Apple (NASDAQ:AAPL) real competition in the tech-vendor retail-chain sweepstakes. We also liked hearing pundits not insisting, for once, that Amazon (NASDAQ:AMZN) will be the next online retailer to jump into physical stores.

But largely missing from the rumor mill is a blunt reality: Google isn't actually a retailer at all. It could probably put up a chain of good-looking stores and find things to put in them—Nexus phones and tablets, Chromebook computers, Google Glass electronic glasses, driverless cars. But what, exactly, would what is fundamentally a huge online advertising company get from opening its own chain? One possible answer: some actual payments.


Abu Dhabi Addresses Go E-Commerce Friendly. Only 6 Billion More Addresses To Go

February 20th, 2013

Abu Dhabi is going to an E-Commerce-friendly street address system. The capital of the United Arab Emirates announced on Sunday (Feb. 17) that, over the next 30 months, every building will get a number and every street will get a unique name (in many cases a much shorter name, in part to satisfy the needs of online forms), along with a short postal code. Currently, streets may be known by multiple names. For example, 7th Street is also Zayed the First, but it’s commonly known as Electra. And although the street Abu Dhabians call “Bank Street” is lined with banks, it’s formally named Khalid bin Waleed Street. Even some new glass-and-steel hotels have addresses like “Between the Bridges.”

Although local couriers are currently able to navigate the city to make deliveries, U.S.-style addresses should simplify things for E-tailers using addresses or postal codes for things like payment-card verification. It’s also a useful reminder for E-tailers that online forms designed for U.S. addresses aren’t necessarily going to work well in the rest of the world. With its population of 2.4 million people and a per capita income just below that of the U.S., Abu Dhabi is hardly a little desert oasis. But having three names for every street may not be so bad—just ask anyone who has tried to find an address on Peachtree in Atlanta.…


Why PCI DSS Compliance Is Not Like The Flu

February 20th, 2013
PCI DSS compliance is not like the flu. You can't "catch" it from your service provider, even though that provider might be PCI compliant. Merchants must go beyond reading the marketing materials and taking a quick glance at the service provider's attestation of compliance (AOC). The path to PCI compliance starts with PCI-compliant service providers, but it then takes the extra step of performing effective due diligence.

This lesson has been reinforced at least three times in the past few weeks in separate PCI Security Standards Council (PCI SSC) guidance documents. One question is whether merchants—particularly small and midsize merchants—will ever hear this advice. As a QSA, PCI Columnist Walter Conway occasionally gets the impression that clients might spend more time researching their next smartphone, laptop or sailboat than they do reviewing service provider contracts and service-level agreements (SLAs). It is particularly important for merchants to realize the source of the advice. It comes not from the PCI SSC staff but from active PCI practitioners with first-hand experience.


PCI’s New Mobile Guidelines Acknowledge Huge Hurdles

February 15th, 2013
The PCI Council officially released its mobile payment guidelines Thursday (Feb. 14), a document that turned out to be anything other than a Valentine to retail IT execs who'd love to know the "all-clear" path to doing mobile payments and staying PCI compliant. Instead, it's more of a pragmatic acknowledgement of the various mobile hurdles that the council sees as currently insurmountable.

The recommendations, of course, also offer the generic list of best practices for mobile device security (such as strongly encouraging full-disk encryption), which is certainly a handy checklist for chains just starting to seriously explore mobile payments. One key point of the report is to acknowledge the very complex nature of mobile systems, which have far more players than traditional fixed POS systems. For example, the report speaks of the desirability of lab validation for mobile devices and why it's simply—and regrettably—not practical.


PCI Security Problems: The Practical Versus The Perfect

February 13th, 2013

Security rules are wonderful things, and nowhere are they more needed than in retail and payment-card data. But a common criticism of the organization handling such matters—the PCI Council—is that it delivers security edicts in a vacuum, with minimal regard to how different types of merchants function in the so-called real world. Such critics were given three golden examples this month. The examples, in the areas of cloud guidance, P2PE validations and Windows XP end of life, illustrate the types of collisions that are inevitable when committees seeking ideal security approaches run into chains with razor-thin margins (or losses), workforce reductions and store closings. Put more bluntly, it’s the age-old battle of the ideal versus the pragmatic.

This is explored in StorefrontBacktalk’s February monthly column in Retail Week, the U.K.’s largest retail publication. The column lives here at Retail Week. For those who don’t have a Retail Week subscription—shame on you!—here’s a copy at StorefrontBacktalk. You can also check out all of our recent Retail Week columns here.…


PCI Cloud Guidance: Private Cloud Is The Preferred Way To Go

February 13th, 2013
The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. The guidance document begins with a simple statement: "It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud." Using the phrase "particularly challenging" communicates that a merchant's PCI compliance will be easier or harder depending on the chosen cloud deployment model, pens PCI Columnist Walter Conway.

One gem tells retailers they need to "obtain the details of the CSP's [cloud service provider's] compliance validation." This is the first official guidance that tells merchants to go beyond asking for the attestation of compliance (AOC). The guidance suggests merchants review "The Executive Summary and Scope of Work sections" of the CSP's report on compliance (ROC) and the "specific components, facilities, and services that were assessed." Securing a copy of the current AOC for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP's assessment, which is not sufficiently detailed in the AOC. The SIG recognized this situation explicitly with its recommendation.


PCI’s New Cloud Guidance: Great Ideas, Short On Realism

February 11th, 2013
When the PCI Council rolled out its cloud computing guidelines on February 7, one element—dealing with introspection—has been heralded as sound practice while being slammed as unrealistic and impractical. The problem speaks to the very nature of clouds.

In private clouds, retailers can demand unlimited data about their environments; shared cloud providers, meanwhile, simply cannot reveal information about other cloud residents. That very well may mean shared cloud vendors will simply not be able to provide enough information for a retailer to become PCI compliant. Does the council then ban shared clouds—as some have expected—or impose requirements on retailers that they may be unable to fulfill? The guidelines—which are not edicts from the council (yet) but, indeed, are solely guidelines—fairly describe the various types of cloud offerings, from the private cloud to the various shared options: community cloud; public cloud; and hybrid cloud. Although acknowledging that retailers may have limited control of the environment and the information in a cloud model, the council still places demands on the information gathered for PCI compliance.


After Seven Months, Why Has The PCI Council Yet To Have Anyone P2PE Validated?

February 8th, 2013
For the past two years, the Payment Card Industry Security Standards Council (PCI SSC) has been taunting merchants with offers of a specialized (and simplified) Self-Assessment Questionnaire (SAQ) for those using "validated P2PE" approaches. At first, the council told merchants to wait while it drew up plans to validate the products. Then—finally—seven months ago, PCI SSC released its standards and told merchants to go right ahead and pick one of these validated options. There's only one problem: As of Thursday (Feb. 7), the council hadn't validated any.

That's right. Seven months after the standards were released and nearly two full years from its initial announcements on the matter, the PCI SSC has yet to validate a single P2PE vendor that can offer the promised scope reductions and a simplified SAQ to merchants. Why? Well, quite frankly, pens GuestView Columnist J. David Oder, because the council designed the wrong standard.


Privacy Issues Galore Crop Up In California Supreme Court E-Commerce Ruling

February 7th, 2013
On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say "no," but the California Supreme Court says "yes." Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse—for both online and offline retailers, pens Legal Columnist Mark Rasch.

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information.


California Opens CRM Goldmine For All E-Tailers

February 6th, 2013
The California Supreme Court on Monday (Feb. 4) ruled that online merchants have the right to ask for Zip code and other personal information about shoppers who buy electronically downloadable products, but physical retailers do not. Given the clout of the highest court from the country's largest state making such a ruling—which, in turn, makes it very likely that other states will follow—this decision could sharply change CRM and POS strategies.

Such changes are especially likely because the court did not impose any restrictions on how retailers can use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting fraud. The ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location. The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court's Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.


NRF And EPC’s Swipe-Fee Flame War: Full Of Sound And Fury, Signifying Nothing

February 6th, 2013
The NRF and the Electronic Payments Coalition (EPC) have launched what is essentially a flame war over the swipe surcharges that are allowed under the interchange settlement as of January 27. NRF launched the first broadside, calling surcharges a "ridiculous concept" and deriding "propaganda" suggesting any retailer would use them. EPC fired back on Tuesday (Feb. 5), calling NRF's statements "false and misleading."

This isn't complicated—the retailers most likely to adopt swipe-fee surcharges are the ones currently offering discounts for using cash, and that group doesn't include most big chains. But NRF is also fighting the interchange settlement and EPC is supporting it, which goes a long way to explain some otherwise pretty incomprehensible flaming.


Windows XP End-of-Life Could Cripple PCI Compliance

February 6th, 2013
PCI DSS has two sunsets coming up. The first is the well-documented end of PA-DSS v1.2 this October. The second, and equally significant, sunset is Windows XP's end-of-life just a few months later, and this event may have an even more direct impact on retailers. The demise of Windows XP will challenge retailers with POS or other payment applications running in that environment. These retailers will fall into one of three scenarios. How they choose to address the situation will affect their PCI compliance and, more importantly, their security. There may even be a little fallout for the PCI Security Standards Council (PCI SSC) itself, pens PCI Columnist Walter Conway.

On April 8, 2014, about 14 short months from now, Windows XP will reach the end of its life as an operating system. That means that starting on April 9, 2014, Microsoft will no longer market, support or provide regular security patches for that operating system. Retailers with POS or other payment systems running on Windows XP after this date will, therefore, no longer be PCI compliant.


Duane Reade Gets Lots Of Non-Obvious Value From A Mobile Game

February 5th, 2013
Duane Reade, the largest drugstore chain in New York City, announced on Tuesday (Feb. 5) it would be trying an unusual mobile effort: It is participating in an elaborate Google mobile-fueled virtual reality game. At one level, this is just silly fun. But from a retail mobile perspective, a lot more is going on here. The game, called Ingress, is from Google's Niantic Labs and involves hiding barcodes throughout the stores. From the chain's perspective, is it about getting shoppers to walk inside its 250 stores? No, although the game certainly does that. Is it about getting shoppers to not merely enter but have to go deep into the store, searching through shelves of products to find the game barcodes? Yes, but that's not the biggest element.

The real payback for Duane Reade, owned by Walgreens, is about changing customer mobile behaviors. In English, that means getting shoppers comfortable with scanning barcodes and interacting with the resultant data. It will increase participation in more explicit mobile programs. This will mean more price comparisons—which Duane Reade is confident it will usually win—and, soon, it will soften resistance to mobile payments.


Survey Says Consumers Worry About Mobile Wallet Security. But Does That Matter?

February 4th, 2013

A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don’t give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of smartphone users surveyed have used PayPal, six times as many as runner-up Google Wallet) was something we’ve heard often enough: 47 percent say they’re concerned about “security/safety/theft/loss of phone” with digital wallets. To its credit, the ComScore report on the survey does point out that consumers don’t seem to understand the added security that digital wallets provide. (A real surprise: 29 percent say they have no mobile-wallet concerns.)

But we never see surveys that ask consumers “What concerns, if any, do you have about using a plastic credit or debit card to make purchases?” What percentage would say they’re worried about losing the card or having their wallet stolen? Without that, we don’t know if a question about mobile wallets means anything at all. If most consumers do fret about the risk of a stolen magstripe card but use it anyway, that’s clearly not what’s holding back mobile payments. Our theory: Consumers don’t actually care about security at all. Now will somebody please deliver numbers to prove us wrong?…


PCI’s Potential Black Friday Nightmare

January 30th, 2013
October promises to be a big month for everyone involved with PCI, but maybe not for the expected reason. On Oct. 28, 2013, every payment application validated under Payment Application Data Security Standard (PA-DSS) version 1.2—and there are a lot of them—will see its validation expire. The applications will no longer be acceptable for new deployments, a potential nightmare for every retailer using a validated payment application. If a retailer has any payment app that glitches in early November, it could have far fewer—if any—choices as a replacement. The problem: A large number of applications still haven't been revalidated under PA-DSS 2.0. Given the time that has already elapsed, coupled with the human tendency to delay the unpleasant, we're looking at a likely crush of last-minute validation renewal requests that could strain both PA-QSA and PCI SSC resources.

For retailers, says PCI Columnist Walter Conway, this means applications that may still be secure won't necessarily be supported by vendors. Much worse, this situation could create a huge backlog of applications to be evaluated by PA-QSAs and then approved by the PCI Council. That process will take weeks, and quite possibly months, to work through. Retailers should note that this will be happening barely one month before Black Friday. Fear not, though. All of these problems can be averted if software vendors all act quickly, well ahead of deadline. (Editor's Note: In other words, we're all doomed.)


Starbucks Dominates Mobile Payments. Why Isn’t Anyone Else Even In The Game?

January 30th, 2013
Starbucks revealed just how far it is ahead of everyone else in mobile payments last week, and the answer should be both terrifying and heartening for other retailers. The coffee-house chain said its customers do 2.1 million mobile transactions at Starbucks every week—about 5 percent of all its sales transactions in U.S. stores.

That's the terrifying part: No other brick-and-mortar retailer comes remotely close to those numbers in mobile payments. The heartening part: It's possible. Despite all the wheel-spinning from PayPal, Google and Isis when it comes to getting customers to use mobile payments, it can be done. And it's not something unique to Starbucks customers.


Apple’s Movie-Ticket-Purchase Move Has (Broken) Promise For Mobile Payments

January 30th, 2013
When Apple on Monday (Jan. 28) announced new features in its mobile OS—including what it described as "the ability to use Siri to purchase movie tickets in the U.S. through Fandango"—it seemed like the iPhone maker's first movement into mobile payments. Alas, no. Turns out that the system doesn't give Siri (the phone's virtual assistant with comically bad voice recognition) the ability to purchase movie tickets at all. It simply does what it's always done, which is to find local movie showtimes. After that, it's up to the user to click and tap on options, which will eventually bring up the Fandango app (assuming the user has already installed it). That's more a marketing deal than IT magic.

But it does raise the question of why the app doesn't deliver the type of true integration that it promises. Why not enable movie tickets to be purchased—without leaving Siri—and charged to the user's iTunes account?


Wait, You’re Saying That A Hostage Video Is Not Credible?

January 25th, 2013
Major electronics E-tailer Newegg received some good news Tuesday (Jan. 22), when a federal appellate panel overruled a $2.5 million patent ruling against the retailer. The most interesting part of the case, though, was when Soverain Software—the software firm trying to protect its E-Commerce patent—tried to argue that its success is proof that its patents are worthwhile. The appellate judges looked into that claim.

"Soverain argues that obviousness of all of the claims in suit is negated by the favorable market response that was achieved by Open Market's Transact product, which Soverain states received 'widespread recognition in the general media,' 'an excellence award from the industry' and was 'widely licensed.'" Sounds good. So it would appear that the wide licensing meant Soverain had a lot of fans, right? The appellate judges' written decision continued: "Newegg responds with evidence that the Transact system was abandoned by its developers and almost all of its original users. Newegg points out that licenses were taken to avoid the costs of litigation, and not to use the flawed Transact system embodied in its software."


MCX Sees ACH As Interchange Salvation. Many Chains Not So Sure

January 23rd, 2013
The secret sauce for beating interchange is ACH. That, at least, is the plan of the Walmart-led Merchant Customer Exchange (MCX), according to sources familiar with the payment system being developed by the retailer consortium. By using ACH transactions to debit bank accounts or credit lines instead of going through payment-card brands' networks, MCX expects to reduce transaction costs to as little as four cents—and cut Visa and card-issuing banks out of the loop.

MCX still hasn't revealed most of the details of the system, but some things are becoming clear. Others are still up in the air—like whether banks will accept a few pennies per transaction when an ACH withdrawal typically costs them more than that. Also, will banks want to get into such an effort, knowing the toxic politics surrounding any effort to knock out Visa and MasterCard? The much more fundamental issue for MCX is whether it can come up with—and agree to fund—a compelling reason for shoppers to participate. That, coupled with what some retailers—namely, those who have been pitched—see as an overly aggressive approach, has prompted some to question whether MCX can deliver the interchange relief it promises. One example of the pitch approach some have cited: MCX demanding $30,000 from retailers just to see the official PowerPoint. Chains are also being asked to commit to three-year mobile payment app exclusivity, meaning they won't support any non-MCX mobile payment other than any mobile payment app they have already deployed.


Alipay’s Retro Pay-By-Noise System May Be More Useful Than It Sounds

January 23rd, 2013

In-store mobile payments are still looking for the right technology, with NFC struggling for a foothold and QR codes only successful in pockets (or, more accurately, in Starbucks). But a new smartphone mobile wallet announced on January 18 by China’s Alipay takes a new tack: It communicates via what Alipay describes as “white noise.” (We’re pretty sure what that really means is “it sounds like the hiss of a dial-up modem, just without all the screeching.”) The Alipay wallet isn’t currently supporting POS payments, just data transfers between phones. But there’s no special reason it couldn’t be used for transactions, especially because that’s the business Alipay is in.

True, a hissing phone would be really easy to eavesdrop on, but you’d want that transaction data encrypted anyway. And as retro (and annoying) as it would sound at a POS, a pay-by-hiss system would work even for smartphones without a camera and high-resolution screen—all the phone needs is a speaker and microphone. Still, there’s that hiss, which certainly would be out of place in a tony store and might be inaudible on Black Friday. But maybe there’s a retro solution for both those problems. Acoustic couplers, anyone?…


PayPal Mobile Payment Trial Tripped Up By Lack Of Training

January 23rd, 2013
As retailers struggle with how to get shoppers to try mobile payments, PayPal has been experimenting with different approaches. Last month, for example, PayPal set up a booth at a very large New Jersey mall and offered shoppers $10 to try its mobile payment system. But the trial ran into the same issues that have tripped up so many mobile trials: lack of associate and store manager training; an approach that made it awkward for some shoppers (already rushed during December holiday shopping at an extremely crowded mall) to get the incentive; and no reason for customers to try it again after the promotion.

The trial at the 2.1 million square foot Garden State Plaza (about 300 stores) involved six chains, and managers at each of the stores discussed the trial on the condition of anonymity. The chains involved were American Eagle Outfitters, Jamba Juice, Nine West, Champs, Aerie and Foot Action (part of the FootLocker chain). On the plus side, all of the stores reported that some shoppers tried using the app. On the down side, far from all of them were able to do so.

