Gap’s Piperlime Problem: Online To Stores Isn’t So Easy

May 23rd, 2012
Moving a brick-and-mortar retail chain online is a pretty well understood process at this point. Gap is now facing the opposite problem: how to turn its online-only Piperlime store into a brick-and-mortar business. The verdict so far: This isn't as easy as it was supposed to be.

The irony is that opening new store brands online is easy, once a chain has its E-Commerce presence up and running. Infrastructure can be shared, and the challenge is mainly making the new brand distinctive. But if anything, going the other way is actually harder than opening a completely new physical-store brand from scratch.


Apple’s Mobile Payments: Not Bluetooth, But Maybe Closer Than You Think

May 23rd, 2012
Does Apple really plan to use Bluetooth instead of NFC for mobile payments? Probably not, but you'd think so based on the buzz over the past week from the Apple-watching echo chamber. The consensus: All iPhones and iPads now have Bluetooth built in. It will take years for NFC to get into enough phones to matter. Ergo, Apple will use Bluetooth for its mobile wallet and sweep the table.

That's unlikely—if widely deploying a technology was the problem, contactless cards would have wiped out magstripes years ago. But will Apple use Bluetooth for payments? We may know by the end of the summer.


SAP VP Caught Doing Very Original Research On Retail Security: Barcode-Swapping At Target

May 23rd, 2012
When an SAP Labs VP was arrested this week—charged with multiple burglary counts for supposedly sticking fake barcodes on Lego sets in California Target stores—it was a wonderful reminder of how vulnerable today's barcode security is.

On the down side: Police said they found "hundreds of unopened boxes of Legos" at the VP's home, strongly suggesting that he had had considerable success using switched barcodes. On the plus side: Target's loss prevention team coordinated with various stores and shared pictures of the VP, enabling him to be identified and followed before a barcode swap.


A Web PIN Pad That Changes GUI For Each Customer’s Card. Will That Make Shoppers Use It?

May 23rd, 2012
Here's an interesting interchange-fueled conundrum: How do retailers get consumers to enter their debit-card PINs online, a move that saves the retailers money but doesn't directly help the consumers at all?

One vendor is arguing that by visually making the screen image look identical to whatever card shoppers are using, the shoppers will be more inclined to enter their PIN. The company has added a nice security twist: rotating the key position so anyone sniffing the communication—or using keygrabbers or spyware—can't easily determine the numbers entered. But that twist has its own twist: By scrambling the number positions with each click, some consumers will take a lot more time to enter their PIN, because they have memorized it based on the ATM, retail in-store and computer keypads they are used to.


Should Forensic Tools Be Sold To Anyone?

May 23rd, 2012
When a software vendor creates a tool for forensic data-breach investigators, can it—should it?—take any steps to try and make sure that product is sold to legitimate investigators and not to cyberthieves? It's a tricky issue. Unlike limiting sales to government law enforcement, forensic investigators are not licensed and they can work for any retailer or consulting firm or security company. What type of test of legitimacy could possibly work?

This came to mind because of an interesting product rollout on Monday (May 21) by a vendor called Passware. Its launch involves a means of grabbing passwords from within any Excel spreadsheet or Word doc by quickly locating encryption keys in memory.

Yes, Virginia, We Really Do Need A QIR Program

May 16th, 2012
Integrators and resellers seem to be resisting a program that would provide stronger enforcement over, well, integrators and resellers. PCI Council General Manager Bob Russo talked with PCI Columnist Walter Conway about the resistance (the program is "sorely needed"), the pricing and the nature of the training. And given the number of industry insiders Russo worked with to create the program, he bristled at the suggestion that the Council worked in a vacuum on this one.

Russo said the training will be an online course so nobody should have to travel, Conway writes.

A Better Way To Search StorefrontBacktalk

May 16th, 2012

With more than 3,000 stories, columns and GuestViews in the content database here at StorefrontBacktalk, we thought it was time to do a little upgrading. Starting this week, readers (both free and Premium) can search for stories by limiting the search to just the story’s headline—as opposed to the headline and the full text. (Note: Right below the search bar, readers can choose HED Only or Story And Hed.)

The ability to isolate a search to the headline can be useful in two ways. If you happen to remember that the headline mentioned Target, for example, you need not see every story that mentioned Target (or even used the word “target”). The second way is practical. If you want a story that is primarily about tokens—and not a story that merely mentions the word somewhere—the headline-only search can be helpful.…

MasterCard Aims To Take Mobile Wallet Rivals Apart

May 9th, 2012
What Google, PayPal and ISIS are trying to assemble in mobile payments, MasterCard wants to dismember. On Monday (May 7), the number-two payment-card brand unveiled a mobile wallet and an E-Commerce payment system that are designed to cut out any middlemen horning in between customers and retailers and payment networks.

Ironically, while MasterCard's PayPass Wallet for NFC-equipped phones got most of the attention, that's still largely a pipe dream—MasterCard hasn't even talked any mobile operators into giving it access to the NFC chip. But the online payments effort will offer tokenization to reduce PCI scope for E-Commerce. The bad news: You can probably forget about any interchange relief.

Best Buy Facebook “Joke” Points Out The Risks Of Handling Smartphone Repairs

May 9th, 2012
Corporate data security policies have always been a challenge. In recent years, thumbdrives, corporate telecommuting and smartphones have made such controls problematic. But the assumption has always been that the data being protected was on the hard-disks or RAM of various systems.

A Best Buy incident this month, however, is a grim reminder that saved passwords or tokens can expose employees to sensitive data—and capabilities—far beyond the bits and bytes of that device.

32-Point Font Might Save Your IT Career

May 9th, 2012
It's you versus the sales guy in an epic battle over your IT career. The sales guy has a polished presentation about the features and benefits of his products and services. You have a status report. The sales guy has access to unlimited resources to make your business partners' wildest dreams come true. You have one really great guy who you've overworked to the point that you carry a ton of personal shame.

The sales guy says, "Yes. Yes. Yes." You say, "No. No. No." In this surreal world, pens Retail Columnist Todd Michaud, you are watching your hard-fought IT career be dismantled by an onslaught of companies that shake your hand and look you in the eye as they pitch your demise one product and service at a time. And you had better buckle-up, Buttercup; it's only going to get worse.

Level 3 PCI Compliance Increases Slightly, Even As Its Population Grows

May 9th, 2012
The latest PCI compliance stats—out this week—show trivial changes from the prior report, with Level 2 and Level 3 retailers slightly increasing compliance. Level 2 went from 91 percent at the end of December 2011 to 92 percent as of March 31, 2012, and Level 3 also increased by 1 percent, from 58 percent to 59 percent.

With changes as small as 1 percent, it's hard to determine what, if anything, caused the change. The number of Level 2s dropped slightly (from 1,066 to 1,060), so it's possible a couple of the chains that left might have had compliance issues.

P2PE: No Cakewalk for Merchants, But There May Be No Alternative For Reducing Scope

May 9th, 2012
When the PCI Council released version 1.1 of its Point-to-Point Encryption (P2PE) Testing Procedures late last month (April 27), it forced an interesting question: Will P2PE be the only way to remove encrypted data from a merchant's PCI scope?

Writes PCI Columnist Walter Conway: Current PCI Council guidance (FAQ 10359) holds that encrypted data can be out of a merchant's PCI scope "if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it." The important word here is "entity." That is, the ability to decrypt the data must rest with some unrelated third party. With the emergence of P2PE, could this scoping guidance be revised to where the only appropriate "entity" is an approved P2PE provider?

“Careless” Systems Integrators Now Directly Under PCI DSS

May 2nd, 2012
Mistakes made by careless or incompetent payment application installers or system integrators have led to far too many data breaches over the years. In each case, even though the reseller or integrator made the mistake, the merchant bore the ultimate responsibility.

Unfortunately, system resellers and integrators formerly fell in a governance gap in PCI, and their actions were outside the PCI Council's jurisdiction. PCI Columnist Walter Conway says "were," because that situation is about to change.

Walmart’s Online Cash Creates New Fraud Problem

May 2nd, 2012
When Walmart launched its E-Commerce cash program on April 26, did it open the door to evil-minded rivals by giving them the means to falsely lock up merchandise? That is just one example of the many implications behind Walmart's move to enable people to use cash to make online purchases.

Beyond new security holes on the risk side, the reward side is equally huge. While everyone seems to have focused on the general unbanked audience, a much more interesting prospect for this program is teenagers. Plus, this is sort of an anti-showrooming move, where online shoppers are being lured into the stores. Revenue sharing between Walmart channels is also a point of nervousness with this program. And a store's inability to cancel such online orders—even if the customer then finds the item on the shelf—is problematic, too. This is a rare example of the kinds of compromises—between online and in-store operations—chains must make these days.

Sears’ Move Into IT Services: A Baffling Step If You Think Of Sears As A Retailer

April 25th, 2012
Sears on Tuesday (April 24) launched a service to provide managed technology services for "brick-and-mortar enterprises across all industry verticals." It is a move partly aimed at Amazon's cloud service, with Sears promising much more customization and hand-holding. For many retail observers, this was a baffling step, another non-strategic distraction at a time when the 119-year-old retailer needed to do nothing more than focus on selling more products in its stores.

For Sears, though, the move made fiscal sense. With all of those dollars invested in IT systems—with more capacity than Sears needs—why not, in effect, lease out some of it? Put another way: Turn IT from a pure cost-center to a mostly cost-center that generates at least some revenue.

E-Nightmare: Minors May Not Have To Pay For Downloads

April 25th, 2012
In Mark Rasch's legal column this week, he points out that online purchases by minors are a potential legal nightmare and that a federal judge is now deciding the retail issue. But what if the case goes against retailers? Frighteningly, the way many digital purchases are processed makes it all but impossible to comply with the law.

How could iTunes refund an already listened to song or an already played game? That's not merely a business/profit question. From an IT perspective, there is often no mechanism to do it. What might start out as a legal problem will almost instantly morph into an IT problem.

Angry Nerds: The iTunes Youth Legal Nightmare

April 25th, 2012
It's not just those birds that are angry these days. The process by which Apple allows teens, pre-teens and even toddlers to download free apps, and then purchase game currencies within these free apps, may have landed the computer giant in hot water—with both parents and at least one federal district court in San Jose.

The case revolves around a longtime legal reality: Minors cannot agree to a contract. If they pretend to agree, it's non-binding and can't be enforced, writes Legal Columnist Mark Rasch. But what if an adult gives the child their password and permission to make a purchase? It's still the child doing it and the contract, therefore, probably can't be enforced.

Turning Back Office Into A Game, IT Style

April 25th, 2012
Why is it that the same people who will easily spend hours playing Angry Birds each week won't spend an extra hour improving their retail operations? Saving money just isn't sexy or fun. It's boring, and that's the biggest problem.

After many years in retail operations, Retail Columnist Todd Michaud is still surprised how little traction well-developed back-office applications receive. You would think that saving money on inventory, labor or marketing expenses would be all the motivation that a retail owner or general manager would need, but that rarely seems to be the case. That got Michaud thinking about some of the new social applications, like Foursquare, and what makes them successful: Gamification.

Home Depot’s SEO Furor

April 18th, 2012
What began as a Home Depot effort this month to get installers to boost the chain's Web traffic has morphed into a strange SEO Google mess, with a Home Depot E-mail encouraging those service providers to use invisible links on their sites.

This is not merely an issue of violating the rules of a major search engine. A lot of these partners—carpet installers, for instance—have minimal E-Commerce teams, which means they rely on partners such as Home Depot for E-Commerce guidance. And when chains give advice that is false and endangers the ranking of the sites of those partners, it is a problem.

Wal-Mart MoneyCard Break-In Offers Lessons For New Payment Tactics

April 18th, 2012
As retailers accelerate payment experiments, a recent Wal-Mart experience with a well-established approach offers a cautionary tale. A Buffalo, N.Y., woman this month walked into her local Wal-Mart, gave an associate $1,000 in cash and asked for it to be loaded onto a Walmart MoneyCard, in preparation for a vacation. A couple days later, the customer discovered that the money had been removed by a thief in another country.

The fact that it was a thief who stole the funds is undisputed. However, the immediate next actions of Wal-Mart and Green Dot—which manages MoneyCard for Wal-Mart—are a textbook example, not of what should not be done, but of how it shouldn't be done.

7-Eleven’s New Age-Verification Provides Proof For Police, But Is Far From Perfect

April 18th, 2012
7-Eleven on Monday (April 16) started a new age-check system, one that provides digital proof that a specific person's credentials were checked at a specific date and time. This will provide the nation's largest convenience-store chain with a new independent way to fight back when police say that an underage customer's driver's license had never been checked.

But it won't address many of today's age-ID problems, including waiving license checks if the associate thinks the person is old enough, license photos often being bad enough to fool weak authenticators, and under-age consumers using the driver's license of an older sibling. Still, 7-Eleven has crafted ways to deal with some of those gotchas with the new system.

Stealing From A Wal-Mart? Better Not Drive A Rental

April 17th, 2012
A pair of accused Wal-Mart thieves in North Carolina learned a valuable lesson last week: If you're going to shoplift from the world's largest retailer, it's not a great idea to drive to the heist in a rental car.

It seems that as they exited the Havelock Wal-Mart with multiple yet-to-be-paid-for HP desktop computers, store officials did not stop them, but they did jot down their license plate number. Police found that it was from a car rental company, which happened to be able to remotely shut down the engine. And GPS was involved, too. Yep, this was a dual-shoplifter takedown, ultra-geek style.

Appellate Court Limits Computer Fraud And Abuse Act

April 12th, 2012
In a major decision limiting corporate use of the federal Computer Fraud and Abuse Act (CFAA), the U.S. Court of Appeals for the Ninth Circuit on Tuesday (April 10) said the law is intended to address true cybertheft and other criminal hacking efforts and nothing else. At issue was whether companies could threaten employees with federal prosecution for violating company policies, such as playing games on a company computer.

Beyond the fact that retailers have to deal with many of these employee issues, the potentially bigger retail impact of this ruling is how it would strengthen prosecutions of actual cyberthieves, who tend to work where they shop.

New Jersey Giftcard Law Is Much More Complicated For Retailers Than Even Its Critics Believe

April 12th, 2012
The great New Jersey giftcard exodus continues. On April 5, Blackhawk Network and InComm announced they'll pull their giftcards from New Jersey retailers to avoid a new state law requiring them to collect and store the purchaser's ZIP code. (American Express giftcards are already gone from the state.) Their complaint: It's an IT project that's all cost and no business benefit. But in a merged-channel world, that's not the only problem with the new law.

In fact, what lawmakers probably thought was a simple idea runs into a buzzsaw of complexities—and the IT project is the easiest part of the problem.

Secret Service’s Home Depot Arrests Add To Self-Checkout Woes

April 12th, 2012
When the U.S. Secret Service arrested five men last week on charges that they stole hundreds of items from the self-checkout areas of 74 Home Depots in six states, it certainly didn't help the security reputation of self-checkout. This comes after Costco detailed its own self-checkout thefts and several chains abandoned self-checkout, citing theft as one key reason.

Some self-checkout advocates concede that these types of self-checkout thefts are very real, but that they are often the result of sloppy self-checkout deployments, with some stores not activating all security functions, using insufficient staff around self-checkout, not bothering with security cameras and ignoring other self-checkout best practices.
