Security / Fraud


Still No Apple Mobile Wallet, But A Card-Number Keychain That May Be Just A Bit Too Clever

June 12th, 2013
Anyone who was expecting Apple (NASDAQ:AAPL) to jump into in-store mobile payments this week is probably feeling...well, comfortably disappointed. The big keynote speech at Apple's Worldwide Developers Conference on Monday (June 10) contained, as usual, no sign of the "iWallet" that some Apple fans insist will be coming any day now. But there was something just a little bit like a mobile wallet, and that's sure to keep the wishful thinking alive.

That something was the iCloud Keychain. Put simply, it's a cloud-based feature of Apple's new iPhone operating system, iOS 7, that lets users store passwords, logins and payment-card numbers for use with mobile commerce sites. Yes, it does all the things password managers do these days, including automatically filling in the forms that make online retail so much more miserable for customers on a phone than on a PC. But it's adding card numbers that makes this interesting.



PCI’s New PIN Rules: A New Document Is Issued To Require You To Create A New Document

June 12th, 2013
When the PCI Security Council issued new rules for PIN transactions on Friday (June 7), beyond the usual small tweaks and updates, there was essentially only one new rule impacting retailers: Device manufacturers need to specify how retailers need to use the devices to stay PCI compliant.

Andrew Jamieson, security laboratories manager for Underwriters Laboratories Transaction Security in Australia and a noted follower of PCI PIN procedures, said the new rule is actually a wise move. "The purpose of this document is to define the scope of the approval of the device, such that it is very clear what scenarios and environments the device is approved for use in. Conversely, which situations the use of the device steps outside of its approval, therefore negating its PCI PTS compliance," Jamieson said.



Rakuten Breach: Live By The Web, Get Punished By The Web

June 12th, 2013
Please forgive the cliché, but when hundreds of online shoppers say that your site is sick, it should lie down. The Japanese E-Commerce powerhouse Rakuten, which is just months away from a planned major push against Amazon (NASDAQ:AMZN) in the U.S., is finding itself in the frustrating position of seeing literally hundreds of its customers posting about fraud problems traced to Rakuten. And yet the $4.7 billion global retailer—operating in 27 countries—can't seem to trace the problem.

An online publication of Consumer Reports magazine, the Consumerist, has taken the lead in this coverage, and Rakuten's shopper victims have created their own site, much to the presumed non-delight of Rakuten. The site's called simply Rakuten Fraud. What's worse than having a security hole on your site on the eve of a major rollout impacting lots of customers? How about being unable to figure out where the hole is? Bernard Luthi, the COO of Rakuten.com, has become the public face of this breach and is arguing that there's little his team can do until they can somehow replicate or trace the source of these breaches.



GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?

June 7th, 2013
A recent story in a popular security newsletter featured a headline that got the blood boiling of GuestView Columnist Steve Sommers. The essence of the piece involved the National Association of Federal Credit Unions (NAFCU) asking Congress to create laws to further punish victims of a breach. The upshot is that merchants do not have any skin in the game when they are victims of a data breach. Sommers vehemently begs to differ.

Something these banks seem to miss is that merchants pay them for risk management. Issuers want to just sit back and collect all the free-flowing money that magically appears, forgetting that some of it actually requires them to work. Also, what are the real costs to the issuer? Key word here, "real" costs, not "inflated for a profit." Let's see: $2 for the plastic, $1 mailer, $1 postage, a generous $4 for labor and overhead. That works out to $8 total and these numbers are grossly padded. So why do I see reports by issuers claiming $25-75 "cost" to replace a card? Can you say exaggerated?


Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected

June 6th, 2013
Privacy policies, if written well, explain to customers exactly what data you are going to collect, and what you are going to do with it. Problem is, most retailers have no idea what data they are collecting, or what they are going to do with it. As a result, retailers end up writing privacy policies that are either false or misleading, and this can lead to big legal problems. In fact, it may be better to have a policy that says either "we have no idea what we are collecting and what we will do with it" or "we will collect everything we can and use it in any way we want." But that’s not good public relations, writes Legal Columnist Mark Rasch.

What does this mean for retailers? Retailers collect, store, collate, share and use a great deal of personal information and personally identifiable information. Whether through PCI terminals, CRM databases, loyalty programs, surveillance cameras, credit checks or credit reports, website and e-commerce operations or marketing activities, they have a lot of personal information. They also share it with people that they never consider in their privacy policies. For example, they may state that they share information with vendors and suppliers to deliver goods and services. But what about lawyers, accountants, auditors, regulators, consultants and others? And how will those parties use the information? How will they protect it?


Flaws in the Carbon Layer: Is a Penetration Test Without a Social Engineering Component Really a Penetration Test?

June 3rd, 2013
Every QSA gets asked the same question about penetration testing: What is acceptable (translation: what is the least I can do) for PCI compliance? In the current environment of criminal (and state-sponsored) hacking, that is the wrong question. Instead retailers should ask: How do I get the greatest value from the penetration testing I am already required to do? I would like to make the point that at least part of the answer is for every retailer and payment card merchant to include some form of social engineering as a part of their pen testing.

PCI DSS Requirement 11.3 has a lot of detail on when retailers need to conduct pen tests. It recommends, for example, "at least annually and after any significant changes to the environment." In practice, this means retailers need to perform and/or re-perform pen testing after such events as upgrading their operating system, adding a sub-network to the Cardholder Data Environment (CDE), or even adding a Web server to the CDE. However, the requirement does not specify details on what the pen test should cover other than it should include "network-layer" and "application-layer" testing, pens PCI columnist Walt Conway.


Visa To Genesco: PCI Compliance? What PCI Compliance?

May 31st, 2013
The predictable other shoe has dropped (please forgive that heel of a play on words) in the legal battle between apparel chain Genesco (NYSE: GCO) and Visa over PCI penalties, with Visa officially asking a federal judge to dismiss the retailer's lawsuit. The $2.6 billion Genesco chain, which owns Journeys, Lids and Johnston & Murphy, had been breached in 2010 and later had to reimburse its acquiring bank for about $13 million in fines charged by Visa. It sued Visa—with its acquirer's permission and blessing—saying that it hadn't violated any PCI rules.

Visa has now reacted, arguing to a federal judge that Genesco's complaint should be dismissed for three reasons. First, Visa said that Genesco cited the wrong California state law, one that cannot be used in cases where there is a contract dispute. Second, Genesco didn't claim sufficient facts to make its case. The third Visa argument was that one claim—that Visa had made fraudulent statements—wasn't valid as the statements didn't influence "consumers or the public," nor did even Genesco rely on them. (It's an interesting defense: Our lies didn't harm anyone because nobody ever believes us anyway. For the record, of course, Visa hasn't conceded that it lied, arguing that the law in question only envisioned lies that deceived the public.)


The Case Of The Walmart Drunk: Big Data, Big Duties, Big Headaches

May 30th, 2013
Walmart was very recently sued by a woman involved in a car accident. The driver of the car that hit her wasn’t a Walmart employee, it wasn’t a Walmart vehicle, and it didn’t happen in a Walmart parking lot. Rather, the victim alleged that the driver had recently been in a Walmart and had been kicked out for being drunk. The victim alleged that Walmart, knowing that its customer was both drunk and driving, had a duty to prevent the customer from driving, or to report that person to the police. The court considering the case refused Walmart’s efforts to have the case dismissed on summary judgment, finding that there was at least enough evidence of "negligence" to allow the case to go forward.

Even though nobody alleges that Walmart got the patron drunk, the idea is that Walmart was in a position to know about the potential harm and could have stopped it. Here’s where technology makes things messy. Once the drunk is tossed out of the Walmart, there’s a good argument that Walmart’s duty to third parties ends. Unfortunately, Walmart has installed and routinely monitors parking lot cameras. That's where data creates legal duty.


Walmart: Settlement ‘Worse Than Losing’

May 29th, 2013
In a last-minute interchange settlement objection filed on Tuesday (May 28), Walmart and more than 60 other retailers described the proposed settlement as worse than actually losing the case. The settlement will block future lawsuits over Visa and MasterCard rules, practices or actions—and that includes PCI and breach penalties.

That goes far beyond the original lawsuit, which only covered default interchange rules, honor-all-cards rules and anti-steering rules. If the case went to trial and lost every claim, that would still just lock in the card brands' control of interchange and card-acceptance rules. But the proposed settlement would go far beyond that—extending to block any challenge to PCI and breach penalties.


What You’re Missing: Urban Outfitters Charging More Online, Does Sears Want To Go Members-Only?

May 29th, 2013

Your friends here at StorefrontBacktalk editorial also now publish a daily retail site, called FierceRetail, and wanted to give you a sense of what you’re missing by not visiting or grabbing its free newsletter. Urban Outfitters discovers that it can get away with charging more online than in-store. See? Sometimes conventional wisdom is conventionally wrong.

A look into how federal judges are likely to force changes in how price anchors are set in-store plus some questions about whether Sears is thinking about becoming members-only. Was Best Buy’s Facebook promo a victim of its own great deal—and some we-should-have-seen-this-coming rip-off artists? We also threw in our take on Walmart’s $82 million hazardous waste settlement, where Walmart spoke of mouthwash and hairspray and the feds said they were pesticides. (You say tomato, I say Molotov cocktail…) All of that—and dozens more stories—and that was just this week. And Monday was a holiday! Drop by and check it out. It’s free and the snacks all have zero calories. (That may be because they don’t exist.)…


Virtual Retail Currency Could Translate Into Not-So-Virtual Legal Nightmares

May 23rd, 2013
In a bid to attract new customers, Amazon recently announced a new program in which it would give customers 50 Amazon "coins" to use in playing games and for other purposes. The idea is sort of like what happens at the boardwalk in the summer or at the gaming tables in Las Vegas. Rather than playing with real money (and risking losing real money), gamers play with coins or chips with an artificial "value." It’s easier to lose 500 Amazon coins than it is to lose actual cash.

But in creating an artificial currency, and allowing it to be transferred and exchanged, retailers like Amazon may be getting themselves into potential legal trouble, writes Legal Columnist Mark Rasch. In fact, they may be making themselves into an illegal unregistered money transfer company or even an unlicensed bank. Such is the problem with digital "money."


Mobile Point Of Sale Is Growing Fast And Turning Up Surprises

May 22nd, 2013
Use of tablets and iPods as point-of-sale devices is growing rapidly, but it's not going to knock cashwraps out of most stores anytime soon, according to an IHL Group report released Tuesday (May 21). More than 85 percent of big retailers say that for the next three years, mobile POS devices will be add-ons to—not replacements for—traditional fixed checkouts.

The most likely users of those devices: specialty retailers (both mall-based specialty chains and small independents), who are deploying about 45 percent of all tablets shipped to retail for POS, IHL said. But only 28 percent of U.S. retailers plan to roll out any mobile POS devices by the end of 2013, a drop from previous estimates. That suggests the reality of mobile POS is beginning to set in for early adopters, who are beginning to see some of the limits—and counterintuitive aspects—of the technology.


Marks & Spencer’s POS Charges Contactless Regardless, At Least Now And Then

May 21st, 2013
Some Marks & Spencer customers have reported that the U.K. chain's contactless payment terminals have taken money from contactless cards even when those cards were still in purses or wallets a foot or more away—and in at least one case, the grabby POS behavior was repeatable.

The retailer recently rolled out contactless point-of-sale terminals to 644 U.K. stores and reportedly processes more than 230,000 contactless transactions every week. But several customers told the BBC that they had the experience of inserting a chip-and-PIN card in the PINpad's slot, but being issued a receipt for a contactless card that was nowhere near the PINpad. The contactless system isn't supposed to work at distances of more than about two inches.


Retailers Can Put Anything In A User Agreement, But There’s A Huge Catch

May 16th, 2013
Legal columnist Mark Rasch recently received a $25 debit card as an honorarium for giving a speech. To "activate" the gift card from GreenDot.com, he had to give them his name, address, telephone number, Social Security number, user ID, PIN, and answer to three security questions – all that just for 25 bucks. In fact, what he really did was to open a bank account with $25 and a monthly maintenance fee of $4.95. He apparently agreed to all of this on the website of GreenDot.com under their terms of service. But that’s not all he agreed to.

Years ago, he got a Wachovia stored value card, which similarly had outrageous fees – fees for putting money in, taking it out, checking the balance, loading the card, not loading the card, as well as an annual fee, monthly fees, etc. It amounted to usurious interest rates and fees of over 3000 percent. When he called to dispute one of the fees, the person on the other end told him that his wife (who had just handed him the phone) had authorized the fee – she did not, and he knew this because he was standing right there. That's when Wachovia said they had recorded the call. To a litigator, them's fightin' words.


PayPal Offers Free Card Processing, But For Who?

May 15th, 2013
PayPal is offering free credit, debit, check and PayPal processing for qualifying merchants until the end of 2013. The catch: The retailer has to trade in a cash register for a PayPal-compatible point-of-sale system, according to a blog post by PayPal president David Marcus on Tuesday (May 14). The promotion will go live in June, although applications are being accepted now, Marcus wrote. He didn't give any other details of the deal, such as how much trade-in value a retailer will get in order to buy a PayPal-equipped POS from Erply, Leapset, Leaf, NCR Silver, ShopKeep or Vend, or exactly what "free" means when it comes to processing costs.

But to qualify for the promotion, merchants currently must be primarily using an old-fashioned system such as a cash register, and PayPal may send out employees to collect the register and verify the system upgrade.


Card Processor Hit In A $40 Million Breach. Was It Yours?

May 15th, 2013
A U.S. payment card processor was attacked in February as part of a $40 million cyberheist, federal prosecutors said last Thursday (May 9)—but they didn't identify who the processor was. That left retailers no way of knowing whether their processor was the one that thieves breached to gain essentially unlimited access to the processor's systems, potentially including merchant card data.

It wasn't until Sunday that the mystery breach victim was revealed to be EnStage, a processor that's headquartered in Silicon Valley but outsources its processing to a site in India. And it's still not certain whether any merchant card data was actually stolen in the breach.


Bank Using Voice Biometrics To Authenticate Customers. Could It Work In Retail Call Centers?

May 10th, 2013
Retail security experts have long argued that shoppers in-store provide more security identification potential than those online and that shoppers phoning into a call center offer the least. But a major U.K. bank is using biometrics to authenticate telephone customers by using the customers' pre-recorded vocal patterns. Could the same approach help reduce fraud pushed through retail call centers?

The bank, Barclays Wealth and Investment Management, uses 20 to 30 seconds of the conversation with the phone agent and compares the audio WAV file to a sample taken from that customer earlier. If the software thinks it's a match, the agent is silently signaled that the customer's voice has been verified. If the software does not find a match, agents are supposed to use their regular security questions to verify.


C-Store Chain Mapco Express Hit With Remote Access Breach

May 8th, 2013
Regional convenience-store chain Mapco Express (NYSE:DK) said on Monday (May 6) that thieves may have stolen credit and debit card information from all 377 of its stores during March and April.

"The hackers accessed the payment processing systems used in all of our stores from March 19-25, in certain stores from April 20-21, 2013, and at two stores in Goodlettsville and Nashville, Tenn., from April 14-15, 2013. If you used your credit or debit card at one of these locations during these time periods, your card data may have been compromised," the retailer said in a statement.


Nordstrom’s Typhoid Outbreak Used POS Data To Contact Individual Shoppers

May 8th, 2013
After a cook in one of its in-store restaurants was discovered to have typhoid fever, Nordstrom is trying to directly contact customers who might have been exposed to the disease. The retailer is sifting through point-of-sale transactions from the Nordstrom Cafe in the store at San Francisco's Stonestown Galleria mall in an attempt to identify specific customers who could have been exposed, but that's proving more challenging than expected, a spokesperson for the chain said on Monday (May 6).

The San Francisco health department notified the store late last Thursday (May 2) that an employee was diagnosed with typhoid and may have exposed customers who ate in the restaurant to it on April 16, 17, 18, 20 or 27. As of this week, no cases of customers or other store associates having the disease have been reported, according to the health department. But Nordstrom is still trying to track down anyone potentially exposed.


Best Buy, Home Depot, Gap And Others Lose Major Patent Gift Card Lawsuit

May 8th, 2013
A large group of major chains—Best Buy, JCPenney, Barnes & Noble, Gap, McDonald's, Toys R Us and Home Depot—has been dealt a major patent legal blow Friday (May 3) when a jury unanimously sided with a Texas company that owns a gift card processing patent.

Technically, the jury verdict didn't say that those chains had violated the patents, but merely that the arguments from those chains that the Texas company's (named Alexsam) patents should be ruled invalid failed. The next case will address the issue of whether those chains had in fact violated those patents. That said, much of the evidence that the chains used to indicate why the patents were invalid can be turned right back against them now to prove that their processes are so similar that it must be a patent violation. As a practical matter, it's unlikely that this case will see another jury trial, as the parties will almost certainly work out a deal, in which the chains would simply buy licenses for the Alexsam patent. The question will be how much they'll agree to pay for the patents.


In Kmart’s Armed Data Breach, Police Somehow Not Told Everything

May 8th, 2013
When a Kmart suffered the loss of sensitive pharmacy customer information in mid-March during an armed robbery, Sears officials and lawyers quickly reviewed details and made sure to follow all federal rules—especially HIPAA guidelines. Somehow, though, Kmart never got around to mentioning the data loss to the police, who were never able to find the gunman because the only physical evidence he took with him—a disk containing that day's data backup—was unknown to them, thanks to Sears.

The Little Rock, Arkansas, police investigating the armed robbery—where the gunman slashed the assistant manager's tires to distract him before ordering him at gunpoint to open the safe—were not happy about being kept in the dark and possibly lied to. The investigating detective, Det. Julio Gil, "only learned of the cartridges being stolen from Kmart when he was called by media," said Sgt. Cassandra Davis, who is in charge of the Little Rock Police Department's public affairs unit. The detective "called Kmart and Kmart only then confirmed. He had to call them and ask about it before he learned what (the gunman) had actually taken. No one from Kmart made a report," Davis said.


Can Ebay Pull Off A Giant Touch Window For New York Shoppers?

May 6th, 2013
Ebay and retailer Kate Spade are doing something this summer that would have been unthinkable just a few years ago: creating a pop-up store in New York that will feature a gigantic touchscreen store window. Let's be clear—what would have been unthinkable would be a relatively small (82-store) apparel chain taking on something this technically aggressive, even with a partner as big as eBay to help foot the bill.

Leaving aside all the obvious unanswered questions—from "how do you physically protect a giant touchscreen?" to "how much of an exhibitionist does a customer have to be to browse a web catalog that's taller than she is, right out in public?"—it's a testament to how inexpensive and physically tough this kind of technology has become that it's viewed as practical. Of course, that all assumes that the chain and eBay will actually get it to work as advertised.


Best Buy Exec Sets Up A Retail Site Outside IT, Gets Hacked

May 1st, 2013
This isn't something one sees every day. A senior Best Buy executive, instructed to create a blog to conduct Best Buy business, goes outside the Best Buy IT infrastructure to set it up herself—along with some colleagues in HR—using freeware and a $30/month hosting service. If the story stopped there, it wouldn't be that unusual, as frustrated managers have gone outside the corporate structure for decades, not wanting to wait for their project to rise to the top of someone else's priority list.

In this case, though, the executive was Best Buy's chief ethics officer, who wanted to have a site outside the direct control of corporate. And she learned a lesson about why one wants to be within the protection of a multibillion-dollar chain's IT department. She learned that when her Best Buy blog was shut down, possibly due to a cyberthief attack.


PayPal’s New Autofill Program Has Real Potential With Mobile

May 1st, 2013
EBay's PayPal (NASDAQ:EBAY) Tuesday (April 30) started pushing its new online login system, called Log In With PayPal. The essence of the new program is pretty much "autofill," in that it autopopulates the forms of any e-tail site that is part of the program. It also allows PayPal users to log in with their PayPal credentials—which is not new—a move that is intended to make it less necessary for shoppers to keep track of dozens of password/login combos for all of their favorite e-tail sites.

From the shoppers' perspective, that single login is not that exciting, as most have been doing a very insecure replacement: using the same login/password for those dozens of sites. In effect, that's what PayPal is doing. The security impact is that if there is a breach—at PayPal, at that shopper's computer, elsewhere—that password can now be used to access all of those sites. At least that's the hole until PayPal is contacted and the password is shut down or changed.


NCR’s Anti-Skimming ATM Tech Could Also Help Store PINpads

May 1st, 2013
New anti-fraud technology that NCR (NYSE:NCR) announced last week for its ATMs might find even broader use in point-of-sale PINpads—but not the way that most PINpads are currently designed. The new features, which NCR is calling SPS (for "skimming protection solution"), involve two elements. First—and most technically interesting—is a jammer that disrupts a skimmer that has been attached to the front of an ATM. When a motorized card reader pulls a payment card into the ATM, the electromagnetic jammer prevents a skimmer from reading the mag stripe on the card.

The second, more mundane technology is having the card-reading device send diagnostic information to the bank in real time when there's evidence of tampering.

