advertisement

Top Stories


advertisement

Security / Fraud


Still No Apple Mobile Wallet, But A Card-Number Keychain That May Be Just A Bit Too Clever

June 12th, 2013

Anyone who was expecting Apple (NASDAQ:AAPL) to jump into in-store mobile payments this week is probably feeling…well, comfortably disappointed. The big keynote speech at Apple’s Worldwide Developers Conference on Monday (June 10) contained, as usual, no sign of the “iWallet” that some Apple fans insist will be coming any day now. But there was something just a little bit like a mobile wallet, and that’s sure to keep the wishful thinking alive.

That something was the iCloud Keychain. Put simply, it’s a cloud-based feature of both Apple’s new iPhone operating system, iOS 7, that lets users store passwords, logins and payment-card numbers for use with mobile commerce sites. Yes, it does all the things password managers do these days, including automatically filling in the forms that make online retail so much more miserable for customers on a phone than on a PC. But it’s adding card numbers that makes this interesting.

Read more...

advertisement

PCI’s New PIN Rules: A New Document Is Issued To Require You To Create A New Document

June 12th, 2013

When the PCI Security Council issued new rules for PIN transactions on Friday (June 7), beyond the usual small tweaks and updates, there was essentially only one new rule impacting retailers: Device manufacturers need to specify how retailers need to use the devices to stay PCI compliant.

Andrew Jamieson, security laboratories manager for Underwriters Laboratories Transaction Security in Australia and a noted follower of PCI PIN procedures, said the new rule is actually a wise move. “The purpose of this document is to define the scope of the approval of the device, such that it is very clear what scenarios and environments the device is approved for use in. Conversely, which situations the use of the device steps outside of its approval, therefore negating its PCI PTS compliance,” Jamieson said.

Read more...

advertisement

Rakuten Breach: Live By The Web, Get Punished By The Web

June 12th, 2013

Please forgive the cliché, but when hundreds of online shoppers say that your site is sick, it should lay down. The Japanese E-Commerce powerhouse Rakuten, which is just months away from a planned major push against Amazon (NASDAQ:AMZN) in the U.S., is finding itself in the frustrating position of seeing literally hundreds of its customers posting about fraud problems traced to Rakuten. And yet the $4.7 billion global retailer—operating in 27 countries—can’t seem to trace the problem.

An online publication of Consumer Reports magazine, the Consumerist, has taken the lead in this coverage, and Rakuten’s shopper victims have created their own site, much to the presumed non-delite of Rakuten. The site’s called simply Rakuten Fraud. What’s worse than having a security hole on your site on the eve of a major rollout impacting lots of customers? How about being unable to figure out where the hole is? Bernard Luthi, the COO of Rakuten.com, has become the public face of this breach and is arguing that there’s little his team can do until they can somehow replicate or trace the source of these breaches.

Read more...

advertisement

GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?

June 7th, 2013

A recent story in a popular security newsletter featured a headline that got the blood boiling of GuestView Columnist Steve Sommers. The essence of the piece involved the National Association of Federal Credit Unions (NAFCU) asking Congress to create laws to further punish victims of a breach. The upshot is that merchants do not have any skin in the game when they are victims of a data breach. Sommers vehemently begs to differ.

Something these banks seem to miss is that merchants pay them for risk management. Issuers want to just sit back and collect all the free-flowing money that magically appears, forgetting that some of it actually requires them to work. Also, what are the real costs to the issuer? Key word here, “real” costs, not “inflated for a profit.” Let’s see: $2 for the plastic, $1 mailer, $1 postage, a generous $4 for labor and overhead. That works out to $8 total and these numbers are grossly padded. So why do I see reports by issuers claiming $25-75 “cost” to replace a card? Can you say exaggerated?

Read more...

advertisement


Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected

June 6th, 2013

Privacy policies, if written well, explain to customers exactly what data you are going to collect, and what you are going to do with it. Problem is, most retailers have no idea what data they are collecting, or what they are going to do with it. As a result, retailers end up writing privacy policies that are either false or misleading, and this can lead to big legal problems. In fact, it may be better to have a policy that says either “we have no idea what we are collecting and what we will do with it” or “we will collect everything we can and use it in any way we want.” But that’s not good public relations, writes Legal Columnist Mark Rasch.

What does this mean for retailers? Retailers collect, store, collate, share and use a great deal of personal information and personally identifiable information. Whether through PCI terminals, CRM databases, loyalty programs, surveillance cameras, credit checks or credit reports, website and e-commerce operations or marketing activities, they have a lot of personal information. They also share it with people that they never consider in their privacy policies. For example, they may state that they share information with vendors and suppliers to deliver goods and services. But what about lawyers, accountants, auditors, regulators, consultants and others? And how will those parties use the information? How will they protect it?

Read more...

Flaws in the Carbon Layer: Is a Penetration Test Without a Social Engineering Component Really a Penetration Test?

June 3rd, 2013

Every QSA gets asked the same question about penetration testing: What is acceptable (translation: what is the least I can do) for PCI compliance? In the current environment of criminal (and state-sponsored) hacking, that is the wrong question. Instead retailers should ask: How do I get the greatest value from the penetration testing I am already required to do? I would like to make the point that at least part of the answer is for every retailer and payment card merchant to include some form of social engineering as a part of their pen testing.

PCI DSS Requirement 11.3 has a lot of detail on when retailers need to conduct pen tests. It recommends, for example, “at least annually and after any significant changes to the environment.” In practice, this means retailers need to perform and/or re-perform pen testing after such events as upgrading their operating system, adding a sub-network to the Cardholder Data Environment (CDE), or even adding a Web server to the CDE. However, the requirement does not specify details on what the pen test should cover other than it should include “network-layer” and “application-layer” testing, pens PCI columnist Walt Conway.

Read more...

Visa To Genesco: PCI Compliance? What PCI Compliance?

May 31st, 2013

The predictable other shoe has dropped (please forgive that heel of a play on words) in the legal battle between apparel chain Genesco (NYSE: GCO) and Visa over PCI penalties, with Visa officially asking a federal judge to dismiss the retailer’s lawsuit. The $2.6 billion Genesco chain, which owns Journeys, Lids and Johnston & Murphy, had been breached in 2010 and later had to reimburse its acquiring bank for about $13 million in fines charged by Visa. It sued Visa—with its acquirer’s permission and blessing—saying that it hadn’t violated any PCI rules.

Visa has now reacted, arguing to a federal judge that Genesco’s complaint should be dismissed for three reasons. First, Visa said that Genesco cited the wrong California state law, one that cannot be used in cases where there is a contract dispute. Second, Genesco didn’t claim sufficient facts to make its case. The third Visa argument was that one claim—that Visa had made fraudulent statements—wasn’t valid as the statements didn’t influence “consumers or the public,” nor did even Genesco rely on them. (It’s an interesting defense: Our lies didn’t harm anyone because nobody ever believes us anyway. For the record, of course, Visa hasn’t conceded that it lied, arguing that the law in question only envisioned lies that deceived the public.)

Read more...

The Case Of The Walmart Drunk: Big Data, Big Duties, Big Headaches

May 30th, 2013

Walmart was very recently sued by a woman involved in a car accident. The driver of the car that hit her wasn’t a Walmart employee, it wasn’t a Walmart vehicle, and it didn’t happen in a Walmart parking lot. Rather, the victim alleged that the driver had recently been in a Walmart and had been kicked out for being drunk. The victim alleged that Walmart, knowing that its customer was both drunk and driving, had a duty to prevent the customer from driving, or to report that person to the police. The court considering the case refused Walmart’s efforts to have the case dismissed on summary judgment, finding that there was at least enough evidence of “negligence” to allow the case to go forward.

Even though nobody alleges that Walmart got the patron drunk, the idea is that Walmart was in a position to know about the potential harm and could have stopped it. Here’s where technology makes things messy. Once the drunk is tossed out of the Walmart, there’s a good argument that Walmart’s duty to third parties ends. Unfortunately, Walmart has installed and routinely monitors parking lot cameras. That’s where data creates legal duty.

Read more...

Walmart: Settlement ‘Worse Than Losing’

May 29th, 2013

In a last-minute interchange settlement objection filed on Tuesday (May 28), Walmart and more than 60 other retailers described the proposed settlement as worse than actually losing the case. The settlement will block future lawsuits over Visa and MasterCard rules, practices or actions—and that includes PCI and breach penalties.


That goes far beyond the original lawsuit, which only covered default interchange rules, honor-all-cards rules and anti-steering rules. If the case went to trial and lost every claim, that would still just lock in the card brands’ control of interchange and card-acceptance rules. But the proposed settlement would go far beyond that—extending to block any challenge to PCI and breach penalties.

Read more...

What You’re Missing: Urban Outfitters Charging More Online, Does Sears Want To Go Members-Only?

May 29th, 2013

Your friends here at StorefrontBacktalk editorial also now publish a daily retail site, called FierceRetail, and wanted to give you a sense of what you’re missing by not visiting or grabbing its free newsletter. Urban Outfitters discovers that it can get away with charging more online than in-store. See? Sometimes conventional wisdom is conventionally wrong.

A look into how federal judges are likely to force changes in how price anchors are set in-store plus some questions about whether Sears is thinking about becoming members-only. Was Best Buy’s Facebook promo a victim of its own great deal—and some we-should-have-seen-this-coming rip-off artists? We also threw in our take on Walmart’s $82 million hazardous waste settlement, where Walmart spoke of mouthwash and hairspray and the feds said they were pesticides. (You say tomato, I say Molotov cocktail…) All of that—and dozens more stories—and that was just this week. And Monday was a holiday! Drop by and check it out. It’s free and the snacks all have zero calories. (That may be because they don’t exist.)


Virtual Retail Currency Could Translate Into Not-So-Virtual Legal Nightmares

May 23rd, 2013

In a bid to attract new customers, Amazon recently announced a new program in which it would give customers 50 Amazon “coins” to use in playing games and for other purposes. The idea is sort of like what happens at the boardwalk in the summer or at the gaming tables in Las Vegas. Rather than playing with real money (and risking losing real money), gamers play with coins or chips with an artificial “value.” It’s easier to lose 500 Amazon coins than it is to lose actual cash.

But in creating an artificial currency, and allowing it to be transferred and exchanged, retailers like Amazon may be getting themselves into potential legal trouble, writes Legal Columnist Mark Rasch. In fact, they may be making themselves into an illegal unregistered money transfer company or even an unlicensed bank. Such is the problem with digital “money.”

Read more...

Mobile Point Of Sale Is Growing Fast And Turning Up Surprises

May 22nd, 2013

Use of tablets and iPods as point-of-sale devices is growing rapidly, but it’s not going to knock cashwraps out of most stores anytime soon, according to an IHL Group report released Tuesday (May 21). More than 85 percent of big retailers say that for the next three years, mobile POS devices will be add-ons to—not replacements for—traditional fixed checkouts.

The most likely users of those devices: specialty retailers (both mall-based specialty chains and small independents), who are deploying about 45 percent of all tablets shipped to retail for POS, IHL said. But only 28 percent of U.S. retailers plan to roll out any mobile POS devices by the end of 2013, a drop from previous estimates. That suggests the reality of mobile POS is beginning to set in for early adopters, who are beginning to see some of the limits—and counterintuitive aspects—of the technology.

Read more...

Marks & Spencer’s POS Charges Contactless Regardless, At Least Now And Then

May 21st, 2013

Some Marks & Spencer customers have reported that the U.K. chain’s contactless payment terminals have taken money from contactless cards even when those cards were still in purses or wallets a foot or more away—and in at least one case, the grabby POS behavior was repeatable.

The retailer recently rolled out contactless point-of-sale terminals to 644 U.K. stores and reportedly processes more than 230,000 contactless transactions every week. But several customers told the BBC that they had the experience of inserting a chip-and-PIN card in the PINpad’s slot, but being issued a receipt for a contactless card that was nowhere near the PINpad. The contactless system isn’t supposed to work at distances of more than about two inches.

Read more...

Retailers Can Put Anything In A User Agreement, But There’s A Huge Catch

May 16th, 2013

Legal columnist Mark Rasch recently received a $25 debit card as an honorarium for giving a speech. To “activate” the gift card from GreenDot.com, he had to give them his name, address, telephone number, Social Security number, user ID, PIN, and answer to three security questions – all that just for 25 bucks. In fact, what he really did was to open a bank account with $25 and a monthly maintenance fee of $4.95. He apparently agreed to all of this on the website of GreenDot.com under their terms of service. But that’s not all he agreed to.

Years ago, he got a Wachovia stored value card, which similarly had outrageous fees – fees for putting money in, taking it out, checking the balance, loading the card, not loading the card, as well as an annual fee, monthly fees, etc. It amounted to usurious interest rates and fees of over 3000 percent. When he called to dispute one of the fees, the person on the other end told him that his wife (who had just handed him the phone) had authorized the fee–she did not, and he knew this because he was standing right there. That’s when Wachovia said they had recorded the call. To a litigator, them’s fightin’ words.

Read more...

PayPal Offers Free Card Processing, But For Who?

May 15th, 2013

PayPal is offering free credit, debit, check and PayPal processing for qualifying merchants until the end of 2013. The catch: The retailer has to trade in a cash register for a PayPal-compatible point-of-sale system, according to a blog post by PayPal president David Marcus on Tuesday (May 14). The promotion will go live in June, although applications are being accepted now, Marcus wrote. He didn’t give any other details of the deal, such as how much trade-in value a retailer will get in order to buy a PayPal-equipped POS from Erply, Leapset, Leaf, NCR Silver, ShopKeep or Vend, or exactly what “free” means when it comes to processing costs.

But to qualify for the promotion, merchants currently must be primarily using an old-fashioned system such as a cash register, and PayPal may send out employees to collect the register and verify the system upgrade.

Read more...

Card Processor Hit In A $40 Million Breach. Was It Yours?

May 15th, 2013

A U.S. payment card processor was attacked in February as part of a $40 million cyberheist, federal prosecutors said last Thursday (May 9)—but they didn’t identify who the processor was. That left retailers no way of knowing whether their processor was the one that thieves breached to gain essentially unlimited access to the processor’s systems, potentially including merchant card data.

It wasn’t until Sunday that the mystery breach victim was revealed to be EnStage, a processor that’s headquartered in Silicon Valley but outsources its processing to a site in India. And it’s still not certain whether any merchant card data was actually stolen in the breach.

Read more...

Bank Using Voice Biometrics To Authenticate Customers. Could It Work In Retail Call Centers?

May 10th, 2013

Retail security experts have long argued that shoppers in-store provide more security identification potential than those online and that shoppers phoning into a call center offer the least. But a major U.K. bank is using biometrics to authenticate telephone customers by using the customers’ pre-recorded vocal patterns. Could the same approach help reduce fraud pushed through retail call centers?

The bank, Barclays Wealth and Investment Management, uses 20 to 30 seconds of the conversation with the phone agent and compares the audio WAV file to a sample taken from that customer earlier. If the software thinks it’s a match, the agent is silently signaled that the customer’s voice has been verified. If the software does not find a match, agents are supposed to use their regular security questions to verify.

Read more...

C-Store Chain Mapco Express Hit With Remote Access Breach

May 8th, 2013

Regional convenience-store chain Mapco Express (NYSE:DK) said on Monday (May 6) that thieves may have stolen credit and debit card information from all 377 of its stores during March and April.

“The hackers accessed the payment processing systems used in all of our stores from March 19-25, in certain stores from April 20-21, 2013, and at two stores in Goodlettsville and Nashville, Tenn., from April 14-15, 2013. If you used your credit or debit card at one of these locations during these time periods, you card data may have been compromised,” the retailer said in a statement.

Read more...

Nordstrom’s Typhoid Outbreak Used POS Data To Contact Individual Shoppers

May 8th, 2013

After a cook in one of its in-store restaurants was discovered to have typhoid fever, Nordstrom is trying to directly contact customers who might have been exposed to the disease. The retailer is sifting through point-of-sale transactions from the Nordstrom Cafe in the store at San Francisco’s Stonestown Galleria mall in an attempt to identify specific customers who could have been exposed, but that’s proving more challenging than expected, a spokesperson for the chain said on Monday (May 6).

The San Francisco health department notified the store late last Thursday (May 2) that an employee was diagnosed with typhoid and may have exposed customers who ate in the restaurant to it on April 16, 17, 18, 20 or 27. As of this week, no cases of customers or other store associates having the disease have been reported, according to the health department. But Nordstrom is still trying to track down anyone potentially exposed.

Read more...

Best Buy, Home Depot, Gap And Others Lose Major Patent Gift Card Lawsuit

May 8th, 2013

A large group of major chains—Best Buy, JCPenney, Barnes & Noble, Gap, McDonald’s, Toys R Us and Home Depot—has been dealt a major patent legal blow Friday (May 3) when a jury unanimously sided with a Texas company that owns a gift card processing patent.

Technically, the jury verdict didn’t say that those chains had violated the patents, but merely that the arguments from those chains that the Texas company’s (named Alexsam) patents should be ruled invalid failed. The next case will address the issue of whether those chains had in fact violated those patents. That said, much of the evidence that the chains used to indicate why the patents were invalid can be turned right back against them now to prove that their processes are so similar that it must be a patent violation. As a practical matter, it’s unlikely that this case will see another jury trial, as the parties will almost certainly work out a deal, in which the chains would simply buy licenses for the Alexsam patent. The question will be how much they’ll agree to pay for the patents.

Read more...

In Kmart’s Armed Data Breach, Police Somehow Not Told Everything

May 8th, 2013

When a Kmart suffered the loss of sensitive pharmacy customer information in mid-March during an armed robbery, Sears officials and lawyers quickly reviewed details and made sure to follow all federal rules—especially HIPAA guidelines. Somehow, though, Kmart never got around to mentioning the data loss to the police, who were never able to find the gunman because the only physical evidence he took with him—a disk containing that day’s data backup—was unknown to them, thanks to Sears.

The Little Rock, Arkansas, police investigating the armed robbery—where the gunman slashed the assistant manager’s tires to distract him before ordering him at gunpoint to open the safe—were not happy about being kept in the dark and possibly lied to. The investigating detective, Det. Julio Gil, “only learned of the cartridges being stolen from Kmart when he was called by media,” said Sgt. Cassandra Davis, who is in charge of the Little Rock Police Department’s public affairs unit. The detective “called Kmart and Kmart only then confirmed. He had to call them and ask about it before he learned what (the gunman) had actually taken. No one from Kmart made a report,” Davis said.

Read more...

Can Ebay Pull Off A Giant Touch Window For New York Shoppers?

May 6th, 2013

Ebay and retailer Kate Spade are doing something this summer that would have been unthinkable just a few years ago: creating a pop-up store in New York that will feature a gigantic touchscreen store window. Let’s be clear—what would have been unthinkable would be a relatively small (82-store) apparel chain taking on something this technically aggressive, even with a partner as big as eBay to help foot the bill.


Leaving aside all the obvious unanswered questions—from “how do you physically protect a giant touchscreen?” to “how much of an exhibitionist does a customer have to be to browse a web catalog that’s taller than she is, right out in public?”—it’s a testament to how inexpensive and physically tough this kind of technology has become that it’s viewed as practical. Of course, that all assumes that the chain and eBay will actually get it to work as advertised.

Read more...

Best Buy Exec Sets Up A Retail Site Outside IT, Gets Hacked

May 1st, 2013

This isn’t something one sees every day. A senior Best Buy executive, instructed to create a blog to conduct Best Buy business, goes outside the Best Buy IT infrastructure to set it up herself—along with some colleagues in HR—using freeware and a $30/month hosting service. If the story stopped there, it wouldn’t be that unusual, as frustrated managers have gone outside the corporate structure for decades, not wanting to wait for their project to rise to the top of someone else’s priority list.

In this case, though, the executive was Best Buy’s chief ethics officer, who wanted to have a site outside the direct control of corporate. And she learned a lesson about why one wants to be within the protection of a multibillion-dollar chain’s IT department. She learned that when her Best Buy blog was shut down, possibly due to a cyberthief attack.

Read more...

PayPal’s New Autofill Program Has Real Potential With Mobile

May 1st, 2013

EBay’s PayPal (NASDAQ:EBAY) Tuesday (April 30) started pushing its new online login system, called Log In With PayPal. The essence of the new program is pretty much “autofill,” in that it autopopulates the forms of any e-tail site that is part of the program. It also allows PayPal users to login in with their PayPal credentials—which is not new—a move that is intended to make it less necessary for shoppers to keep track of dozens of password/login combos for all of their favorite e-tail sites.

From the shoppers’ perspective, that single login is not that exciting, as most have been doing a very insecure replacement: using the same login/password for those dozens of sites. In effect, that’s what PayPal is doing. The security impact is that if there is a breach—at PayPal, at that shopper’s computer, elsewhere—that password can now be used to access all of those sites. At least that’s the hole until PayPal is contacted and the password is shut down or changed.

Read more...

NCR’s Anti-Skimming ATM Tech Could Also Help Store PINpads

May 1st, 2013

New anti-fraud technology that NCR (NYSE:NCR) announced last week for its ATMs might find even broader use in point-of-sale PINpads—but not the way that most PINpads are currently designed. The new features, which NCR is calling SPS (for “skimming protection solution”), involve two elements. First—and most technically interesting—is a jammer that disrupts a skimmer that has been attached to the front of an ATM. When a motorized card reader pulls a payment card into the ATM, the electromagnetic jammer prevents a skimmer from reading the mag stripe on the card.


The second, more mundane technology is having the card-reading device send diagnostic information to the bank in real time when there’s evidence of tampering.

Read more...

Page 2 of 72123456102030Last »

Newsletters

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 17,000 retail IT leaders who subscribe to our free weekly email. Sign up today!
advertisement

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Safeway Self-Checkout Security Hole Illustrates The Importance Of Button Sequence

It would have been interesting if you took a poll of the attendants before this went public about how many were trained and instructed to watch for this scenario. I wonder what the percentage of "yes, we look for that" vs. "Huh?" answer would have been. The retailer had no real incentive of fixing the problem. The items still get paid for, just by the previous customer. The only risk to the store was for some bad PR if this got out. They were gambling that it wouldn't. And for some length of time (I wonder how long...), it stayed hidden from the general public. Read more...
I have to disagree that the retailer had no incentive for fixing this. The revenue is the same, so there's no incentive for letting it happen or continue to happen. This is not merely a PR problem. The shoppers who have to pay double will be furious. Will they blame themselves for not clicking the right button? Of course not. They'll blame the retailer and likely think they were ripping them off. They might even assume that the next shopper paid for their goods, too, so it's really a double-charge. This glitch poses a huge threat to the retailer and offers no benefit. Will the customers who benefit thank the store? Will they appreciate the store? No, they'll likely think that store could just as easily have ripped them off. They'll probably avoid self-checkout, which also undermines the retailer. This is truly bad on so many levels. Read more...
I honestly think that customers should be more wary of what is on their self-checkout belt before going to pay. Although, a lot of that can be solved by having better designed kiosks. Read more...

Extremely Sad News

Walt will be greatly missed. He was a nice, approachable guy who made PCI a lot less scary in higher education. Read more...
Very sad to hear about Walt's passing. I had a chance to attend a couple of his talks and he still is the only one who could get people engaged and interested in PCI issues and make them less daunting without losing the seriousness of the subject matter. His columns on this sites were always very helpful and were frequently used by me to help explain this complex subject matter. Read more...
403Labs, Walt's employer for years, has just posted a very nice tribute: http://www.403labs.com/walt. Read more...
Walt's wit and wisdom will be missed by all. My deepest sympathies to his family & friends. Read more...
I never met Walt, but used his articles in presentations to clients frequently. Always a resources for accurate explanations that were easy to understand. He will be missed..... Read more...
I will always remember Walt's refreshing approach to PCI compliance when he worked with me at two institutions. Other consultants generally said, ok we saw what you have, here is the checklist to comply with SAQ D. Walt would turn it all around and say, for a campus your size you should be able to get your scope down to this, and by the way, here is what worked with your 3rd party on another campus I worked with... I will miss his wit and his gentle soul. Read more...
I was fortunate to meet Walt at a time when my campus was beginning the marathon known as PCI compliance. His knowledge was immense and his advice very simple. By the time he completed an engagement with our school, we had become friends. We enjoyed many conversations about things not related to work and shared a meal or two at professional meetings and symposiums. My deepest condolences to his sweet wife Meredith, his family, colleagues, and many friends. Read more...
ed
While I never met Walt Conway, his articles were very informative and he definitely left an impression with his knowledge. Read more...
What is it with PCI columnists at StoreFront BackTalk? Before Walt, we lost the amazing David Taylor in 2009, who enlightened so many with his crisp writing and insightful viewpoints. Read more...
I just cannot believe it. Walt and I had known one another for a number of years and I finally met him in person at the first PCI Community Meeting in Toronto. He and I bantered back and forth for years over the infamous session at that Meeting held by the card brands where they discussed whether pre-authorization data was in-scope. For the record, it was NOT in-scope, but was to be protected as though it were in-scope. I will miss him dearly as he was always will to tell me when I was getting things wrong. RIP my friend. Read more...
That is incredibly sad news indeed. Walt was extremely knowledgeable about information security (and PCI DSS in particular), but he also made the subject approachable to many (a very rare gift in the industry). He will be missed! Read more...
This is truly sad news. Walt helped educate us here at Intel about PCI and was a tremendous resource for us. He will be missed. Read more...
I've been absent from the world and just found out about this very sad news. In the few conversations I had with him I had very similar experiences: personable, intellegent and very nice. Walt will be greatly missed. Read more...
This is really sad news, I had met Walt when I started PCI work and has been a great resource to me and our Company. He will be really missed. Read more...
While I've been very behind on my reading, I am so sad to hear of this news. I absolutely loved Walt's style of writing, and of course the content was top notch. I appreciated that he even took a call or two to discuss a few PCI topics - and he had a great sense of humor as well. Walt - you will be missed! Read more...
In 1990 I worked closely with Walt in Visa EMEA/London office : he was our diplomatic pioneer to open doors with rather suspicious "rivals" like American Express, Diners Club, and MasterCard when we were building electronic transaction processing bridges to their hubs. None of them could resist his charm offensive! Now I realise that he had continued to use his ideal mix of personal charm and technical prowess to win hearts and minds in the PCI DSS world too. And it's very humbling to know that he was so involved with helping the homeless. Salute to you, Walt! RIP. Read more...

Macy's Wrongly Priced Necklace: The Problem That Was Never Supposed To Be Possible In-Store

A consumer who knowingly accepts change in excess of the amount due is no different than one who takes advantage of an honest mistake made by an store employee regarding pricing of an item. Macy' doesn't need to worry about customers with that ethos. They do need to better train their employees, though they should have common sense before they even show up for work. Read more...
Agreed that it applies to all, but there's no indication in this situation that the shoppers knew anything was wrong. Macy's had labeled it clearly as a huge discount--and it was--so there was no reason for them to suspect anything. Macy's associates, on the other hand, have access to their sales and should have seen that the price in the POS didn't match the ad. And if it did, how could it have? A typo in an ad that was replicated in the POS? Much of this doesn't add up, but have yet to see anything that shoppers were acting dishonestly. Read more...
Macy's should have handled this differently... on a number of levels. With all of the money Macy's has invested in new IT over the past few years, this error is a perfect example of how even the best new systems are susceptible to human error. Here, there were at least 2, maybe even 3 or 4 separate systems that contained the error. (MMS, POS, E-Com, Marketing) Was it a process breakdown? Sloppy data entry? Collusion among employees? Nobody knows for sure. Regardless of how the error was caused, it is not the customer's problem that the error happened. Any reasonable person, and in this case there were several, would not have thought anything amiss when the advertised one-day sale price matched the price scanned at the register. (Remember the problem grocery stores had with barcodes scanning at higher prices than labelled? Here, it seems the opposite problem occurred.) This should be a wake-up call for retailers to implement better controls in their IT systems and business processes. On a related topic, I wonder if the jewlery merchant at Macy's will get dinged when the GM$ for the department come in far under plan or if that will get written off as a marketing expense! Read more...
Cme
I work at Macy's in fine jewelry. I wasn't at work that day, but if I had worked, and if I had noticed the error, the process to report the error is so complex that it would have been challenging to report the error. Also, if I noticed the error and I was wrong, then I risk being viewed as a troublemaker. In other words, it's not a store employee's "place" to question a large corporate decision. Read more...

Why The SAQs Will Change This Year

I often hear ecommerce merchants say that because they use a transparent redirect or direct post method that tokenizes in the browser that they are totally compliant. And when I ask about securing their web servers that originate the payment form, there is usually a long pause, followed by "oh yeah, but we're still compliant". With the growing number of insecure sources pushing content to the browser, like ad servers, chat, and analytics modules, the number of attack vectors increase BEFORE the PAN is even input by the cardholder. Maybe in the new mandate, 'capture, transport or process' can be preceded by a word like 'isolate, prevent, segment, harden or protect' when it comes to the merchant web servers that get the payment acceptance party started in the first place. Read more...
Better clarification by the PCI council is good. It is still unclear to me how to deal with multiple vendors supporting the website -- each saying they have no access to PCI data. How is a merchant supposed to figure it out? And, by the way, in my experience, the bank/processor and assessors look for the easy way to grant compliance. Which may help in the short term but not in the long-term if there is an eventual breach. Read more...
I doubt they will be so strict. Let's see come October. I can't see a way all websites with a link to a compliant payments page could possibly be made in scope. Read more...
Level 4 merchants are the fastest growing target group suffering data breaches. There is a massive explosion of compromises where Level 4 merchant web applications are being compromised with the specific goal of hijacking payment mechanism redirects. This is a huge problem that is growing exponentially. Most Level 4's falsely believe they are too small of a target for a breach, but the criminal groups know that, and they know that "Bob's Comic Shop" can't afford an Imperva WAF, and can't use an open source WAF in their GoDaddy/Dreamhost/whatever $10/year hosting account, and they don't even know how to begin reviewing their logs. Read more...

PCI DSS: The Next Generation

I would expect this turnover to continue, and wonder what resource would be best to refer the new security team to for a thorough PCI orientation? Read more...
Forcing credit card processing sales people to be responsible would probably improve compliance. What if the salesperson had compensation withheld whenever a merchant is known to not be PCI Compliant? Read more...
A firewall is not network segmentation? What is? How do I keep my upstream ISP's router out of scope? Read more...
I do a lot of training, but if somebody is going to be responsible for PCI compliance, then an Internal Security Assessor (ISA) credential is pretty important, and the other key staff should at least attend some PCI security awareness training and maybe even go for the PCI Professional (PCIP) credential. The particularly attractive part of the PCIP is that it stays with the individual, not the company. Read more...
So if I'm running an e-commerce operation and my customer at home in his pajamas ordering a widget from my site can talk to my CDE (which he has to in order to submit his credit card info) his PC is in scope? Or my monitoring system which connects to snmpd on my order taking internet facing webserver is in scope? I can understand how an Active Directory or LDAP server which handles authentication for machines in the CDE would be in scope but to say anything which can connect to the CDE and anything which can be connected to from the CDE is in scope is greatly overstating the problem and renders lots of people's work to reduce scope via network segmentation and firewalls moot. Read more...
The option of a true Air Gap, i.e. a physically disconnected network is the ultimate segmentation but by no means the only way to segment. Firewalls and routing, switches and ACLs are all very valid ways to do so. All of these items mean that the assessor you or me must make a decision to the effectiveness and the adequacy of the segmentation. Read more...
Unfortunately, in the real world, firewalls often permit inbound or outbound connections, and therefore they do not achieve the desired segmentation and scope reduction. For example, there may be "holes" in the firewall to permit patching, AV updates, etc. My point is that if the rules on a firewall permit any access by another system for whatever purposes, then that other system is not segmented (isolated) from the PCI environment, and that other system is in your PCI scope. By permitting an inbound or outbound connection to the cardholder data environment (CDE), you expand your PCI scope. It all comes down to the actual specification of the firewall ruleset or router ACLs. An explicit "Deny All" rule achieves segmentation for PCI. About anything else risks expanding scope. Read more...
If the rules on a firewall permit any access by another system for whatever purposes, then that other system is not segmented (isolated) from the PCI environment, and that other system is in your PCI scope. By permitting an inbound or outbound connection to the cardholder data environment (CDE), you expand your PCI scope. If a system or device can initiate a connection into the cardholder data environment (CDE) or receive a connection from the CDE, that system or device is in the merchant’s PCI scope. It does not matter if there is a firewall controlling the access. It doesn’t matter if the connection is only for “a little while.” If a connection is possible, then the network is not segmented for PCI purposes and all the devices are in scope. Read more...

With POS Paper Supplies Vanishing, E-Receipts May No Longer Be Optional

oehler is leaving the market because they DEFRAUDED the US Government. They purposely lied and withheld information from the US Government to artificially lower the selling price of thermal receipt paper in the US in an effort to financially hurt domestic producers. That is a fact proven repeatedly in the court. Nobody likes a cheat. The price of thermal paper is returning to its true market clearing level now that Koehler has been prosecuted and found guilty. Regardless of the industry we compete, we all can agree that playing by the rules is a prerequisite, and when you don't the responsible party needs to be prosecuted to protect those who are playing fairly. Read more...
Beyond the issue of whether or not there is or will be a thermal paper shortage ... this post raises a number of valid considerations and obstacles for moving to totally digital receipts. I too have experienced the overly long receipts that hawk everything from my earned gas price discounts to a full-blown application for the retailer's co-branded credit card. Recently I experienced a FFS (fat finger syndrome)moment when an eager young clerk in a popular high-tech retail outlet keyed "n" vs. "m" in my email, and the receipt never arrived. I then had to call back and get a copy re-sent (once they found the transaction). I prefer to be given the option of getting both digital and on-site receipts such as a department store chain I frequent allows. That way, I can determine my comfort level on a case-by-case basis. And then there are the cases where you need a "gift receipt". How to best approach this will remain a topic of much discussion between the various constituencies. Read more...
No paper receipt, no sale. I don't give email or other personal info at the register. I left a full cart with 14 xbox games, two hard drives, flight control panel, and several dvd's at best buy this christmas because the check-out girl required my phone number to complete the transaction for a cash sale. I also left a over loaded cart at toy-r-us with almost $400 in toys because they demanded a phone number and zip code to complete the cash transaction. I didn't get angry, I just walked out and shopped at wal-mart and newegg.com. Read more...
Is the paper supply shortage real? Yes, but only temporarily as market production will correct itself with others filling the void in time. I'm with Bill. I'm not giving out my email address to every retailer, nor to even 40. It's very rare that I would give it out. Ditto for cell phone number, which stores have been increasingly asking for as a faster and less error prone alternative to typing an email address. Read more...

Today's Mobile Uncharted Territory Lesson: What Happens When Your Processor Is Ordered To Not Take Payments?

Good point regarding another factor to be considered when employing new payment vehicles. However, what seems to have been consistently missed in the posting/re-posting of the "ghastly accusation" regarding Square is the fact that the Illinois Department of Financial & Professional Regulation also filed C&D's in January 2013 against NetSpend, Skrill USA(aka MoneyBookers), and TouchPay Holdings. In contrast to Square, these three had applied for licenses, appeared to have been working with the IDFPR to provide requested information and somehow the process had not yet been completed. Perhaps this is not a major issue, but simply one where a governmental department is firing a warning shot to get the firms involved to bring the process to closure. Read more...
My read of the C&D in the context of the historical money transmitter exemption for merchant acquirers is that Square is in the line of fire (i) for its digital gift card program and (ii) because it allows consumers to receive payments (as opposed to merchants offering goods or services for sale). My guess is that Square can continue its pure play acquiring business for merchants, as that is a business that is typically not subject to these laws. It's the non-commercial role of individuals in this process that has attracted IL's attention. The C&D isn't really clear about that, but if this is the case as I suspect, Sq and the state of IL have outlined these parameters between themselves. Read more...
Agreed. Was merely making the point that states can and will issue these kinds of broad orders as the early days of mobile payments continue. Not saying it's right, but that it will happen regardless. Read more...

Phone Tracking And The Law: Clear Sailing

I think the idea that it is not difficult to opt out of being tracked by going to a web site and typing in your MAC address is a bit of a stretch. I'm not sure that most users can just grab their MAC addresses off their devices. Consider how much work the credit card industry has done in the past few years to get people to notice the three digits on the back of their cards (CSV#). Teaching people to learn what a new identifier is, how to find it, and what it is used for may not be as simple as you think. Read more...
I tried to opt out FROM MY iPhone. The problem was switching back and forth between the website (and the CAPTCHA) and the settings to get the MAC address. Also, there's a difference between a Nordstrom CUSTOMER opting out, and a passer by who has no idea that the data is being captured at all. How about a giant sign, "warning -- big brother is watching! To opt out, do the following...?" Read more...
You're the one who purchased and is voluntarily carrying the device that is continually spraying "I'm 12:34:56:78:90:AB" across the 2.4GHz band. You may have the device for your own convenience. It's entirely your choice to have the device and have the WiFi radio turned on. If you want to "opt out," turn off your WiFi. And your Bluetooth. And your cellphone. And remove any RFID responding devices you have from your person, including your credit and transit and door entry cards, any RFID tags sewn into your garments, and perhaps even your car keys. And if you're going that far, you might want to wear "CV dazzle" makeup to hide from all the cameras watching virtually every public space you enter. Read more...
I agree that surveillance is now ubiquitous in the public square. It doesn't make sense to ignore it. It does make sense to try to balance that with rights to privacy. I transmit my MAC address in order to obtain a signal and to log on to a service. In doing so, I do not expect to create a permanant record, available to everyone at all times of my location and movements. The logic of "you are broadcasting it so it can't be private" can apply to (and has applied to) location data as well as the contents of cordless phone conversations. IMHO, you CAN have an expectation of privacy in public spaces -- its a matter of defining its parameters. Read more...
Doesn't V/MC already market credit card data such that one retailer can see visits to various other retailers... Read more...

eBay's Day In Court: No Soup For You

So, eBay users have to follow eBay’s ever-changing, 270-page set of rules and, regardless, sell on eBay only at eBay’s pleasure. But, what about eBay following “the rules”? Or does the US Criminal Code on wire fraud and the facilitating thereof not apply to eBay? The ugly reality for consumers dealing with the clunky, unscrupulous eBay/PayPal complex. Read more...
So in other words, if eBay decides you are a risk to their continuing success and someone tips them off falsely (bearing false witness) about an honest merchant, it goes along with their perjury. Thanks for reminding me once again why I don't do business with eBay. It used to be such a friendly place, but I stopped using it in 2005 and have never looked back. As to small businesses not doing well, there are so many other online retail marketplaces to choose from. This small business person would be better off using Etsy, where supplies are not frowned upon. The listing fees are less than eBays, and the listing duration is three months, not 7 days. So, no soup for eBay. Read more...
I wonder why Genesta sued eBay rather than the competitors she believe engaged in a “sustained campaign ... to discredit [her] with eBay through unsubstantiated complaints about the authenticity of the antiques." I imagine Genesta was counseled by one who advised her to sue eBay rather than the competitors she claims libeled her, it seems to me she is suing the wrong parties, and that the CA courts are correct in dismissing her claim. Read more...
This frivolous lawsuit is still on-going, ebay has been cleared but some defendants - innocent former customers are still waiting for their case to be heard. This Plaintiff saw big dollars expecting ebay to roll over to shut her up. Now she wants the remaining defendants to offer a settlement to go away and help her pay ebays cost of defense... that's just wrong. Read more...
Without discussing the merits of Genesta's claim, or indeed why she was "booted off" eBay (or even whether it was a violation of eBay's TOS), the fact remains that an online marketplace provider is NOT required to have a TOS, not required to have an appeal process, and may ordinarily kick someone off the service for any reason (good or bad.) Whether Genesta SHOULD have been kicked off is not the issue, and the court did not consider that issue. The question is whether eBay has such market power that its decision to boot someone effectively denies them entry into the marketplace, and whether that is anticompetitive. Read more...

Nordstrom Phone-Tracking Trial Raises Customer-Theft Threat

ed
Tapping into customers wi-fi transmission not only is bad karma but totally unneccesary and not the most effective manner to get the end result. A better implementation would be augmented video analysis. There are several open source and commercial packages that can accomplish this. Take the existing recorded security camera video feed, run it through the video analytics engines that turns people into object squares like CBS "Person of Interest" and you can tag each "object" and track their activity in the store. The floor can have augmented markers (qr codes or special barcode paint on wall/column) for each departments and the video analytics can how long "objects" linger around them. Read more...
Is it better to remind people that their phones are continually broadcasting their presence by using that data commercially; or is it better to pretend that this isn't already being done? Google relies on GPS data from Android phones to measure current traffic speeds and to display them in Google Maps. People are already contributing their location data constantly without being aware of it. And all such data originates with enough information to uniquely identify the phone - although the services above assure us that the identity data is stripped prior to aggregation, that doesn't mean it doesn't exist. The only reason wireless data isn't being used for shopper tracking today is the fear of backlash. Offer someone a discount in exchange for tracking them, though, and I bet they'll let you follow them anywhere. Read more...

Windows XP End-of-Life Could Cripple PCI Compliance

Another possible solution - POSReady 2009, which we are currently investigating. Mainstream support will end April 2014, but extended support will continue to April 2019. Nothing like putting off the inevitable, but a few more years will certainly help. Read more...
This is an interesting issue, pivoting largely on the interpretation of PCI 6.1. One could argue - no new vendor patches means no missing patches therefore compliant. The truth is probably in the middle - vulnerability management, mitigating controls, and possibly the messy compensating control path. Read more...
While you mention a compensating control, and I tried to address that path in the column because it may technically be possible, actually I was doing my best to dissuade anybody from going there. I cannot see any comp control being effective. Beyond PCI DSS Requirement 6.1, another factor condemning Windows XP after April 2014 is contained in the ASV Program Guide. Read more...
POSready 2009 is based of the Windows XP SP3 codebase. It's the successor of Windows Embedded POS with was initially launched based on XP Embedded. Windows Embedded Standard 2009 ("standard" is the new name for the toolkit version of embedded, in this case based of XP Embedded SP3). Both solutions will add many years to your devices without any changes on you side. Read more...
We have no plans to move off XP after April 2014. Later Windows products do not meet our requirements. Read more...
First, Windows XP is still around because people like it! I wonder if anyone has considered Ubuntu Linx? The OS is straight forward and works extremely well and it's FREE! Well, except for the profesional online support but $250 per year no bad. Read more...
What about placing the XP POS terminals on an intranet network without any comunication or connection to internet by IPS, NAT, Firewall, etc.? They would only communicate with the main server on the intranet (running Windows 7 or 8) and only allow the main server communication to internet for needed functions like Credit Card transactions or like EDI to other main servers. Read more...
You may want to look at this article: http://storefrontbacktalk.com/securityfraud/out-of-date-os-causes-pci-violation-no-but-why-let-facts-trip-up-a-marketing-letter/ It is older but completely contradictory of this article. Change of opinion or interpretation? Either way PCI compliance doesn't clearly state one way or another. Read more...

MCX Sees ACH As Interchange Salvation. Many Chains Not So Sure

Why would customers want to sign up for yet another credit card? Why are not these systems already integrated with the rest of the retailers apps, ala Starbuck, so if you a loyal customer it is all integrated and I don’t have to hunt and peck to get it right? When I suggested that the consumer or merchant could just use Square, they shivered, and told me that were going to have a partner who can embed an NFC chip in the phone protector/case. So those that sounds useful—all in one phone cover/NFC. But wait…. you don’t get the phone, you don’t get the chip, and you don’t get the case…and you don’t get your existing credit card points!!! The consumer has to go then and get each one, and pay for it. Oh, I feel that ease of adoption, motivations slipping away away away. And that ongoing ‘up sell/side sell--fleecing sell--the model of the cell phone company. Read more...
The good, the bad, the ugly. A single, neutral, mobile payment app, such as MCX, to use at many stores is essential for the future growth of mobile payments. A single application for all consumers, driven by merchants deciding what that application is, is not the answer. Competition breeds security, excellence, innovation, and cost benefits; monopolies bring stifling mediocrity. Specifically regarding ACH, is the secret sauce really ACH, or is it interchange management? First, let’s consider would who opt-in to the MCX solution. Would a credit card user switch transactions to ACH? Doubtful. That means retailers will be converting the roughly 50 percent of customers using debit cards to some alternative payment method; three quarters of debit cards are qualified for low regulated debit rates at .05 percent and 21 cents per transaction. Read more...

Home Depot Privacy Pratfall: Spotting Web Shoppers In-Store

Multi-use tokens and what I would call repeatable tokens are two different aspects. Multi-use token simply means that a token can be used multiple times for multiple transactions, like card-on-file or express check-out. Multi-use tokes, provided they are not mathematically derived from PAN are very secure. On the other hand, repeatable token or a token mathematically derived from the PAN (hash or encryption for example), are not nearly as secure as their non-mathematically derived counterpart and if improperly implemented, can actually be fairly insecure. Multi-use and repeatable represent different aspects of tokenization. Read more...
If companies want to offer customized marketing while navigating around a backlash they need to understand where the lines is drawn for the consumer. There is a clear difference between learning about your customer and stalking them. Read more...
People who opt in sometimes aren't aware of it. Not everyone reads and scans everything in front of them. Sad, but that's how many businesses operate. Read more...
My own experience is that people are much less concerned about this type of privacy concern than they once were. More likely people expect that a store can find their old purchases, and like the extra catering to their desires and needs. Shoppers like it when they can come into the store and want a new line feeder for their weed whacker. And if they don't remember which one they need, the associate can look it up. Shoppers seems to expect that level of service. Perhaps THD should examine the use of guest shopping accounts for the same purpose though. Read more...
Apple does this as well. I bought an iPad at an Apple Store over the holidays using the payment card that I have on file with them and by the time I got home I had an email thanking me for my purchase and describing how to attach it to my existing Apple ID. I did not provide my email address or name or anything. Just the card. No idea if this is covered in the iTunes TOS or not. Read more...

Was Finish Line's New Site Disaster The Latest Cloud Casualty?

With what happened last holiday and with so many people greatly affected, I guess they will have a hard time building the credibility and gaining people's trust again. Read more...
Ed
Is this really Demandware's fault or the Finish Line CIO/CEO's fault? Why would anybody release new technology prior to their biggest activity season? The Finish Line made a risky bet and they lost. Retailers should stop the risky "just in time for the holiday season" mantra when implementing technology solutions. I've seen this over and over in Retail IT sector and they seem to end up with more eggs on their face than success stories lately. Read more...
M
Avid Finish Line (Online Shopper) & let me say first hand experience that site was absolutely horrendous...every link failed and timed out it was hellacious...The old site is just fine no need to change it. Read more...
This was a foolish move, and the fool that decided to switch from what they had to Demandware should be fired (or hire me to evaluate his next questionable decision). Even if I’m wrong about all of the above, they then had no control over their application, as their entire application is SaaS! SaaS has a habit of causing that problem. For a large B&M like FinishLine, this is an unacceptable decision. Demandware has crocs.com in its portfolio, I see — which is no doubt a bullet point that Demandware used to seal the deal, but Crocs isn’t FinishLine. Crocs is a manufacturer that dabbles in selling online. Finishline is a retailer with serious merchandising needs. Read more...
Conversion rate is driven by so many factors that it's impossible for an outsider to comment on what the problems were. Finish Line did a complete site redesign at the same time they launched a new eCommerce platform. If their design firm did a poor job with the usability of the site, that could cause conversion rate to plummet, regardless of what platform you're moving to. Calling this the problem of the SaaS infrastructure without any details of the problems doesn't make sense. Read more...
When you have a conventional E-Commerce site that's working fine, then replace it with a cloud-based site and conversion rates drop, you don't just blame site design. The site's new design didn't drive traffic away -- traffic went up slightly. It was just conversions that dropped. The fact that Finish Line didn't make the decision to simply fix the creative, but instead is taking a total of four months to assess whether the new site can be workable, suggests this isn't just the front end, but a more intractable technical problem. Read more...
No, this isn't a "Cloud Casualty." This is clearly just another example of a rushed launch. If you are re-platforming your entire e-commerce business, you should launch at least two months before the holiday season. Some pre-launch performance testing would help. It's that simple. Anyone with any decent experience at all with e-commerce platforms who doesn't have something to sell, knows I'm right. We've all been there. Read more...
After working in ecommerce for over 15 years I would bet there are several factors for this failure. But this is usually the most common. Performance usually takes a back seat to features and customizations. No one will step up and say to a retailer... you probably don't want to implement this feature because the very nature of it will kill your performance and possibly the site itself. Its a game of Quantity and not Quality. Do not implement anything until you have confidence it can perform well. Also, there are no perfect 'platforms'. I'll bet the Finish Line also has issues with their legacy system too, its just that over years of use... they are used to its shortcomings. Read more...

JCPenney's Christmas Pin Program: Channel Ping-Pong

What a ridiculous idea. Another example of a non-merchant playing games. Perhaps this was one of Johnson's kids ideas? I can hear other real retailers laughing, all the way to the bank. Read more...
JCPenney needs to get its act together fast. Very fast. I see a Diplodocus happily munching grass while the meteor is about to hit the ground. BTW: The "Apple" legal mention is probably related to the iTunes gift codes that are offered as prizes. Read more...
They need to make the site easier to find. I enter the jcp.com/christmas and it takes me to everything but. It has taken me 45 mins to find it and haven't won a darn thing. I have done a lot of shopping at Pennys and have gotten quite a few buttons but have won squat. Read more...
I have entered several codes and it keeps saying they have already been used. I just got them from the store. Read more...
I too have read the dim reviews for the past limited promotion of JC Penney on the button thing at this point it reminds me of the kid game " button, button who got the button" or was it 'button ,button who stole the button" in any case i had much trouble getting into the site and entering the code (needed a magnifying glass to see the code) which was ridiculous and not a good promotion at this time of transition ... I still have 8 buttons that i was not able to enter and I am mad. i hope I didn't win big shame on the marketing management of JC Penney. Read more...
This seems really insane. Why would you send a potential in store customer back home and to their computer. It doesn't make any sense. Read more...
Sol
I don't think this technique was a home run for JCPenny at all. Sounded like a big waste of time if you ask me. Jerry is right. Why remove the customer from the store and set them back home in front of their computers? Read more...

Sears Black Friday Confirmation Snafu: Just Check Inventory, OK?

Basic business processes are clearly missing here: 1. Realtime inventory locating across the warehouses and stores; 2. Before you offer a promotion you forecast the expected demand. And just like the police when going into tough situations, they call for backup! On hand inventory to support a special deal or integration to suppliers to check for additional stock if you run out. 3. Don’t commit to what you can't deliver--period! 4. Then save everyone money and honour your commitments, and drop ship the merchandize to the customer! Read more...
For some of these special campaigns, you also get into what should be a less tricky situation (but often isn't), namely that it might be that you are only permitting a small subset of your stock of a product to go at the super-low Black Friday price. In theory, that should be even easier to track, but it's often not. Read more...
Yes Kohls has the same issue on Black Friday the last week or so their facebook page is filled with complaints on orders being cancelled. Kohls also made a huge policy change on Kohls cash purchases returned will have NO CREDIT to the customers. Read more...
Ah, the trail of the fine point! Complex pricing methods, policies and fine print! Customers nor employees nor IT systems, it seems, can keep track of all this. Listen up retailers (or any other business): Why do things your customers HATE YOU FOR? Read more...
Ann, to answer your question (""Why do things your customers hate you for?"): Tradition. Read more...

Forget Fancy Hacking, Card-Data Theft Is Now All About PIN Pads

Does PCI DSS care about skimming at the POS? While PCI DSS itself does not have much to say about skimming at present, that situation may be changing. The PCI Security Standards Council has an information supplement for retailers in its documents library. I wish more retailers would read it. Another hopeful piece of evidence is the extensive merchant requirements -- including checking the POS devices, maintaining an inventory, etc -- in the P2PE Program Guide. I'm hoping that with PCI DSS v3 coming in 2013, we'll see changes to the standard and the SAQs to have retailers inspect their POS devices regularly just like they conduct regular vulnerability scans now. Read more...
ed
Thanks to outsourcing, most of the latest model card processing and pin pad devices are sold white label through sites like Alibaba and can be bought in markets around Ghangzhou, China. It is my understanding that in Europe, they had organized crime rings operating this same card theft using white label POS devices for years. Obviously, there needs to be a way to detect a counterfeit card processing machine and I don't know if that conversation has happened yet. Read more...
Thieves today are getting more brazen in their tactics. Because of this, it’s important that retailers remain vigilant in their efforts to keep their PIN pads secure. PIN pads should be locked down at all times. (Amazingly enough, there are still some retailers that choose not to spend the extra money on locking stands, but it’s really a small price to pay for peace of mind, in my opinion.). Make sure you know exactly who will be servicing the devices, if necessary. Did the field technician properly identify himself/herself? Did he/she have an appointment? Did he/she sign in or check in with the proper person? Online monitoring is another valuable tool for round-the-clock network security. Not only can retailers be alerted if a device comes off the network, but can take immediate action to prevent the crime from progressing. Read more...
One way to avoid POS tampering is use inventory barcode or security rfid stickers on the POS devices and scan on a regular interval. If they are using the security rfid sticker, then the security gate should sound an alarm. Read more...
Not sure how other retailers do it but we (Debenhams) have a whitelisting app that knows what PEDs are in any given store and only allows those PEDS to be attached to tills in that store so stores can't move them between stores and no PED that hadn't been previously authorised would work. Read more...

The PCI Scoping Discussion Is Over. Now It's On To SAQ Roulette

I think this is a very strict interpretation of "connected" systems. You may be right in that PCI SSC views scoping in this purist view, but this is one of the problems with PCI. SAQ-C for example, creates a catch-22 for merchants. A requirement for SAQ-C is "Use and regularly update anti-virus software." Well, to do this, the AV application must have connectivity to another "connected" system. Yes, I know, a merchant can manually copy AV definitions to removable media and manually update the CDE, but how many are really going to do this and for the few that do, how up-to-date are they really? Read more...
A related problems for retailers can be the payment equipment supplied by the bank, ISO or integrator. For example, consider a dial-up terminal/PINPad without an integrated printer. This means receipt printing on a printer attached to the POS workstation which is in turn connected to the in-store LAN and thus may/may place the entire 'typical'store network in scope - because PAN is often printed on merchant receipts during offline/SAF modes as a result of business requirements of Acquirers. Read more...
Steve, I agree my position is a strict interpretation of the PCI SSC's guidance, but that is exactly what I as a QSA am supposed to do. The same goes for merchants, too. The only position that matters is that of the PCI Council's or maybe the merchant's acquiring bank. That is, if the acquirer wants to give the merchant a pass on a particular SAQ, I would have no problem with that. Otherwise, we all have to play by the house's rules. Read more...
I agree that you, as a QSA, you must use a strict interpretation. But with this strict interpretation, I argue that in the real world, with this strict interpretation, no merchant can qualify for SAQ-C and still comply with SAQ-C. Either PCI SSC needs to relax their "connected systems" definition, or drop SAQ-C -- the latter being a boom for alternative payments. Read more...
I don't have a single customer that qualifies for the shortened SAQ any more. I think the SAQ is getting to be such a burden that businesses are making decisions to not upgrade to new equipment and technologies. This stifles business growth and inhibits moving to solutions that encourage more secure practices, as well as other benefits. For example, I regularly encounter business to business companies that say they don't store credit data because of risk. But when employees are probed, they really do store data. They have all sorts of excuses- we only hold it for 30 days and it's in a locked file drawer, etc. I've heard it all. Read more...
I disagree; this is an issue of scoping as it applies to the unencrypted cardholder data. If the data is encrypted, and the retailer does not hold any of the keys or ability to access the keys, then the data is out of scope, and therefore the system that data is on is also out of scope. Read more...
I'm a little confused as to what a "connected to connected to" might mean. Did they use specific language or did they just speak generally in language affirming that scope of assessment extends out to two degrees of separation as a rule of thumb? Was this a formal written clarification (e.g. a FAQ)? Read more...

Apple Arrest Puts Heat On Mobile Checkout Policies

ed
Mobile check-out has the same challenges as self-checkout stations by putting trust on the customer to pick from inventory,conduct the transaction and walk out the store without interaction. Most shoplifters believe they are smarter than the retail security system and the shoplifter game goal is to outsmart the retailer with the prize of the shoplifted item. It wouldn't surprise me if this was the case, which was a very expensive pair of headphones. Read more...
Good point, Ed, but as the story points out, the security issues involving mobile go beyond self-checkout security. 'Tis not the same issues in the sense that self-checkout transactions are observed in one place, by the associate managing those SCO lanes. In the Walmart story this week, the associate merely sees the shopper scan the single barcode from her phone. This robs her of the ability to notice if she deliberately does NOT scan several items. (Granted, that can be detected with in-aisle cameras, but it's much more complicated. The system--or associates--needs to notice that a specific customer is using mobile and then notice she doesn't scan certain items in certain aisles.) In the Apple Store example, a scan can happen but the process may not be properly completed--deliberately or inadvertently. None of these issues are unsolvable, but the belief that mobile self-checkout presents no security issues beyond traditional POS self-checkout is a very dangerous thought. Read more...

To Survive, Retailers Need To Kill The IT Budget And Burn The Boats

The IT budget, strictly speaking, should be limited to managing personal computers, the network and the phone system. All other initiatives, anything attributable to a revenue stream, should be paid for and largely managed by a business unit. IT has a role to play of course: assisting business stake holders with system and vendor selection, ensuring the computing environment is coherent and secure, but ultimately the money needs to flow from the business and be controlled by the business. The CIO should be the gate keeper, not the purse holder. The world is moving too fast for organizations to be held back by their own bureaucracies. Make business units accountable and in charge of their own technology purchase decisions. Read more...
I think the issue is that all CIO's are not business people but typical IT people. As someone with a business background in IT, I want to and am capable of running IT as a business. Someone who has only come up from the IT ranks probably does not. Hence, it is ever important for companies today to find an IT leader with a business background who is a broad thinker and can see the bigger picture. Read more...
Part of the reason that IT does not tend to be the best “ladder” for becoming the CIO is because we are not focusing on the right training for our middle management. There comes a time in an IT leader’s career where training changes from technical in nature, to business in nature. Young leaders need to focus on P&L management, communications, people management and learning the business inside and out. Someone who is a Powerpoint wiz, with great interviewing skills that knows a balance sheet inside and out is going to be a better fit for CIO than someone who has written millions of lines of code or virtualized a datacenter. Read more...

RIP Payment Card Industry

The beginning of the end of the payment oligopolists really started in 1999 when several large retailers finally got fed up with the twice-yearly increases in interchange and fees and started pushing back - hard. Walmart tossed the first major salvo when they sued and won a $3 billion settlement in 2003. To all my friends on the banking and processing side of the business: Look at merchants not as an "inconvenience" between you and the cardholder, but as a client with growing choices to dis-intermediate you. Read more...
Jim
Being that these are transactions going through the Discover network, won't they still be subject to interchange rates and PCI-DSS requirements? Read more...
As for PCI, yes, in theory. Interchange will apply, but at what rate? Many questions remain. For example, PayPal's Don Kingsborough was asked Wed. about whether these transactions would be considered card-present or card not present. That's a very interesting question as the card is not really present. When asked directly, he said "it depends on the kinds of transactions. More to come about this as we get closer to the launch in the second quarter." Not especially comforting, but it does signal that interchange issues are far from solidified at this point. Read more...
The infrastructure did not exist 20 years ago so the fees justified the risk. Today, the merchants can use the same infrastructure and also now have closed loop payments well tested. At a very high level I think we are going to see two types of payment groups: 1)ubiquitous, Private, Open loop and 2) relationship, value add, closed loop. Visa like vs MCX like. Some consumers will want privacy and universal use, while others will want a relationship with the merchants (and receive extra value). They will likely do both. Mobile will turbo charge the the second group. So if the MCX like offers are reloaded via the consumers bank then the credit card players of today are headed for a huge volume haircut. Read more...
Todd, I empathize with you and I'm in the processing business. But, the end of the payment brand monopoly is just a dream, or for many a nightmare. With this announcement, PayPal has simply joined the payment brand club, which includes Visa, MasterCard, Amex, and Discover. In fact the winner here is Discover as PayPal cards will have Discover numbers and of course will be subject to Discover interchange. The payment brands have a near universal monopoly on payments and it won't be changing in my lifetime or yours. Read more...
If there is enough pressure on visa/mastercard, one would think they would react by lowering fees. Let's face it, those cards are going to be around a while. Looking back to 2001, cc processing fees were .2 of sales and now stands to reach .8 of sales, as that continues to rise, you will see opportunities to make money and to create competition amongst processing fees, which should in turn reduce the cost to the retailer. Where does that pressure come from, is it discover/paypal, or is it the retailer? Think of all the money spent on transaction fees in the grocery industry, roughly $5 to $6 billion a year, there is room for grocers to put the pressure on the cc companies, but it will take communication and promotion by the retailer to the consumer. Read more...
Why in God's name don't you have a "tweet this" option for your articles? Or at least summaries... It would make a big difference. You must be heard! Read more...
Combined with the news of the MCX network these two concepts signal a turning point in payment processing and I am confident that others will surface as the market / perception matures. I've always seen PCI compliance as only a stop-gap to plug holes in the insecure and some say "broken" credit card transaction processes we're all required to use. There will be a dilution of efforts as many proposed products and standards come online, only now available due to the advancement of communications and technology. Read more...

RadioShack Rep Used Customer Data To File False Tax Returns. Why Is RadioShack Even Still Collecting SS Numbers?

Without knowing all of the details of the specific case, it seems more likely the defendant did not use previously-stored data - she simply captured what she wanted on a piece of paper on her desk as she was working with the customers to obtain the information in the first place. Thus, it isn't a "data at rest" issue - but a "data capture" issue. The best way to handle this sort of situation is to have the agent briefly transfer the customer to an IVR system when the appropriate time in the call occurs so that he/she can enter their SSN via their phone's keypad - then have the call transferred back to the live agent when this is done. It's fairly straight-forward to implement and takes the agent out of the loop on data capture. Read more...
The problem is that identity data has value. If it wasn't SSN, what would you have them ask for in order to extend credit to an unknown person? No matter what information the industry asks for, the same information can be copied and abused. The technical answer is a chip embedded in your Orwellian identity card. Is the personal cost of privacy worth the price of corporate security? Read more...
Another issue apparently overlooked regarding social security numbers is the comfort level with giving/accepting the last four digits as some holy grail over identity validation. Anyone armed with this tidbit of info can wreak havoc on both consumer and data gatekeepers. I'm surprised more attention hasn't been paid to this. Read more...

Can Amazon Cloud Be PCI Compliant? Not Likely

Isn't this whole article missing the point of PCI 12.8.x? If the merchant is using a service provider (Amazon) then all the merchant needs to do is follow 12.8.x regarding the relevant PCI controls. I'm not sure I see the issue the article purports is present. Read more...
Indeed, 12.8 applies to service providers. However, the entirety of the DSS applies to the assessed entity's cardholder data environment's applicable scope. As such, all system components which process, store, or transmit cardholder data within a defined network segment are in scope of assessment. Further, in a virtualized or cloud hosted environment, those system components which serve as a hypervisor must also be assessed. Read more...
Ted
So are you saying that you contend that cloud providers in general (AWS in this case) have most likely not assessed all components that should be considered as "in scope" to have an accruate ROC and Level 1 Service Provider attestation? Read more...
Ted, I'll let Peter speak for himself, but my read on the column was that he wasn't saying that at all. The point of the piece was not that cloud providers haven't adequately performed assessments, but that retailers using those cloud sites might not be able to sufficiently prove their own compliance. Read more...
Ted, I fully believe that each cloud provider determined to be PCI compliant as a service provider by a QSA was compliant at the point in time of the assessment and should be sufficiently maintaining their environments so as to support similar findings in future assessments. However, as many service providers such as AWS do not themselves store cardholder data, the scope of their assessment is limited. Read more...
Tom
The whole process is to establish a trust framework of service providers, merchants, and assessors, and the reduce the waste that people spend on QSA's doing things for the sake of compliance that don't provide much risk protection. Should merchants be paying QSA's to do physical walk throughs of service providers that are already validated? I don't see much value in it. Why stop at physical walk throughs and not just assess the entire service providers against all PCI controls, since the merchant is ultimately responsible? Read more...
There is security, there is risk and there is compliance. Some of these objectives can be synonymous and some are not. PCI DSS is very stringent on what is required to be divulged as the breakdown between a service provider and a merchant as part of their own assessment utilizing the service provider. The onus is on the merchant and the QSA to establish that they understand the scope of the controls being provided by the service provider vs the controls that the merchant is responsible for. Read more...

Visa Joins MasterCard In Relegating PCI To An Afterthought

like fire codes in your community, the rules come after walking through a couple of deadly fires and seeing reasons to have rules. After the first major breach that is unique to a mobile payment scheme - we will see attention from the brands. Read more...
Agreed with the other poster. Very much a reactive system. Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way. Heck, even the DNC is out there in force using these device to get contributions for the presidential campaign. How many billions... yes as in "B" are being run through that type of setup with complete disregard to compliance? It's like tax cheats... when u see all your neighbors doing it, you start to wonder why you are following the rules. Read more...
"Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way." Most of those 'dang devices' do utilise P2PE in-hardware which still remains absent from the bulk of traditional POS terminals around the world. I'd actually be happier swiping my card through one of those, given they've been designed ground-up with the view that the smartphone it's being used on is an insecure environment, than in a traditional POS or integrated environment which is anyone's guess. Read more...
You point out the apparent inconsistency with which the brands view mobile for mid-size and large retailers, versus what they allow smaller merchants to get away with (in a PCI and risk sense, anyway). Will it take a major breach to apply the standards uniformly? I really hope not. But how else can one reconcile the evidence of increased card fraud at small businesses (Verizon Data Breach Report) with easing PCI compliance requirements for some of these same merchants. Or, to put it on a more personal level (as one client of mine did), the brands have thrown her/him into the "no" business. They need to be PCI compliant, so the Security team has to say "no" when their business divisions want to use these devices. Not a lot of fun for them (or their QSA). Read more...
I disagree as to whether *any* of the devices uses "P2PE in-hardware." P2PE is just rolling out, and there are precisely zero approved devices. What's more, some of the dongles in their original version did not even encrypt the mag stripe data. We have similar issues with the payment apps themselves (none of which is PA-DSS validated). As for the underlying operating systems, I don't think anyone knows what they do with the data passing through them. Do they retain the data? Are the data cached somewhere? Read more...

So Why Is M-Commerce Struggling So Much In The U.S.?

I work for a multi-brand franchisor and having looked at Google Wallet and ISIS, we decided not to participate at this time. What I can say is that from our evaluation neither of these is ready for prime time (although to be fair ISIS is still in the gestation period and not yet launched). One very serious consideration that concerned me is that neither effort works with the iPhone. Mobile commerce / payment will come to the U.S. it is a natural evolution of the mobile space and I believe it will be a natural extension of how we use our smart phones today. The early adopters will be the younger folks and they will drive this as they have the mobile market. What it will take is simplicity, convenience, and reasonable security. Read more...
ed
The problem in the USA is we are expecting status quo payment processors to disrupt their own industry with mobile payments. I cringe everytime I see an article on mobile payments and the desire to name drop Apple, Google, ISIS and PayPal. These firms see mobile payments as a novelty and want to keep it that way. It is going to take a true independent entity with the clear goal of disruption to transform mobile payments in the USA. Read more...
Mobile commerce is becoming popular in almost every nation. USA can't be behind the race. However, it is the users who can make it popular. Mobile commerce will increase at a rate of 65 annually to reach $24 billion in 2015. (Coda Research). So, let us hope USA will take part in the growth. Read more...

"Careless" Systems Integrators Now Directly Under PCI DSS

This exact issue has been bothering me for years, and I was JUST talking about it with someone only yesterday. This may well be my favorite article, mostly because I'm biased and have hated this particular problem forever. Read more...
Good article, but how does this have anything to do with the DSS? Read more...
Actually, the QIR program has a lot to do with the DSS (or PCI). Since merchants rely on their reseller or integrator to implement their PA-DSS validated application, these resellers and system integrators play a critical role in merchants achieving and maintaining PCI compliance. As far as I can tell, the QIR program is designed to help merchants stay compliant by making sure their payment applications are installed according to the PA-DSS Implementation Guide, for example ensuring default passwords are changed (and protected), that the data encryption keys are properly set and secured, that the merchant's data retention policy is set, that no sensitive cardholder data are stored, and often that a firewall is in place and properly configured. Read more...
Although this is a great move forward in pushing the issue of highly trained people, it is also a good marketing ploy for the council. It begs the question: How much do they stand to make? The problem for this is that for people (like myself) that are just starting out their own business venture, PCI has typically charged a premium for their training and certifications. This change will likely force those of us with less capital to spin into the abyss. I have more than 15 years in the security and compliance fields with heavy hitter certs like CISSP, CRISC, and Sec+. There should not be a guide but a free test or a pre-requisite of either the PCI cert OR other heavy hitter certs. I just don't want the good guys in small places to get flushed out. Read more...
The ETA recently launched the Certified Payment Professional program, which charges $425 for non-members to take the test, assuming they meet the 'experience' requirement, to PROVE they are a professional. And they'll have to take it every 3 years. Worthy program, but high cost. Plus, only a select few were allowed to be in the first class, and there are only 4 test windows per year currently. So being on the registry simply means, you were lucky enough to get picked, nothing to do with skill level. Read more...
@Cory: Thanks for your comment and question about the pricing of the QIR training. I raised that question in a conversation with Bob Russo last week, and I will address it in a follow-up column in a few days. While the pricing is not yet set, hopefully it will not be too great a burden for you or other integrators/resellers. We'll have to see, though. Read more...

Costco Self-Checkout Trial Setback After Store Losses

Not all self checkout works this way. One self checkout vendor is designed to work this way and it leaves a gaping security problem that can create this situation. There are 3 predominant providers of self checkout in the U.S. and this represents the lowest installed base provider of the 3 and their market share continues to shrink from reports I have seen. Read more...
Editor's Note; The vendor that Mark was referencing is IBM. His point is that other systems make it easier for any weight mismatches to require associate intervention--just like with alcohol or cigarettes or any other age-restricted item--rather than a more passive flag to the customer that the item was excluded. Read more...
Another angle on the challenges with self checkout which may come to the retail scene in the next year is the tap and go/NFC smart phones. Though these are all the rage in Japan, we have yet to adopt them in the U.S.. But that will change as the new phones emerge with the chips embedded this year. And the new demographic want to use this type of technology. A large retailer told us that NFC phone customers are getting their identities stolen, even though the self check-out requires proximity-- and they do not want to take responsibility for this occurrence in their stores, on their premises. So although they like the idea self check-out they are still experimenting with various approaches. Read more...
ed
For self checkout, item-level RFID or unique barcodes plus real-time tracking appears to be the missing component. Mail delivery companies use real-time tracking of mail with a barcode and assure delivery at a certain time. The public library embed books with RFID and track them through checkout. Retailers and SCO manufacturers are going to have to accept the fact they cannot rely on UPC and really need an item-level identifier that tract that specific product as a unique item from shelving to checkout. Read more...

Visa Yanks Global Payments' PCI Compliance. Catch-22 In Full Force

So PCI compliance can not guarantee that a provider will not be breached, but a breach is inherent evidence of non-compliance? Any comment from VISA as to whether they will continue to accept ROCs prepared by Trustwave? Seems like an inconsistent position. Read more...
Thu
Global Payments reported they were working toward being in compliance with PCI, despite already being on the list. In a backwards way, they admitted they were not previously in compliance. We can't really say that a breach is inherent in these type of situations without having a full investigation report. That's one reason why MasterCard is waiting to see what forensics finds before yanking them from their list. Read more...
In the past, Visa has stated, "No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach." This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won't be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way — and interpretations among QSAs vary so much — as to make it impossible for anyone to be 100 percent compliant 100 percent of the time. Read more...
PCI, TSA, IRS - obviously none of these functions as intended or as promoted. I've said it before and I say it again, hackers are free of personnel, budget, expertise, infrastructure and time constrains. Nothing, NOTHING, is ever fully safe. Visa and its attorneys simply choose to hide behind the false sense of security of the PCI veil. Truth be known, Visa has probably been hacked. Anyone see the similarities between VISA and the wizard of OZ? Read more...
This begs the question, how does this decision by Visa affect Third Party Processors (TPA's)? Our TPA agreement has wording to the effect that we can only send CHD to PCI compliant processors and banks. Now that Visa has deemed GPS non-compliant, are we breaking our TPA agreement by allowing our customers to continue using GPS? Read more...

How About A Little Service Provider Responsibility Here, PCI-Wise?

I appreciate the one-sideness issue highlighted in this article. I also understand how card brands have a contractual link to merchants - but only rarely do with service providers. I'd find it virtually meaningless for the PCI requirement to mandate actions by the service provider, when they have no contracted responsibility to a commercial entity. That said, 12.8.4 places an obligation on the service provider to demonstrate compliance to their customer the merchant (or service provider, Acquirer etc). Is not the combination of these 2 requirements having the same outcome? Read more...
Lem
PCI is like banging your head on the wall. When you complete the SAQ, it feels good stopping. Read more...
Actually, service providers do have direct links to the card brands. For example, many have direct system connections/access points to the card networks. More importantly, all service providers validate their PCI compliance to the card brands. The brands (at least Visa and MasterCard) also post lists of compliant Level 1 Service Providers on their websites. My point was not so much about the card brands, though. I was observing that since PCI already has a number of requirements that only apply only to Service Providers and not to merchants, there is precedent for one more Service-provider-only requirement to cure the imbalance I noted. Read more...
Walt, I'd suggest that perhaps you have a limited concept of who would be considered a Service Provider under the guidelines that you've suggested. The fact is that most resellers/integrators do NOT have direct links to the card brands or the card networks. They may work with processors to board new merchants or provide support, but there is no contractual or legal obligation at all. Your comment that all service provides validate their PCI compliance is also way off base if you include resellers & integrators. The limited number of Level 1 Service Providers probably do validate their compliance, but the vast majority of resellers/integrators are not that big. Read more...

The Never-Ending Dance Of Contactless Security

ed
Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required? Read more...
Contactless card transactions are verfied online, if there is fraud the bank with take the liablity. This does not happen with checks, bills. Oh and contactless is faster than any other form of payment and you do not have to check the takings at the end of the day: so faster service and a bit more secure. Read more...
MC
To contaftless. Not completly true that the bank will take the hit for a fraudulant contactless transaction. When paying at the fuel pump with contactless, you will have a defined pre-auth limit which is set by the issuer and obtain an online auth number. Even with the issuer providing real time auth, should the customer dispute the transaction, the liability and burden of proof still lies with the retailer in most circumstances. To the issuer they claim this is a "card not present" transaction if completed out of sight of the store attendant. Add that to the fact that that a gas station forecourt allows the hiding of the necessary fraudulant transaction supporting equipment inside a vehicle, it creates the anoynmous environment that fraudsters prefer to operate under. Read more...

The PayPal Problem: Will It Impact Retailers' PCI Scope?

For the foreseeable future, retailers are not going to be transacting exclusively against PayPal accounts. Therefore, with the assumption that the payments are stored, transmitted and processed through the same systems as "regular" CHD, there will be no change in scope. Merchants will have to protect the PayPal payment information with the same rigour as PANs/CV2s/tokens, but this isn't arduous because they are doing it right now. (Or should be.) Read more...
This is the problem with the notion of the high value token wording in September's guidelines. As you rightly point out an email address, mobile no. or even a name can be considered a high value token. Yet by their very nature these are all readily available in the public domain, so I find it hard for them to be considered as a high value token. Read more...
Will Visa be including in their V.me system the additional ability for online payers to source funds via a “debit” transaction from their banking account, rather than only by a credit card transaction as has been the case in the past because of the PIN requirement for such a “debit” transaction? After all, what’s the difference between a PIN, that Visa/MasterCard already hold, and a password required to access a secure online payments gateway? Read more...
The PayPal user information is much more "high value" because it can be used across merchants to initiate transactions. If I have it or gain access to it via a merchant compromise, there is nothing to stop me from using it at another merchant. A properly designed tokenization system should have rules that prohibit tokens obtained from one merchant to be used at another merchant and/or prohibit initiating transactions unless the PAN and authentication data has been previously received by that merchant. Read more...
A big difference with PINs(at least in the debit world) is that they should only be entered into an encrypting PIN Pad. The feeling goes that if I steal a card with a valid PIN I can go to an unattended device(ATM) and pull out money w/o having to present a legitimate card to a person. I suppose you could make the same case(which you did) regarding an online transaction w/ a password. Read more...
PayPal's plan of POS attack is to entice merchants with below-cost credit and debit card processing, which is an offer no retailer will refuse. The company will subsidize its losses from the card transactions with the very high-margin profits it enjoys when its users fund the sales amount from their bank accounts. On the other hand, whether the consumers will be won over is another question altogether. If it is to stand a chance, PayPal will need to make the checkout process as uneventful as possible. As it is, the customer is asked to enter his or her cell phone number, in addition to a PIN, before the transaction can be completed. That's unnecessary and excessive. Read more...

Tokens Are Not The Same As Encryption. Honest

I agree with all your points on how the technologies differ. The only possible disagreement I have is that you are very generous in giving PCI credit for distinguishing the differences between the two technologies and scope whereas I think they caused the confusion (or at least didn't help). Read more...
I tend to disagree that tokenisation and encryption are different - indeed, I see tokenisation as a form of bespoke encryption. Many of the arguments I hear about tokenisation being different from encryption leads to concerns about the security of encryption, or that encryption can be reversed. Although it is true that encryption can be reversed with the key, I strongly dispute the arguments about the security of encryption, and personally I put much more faith in an algorithm that has undergone many decades of community research, where the security (key) can be isolated in approved hardware, than in a bespoke solution I have no visibility or independent assurance of. Read more...
"High-value tokens are those that can be used to initiate a new card transaction." Personally, I didn't understand this part of the doc. Surely that's the point of a token, so I'm assuming they mean a token that can be used independently of a 'vault' type of service to initiate and complete a transaction. Otherwise, every token would be a High Value token. Services like Square's card case where a person's name can trigger a payment, or PayPal's where an email and password trigger a card payment. In these cases a name and email would be tokens and as they are initiating a card payment could be considered a High Value token. Read more...
I disagree with you on the point you made about there being no way from a PCI scoping perspective to compare tokenization guidance to encryption clarification. The parallel that I see is not between tokenization and encryption, but between the token and the encrypted data values themselves. Semantics? Maybe, but I believe there is a significant if not subtle difference between these two statements. Read more...
How can QSA be comfortable determining if something is out of scope, if he or she does not know how the system providing that benefit explicitly works in all conditions over its lifetime, especially if its distributed and may its functionality and risk profile may change over time and can be explicitly guaranteed? A QSA takes liability for such a de-scoping claim. Only proofs of security and evidence can stand behind that something seriously lacking in most of the debate. Read more...
Tokenization is a use case of data transformation, not a specific technology. Humans have been practicing tokenization using multiple methods for centuries and claiming that one method of data transformation is the "real" tokenization and not some other way doesn't make sense. Tokenization must be reversible. Read more...
Promises of incremental sales and the ability to target loyalty have been completely worn out by endless pitches of card services, hardware, software, etc etc etc... Another watershed way of getting mobile payments introduced is to shift merchant's payment modes from higher to lower cost products. I think ISIS has started down a path that completely misses that opportunity by partnering with incumbents who have zero interest in reducing merchant payment costs. Read more...

Want To Push Social Media? Have You Considered Using Your Stores?

What about if the retailer is in a shared space (e.g., a food court in a mall or college campus) where there may be limited space and possibly limited flexibility (e.g., power, comms, lease restrictions)? Or in airports, where I see more and more retailers. Would your recommendations hold for those locations, too? By coincidence, I was at a conference this week and sat next to the person charged with building brand awareness for a national food chain on college campuses -- and therefore with the student demographic -- nationwide. After reading your piece, I was wondering, would your recommendations would hold for them? As for airports, I could see one school of thought that says customers don't live there, so get them in and out. But I also could see where the particulars of this demographic could be sufficiently compelling to want to reach out. Read more...
I agree that there are even deeper levels of engagement that you absolutely could drive in the store (I love the idea of floating coupons by the way). I think what is most important is using the store to start a conversation that could be then continued online (rather than always trying to start a conversation online that culminates with a sale in the store). Read more...
I think the statement "Then there is the small fact that the retail operator doesn’t feed his family based upon how well his customers are engaged online" speaks loads. Read more...

Publix Buy-Online-Pick-Up-In-Store Trial Nixed: Grocery Shoppers Are Different

Your take on the customer's view is right, however I wonder whether supermarkets can go a _long_ way towards resolving it with easy, quick refunds? My partner unpacked our home-delivered fruit and veg box last week, and discovered bruised fruit. Took a picture, emailed the company, and within 10 minutes had a refund. Happy customer all round - the company cares, etc. This requires very careful thinking on the merchant's part about how to invest in this area of customer service. However, since it is equally easy for my partner's picture of bruised oranges to be uploaded to a social media site as it is to email the company, the downsides for NOT doing this are quite large. Read more...
What about the other non tangible benefits of shopping at the grocery store - it gets you out of the house and you get to interact with the staff. for many people this might be there only "human contact" in a day, or at least human contact that doesnt come with the stresses associated with family/work colleagues/customers. And of course, there is the primeval "hunting and gathering food" aspect. Read more...
ed
The last poster hit it head on - there is a primal "hunter" instinct of us humans preventing the buy groceries online model to take off. Food, clothing and shelter are the three things we humans go out and scavenge for and that is in our primal instinct. It appears the next logical step is to focus on items that do not interfere with our primal instincts such as prepackaged food or personal hygiene. Read more...

StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.