Security / Fraud


Tesco Really Doesn’t Like NFC

April 26th, 2013
Near field communication (NFC) is retail's whipping boy these days, with almost every analyst and vendor going out of their way to point out how poorly it's done and how bleak the NFC future is. And although deep shopper apathy about NFC has justified many of those critiques, major chains—wanting to keep their options open—have hesitated to attack NFC outright. That's why a blistering critique from the world's third-largest chain, Tesco, is so potentially devastating.

"NFC was revolutionary 10 years ago but I think it just might have passed its sell-by date," Lyndon Lee (Tesco Enterprise Consultant Architect) told attendees at a mobile payments conference in London this week, according to a report in NFC World. "Is mobile NFC at the right place, at the right time? I don't see any real movement or activity. NFC usability is not really revolutionary and, for the general public, is it really that cool? I think the next generation won't think it's cool enough for them and they won't use it. Mobile NFC is unappealing."

The Legal Risks Of External Surveillance

April 25th, 2013
The cooperation of retailers like Lord & Taylor in the Boston bombing investigation proved to be invaluable and provided the most important clues to catching the two terrorism suspects. But retailers should be wary about using that incident as an invitation to increase the amount of surveillance that they conduct both inside and outside of their stores. Video surveillance, although a very powerful tool for certain things, can lead to loss of customer confidence, and even to liability, writes legal columnist Mark Rasch.

In the United States, it is generally presumed that the use of video surveillance technology in non-"private" places ("private" as in bathrooms and changing rooms) is perfectly legal. Unlike audio surveillance, which is regulated by federal and state law, there appears to be little regulation of video surveillance technologies. Retailers regularly employ them for loss prevention purposes, inventory management, and to defend themselves in liability lawsuits such as workers' compensation claims or "slip and fall" claims by customers. Video surveillance technology can also be useful in tracking customer behavior and traffic patterns; footfall analysis; to evaluate the effectiveness of advertising or displays; and even to evaluate the gender, age and behavior of customers.

Data Breach At Gunpoint: Kmart Armed Robber Gets Pharmacy Files

April 23rd, 2013
It is IT's worst nightmare: What if an armed violent criminal hits the store and empties the safe and, perhaps unintentionally, takes our unencrypted data backup? It happened to Kmart at its store in Little Rock, Ark., according to a statement parent company Sears issued Monday (April 22). The statement, which came more than a month after the March 17 armed robbery, was forced by rules from the Health Insurance Portability and Accountability Act (HIPAA). At 8:55 PM, some 55 minutes after the store had closed, the intruder confronted the store's assistant manager, who had just closed the store for the night, when he went into the parking lot to get to his car.

The thief stabbed the assistant manager's car's front driver side tire, presumably so that the assistant manager would be occupied when the thief pointed a silver gun at him and ordered him to open the store and to then open the safe, according to the police report. The thief helped himself to the contents, including about $6,000 in cash and that day's backup disk. The disk, which was unencrypted and apparently not password-protected, included the full names, addresses, dates of birth, prescription numbers, prescribers, insurance cardholder IDs and drug names for some 788 customers, according to Sears.

Amazon Issued Patent To Make Mobile Purchases Anonymous

April 19th, 2013
When Amazon was awarded a patent this week to allow for anonymous online purchases—anonymous from shopper to shopper, not anonymous to Amazon—it could be the world's largest e-tailer taking its next step into payments. The actual money part of the payments is still to be handled through the same means Amazon uses today—payment card, bank account debits, gift cards, Amazon Store Card, etc.—so it's not about Amazon becoming a processor. What it does, though, is add a layer on top to allow consumer-to-consumer transactions to be done without sharing private information with strangers. (Or, much worse than strangers, relatives.)

When this approach would make sense depends on the nature of the transaction. If the purchase involves the seller sending a physical product to the recipient, the recipient has little choice but to reveal name and street address. But for digital purposes, it could work well. And it might even work with physical shipments, assuming the recipient uses a post office box or some similar alternative.

New FTC Geolocation Ruling Will Force Retail Data Changes

April 18th, 2013
On Monday (April 15), the U.S. Federal Trade Commission (FTC) cut a deal with some manufacturers whereby they agreed not to include "phone home" software, which would tell the leasing company the address of the computer or other device without the express consent of the lessee. The retail bottom line: All of those apps you're using to gather shopper information may now legally require very specific notices. That, plus the always-feared opt-out for gathering any geolocation data. Uh-oh.

The FTC consent decree involves shoppers who lease computer equipment and other devices equipped with GPS tracking or other tracking software, pens legal columnist Mark Rasch. If a consumer fails to make a scheduled payment, or if they default on the terms of the contract, the leasing company would activate the software, which could do things like turn on the cameras on the computer, capture keystrokes on the computer, or use either Internet protocol or GPS tracking to determine the exact location of the computer. In this way, the retailer would be able to engage in a form of "electronic repossession" of the device, either shutting it down completely or sending someone in to actually physically retrieve the device.


Boston Bomber Caught On Lord & Taylor LP Camera?

April 17th, 2013
Loss Prevention security video from a Boston Lord & Taylor located across the street from where two bombs had detonated near the Boston Marathon finish line on Monday (April 17) captured footage of someone leaving the bag with the bomb in position. This is far from the first time retail security video has been used to help solve a crime that does not directly involve that retailer, but it might go down as one of the most historic.

The bombing, which killed three people and injured 176 others, was one of the more devastating terrorist attacks in the U.S. The footage from a surveillance camera at Lord & Taylor "has provided clear video of the area," but law enforcement officials were initially vague about what was captured, according to The Boston Globe. "The camera from Lord & Taylor is the best source of video so far," said Dot Joyce, a spokeswoman for Boston Mayor Thomas M. Menino.


As Many As 2.4 Million Card Numbers Stolen in Breach at Regional Grocery Chain Schnuck’s

April 17th, 2013
Who says regional chains can't compete with the big boys? On Sunday (April 14), the 100-store Schnuck Markets grocery chain revealed more details about the breach it reported in March, and the numbers are impressive: 79 stores breached, with as many as 2.4 million payment card numbers potentially stolen over a four-month period. That puts it in the same class as breaches in recent years at Barnes & Noble, Michaels, Aldi and Hancock Fabrics stores.

But unlike those attacks, Schnuck's said its PINpads were not tampered with—the attack was apparently done entirely through malware implanted somehow on Schnuck's payment-related systems. An even more troubling revelation: The breach activity seems to have begun on Dec. 1, less than a month after the chain's QSA validated its systems as PCI DSS compliant.


For The First Time, Amazon’s March Traffic Is Higher Than December. Figuring Out What That Means, Though, Is A Lot Trickier

April 17th, 2013
For years, it's been a given that major e-tailers see December as their most active month, and that's certainly been the case for Amazon (NASDAQ:AMZN). Until now, apparently. New figures from Comscore show March 2013 as Amazon's highest traffic month ever.

The significance of Amazon having its highest month ever is minimal, as the world's largest e-commerce site has repeatedly broken its own record, as its traffic has grown over time. But the fact that Amazon saw more traffic in March—a traditional ho-hum traffic month—than December is noteworthy. To be fair, the Comscore figures show that March only barely beat December (105.3 million unique visitors for March 2013 versus 104.8 million for December 2012), but that marks the first time March has even come close. March 2012 saw 90.2 million versus December 2011's 97.4 million, and March 2011 had 61.5 million compared with December 2010 at 76.7 million, according to Comscore figures.


The Hannaford Data Breach Case Lives On. Lawyers Ask For Judge To Reverse Himself

April 12th, 2013
Lawyers for consumers affected by a huge data breach involving the Hannaford grocery chain have asked a federal judge to reverse himself and to allow a class-action lawsuit against the grocer to proceed. In a twist, the attorneys are asking that any awarded money be given to the bank officials, who would then—in theory—distribute it to victim consumers.

Attorneys wrote to U.S. District Court Judge D. Brock Hornby that the Hannaford case allows for banks to be paid directly. "This can all be done without disclosure of the actual identity of any bank customer. It is hard to imagine that a card-issuing bank would not cooperate in a process that would provide cash benefits to its customers," the filing said. No, it's really not at all hard to imagine the likes of Chase Manhattan and Fifth Third not being at all cooperative with a new and untested method.


Lawyers To Interchange Judge: Tell Our Clients To Shut Up

April 10th, 2013
All those noisy complaints about the interchange settlement are apparently having an effect. A federal judge will hear arguments today (April 11) to decide whether some retailer groups can continue to blast away at the proposed class-action settlement on websites designed to convince retailers to opt out of it. And it's the lawyers representing those groups who are trying to shut them up.

On March 29, lawyers officially representing the class—that's merchants who have accepted Visa and MasterCard payments since 2004, which means virtually all retailers—complained to U.S. District Judge John Gleeson about the websites set up by the National Association of Convenience Stores (NACS) and the National Grocers Association. Such sites as MerchantsObject.com offer both arguments against the settlement and tools to let merchants automatically send opt-out letters to the court, so they won't be covered by the settlement.


Macy’s Thief Exploits Courtesy Hole

April 9th, 2013
Macy's has a courtesy policy in which if any Macy's card shoppers come into a Macy's and do not have their cards with them, they can still charge items to the card by inputting their Social Security number and showing the associate a government ID. It was precisely that policy that created a hole for an Indiana man to crawl through, charging thousands of dollars worth of merchandise to various Macy's customers.

The precise methodology of the accused thief, Mark A. Douglas, is not clear, but he apparently created a list of Macy's account holders and then used various techniques to learn their Social Security numbers. Making the false identifications—with the real shopper's name and a picture of Douglas—seems to have been the easy part. Although sophisticated cyberthief techniques could have been used to create that list of Macy's cardholders, it might also have been done as easily as standing near a Macy's cashier and listening.


Care About Issues Beyond IT?

April 6th, 2013

One of the results of StorefrontBacktalk's being acquired back in December is that we are going to be expanding into coverage that goes beyond Retail IT into other areas of retail. The first example of this launched last week and is a daily newsletter and site called FierceRetail.

The site applies the same kind of perspective, analysis and bad jokes that StorefrontBacktalk has always delivered, but we can now explore issues way beyond IT. Consider our coverage of an unorthodox Apple patent, the reasoning behind the Sears Portrait shutdown, why Target's Manatee mishap is a lot worse than it looked, Samsung's real retail strategy, why Best Buy and Target's Geek Squad alliance was doomed and stats showing Visa having all-but-cornered the debit market. It's all free, of course. If you'd like to sign up, our latest thoughts will be in your Inbox early each morning.


Retail Employee Theft Databases Riddled With Inaccuracies

April 5th, 2013
On paper, it sounds like a great idea. Create a database of retail employees who are accused of theft and have its contents freely shared with other retailers. Two problems: One, what if the information is flawed, if employees who "confessed" actually argued that they were innocent, and what if this information is being used to deny people jobs? And two, what if it's depriving retailers of honest, falsely accused, talented retail associates?

There are quite a few reasons for the lack of accuracy in these databases. First, loss prevention officers are not there to establish the truth as much as they are there to protect the store brand and the store itself. If no police charges are filed and an associate is simply fired, there can often be an attitude that there's no reason to take a chance once an accusation has been made. Conducting a true investigation is time-consuming, and although some LP officers—especially those with a law enforcement background—have the training to conduct one, few can justify the time.


A Breached Chain Needs To Remember Its Shoppers Are Victims, Too

April 4th, 2013
When a cyberthief breaks into a retailer’s network and steals data and payment card specs, the retailer absolutely is a victim. But many chains tend to think of themselves as the only victim, an attitude that manifests itself in various ways when talking with their customers who are also victims. Just because a shopper’s monetary losses are being covered by zero liability doesn’t make them feel less violated and, therefore, feel any less like a victim, pens legal columnist Mark Rasch.

When setting policies and when talking with shoppers after a breach, communicating the message that the retailer is the only victim may prove to be self-fulfilling, as you'll quite likely be an imminent victim of lost revenue and thrown-away loyalty. When a crime has been committed, attitude and empathy go a long way — and they are among the hardest things for many chains to deliver.


Macy’s Wrongly Priced Necklace: The Problem That Was Never Supposed To Be Possible In-Store

April 3rd, 2013
A strange recent incident involving Macy's (NYSE:M), an impressively—and unintentionally—marked-down necklace and a POS system is noteworthy not merely because of what happened, but where it happened: namely, in-store. The recent Macy's print ad certainly spoke the truth. It described as a "super buy" a $1,500 diamond-silver-and-14-karat-gold necklace on sale for $47. It was indeed a super buy — and it was also a major mistake. But Macy's didn't catch its own mistake for some time, until well after quite a few customers made good on the purchases in-store.

The $1,500 necklace was indeed supposed to be marked down, but only to $479, not $47. Things like this happen online with annoying frequency. But in-store? This raises several questions: Macy's described the error as "a mistake [that] was made in a recent Macy's advertisement," according to Holly Thomas, a Macy's VP for national media relations. Was that mistake replicated in the pricing database, accessible through POS? If the wrong price existed only in the print ad, what happened with the checks-and-balances that are supposed to exist in-store? When an associate did a scan and saw $479, didn't a $47 ad activate any alarm bells? No one thought to check with a supervisor?


It’s OK To Pay Cash. Really.

April 2nd, 2013

In an interesting small piece out of Washington, it was noted that U.S. Supreme Court Chief Justice John Roberts had been hit by a credit card breach. It happens. What made this piece interesting is that the Chief Justice was apparently overheard telling his Starbucks barista and his local D.C. barber about the breach, by way of explaining why he wasn’t using his usual credit card.

Our initial reaction was, "How times have changed. It wasn't that long ago that coffee and haircut payments were almost always done in cash. It's certainly interesting that he felt the need to explain and justify his greenback move." But it could have been for other reasons. By the way, clearly, the Chief Justice doesn't use a Starbucks card or Starbucks' mobile app. (Just saying.) Could the judge of judges have been trying to let people know that data breaches are widespread and that no one is safe, that if the Chief Justice can get hit, anyone can? Or maybe these were simply longtime associates and he would have felt the need to explain any change in behavior? (Seems the Chief Justice still has a little pull, as he told those colleagues that the suspect apparently attacked from Kentucky, which is more than most breach victims are told.)


Why The SAQs Will Change This Year

April 1st, 2013
October is likely to see significantly revised Self-Assessment Questionnaires (SAQs) from the PCI Council. Few merchants will be more surprised than those E-Commerce merchants who have outsourced their card processing. Effective with PCI DSS version 3.0, many E-Commerce merchants will learn that their Web servers are in scope for PCI compliance and that SAQ A got a bit longer and a bit more complicated, writes PCI Columnist Walter Conway.

These merchants typically use the simplest SAQ, SAQ A. They also always (in Walt's experience) consider their Web server out of their PCI scope, because that server does not "store, process, or transmit" cardholder data. Instead, the server redirects the user to a PCI-compliant third-party service provider that processes the card transaction for the merchant. The conclusion is understandable. An E-Commerce merchant's SAQ A addresses a very small subset of PCI DSS. It includes parts of only two requirements: physical security of backups and paper records that may contain cardholder data; and managing the PCI service provider. Processing is outsourced, and it is outsourced to a PCI-compliant service provider. What could be simpler? Oh, and we should add: What could be more wrong than that conclusion?


Supreme Court: Yes, You Can Resell Products You Bought Overseas

March 28th, 2013
On Tuesday (March 19), the U.S. Supreme Court ruled that merchants can purchase products intended for distribution outside the United States and then import those products into the United States for resale without violating copyright law. That's a blow against manufacturers, who wanted to use copyright law as a way of keeping out those cheaper versions of their products, writes Legal Columnist Mark Rasch.

Manufacturers have long been using copyright law, which is intended to protect certain types of expression, to prevent this practice. The Supreme Court said no.


MasterCard’s Retail Data Grab: Forget PayPal, It’s About Chains

March 26th, 2013
MasterCard (NYSE:MA) wants your customer data. That's the bottom line when it comes to the new fee that the number-two card brand will start slapping on PayPal, Google (NASDAQ:GOOG) and other digital wallet operators in June. It's not really about digital wallets, which represent a tiny fraction of big chains' transactions. MasterCard just wants to put pressure on anyone who might keep customer data out of the hands of itself and its issuing banks.

Wait—isn't losing control of CRM data the biggest reason chains aren't wild about digital wallets in the first place? Wasn't everyone worried that Google might somehow share transaction data with a chain's competitors? Apparently, that fear was well-founded—just misplaced. It turns out the people who will do anything to grab CRM data are the card brands and issuers.


With Starbucks’ Grocery CRM Plan, It Had To Get Clever About Fraud

March 26th, 2013
When Starbucks (NASDAQ:SBUX) announced Wednesday (March 20) it would spread its CRM program to grocery stores that sell its bagged coffee, it wasn't merely an industry first. It was Starbucks' attempt to track shopper activity beyond the limits of the chain's stores, site and mobile app—as if CRM deployments aren't already complex enough.

Given that its program would deliver expensive value in the form of free food and drink at its stores, the first priority of the rollout was to try and discourage fraud. And that involved some creative packaging and identification mechanisms. And a choice to exclude mobile from the launch.


PCI DSS: The Next Generation

March 25th, 2013
PCI DSS is going through a generational change. That change has nothing to do with the upcoming release of PCI DSS version 3.0 this fall, pens PCI Columnist Walter Conway. Instead, the generational change is in the security professionals he works with every day, the people who are managing their organizations' PCI compliance. Most of these professionals are very qualified, but they are new to their job and often also new to PCI.

One result of this generational change is that Walt is being asked some of the same questions he was asked five or more years ago. The questions range from whether pre-authorization data is in scope (treat it like it is) to the feasibility of E-mailing card data (a seriously bad idea) to what constitutes effective network segmentation (think "air gap"). Fresh perspectives are always welcome, so the implications of this generational change for merchants and QSAs alike are generally positive. But with new compliance staff and assessors come fresh challenges and approaches that can impact every merchant and service provider.


Walmart Protects Cyberthief Privacy While Choosing To Not Prosecute

March 21st, 2013
When Legal Columnist Mark Rasch's wife had her credit card stolen, it was used to make bogus purchases from Walmart (NYSE:WMT). Walmart not only chose to not prosecute—typical when the fraud falls below a threshold that thieves know very well—but it went out of its way to protect the privacy of the thief.

"All that is necessary for evil to triumph is for good men to do nothing." So said Sir Edmund Burke. But the phrase could equally apply to merchants, and their failure to adequately and aggressively investigate and prosecute online payment-card fraud. Rather than aggressively going after these carders, most retailers consider such losses a "cost of doing business." Where does that leave the honest shopper? From the shopper's perspective, whose back is Walmart seeming to protect more?


Amazon’s Secret Weapon May Be A Mystery To Amazon, Too

March 20th, 2013
Is Amazon Marketplace really the E-tail giant's "secret weapon"? That's reportedly how a Walmart (NYSE:WMT) executive described it at a top-management meeting in February. Amazon (NASDAQ:AMZN) itself may not hold its collection of third-party sellers in quite such high esteem—especially since March 15, when two of them launched a class-action lawsuit complaining that Amazon routinely holds up payments it owes to the sellers.

In fact, Amazon Marketplace now brings in almost 12 percent of Amazon's retail revenues. But it also represents more than 40 percent of the goods sold on Amazon's site, which makes the Marketplace merchants both competition and a huge market-research pool for Amazon—and, potentially, a legal time bomb.


NeimanMarcus.com’s Fake Faux-Fur Fiasco Draws A Real 20-Year Consent Agreement

March 20th, 2013
In what is probably a sign of the real-vs.-fake end times, Neiman Marcus agreed on Tuesday (March 19) to stop labeling real fur as "faux fur." According to a very real FTC complaint, between October 2009 and November 2012, the luxury chain's NeimanMarcus.com and BergdorfGoodman.com websites sold a Burberry jacket, a Stuart Weitzman shoe and an Alice + Olivia Kyah coat described on the sites as trimmed with faux fur, when actually the trimming was real fur.

Part of the reason Neiman Marcus got into trouble here is that it started selling the fake faux fur products less than six months after settling a previous FTC fake faux fur investigation. But the bigger problem may be the fact that physical stores have human beings who can catch some of these labeling problems before they become a federal case. Online stores don't.


Federal Appellate Panel Backs Walmart On Obscenity Case, But It Was One Malice Claim From Going In The Opposite Direction

March 20th, 2013
A federal appellate panel on March 15 backed Walmart (NYSE:WMT), ruling that the chain had no need to train employees on when they should or shouldn't call police after seeing customer photographs. The test case involved a couple who had their children taken away for a month, until a judge saw the actual photographs and the results of an examination of the children and then ordered the children to be returned to their parents and no charges filed.

The decision from the U.S. Court of Appeals for the Ninth Circuit also flagged to retailers their Achilles heel in such cases, pointing out that the parents' case fell apart when they didn't allege that the store associates had not acted in good faith. In other words, had there been evidence that the associates acted maliciously, things might have gone very differently for Walmart. The parents certainly wouldn't have had difficulty establishing harm that resulted from the associate's actions.
