Top Stories



Sam’s Club’s Wi-Fi Effort A Dangerous–Although Inevitable–Move

August 12th, 2010
When Wal-Mart's Sam's Club announced Tuesday (August 10) that it planned to have all of its U.S. locations support Wi-Fi for customers by November 2010, it was just the latest in a long line of retail conversions to consumer Wi-Fi. Such moves, although designed to improve the customer experience in-store, have the potential for actually causing the opposite impact.

But if Wi-Fi becomes popular, its in-store speeds could quickly slow to 9,600-baud analog modem level. Indeed, if Wi-Fi becomes popular, it could quickly become very unpopular. Customers will be annoyed because their smartphones won't work well. And Wal-Mart won't be happy because none of those annoyed customers will buy an Internet TV that looks lousy when it's demonstrated.


Web Browser Private Modes A Little Leaky

August 12th, 2010
In Web browsers, privacy isn't all it's cracked up to be. A university study released Wednesday (August 11) says the "privacy mode" available in the Internet Explorer, Firefox, Chrome and Safari Web browsers isn't as secure from prying eyes as users might hope. All four browsers can leak information to some degree, ranging from leaving traces in a PC's memory to displaying cookies when in private mode, according to a report from the research teams at Stanford and Carnegie Mellon.

The study also points to an interesting project by the Electronic Frontier Foundation (EFF) called Panopticlick, which tries to uniquely identify a user through information the Web browser can't hide, such as screen resolution, plug-ins, time zone and fonts. The EFF claims it can use that information to identify a browser returning to the site 99 percent of the time, even if it's in private mode. Fortunately, that still doesn't expose more information than a cookie.


I Wonder If My Card Issuer Has A ROC?

August 11th, 2010
The PCI Council's Frequently Asked Questions (FAQ) #5391 states that "PCI-DSS applies to any entity that stores, processes or transmits cardholder data and any such entity is expected to comply with PCI-DSS, including issuers." Because that is the case, PCI Columnist Walt Conway wonders if his card issuer has validated its compliance with a Report on Compliance (ROC) prepared by a QSA. In addition to being retailers or service providers, everyone reading this column is a cardholder, so we all have a stake in this issue.

Conway wants to make it clear, though, that he does not believe card issuers should be ordered to validate PCI compliance. Rather, he believes issuers should voluntarily validate their compliance. And they should do it for three reasons: It is smart; it probably won't be that difficult; and, most importantly, it is the right thing to do.


Franchise IT: Trying To Not Knock Over The House Of Cards

August 5th, 2010
Implementing retail technology in a franchise environment can be like building a house of cards. Each franchisee is likely to be slightly different than the next or have a slightly different requirement or slightly different existing technology. Although each of these variances may be small and seemingly unimportant when viewed alone, the more variances there are--and the longer they remain outside the standard--the more unstable the foundation of the "house" becomes.

But, argues Franchisee Columnist Todd Michaud, this situation gets even more challenging because the person who had the implementation role before you could have stacked the deck against you. It is much easier to say "yes" to a request for something different than it is to say "no." In most cases, these requests will genuinely move the business in the right direction. But that's a double whammy: It means your predecessor may have created a field of variance landmines that you must painfully discover on your own.


RFID: Combining Low Read Rates With Cyberthief-Friendly Long-Distance Accessibility

August 5th, 2010

Among the more fascinating tidbits to come out of the Black Hat/Defcon show in Las Vegas last week was a demonstration that an RFID tag could be read from 217 feet away. The tester used two large antennas and ham radio equipment, Dark Reading reported.

But retailers have been discovering the ability to monitor RFID at very long distances for years. That’s the irony of RFID. How can something with such low read-rates at a distance of two inches—when you absolutely need it to be read—also be readable by a corporate spy across the parking lot? Admit it: Technology (and cats, by the way) not so secretly wants us all to fail.…

Do We Have To Sneak Audit Site Hosts Now?

August 5th, 2010
For retail IT directors, the end of American Eagle Outfitters' 8-day E-Commerce collapse just marks the start of a new fear: that they'll have to begin dispatching staffers to do sneak inspections of outsourcers. Will they need to burn precious staff time in unannounced audits, looking over the shoulders of service providers to make sure those techs are doing their jobs?

Will they eventually have to turn to a whole new class of outsourcers who do nothing but check up on the big outsourced teams? And who will watch those watchers?

Or is this an overreaction to a disastrous but highly unusual event? A wholesale failure like the American Eagle debacle is big news because it's so rare. Datacenter disasters happen. There's no way to bring the risk to zero. And beyond making sure good practices are being followed, returns diminish quickly--you can suddenly find you're spending a lot of money to prevent something that almost never happens.

iPhone Payment Peril: Mobile Mayhem Omen?

August 5th, 2010
The iPhone retains everything typed into it through its onscreen keyboard, including payment-card data, for as long as a year. And that penchant for holding onto payment-card data is only the latest in a long line of mobile data catastrophes that are slowly materializing as mobile deployments start in earnest. Many apps are simply sloppy about the security of sensitive data. Last week (July 27), Citigroup admitted its iPhone mobile banking app stored account numbers and passcodes on the phone. We're just beginning to understand how little we know about mobile phones and how much more data they retain than we expect.

PCI guidelines and a whole slew of privacy laws are based on the assumption that a retailer might do something bad to expose payment-card data to a thief. A retailer's logical response in a case like this: "I didn't do it. The phone's operating system did." But that defense might not hold up if the retailer was aware of the problem and did nothing to avoid it. Further complicating the situation is the fact that there are ways to keep sensitive information out of the keyboard cache. Apple, however, is likely to bounce any app from its iTunes Store that uses such a workaround.

AT&T And Verizon In A Mobile Payment Alliance. Yeah, That’ll Last

August 5th, 2010
With word spreading rapidly of a mobile contactless payment alliance between AT&T and Verizon--with T-Mobile thrown in, pretty much so that the first two carriers have someone to complain to about each other--the analysis generally has leaned to this being groundbreaking. In reality, this grouping is not likely to last long, nor will it make much of an impact while the companies stick it out. The alliance does bring together some key players in an attempt to challenge Visa and other card brands. But this deal has all the markings of something that five executives sketched out--five people who will never get within 5,000 yards of the conference rooms where the hard details will be worked out.

Please don't get me wrong. Mobile payment is a huge issue and some major players will need to jump in, but retail is the key. More precisely, retailers are the key. The issue of mobile payments comes down to sharing revenue, and it will require lots of trust. Now there's a word not typically associated with AT&T. Asking retailers "Who do you trust more, Visa or AT&T?" is like giving parents of 3-year-old twins a babysitting choice of Jeffrey Dahmer, Idi Amin or Osama bin Laden.

Best Buy’s Mobile Oath: Do No Privacy Harm

August 5th, 2010
In a sign of the times, when Best Buy officially introduced its new mobile application on Tuesday (August 3), the key point being touted was not the app's capabilities, convenience or free price. It was that the nature of the app is such that it doesn't violate privacy.

The app itself—which is also due to be released shortly by Macy's, among other chains—comes from a vendor called Shopkick. Its approach involves devices in the store broadcasting a constant audible signal announcing that store's identification number, but nothing else. That sound—theoretically undetectable by humans—would be picked up by any mobile phones in the store, assuming those phones have the Best Buy mobile app launched.

PCI Level 1 Merchant Compliance Up Slightly

August 4th, 2010

The latest PCI-DSS compliance stats for the U.S. released by Visa on Monday (August 2) show a tiny increase in the compliance rate for Level 1 retailers since the last report, from 95 percent to 96 percent. The increase, though, may be a statistical anomaly: The number of merchants in that category dropped from 360–where it had been for the last two reports–down to 358. If one of those retailers was non-compliant, that might explain the difference right there.

Level 2 also saw a one-percent increase, from 94 percent–where that group had been for the last couple of reports–to 95 percent. The compliance stats for Levels 3 and 4 were again not reported, beyond the vague level of “moderate.”…

Are Data Backups Unintentionally Expanding Your PCI Scope?

August 4th, 2010
Are your automated backup systems expanding your PCI scope? Almost everyone agrees that backing up your important data is a smart thing to do. Except, that is, when it's not. The problem starts when your sensitive data seeps into places you don't expect.

Your backup systems then unintentionally spread cardholder data to locations you don't suspect and expand your PCI scope in the process, pens PCI Columnist Walt Conway. Should you be concerned? Walt thinks you should be, and he's not the only one--the PCI Council thinks retailers might have a problem, too.

Oracle Backup Failure Major Factor In American Eagle 8-Day Crash

July 30th, 2010
It seems a failure in an Oracle backup utility coupled with the failure of IBM hosting managers to detect it and to verify that a disaster recovery site was operational were the key factors in turning a standard site outage at American Eagle Outfitters into an 8-day-long disaster, according to an IT source involved in the probe.

The initial problem was pretty much along the lines of what StorefrontBacktalk reported on Thursday (July 29), which was a series of server failures. But the problems with two of the biggest names in retail tech--IBM and Oracle--are what made this situation balloon into a nightmare.

Wal-Mart’s Item-Level Strategy: Better That Tags Should Be Thrown Out Than Dealt With

July 29th, 2010
When Wal-Mart this week confirmed it has been quietly testing item-level RFID in two Arkansas stores for several months—along with plans to "incrementally roll out [item-level RFID] throughout the chain"—it raised quite a few eyebrows because of the way it's being done. The company is initially only tagging denim jeans, socks and underwear (let's try and ignore the fact that a radio transmitter inside a guy's boxers is nothing shy of creepy), and it's leaving the tags active until customers opt to throw them away.

The reality is that Wal-Mart's gradual deployment makes a lot of sense. The media-repeated cries of privacy invasion are simply silly, based on ludicrously unrealistic assumptions of how easy this data would be to access, assuming anyone had any reason to even try. The most interesting part of the rollout, though, is the tag disposal question.

Double-Check Your PCI Service Provider Contract

July 28th, 2010
Have you read your contracts with all your PCI service providers lately? These are the third parties that store, process or transmit cardholder data for you. PCI Columnist Walter Conway thinks you should check your contracts to know whether your service providers are doing all they can to help you become PCI compliant. He is specifically thinking about one particular PCI Requirement.

That Requirement is 12.8.2, which states that merchants need to "maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess." Some disappointing service providers seem to treat this requirement as an annoying inconvenience. They either pretend it does not exist or isn't their problem. The result is that you, the retailer, are caught in the lurch.

Information Supply Chain, What It Is And Why You Need To Start Talking About It

July 27th, 2010
Make no mistake, the number-one challenge IT teams will be faced with over the next five years is helping their business partners extract meaningful information from the yottabytes of data being shoved into their archives. And when Franchisee Columnist Todd Michaud uses the term "meaningful information," he defines it as information used to create action.

We are at the dawn of an age where great companies will figure out how to successfully combine operational, marketing, customer service and social media data sources into systems and tools that enable the business. These firms need to clearly define their Information Supply Chain. Companies that don't figure it out will be left out in the cold.

WPA2 Broken Again And, This Time, No Patch

July 21st, 2010

Wireless security is broken—again. And this time, it’s WPA2, the WiFi security protocol that meets PCI-DSS requirements. Attendees at next week’s Black Hat and Defcon security conferences in Las Vegas will hear how it’s practical to break into a WPA2-encrypted network without brute-force encryption cracking. The only requirement: The attacker must be an authorized user of the network. According to the researchers from AirTight Networks who unearthed the problem, a malicious insider can simply send spoofed packets encrypted using the shared group key directly to other users on the WiFi network, tricking them into redirecting their data to the insider.

Unfortunately, that makes the "Hole196" attack—named for the page where the vulnerability is specified in the IEEE 802.11 standard—difficult to detect and almost impossible to defend against. In fact, the researchers don't have a fix for WPA2—and they don't believe there is one. The only defense may be to start layering other security measures, such as VPNs, under the WiFi protocol. That's fine for laptops running WiFi. But it's likely to be a challenge to implement on scanners, card readers and other wireless devices that retailers commonly use.…

Target Blocked, SSL Certs Blamed

July 21st, 2010
On Wednesday (July 21), Target's gift-card site started the day virtually off-limits to its customers, courtesy of a "This Connection is Untrusted" warning due to an expired security certificate. Target may be the most recent example of retailers inadvertently letting their certificates expire, but it's far from alone. Such lapses are becoming an almost weekly E-tail occurrence.

The problem is easy enough to fall into, which is the real issue. The nature of the certificates forces them to have strict expiration dates, which means that a 2- or 3-year-old certificate is likely to expire on the watch of someone other than the person who initially arranged for it.

Sears’ $1.1 Million Wrong-Price Penalty: No Simple Tech Fix

July 21st, 2010
Sears and its Kmart subsidiary on Monday (July 19) agreed to write a $1.1 million check to various California law enforcement agencies to settle charges that the company repeatedly charged consumers much higher prices than advertised. Officials said the overcharges appeared to be human error--as opposed to a technology glitch. But the overcharges happened so often and in so many locations that they seemed to be systematic.

The frustration for other retailers trying to avoid Sears' fate is that technology can only go so far and that without extraordinary vigilance, pricing errors are almost unavoidable. A relatively tiny number of chains in the U.S. have toyed with electronic shelf label (ESL) packages—including TJX, Wal-Mart, Albertson's, BJ's Wholesale, Costco, Kohl's, Pathmark, A&P, Whole Foods, Waldbaum and Kmart itself—but few have been deployed in a meaningful way.

Is A Rewritable Mag-Stripe The Answer To Cloned Cards?

July 21st, 2010
The security worlds of bankers and retailers (ATMs and POSes/card swipes) have as much in common as they have differences. But some security work the Bank of New Zealand is doing--its version is called Liquid Encryption Number (LEN)--may hold a clue for the best way to combat cloned payment cards.

The idea, which isn't especially new in security circles, has LEN rewriting "the data on a valid mag-stripe whenever a customer completes a transaction," thereby making cloned card attempts somewhat pointless.

PCI Compliance: An Updated Version Of The Newlywed Game

July 21st, 2010
Franchisee Columnist Todd Michaud has a little game he likes to play when meeting QSAs. It's called "Is It Compliant?" In this game he provides the QSAs with a fairly common situation in his restaurants and asks them to tell him if they think it is compliant or not. It doesn't matter if these QSAs are under contract (paid) or if he just bumped into them at an industry event. They could be doing a full audit or an assessment, providing paid-for advice or shooting the bull over a beer.

To date, Michaud has not received three answers in a row that match. He encourages StorefrontBacktalk readers to play his game at home. Find a few different QSAs and ask them some tough questions. Here are some fun ones to get you started.

PCI Self-Assessment Questionnaires Need Some Major Updates

July 21st, 2010
While the PCI Council debates changes for their self-assessment questionnaires, PCI Columnist Walter Conway has listed some sorely needed changes. For example, how about SAQ A requiring that service providers be not merely PCI compliant, but certified as a Level 1 Service Provider.

Or requiring these merchants to have vulnerability scans to prevent the bad guys from hijacking their customers. Or how about addressing mail order/telephone order (MOTO) transactions and requiring that you cannot do MOTO and still qualify for SAQ A.

Retailers Need To Defend Themselves In Colorado

July 19th, 2010
Corporate identity thieves are getting more ambitious by the month. In June, the FTC shut down a crime ring that created bogus companies with names that sounded similar to legitimate businesses, then opened merchant accounts to steal money from compromised payment-card accounts.

Now the state of Colorado is warning that its official business-registration records are being changed by crooks who then use the forged data to get lines of credit and steal from other businesses.

Retailers Need To Protect Themselves From Lying Vendors

July 14th, 2010
PCI Columnist Walter Conway is not a boxing fan, but he wants retailers to remember the fight referee's opening instruction: "Remember to protect yourself at all times." Why? Because, he is discovering that the number of vendors lying about PCI is soaring.

"I guess I could be diplomatic and say these vendors just don't understand what PCI requires, but it is a bit late for that. PCI has been in effect for several years, so ignorance is no longer an excuse. That train has left the station," he penned. "Any vendor that can't properly describe how its application or service will impact a merchant's PCI scope or compliance is--in this QSA's opinion--simply not telling the truth." Do we have examples? Oh, yes!

Visa To Acquirers: Stop Forcing PAN Retention

July 14th, 2010
Visa on Wednesday (July 14) sent a direct message to acquiring banks: Stop making retailers retain credit card information unless you want to stop servicing Visa. A key Visa security executive (Eduardo Perez, the head of global payment system security) said the brand is now merely "strongly encouraging [acquirers] to not require" retailers to store PANs but, by September, that might become an official edict.

This is an unusual twist in the ongoing saga of Visa versus the retailers. Merchant groups for years have begged for retailers to not be forced to retain PAN data and Visa typically has responded, "We don't require that." But Visa has now, for the first time publicly, conceded that many acquirers have indeed been requiring such data.

Enough With The PCI Finger Pointing Already

July 12th, 2010
When it comes to PCI compliance, Franchisee Columnist Todd Michaud is sick and tired of everyone pointing fingers at someone else. Nobody wants to be in the line of fire when (not "if") a breach happens. As a result, they spend most of their energy trying to figure out how to avoid liability rather than actually addressing the problem.

The majority of credit card breaches in 2009 were with Level 4 Merchants (under a million Visa transactions). Very few of these small merchants understand PCI compliance. Even fewer are actually compliant. Only a handful of small merchants are actually secure (at least relatively). Everyone in the payments ecosystem knows it is a huge problem, the 800-pound gorilla in the room. But no one has an answer.
