Evan Schuman's StorefrontBacktalk

This lesson has been reinforced at least three times in the past few weeks in separate PCI Security Standards Council (PCI SSC) guidance documents. One question is whether merchants—particularly small and midsize merchants—will ever hear this advice. As a QSA, PCI Columnist Walter Conway occasionally gets the impression that clients might not spend more time researching their next smartphone, laptop or sailboat than they do reviewing service provider contracts and service-level agreements (SLA). It is particularly important for merchants to realize the source of the advice. It comes not from the PCI SSC staff but from active PCI practitioners with first-hand experience. Read more...

Is it a better program (other than the strange halving of the time for a return)? Absolutely. Will it likely reduce Best Buy sales lost to showrooming? Yes. Will it eliminate all showrooming losses? Of course not. And the fact that Best Buy is trying to argue it will is mind-boggling.Read more...

Linda Genesta was a long-time eBay seller. For 18 years, beginning in 1999, she sold what she described as "high-end, high-quality, imported authentic European and American antique and vintage textiles, fabrics, pillows and trims," Everything was fine until July 2008, when eBay allegedly removed Genesta's items from the marketplace, alleging "unspecified 'misrepresentations'" in violation of its Terms of Service. As a result, Genesta says, she is effectively "out of business."Read more...

Electronic shelf tags have gone pretty much nowhere in recent years, but U.K. department store chain John Lewis is doing an interesting trial at one of its newest stores. The Exeter location, which the 39-store chain uses as a testbed for new technologies, has put in hundreds of e-paper shelf tags that will display both prices and QR codes that customers can scan to get offers and product information. John Lewis is calling this an omnichannel test, the idea being that if customers are going to have their phones out in the store, shelf tags are a good thing for them to scan.

True, there’s nothing in that part of the trial that couldn’t be done with paper tags, and that is part of what’s so interesting: Unlike a more traditional electronic shelf tag, customers won’t necessarily notice that these tags are electronic. That makes them less distracting and possibly less likely to be stolen, both of which have been problems with electronic tags in the past. In-store technology that all but hides the fact that it’s new technology sounds strange, but if it finally gets easy-to-update electronic tags on shelves—and maybe eventually into John Lewis’ 290-store Waitrose grocery chain—so much the better.…

Security rules are wonderful things, and nowhere are they more needed than in retail and payment-card data. But a common criticism of the organization handling such matters—the PCI Council—is that it delivers security edicts in a vacuum, with minimal regard to how different types of merchants function in the so-called real world. Such critics were given three golden examples this month. The examples, in the areas of cloud guidance, P2PE validations and Windows XP end of life, illustrate the types of collisions that are inevitable when committees seeking ideal security approaches run into chains with razor-thin margins (or losses), workforce reductions and store closings. Put more bluntly, it’s the age-old battle of the ideal versus the pragmatic.

This is explored in StorefrontBacktalk‘s February monthly column in Retail Week, the U.K.’s largest retail publication. The column lives here at Retail Week. For those who don’t have a Retail Week subscription—shame on you!—here’s a copy at StorefrontBacktalk. You can also check out all of our recent Retail Week columns here.…

One gem tells retailers they need to "obtain the details of the CPS's [cloud service provider's] compliance validation." This is the first official guidance that tells merchants to go beyond asking for the attestation of compliance (AOC). The guidance suggests merchants review "The Executive Summary and Scope of Work sections" of the CSP's report on compliance (ROC) and the "specific components, facilities, and services that were assessed." Securing a copy of the current AOC for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP's assessment, which is not sufficiently detailed in the AOC. The SIG recognized this situation explicitly with its recommendation.Read more...

Short answer: apparently so. And with digital content a potential CRM goldmine, more chains may soon start selling digital books, movies, music and audio books—which could get very sticky, for both customers and retailers.Read more...

In private clouds, retailers can demand unlimited data about their environments; shared cloud providers, meanwhile, simply cannot reveal information about other cloud residents. That very well may mean shared cloud vendors will simply not be able to provide enough information for a retailer to become PCI compliant. Does the council then ban shared clouds—as some have expected—or impose requirements on retailers that they may be unable to fulfill? The guidelines—which are not edicts from the council (yet) but, indeed, are solely guidelines—fairly describe the various types of cloud offerings, from the private cloud to the various shared options: community cloud; public cloud; and hybrid cloud. Although acknowledging that retailers may have limited control of the environment and the information in a cloud model, the council still places demands on the information gathered for PCI compliance.Read more...

That's right. Seven months after the standards were released and nearly two full years from its initial announcements on the matter, the PCI SSC has yet to validate a single P2PE vendor that can offer the promised scope reductions and a simplified SAQ to merchants. Why? Well, quite frankly, pens GuestView Columnist J. David Oder, because the council designed the wrong standard.Read more...

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information.Read more...

Unfortunately, what this API currently does is pretty primitive: It accepts a prescription number and then reports back to the app that it has (or hasn't) successfully requested a refill. Just the fact that there's an API is a big step forward, because it means Walgreens can extend that API without breaking any apps that use it.Read more...

Such changes are especially likely because the court did not impose any restrictions on how retailers can use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting fraud. The ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location. The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court's Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.Read more...

That's all in line with Amazon's recent delay-and-get-concessions approach to sales taxes. But the point of the exercise was always to give Amazon more flexibility when it comes to delivery—and with 16 states now potential locations for Amazon DCs, it may already have almost everything it needs. Amazon's deal-cutting days may be almost over.Read more...

On April 8, 2014, about 14 short months from now, Windows XP will reach the end of its life as an operating system. That means that starting on April 9, 2014, Microsoft will no longer market, support or provide regular security patches for that operating system. Retailers with POS or other payment systems running on Windows XP after this date will, therefore, no longer be PCI compliant. Read more...

A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don’t give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of smartphone users surveyed have used PayPal, six times as many as runner-up Google Wallet) was something we’ve heard often enough: 47 percent say they’re concerned about “security/safety/theft/loss of phone” with digital wallets. To its credit, the ComScore report on the survey does point out that consumers don’t seem to understand the added security that digital wallets provide. (A real surprise: 29 percent say they have no mobile-wallet concerns.)

But we never see surveys that ask consumers “What concerns, if any, do you have about using a plastic credit or debit card to make purchases?” What percentage would say they’re worried about losing the card or having their wallet stolen? Without

that, we don’t know if a question about mobile wallets means anything at all. If most consumers do fret about the risk of a stolen magstripe card but use it anyway, that’s clearly not what’s holding back mobile payments. Our theory: Consumers don’t actually care about security at all. Now will somebody please deliver numbers to prove us wrong?…

On Thursday (Jan. 31), Amazon was down for about 49 minutes, which is certainly a notable event. One cyberthief group tweeted responsibility, claiming "we used a 7kbotnet running hoic 100 threads each. 80servers in botnet and a 16gbps booter." Does it make much of a difference whether the outage was caused by an internal IT screw-up, an unexpectedly huge number of shoppers looking at a specific sale or an outside malicious group? Absolutely.Read more...

But of much greater significance is the digital domino effect. In this case, JCPenney was building its in-aisle checkout on the premise that it had item-level RFID fully in place. And if remodeled stores have dramatically scaled back the number of cashwraps (because customers would be doing in-aisle checkout), does that mean all those customers will have to line up for the limited number of cashwraps? That's not going to be pretty—presuming JCPenney can actually get enough returning customers to make it a problem.Read more...

For retailers, says PCI Columnist Walter Conway, this means applications that may still be secure won't necessarily be supported by vendors. Much worse, this situation could create a huge backlog of applications to be evaluated by PA-QSAs and then approved by the PCI Council. That process will take weeks, and quite possibly months, to work through. Retailers should note that this will be happening barely one month before Black Friday. Fear not, though. All of these problems can be averted if software vendors all act quickly, well ahead of deadline. (Editor's Note: In other words, we're all doomed.)Read more...

This power consolidation happened when Thomas L. Cole retired as chief administrative officer following a 41-year career at Macy's (and companies that Macy's acquired). That gave Macy's the ability to promote Robert B. "RB" Harrison from EVP for omnichannel strategy to his new chief role. "Among his duties, Tom has been responsible for systems and logistics for many years. As Tom's duties were re-assigned, it was decided that systems and logistics fit best under R.B. Harrison, given the increasing omnichannel nature of our business," said Jim Sluzewski, Macy's SVP of corporate communications. "In that process, R.B. was promoted to a chief and he joined the company's executive committee. Tom's retirement was the trigger point."Read more...

But it does raise the question of why the app doesn't deliver the type of true integration that it promises. Why not enable movie tickets to be purchased—without leaving Siri—and charged to the user's iTunes account?Read more...

The chain denied any fakery, but the real shock is that JCPenney bothered. Customers don't care about the Manufacturer's Spurious Retail Price. They care whether JCPenney's price is lower than Macy's or Kohl's, and they can get that information online. Why isn't JCPenney doing the same thing? Read more...

The essence of the London case is that Google and Apple made privacy promises that are being broken. That fact may make it more of a contract law and a deceptive trade practices claim than a criminal case. And even that is dicey, because the news release from the first plaintiff to file a suit indicates it's less a matter of Google or Apple lying than it is about the companies being vague. But all of that is an issue for the lawyers at Google and maybe Apple. How does this make retailers' lives miserable? Quite easily.Read more...

"Soverain argues that obviousness of all of the claims in suit is negated by the favorable market response that was achieved by Open Market's Transact product, which Soverain states received 'widespread recognition in the general media,' 'an excellence award from the industry' and was 'widely licensed.'" Sounds good. So it would appear that the wide licensing meant Soverain had a lot of fans, right? The Appellate judges' written decision continued: "Newegg responds with evidence that the Transact system was abandoned by its developers and almost all of its original users. Newegg points out that licenses were taken to avoid the costs of litigation, and not to use the flawed Transact system embodied in its software."Read more...

What was different this time, though, is that members were more candid in explaining why they have the goals they do, even if they were not especially forthcoming in how they plan on achieving those goals. The group, for example, re-stressed its intent that data from one chain will not be shared with another chain. Jay Culotta, the treasurer at regional convenience chain Wawa, said many of the mobile vendors say they are not—today—planning on sharing data, but they refuse to say what will happen down the road. "It's not a forever situation," Culotta said, adding that the temptations for leveraging such data will likely be overwhelming. "It's unclear what their business case would be without monetizing that data."Read more...

Home Depot's use of the card-matching procedure is not that unusual among major chains, but the norm is for the effort to be kept internal, to help improve general marketing. It was Home Depot's reaching out to customers that made some of them realize what was going on. And therein lies the problem.Read more...