Evan Schuman's StorefrontBacktalk

A retailer could, for example, validate compliance against the outgoing version 1.2 of the DSS in the fourth quarter of 2010 and use that same version again in the fourth quarter of 2011, just beating its retirement date, writes PCI Columnist Walt Conway. The implication is that such a retailer would not have to validate against the new version until the fourth quarter of 2012. This quirk of timing is more of a curiosity than a flaw resulting from the extended lifecycle. Conway doesn’t think anyone would recommend this strategy and, as a QSA, he argues very strongly that retailers--for their own sake--comply with the latest version of PCI as soon as possible. Read more...

Todd Ablowitz, president of the Double Diamond Group and one of the more interesting payment experts in the U.S. (for us, "interesting" is someone who thinks a well-balanced presentation is where all audience members are pissed-off equally), has been sitting with lobbyists and studying the Durbin bill, currently scheduled to go before a House-Senate conference committee on Thursday (June 24). His conclusion, with a little bit of mildly tortured logic: The bill will strongly incentivize banks to accelerate their acceptance of Chip-and-PIN in the U.S.Read more...

Interestingly enough, different sets of federal employees (FTC investigators, Justice Department and U.S. Attorney prosecutors, and three different federal judges) looking at this case from very different vantage points all arrived at roughly the same figure: 20 years, for both the crime's victim and its perpetrator. And who says the law doesn't have a sense of humor—and of the absurd.Read more...

Arguably the biggest stumbling block for the acceptance of any of the mobile-device-to-barcode/tag efforts (Near-Field Communication [NFC], 2D barcodes, Microsoft’s Tag Reader) has been the shortage of any phone manufacturers shipping units with any of these capabilities natively. Nokia has now become the first manufacturer to agree to include NFC chips in its phones, as of next year.

A report in PaymentsSource has Nokia saying that the phones will support the Single Wire Protocol and MicroSD cards. “With the Single Wire Protocol, a wire connects the NFC chip to a mobile phone’s SIM card, which is used to identify a subscriber on the carrier’s network. MicroSD is a memory card used in mobile phones and digital cameras,” the piece said. Nokia has been using the chipped-phones in some aggressive trials in India, but shipping all phones with it is a key move. The story also pointed to an unmet expectation that Apple might have been the first to ship NFC-ready phones. “Many observers had speculated Apple’s new iPhone would contain an NFC chip, but that was not the case when it was revealed June 7. It was a mild surprise because Apple had been filing patents for different NFC uses, including using an NFC-enabled phone to interact with an ATM.”…

For those who are arguing that Chip-and-PIN represents the gold standard in card security, there was a cold splash of reality this week. Four fraudsters from London were sentenced to jail for their parts in a nine-month string of thefts that netted almost $1.1 million by tampering with Chip-and-PIN card readers at gas stations. According to a BBC report, the group burned a small hole in the back of each reader and then inserted a memory device and BlueTooth reader that allowed it to capture information and then clone customers’ cards.

One gas station owner saw business drop by 47 percent once customers realized money was being taken from their accounts after visiting the station. The gang’s 29-year-old leader, software engineer Theogenes De Montford, was arrested with information from 35,000 cards on his laptop–7,000 of them from a single gas station.…

The first allows consumers to easily impersonate other users—and thereby access their rewards, which means the stores are not attracting the consumer they wanted to attract—and the second defeats users' efforts to go into a confidential mod,e where their whereabouts are not supposed to be distributed.Read more...

This kiosk is in place at quite a few wine stores across the country. It is part of a trend by fermented grape sellers who are leaning more heavily on kiosks in a wide range of ways, such as determining who is too drunk to buy more alcohol. But these Enomatic machines go much farther, with a device that actually prepares and serves food or drink.Read more...

But therein lies a delicious Catch-22: Once consumers use a technology four or five times, they typically master it and can then proceed effortlessly. The first one or two times, of course, will likely be rough.Read more...

POS equipment, including PEDs, can last a long time. Older stores or POS locations that have not been upgraded may still have equipment that increases the risk of a data compromise. Therefore, retailers with locations or equipment over eight years old should check each of their PEDs against the currently approved lists.Read more...

Starting this week, each StorefrontBacktalk article has two new features. First, in response to many reader requests, we have now added a print function for each article. Just click on the Print icon (right across from the article’s date) to generate a web page formatted for printing, without page breaks, sidebars or reader comments.

Second, we now automatically add a URL to any content that you copy and paste from an article. Yes, it’s a feature: Instead of copying an entire article to send to someone, now you can copy just the most relevant part and paste it into a message; the URL for the full article is included at no extra charge. Tipping, of course, is always encouraged.…

"I wonder when people will realize that mobile devices communicate via, ummm, radio?" asked the IT exec. "And that microwave radio signals (which GPS, mobile phones and microwave ovens all use) don‘t transit solid surfaces, especially conductive ones like metal mall roofs, all that well? And that carriers make no promises relative to in-building coverage (and virtually no promises relative to out-of-building coverage)? And the U.S. government makes no promises at all relative to GPS signal penetration or even availability?"Read more...

Most of the software packages on the Bad Apps list come from conventional commercial software vendors. If there's a problem with their applications--specifically, if those apps keep sensitive authentication data after a transaction has been authorized--the vendors are usually quick to create a new version or a patch that solves the problem. Result: Only older versions of the software contain the security problem that makes PCI unhappy. And next to the bad version of the app is a note listing the later versions that don't have the problem.Read more...

Visa routinely compiles a list of applications that, it believes, store sensitive authentication data after a payment has been authorized. Many app versions on this "Bad Apps" list are outdated and no longer being sold. But that doesn't mean they are not lying around in hidden corners of quite a few major—and some not-so-major—retail chains.Read more...

Outsourcing is a great way to get into a new technology, because someone else has already made the investment, built the infrastructure and collected the necessary expertise. As a retailer, you don't have to reinvent that particular wheel?just pick the right outsourcer for the job. But you can't assume that the outsourcing deal will last forever, or even that you can trust it just to keep doing what you need.Read more...

This effort replaced an earlier rewards program where cardholders were given 10 percent off, but the savings could only be used for a subsequent shopping trip. In short, when the discounts were cut in half—from 10 percent to five percent—purchases sharply increased. That's how powerful a difference there exists in consumers' minds between "give it to me now" and "give it to me later."Read more...

His advice to retailers: If an application is not on the list, don't even include it in an RFP.Read more...

This payment might be made to the handset manufacturer, but more likely it would go toward a pre-arranged credit or debit card. Let's take this approach one step further. Why not buy from Wal-Mart a Wal-Mart phone—or from McDonald's a McDonald's phone—that allows one-click purchases for anything at all? The consumer would then receive a monthly bill with everything itemized. That's one way to get around interchange and to build some wonderfully deep CRM databases—with lots of your rivals' sales—at the same time.Read more...

When someone sends someone else a gift card, why not first send an E-mail alerting the recipient to the card's imminent arrival and have that E-mail include a password to activate the card after it arrives?Read more...

But which of several approaches each chain will use has yet to be determined, according to the CEO of the vendor (Shopkick) providing the software.Read more...

But what Sam's Club discovered is that it quickly became its own direct revenue stream.Read more...

The new PTS specs become effective in one year (May 2011). Although you can buy currently validated equipment up until that time, why would you? If you are looking at a terminal (think kiosk, gasoline pump, vending machine) that combines several individual components, you'll want to check each component (including software) against the Council's list, noting version numbers. Walt also suggests getting something in writing from the seller that indicates every component associated with the PED has been assessed by a PCI PTS lab and is compliant.Read more...

Then customers, who are used to the niceties of that sales associate interaction or the tactile feedback from inside a high-end clothing store, show no interest and developers are baffled. That's where a bunch of Amazon Kindle developers find themselves today.Read more...

On Tuesday (May 25), MasterCard announced it plans to release Open APIs so developers “will be able to create a new wave of E-Commerce and mobile payment applications.” The only problem: Why would it? MasterCard officials spoke of the power of M-Commerce and E-Commerce platforms, but failed to explain why an Open API approach would help. Unlike PayPal and Apple, where developers have expressed strong interest in creating their own apps to sit atop those platforms, there is little such enthusiasm surrounding Visa and, given its smaller marketshare, even less for MasterCard.

It’s hard to look at this MasterCard statement and not envision Mark Twain’s Tom Sawyer whitewashing his fence by tricking every other kid in the neighborhood into doing the hard work for him, while he made the money. Tom gave them the tools and let them finish the job. To paraphrase MasterCard’s current tagline: There are some things money can’t buy. But custom apps and marketshare ain’t among them. Use that plastic and pay for your own development. Don’t see the development community whitewashing your fence for you this time.…

The exact number of retailers in Level 1 was 360 chains in the figures released this week, which is the exact same number that Visa reported last month. Last month's report covered activity through Dec. 31, 2009, and this week's figures are current as of March 31, 2010. Those results suggest that four of last year’s compliant chains no longer are, bringing the number of non-PCI-compliant major chains up to about 18.Read more...

Visa has given ExxonMobil branded retailers an extension from July 1, 2010, until Dec. 31, 2010, to update their EPOS systems. This change is a big part of the perception problem with PCI enforcement. Deadline exceptions need to be rare. But when they happen, they should be announced by the card brands—not via a leaked letter—along with the specific reasons for the extension.Read more...