Evan Schuman's StorefrontBacktalk

Andrew Jamieson, security laboratories manager for Underwriters Laboratories Transaction Security in Australia and a noted follower of PCI PIN procedures, said the new rule is actually a wise move. "The purpose of this document is to define the scope of the approval of the device, such that it is very clear what scenarios and environments the device is approved for use in. Conversely, which situations the use of the device steps outside of its approval, therefore negating its PCI PTS compliance," Jamieson said.Read more...

An online publication of Consumer Reports magazine, the Consumerist, has taken the lead in this coverage, and Rakuten's shopper victims have created their own site, much to the presumed non-delite of Rakuten. The site's called simply Rakuten Fraud. What's worse than having a security hole on your site on the eve of a major rollout impacting lots of customers? How about being unable to figure out where the hole is? Bernard Luthi, the COO of Rakuten.com, has become the public face of this breach and is arguing that there's little his team can do until they can somehow replicate or trace the source of these breaches.Read more...

The argument really comes to a simple choice: scrolling versus clicking. The argument for clicking is that it makes for a cleaner and shorter page and that all of the additional detail is there, but it's not cluttering up the page until the shopper wants to see it. There might be a link for technical specs, but those numbers will only appear when it's clicked on. No need to distract the reader who doesn't care about those specs. The argument for scrolling (or using a lot of the PageDown button) is user apathy or lack-of-awareness. If the shopper truly thinks the product is complicated, that shopper would have no interest in clicking the demo button. But if that really-simple demo just autoplays, it might persuade the exact shoppers who would have never been likely to click. The other key part of this debate is shopper desires/expectations.Read more...

Something these banks seem to miss is that merchants pay them for risk management. Issuers want to just sit back and collect all the free-flowing money that magically appears, forgetting that some of it actually requires them to work. Also, what are the real costs to the issuer? Key word here, "real" costs, not "inflated for a profit." Let's see: $2 for the plastic, $1 mailer, $1 postage, a generous $4 for labor and overhead. That works out to $8 total and these numbers are grossly padded. So why do I see reports by issuers claiming $25-75 "cost" to replace a card? Can you say exaggerated?Read more...

What does this mean for retailers? Retailers collect, store, collate, share and use a great deal of personal information and personally identifiable information. Whether through PCI terminals, CRM databases, loyalty programs, surveillance cameras, credit checks or credit reports, website and e-commerce operations or marketing activities, they have a lot of personal information. They also share it with people that they never consider in their privacy policies. For example, they may state that they share information with vendors and suppliers to deliver goods and services. But what about lawyers, accountants, auditors, regulators, consultants and others? And how will those parties use the information? How will they protect it?Read more...

Let's be clear: None of that uncertainty was Blum's fault. The decision to rip out 500 legacy systems and replace them with Oracle came from Johnson and former COO Michael Kramer. Kramer was the exec who ripped into the chain's culture and called its systems and IT infrastructure "a mess" last year. Blum's job was to retire systems, streamline processes and push forward into Oracle—and she reportedly managed to do that without creating nearly as many enemies as some of Johnson and Kramer's executive hires.Read more...

The interesting background to these trials is that Target—as its name implies—has always been precisely focused. These trials, as the CFO pointed out, are the chain admitting that many fundamental shopper assumptions may no longer be valid. "We spent 50 years honing, moving products one direction to our supply chain and ultimately to the back door of the store. Then through the front door and trying to do that as quickly as possible. Now we're moving product different directions depending on what our guest wants and for us, we need to learn how to operationalize that," Mulligan said.Read more...

In practical terms, that's not exactly falling off a cliff. But loyalty programs have been growing at a rate that means memberships would double every decade. If your CRM plans were based on needing the processing power to handle all those extra members' data, it's time to adjust those plans.Read more...

PCI DSS Requirement 11.3 has a lot of detail on when retailers need to conduct pen tests. It recommends, for example, "at least annually and after any significant changes to the environment." In practice, this means retailers need to perform and/or re-perform pen testing after such events as upgrading their operating system, adding a sub-network to the Cardholder Data Environment (CDE), or even adding a Web server to the CDE. However, the requirement does not specify details on what the pen test should cover other than it should include "network-layer" and "application-layer" testing, pens PCI columnist Walt Conway.Read more...

Visa has now reacted, arguing to a federal judge that Genesco's complaint should be dismissed for three reasons. First, Visa said that Genesco cited the wrong California state law, one that cannot be used in cases where there is a contract dispute. Second, Genesco didn't claim sufficient facts to make its case. The third Visa argument was that one claim—that Visa had made fraudulent statements—wasn't valid as the statements didn't influence "consumers or the public," nor did even Genesco rely on them. (It's an interesting defense: Our lies didn't harm anyone because nobody ever believes us anyway. For the record, of course, Visa hasn't conceded that it lied, arguing that the law in question only envisioned lies that deceived the public.)Read more...

Even though nobody alleges that Walmart got the patron drunk, the idea is that Walmart was in a position to know about the potential harm and could have stopped it. Here’s where technology makes things messy. Once the drunk is tossed out of the Walmart, there’s a good argument that Walmart’s duty to third parties ends. Unfortunately, Walmart has installed and routinely monitors parking lot cameras. That's where data creates legal duty.Read more...

That goes far beyond the original lawsuit, which only covered default interchange rules, honor-all-cards rules and anti-steering rules. If the case went to trial and lost every claim, that would still just lock in the card brands' control of interchange and card-acceptance rules. But the proposed settlement would go far beyond that—extending to block any challenge to PCI and breach penalties.Read more...

But a recent case with Neiman Marcus takes these retail defenses to the next level. When Neiman Marcus received its letter, the retailer didn't respond. It sued immediately, even before knowing the name of whom it was suing. And as if to underscore how big a mess this all is, the day Neiman Marcus sued that patent troll, an unrelated patent troll sued Neiman Marcus.Read more...

But Saks, according to Citi, is only deploying one iPad for every three associates. That suggests some 66 percent of associates either won't have a tablet to help their customers or they will have to awkwardly borrow one from another associate. But one associate can't borrow a tablet from another associate who is working with a customer, so an idle associate will have to be located. On a busy Saturday afternoon, that could be almost impossible. Does Saks really want some of its associates to have tablet-powered capabilities while others do not? Will some shoppers be at a disadvantage? Wasn't the whole point of tablets that their pricepoint is such that it's economical for every floor associate to have one while they are actively working the floor?Read more...

On Wednesday (May

29) morning, we ran into a strange error on Target.com (NYSE:TGT) that seemed to be more accusing of the retailer’s shoppers than it probably intended. The problem was a big one, namely that products marked to be purchased were not showing up in the shopping cart. When we clicked New Guest, it delivered this delightfully phrased text-only Internal Server Error: “The server encountered an internal error or misconfiguration and was unable to complete your request. Please contact the server administrator (no address given) and inform them of the time the error occurred, and anything you might have done that may have caused the error. More information about this error may be available in the server error log.”

Beyond the obvious that this is not an error message a retailer wants to show its shoppers—who hopefully don’t have access to its server error logs—the best part is the “anything you might have done that may have caused the error” line. Love how the system just assumes it’s the shopper’s fault. This is like a bank that automatically responds to any error with a form to the teller that asks, “OK, what the —- did you do this time?!” (The glitch seemed to go away about an hour after we first detected it.)…

Your friends here at StorefrontBacktalk editorial also now publish a daily retail site, called FierceRetail, and wanted to give you a sense of what you’re missing by not visiting or grabbing its free newsletter. Urban Outfitters discovers that it can get away with charging more online than in-store. See? Sometimes conventional wisdom is conventionally wrong.

A look into how federal judges are likely to force changes in how price anchors are set in-store plus some questions about whether Sears is thinking about becoming members-only. Was Best Buy’s Facebook promo a victim of its own great deal—and some we-should-have-seen-this-coming rip-off artists? We also threw in our take on Walmart’s $82 million hazardous waste settlement, where Walmart spoke of mouthwash and hairspray and the feds said they were pesticides. (You say tomato, I say Molotov cocktail…) All of that—and dozens more stories—and that was just this week. And Monday was a holiday! Drop by and check it out. It’s free and the snacks all have zero calories. (That may be because they don’t exist.)…

The idea, which Thomas made a passing reference to during a keynote speech at CTIA Wireless, was referenced this way: "The best shopping list is the one you don't have to create and that's what we're working on." (Technically, the best shopping list is the one that someone else has to shop and pay for, but I digress.) Presumably, this mobile app would be built atop the chain's experimental Scan & Go mobile app, which prepares in-aisle checkout leveraging existing self-checkout units. Given that Scan & Go—by its very nature—requires the shopper to register beforehand and to be associated with a verified payment method, it delivers an ideal CRM platform. This is a nice backdoor way to get into CRM for Walmart, which doesn't have a traditional CRM program and never has had one. That is a crucial element of Thomas' self-populating shopping list.Read more...

Also on Friday, Visa and MasterCard sued a group of merchants and trade groups who have opted out of the settlement—but that's less impressive than it looks. The card brands' suit is a mirror image of the lawsuit that Target and 16 other retail chains filed last Thursday (May 23), which claimed the card brands' entire rule structure violates antitrust laws. The card brands are asking a court to declare that its rules don't violate antitrust laws.Read more...

What brings this up is the recent debate—best articulated by our friends at The New York Times—about whether the graphical standard GIF should be pronounced as a homonym with Jif, the peanut butter. (Never quite understood the campaign "Choosy Mothers Choose Jif." Did that mean that less uptight, less anal-retentive mothers chose Skippy? But I digress.) For decades—since 1987—it's been pronounced with a hard G, as in the word graphic. Seems that Steve Wilhite, the inventor of the popular graphic approach back when he worked at CompuServe, now has opted for the peanut-butter pronunciation.Read more...

But in creating an artificial currency, and allowing it to be transferred and exchanged, retailers like Amazon may be getting themselves into potential legal trouble, writes Legal Columnist Mark Rasch. In fact, they may be making themselves into an illegal unregistered money transfer company or even an unlicensed bank. Such is the problem with digital "money."Read more...

The most likely users of those devices: specialty retailers (both mall-based specialty chains and small independents), who are deploying about 45 percent of all tablets shipped to retail for POS, IHL said. But only 28 percent of U.S. retailers plan to roll out any mobile POS devices by the end of 2013, a drop from previous estimates. That suggests the reality of mobile POS is beginning to set in for early adopters, who are beginning to see some of the limits—and counterintuitive aspects—of the technology.Read more...

The group also said its members were considering "additional legal action to recover damages from Visa and MasterCard under U.S. antitrust laws." A key point in the settlement is that Visa and MasterCard won't be subject to future interchange-related litigation. K. Craig Wildfang, one of the attorneys who negotiated the settlement, said he wasn't surprised by the announcement from Walmart and the other chains. "These merchants have been publicly critical of the settlement, and we always thought that many of them were likely to opt out," Wildfang said. "We remain confident that the vast majority of merchants in the class will not opt out."Read more...

The trial was controversial for a reason other than consumers' fears that their privacy was somehow being invaded.The problem is that Euclid was able to see cross-retail activity. That means that it saw when, for example, a Nordstrom shopper left Nordstrom without visiting POS and then her mobile signal appeared 20 minutes later inside Macy's, where she ended her visit with that always-desired visit to POS. (Note: That was just an example. Other than Nordstrom, we're not identifying which retailers are using Euclid.) The fact that Nordstrom is only receiving anonymous data (or so it says) doesn't mean that its rivals all are similarly limited. This is a key industry problem with many forms of mobile information gathering. Read more...

The retailer recently rolled out contactless point-of-sale terminals to 644 U.K. stores and reportedly processes more than 230,000 contactless transactions every week. But several customers told the BBC that they had the experience of inserting a chip-and-PIN card in the PINpad's slot, but being issued a receipt for a contactless card that was nowhere near the PINpad. The contactless system isn't supposed to work at distances of more than about two inches.Read more...

The problem comes down to the fact that anyone can object to a TLD that has special significance beyond being a trademark, and far more objections have been filed over the nearly 2,000 applications for the new TLDs. In .amazon's case, there's a South American river with the same name (what a coincidence, huh?)—and several South American countries believe that's a good reason for Amazon not to get control of .amazon. Read more...