Evan Schuman's StorefrontBacktalk

PayPal has come up with yet another payment-related use of a cellphone: to authenticate a non-mobile E-Commerce transaction. Customers of the payment giant “can now choose to receive a unique six-digit security code via text message to their mobile phones prior to logging in to their accounts,” PayPal said in a Nov. 24 statement.

PayPal has already been using two-factor authentication with a physical device (the PayPal Security Key), but using SMS and mobile leverages hardware consumers already have. Consumers would have to use the codes in addition to their regular username/password combos. …

The IT struggle with knowing where all payment data is—let alone trying to enforce rules that pretty much try and keep it there—was the topic of a StorefrontBacktalk podcast this week with our own PCI columnist, David Taylor, and security specialist J.D. Oder, the chief technology officer at Shift4.

Oder said most payment data security problems start with an employee error. These are typically employees who truly thought they were doing everything right, but they were undercut by a failed corporate infrastructure. Taylor’s approach was more basic: Retailers must put much less payment data into the hands of employees and return to a centralized approach, as painful as it will be and as backward as it will feel. To listen to these folks argue it out, please click here.…

In theory, this would allow people who only want to buy American products an easy way to do that. The only problem is that the trick doesn't always work, which means it could have the opposite effect.Read more...

The trial is only available to a little more than one-fifth of TiVo's 3.6 million subscribers (just those who pay for broadband TiVo) and is limited to those willing to pay cash. Still, the approach is quite interesting, at least for those who believe that convergence was a good idea ahead of its time. Read more...

In response to a contest—OK, a very weird contest, even by the relatively loose digital signage standards—one industry CFO chose to try and explain the difference in poetic verse. The result was decidedly less Shakespeare, Byron, Keats or Poe and much more Dr. Seuss and Burma-Shave. Even so, his poem is worth reading, if for no other reason than to make yourself feel better about your poem-crafting skill. (A free gift of decidedly little value to the first five readers who can correctly identify the Burma-Shave reference. Extra credit if you can cite an example.) Read more...

Some 30 meters below solid bedrock underneath Stockholm, an abandoned nuclear bunker has been transformed into what could only be described as the world’s coolest datacenter. The 16-inch thick entrance doors lead to a facility that, to quote this wonderfully illustrated Hot Hardware.com story, is “replete with waterfalls, greenhouses, German submarine backup engines and simulated daylight (and) this facility has the added benefit of being able to withstand an almost direct hit by a hydrogen bomb.”

The story is nice, but the pictures of this underground computer facility inside a cave are stunning. It almost makes me want to give up telecommuting. As fellow blogger Jason Perlow commented, “This is what a Bond villain’s datacenter would look like.”…

The crash itself, resolved by the end of the day, was caused by a hardware problem with Cisco routers in the company's San Jose datacenter, said Ranjith Kumaran, YouSendIt's chief technology officer. But the bigger problem was twofold: When the file transfer systems died, that also brought down the Web site. And the system crashed in such a way that customers weren't sure if their files had been transmitted or not.Read more...

The Web is overflowing with analysis of the TJX data breach disaster, but this posting from Plausible Deniability does a better job than most. What’s intriguing is the possibility that some of the indicted suspects may have worked as code writers in the light of day for some major companies, including Morgan Stanley.

With so much security outsourcing today, it raises some uncomfortable questions about how much you really know about the security specialists you now have working in your computer room.…

But deciding what to do about abandoned carts, that gets complicated. The innocuous-looking store locator is akin to waving a red cape in front of the face of an E-Commerce manager bull. In this case, even the bull is very real. And, yes, it all comes down to incentive plans, the least focused-on reason why Merged Channel programs so often fail.Read more...

The credit database giant argued that such a card could potentially reduce "the need for companies to retain customers' personal identification information, which could also result in the reduction of risks posed by data breaches." Although that theoretically could be the case, the only way such a card—dubbed the Equifax online identity card—will be successful is if it's adopted by a large number of retailers. And each of those retailers would have to be willing to surrender one of their most precious pieces of data: customer history. Read more...

Wal-Mart will insist that its Chinese suppliers comply with RFID tagging by January 2009. And given various recent safety problems reported from China, Wal-Mart is also requiring sub-contractor information be included with every tagged product. The move, according to this nicely detailed piece in RFID News, “is expected to cost the suppliers roughly 20 times more than the bar-coding system now in place.” But China Retail News is quoting Chen Chang’an, general manager for the Shenzhen-based RFID provider Invengo Information Technology, as saying that the move will save Wal-Mart some $8.35 billion. No problem, given that Bentonville always passes such savings along to suppliers, right?

That China Retail News story also quotes Wal-Mart VP Mike Duke confirming that Wal-Mart would “not only ask its Chinese suppliers to report the name and factory location of their products, but also require them to take the responsibility for their subcontractors’ work and products. Suppliers who failed to meet these standards would be dropped from Wal-Mart’s Chinese supply chain if no improvements were made. He said the new standards would be put into effect in the apparel sector from November 2008 and gradually cover all products in its stores.”…

At a glance, Best Buy's efforts sound similar to the social networking site widget efforts pushed recently by rival national pizza chains Pizza Hut and Papa John's. But Best Buy's plans are far more adventurous; the retailer envisions pushing its content out to mobile, blogs and video sites in addition to social networking sites. But the company also plans to create wiki-like rich content by leveraging what one Best Buy exec dubbed "150,000 tech-savvy employees, some 65 percent of whom are 16 to 25" years old. Read more...

While the headlines in the United States tell of store closings and expansions being back-burnered, it’s a very different story in at least one part of the Middle East. In Dubai in the United Arab Emirates, Tuesday (Nov. 4) saw the world’s largest mall opening ever. The mall opened that day with almost 600 retailers, which is barely half the number of retailers mall developers say it will have once it’s “fully operational.” The retail mix includes two anchor department stores (Galeries Lafayette and Bloomingdale’s), 220 gold & jewellery outlets, 160 food & beverage outlets, a supermarket and an organic food mart.

When consumers get bored with shopping, the mall will house an Olympic-sized ice rink and an aquarium that is supposed to have the Guinness World Record for being the “World’s Largest Acrylic Panel.” Heck, that’s worth the trip right there.…

The defendant pleaded guilty to heading a conspiracy that netted more than $1million by using phony UPC labels to obtain products and then sell them on eBay, according to this story in The Register.

Tommy Joe Tidwell, 35, of Dayton, Ohio, pleaded guilty to three felony counts, including conspiracy to use unauthorized access devices, use of unauthorized access devices, and mail and wire fraud. The best part of the story, though, is that it shows the ineffectiveness of using ratings to sort out legit from non-legit sellers. “As was the case with an airport baggage handler charged with stealing passengers’ stuff, Tidwell’s eBay account enjoyed a stellar reputation. Out of 522 comments left, only four were negative, giving him a positive feedback rating of 99.2.”…

Federal prosecutors have apparently accused a New York man of providing a sniffer program to help the TJX cyberthieves steal payment data. The fact that 25-year-old Stephen Watt has been charged with unlawful access to computers, wire fraud, aggravated identity theft and money laundering is not in dispute, nor is the fact that he has been accused of delivering a sniffer program to accused TJX mastermind Albert Gonzalez.

But the feds have been vague about whether Watt was involved in the TJX data heist, even though the timing of the accusations would seem to place him in the middle of the largest payment card data breach ever, according to this Computerworld story. Watt allegedly provided a sniffer program that allowed Gonzalez and other gang members to identify and capture credit and debit card data traveling over the networks they had broken into. In January, Watt edited and modified a sniffer program dubbed “blabla” that was used by the gang and stored in a server with a Latvian IP address, according to the story.…

RFID sales globally will be more than $5.3 billion this year, with supply chain management, ID documents, ticketing and contactless payment drive shipments leading the way, according to a report released Monday (Nov. 3) by ABI Research.

If you take automobile immobilization out of the picture, RFID is slated to grow at a 15 percent compound annual growth rate (CAGR) from 2008 through 2013, and ABI projects the market will be worth about $9.8 billion in 2013. Said Research Director Michael Liard: “To a casual observer, the five-year CAGR for the RFID market as a whole may not seem impressive at face value. In this case, however, traditional applications with single-digit and low-double digit five-year compound annual growth rates continue to dominate current and near-term RFID market revenue share. If these traditional applications—access control, automatic vehicle identification, automobile immobilization and ID documents—are removed from the equation, the 2008-2013 CAGR for total RFID systems revenue exceeds 20 percent.”…

Whether you call it outsourcing or tokenization, software-as-a-service, virtualization or even, gasp, cloud computing, it's essentially a "risk avoidance" strategy. However, most of what we see is more avoidance than strategy.Read more...

Let's not get too optimistic here. "Mostly unharmed" doesn't mean escaping untouched. But it does mean that when large companies—especially retailers—have to suddenly make do with a lot fewer people, they need that good ole IT magic more than ever. They need the efficiencies that IT promises and the employee-replacing devices that IT enables. Read more...

Pet product maker Normerica opted for an unorthodox combo of smart boxes with embedded RFID tags and a mobile reader to comply with Wal-Mart’s RFID requirement. The application, described in wonderful detail in this RFID Update story, was attractive because it reportedly involved “no significant retooling of its packing or shipping lines.”

“If you compare the print-and-apply process at consumer goods manufacturing with eight packaging lines, you’d have to have eight applicators and printers,” said Paul de Blois, HIDE-Pack vice president and general manager. “We can produce the boxes on flexo-folder-gluer at a speed of 300 per minute, which is much faster than the throughput of a typical print-apply system.” A story worth checking out.…

A Hong Kong RFID vendor is boasting about a new $1,950-$2,500 handheld UHF reader “with a read range exceeding 25 feet with standard dipole passive tags and a throughput reaching 400 tags per second.” That claim is usually reserved for fixed readers, a very sharp claimed performance boost.

Convergence Systems Limited has dubbed it the CS101, and it eked out an endorsement from the normally publicity-shy folk at Boeing. Boeing Research Engineer Steve Villa praised Geiger counter mode. “In this mode, the reader’s ability to singulate and locate tags, even in a highly reflective environment, is excellent.”…

Genesco, which owns more than 2,000 stores operating as nine different chains including Johnston & Murphy, Dockers and Journeys, learned this week how POS receipt customization can be remarkably dangerous.

Seems that an associate programmed a series of options for a cashier to choose when identifying the customer. One of the choices programmed? “Dumb Ni**er.” Yes, the forbidden racial slur, and a 22-year-old Missouri man found it printed on his receipt at a Journeys. There’s a nice story about the incident on ABCNews.com and the video link shows much more detail. Doesn’t a manager check these things? And if it was approved, that store has a lot of explaining to do.…

Simply put, retailers selling very high-priced items to a decidedly well-to-do clientele often invest much more heavily in creating a comfortable environment with an abundance of personal attention. There's a reason retailers such as Nordstrom, Neiman Marcus, Armani, Coach and high-end jewelers tend to be the last to embrace kiosks, mobile-commerce and online promotions. Read more...

Are they ignoring the product or are they picking it up, reading the label and then quickly putting it back? Does the timing and eye movement indicate they were repulsed by the sugar content (near the bottom) or the low fiber count?Read more...