Evan Schuman's StorefrontBacktalk

That kind of insider theft would never have gone unnoticed if it involved payment cards. But when retailers think about the security of loyalty-card data at all, they're usually focused on protecting personal information. Customer loyalty points have such a low value—typically 1 or 2 cents for each dollar spent—that it's easy to dismiss the risk of counterfeit points. Unless those point totals are treated like cash; in which case, an insider with the right kind of access can generate enough to cost a store real money.Read more...

IT executives know in their hearts that they have lost the battle to control users. Ubiquitous personal smartphones (usually better than the ones companies provide for their employees), social networking, cloud applications and removable media are here to stay. Business requirements will trump security every time. That means we need to focus on the one thing we can still control: protecting the data. That is where PCI becomes increasingly valuable. Read more...

Retail CIOs have enough trouble keeping their own line-of-business executives and managers in line while trying to enforce IT edicts among employees who would rather ignore them. But when corporate CIOs move from a traditional chain to a franchised one, they suddenly discover how good they had it before. Line-of-business employees may try to ignore those rules but, ultimately, they’ll have to comply.

Not so with franchise owners. They paid their money for their stores, and they need to be convinced that a particular IT investment makes sense. Tell them they need to upgrade POS to collect more data for projections, and they’re likely to respond, “That’s to help you, not me. You think these upgrades will be so helpful? Fine. You pay for them.” That perspective forces CIOs to have arguments that speak to the benefit of the individual store, and it’s the topic of StorefrontBacktalk‘s monthly retail payments column on S1’s blog.…

American Eagle Outfitters experienced a couple of major site slowdowns on Cyber Monday, according to AlertBot, a traffic monitoring firm. "American Eagle's problems began around 6:36 PM EST when the Web site began loading very slowly. It seemed like the problem was resolved 30 minutes later, when the Web site starting loading within is usual time period only to have the problem occur again beginning at 7:30 PM EST," said AlertBot's Justin Noll. "The second failure was much worse, lasting over two and a half hours. The issue was finally resolved around 10:08 PM EST."Read more...

Even though many chains for years have price-matched any legitimate rival offer—including, of course, online deals from their own chains—Wal-Mart's new program excludes all online offerings, even those from walmart.com. How is that the industry's best price-match program? More importantly, though, let's explore what this online-exclusion means.Read more...

In a standard Black Friday sale promotional news release, Borders on November 24 implored customers to join its Borders Rewards Plus program by November 30 and receive a $10 credit, which had to be used by Jan. 11, 2011. The good news is that customers listened and did what they were told. The bad news is that customers listened and did what they were told.Read more...

More than two years ago, Visa mandated—effective July 1, 2010—that "Acquirers must ensure their merchants, [VisaNet Processors] and agents use only PA-DSS compliant applications." With nearly 800 PA-DSS validated applications listed on the PCI Council's Web site, retailers have a wide choice. Unless, that is, they are looking for a mobile commerce application. Read more...

If your employees are complaining about PCI requirements, you’ll be glad to hear that—until this week—even the Pentagon’s classified systems had looser security. On Sunday (Nov. 28), in the wake of the WikiLeaks leaks, the Defense Department announced it was finally disabling the capability to write data to removable media such as thumb drives or disks on classified computers “as a temporary technical solution to mitigate the future risks of personnel moving classified data to unclassified systems.” Translation: We don’t want anyone else copying 250,000 sensitive items to a CD.

That, of course, would fall under PCI-DSS Requirement 9—if the Defense Department was handling payment card data, anyway. Fortunately for the Pentagon, it’s not, so it doesn’t risk having to pay higher interchange fees for transactions. To be fair, the Pentagon already had strict rules in place for the use of removable media on all military computers. It just didn’t use technology to actually enforce those rules—and block reams of classified data from being copied to removable media and then carried out the door by a trusted but untrustworthy user. Not that anything like that could ever happen to retailers.…

StorefrontBacktalk is moderating these two panels at the show, and we'd love for any readers to drop by. (If you don't boo, who will?) We actually have these wonderful IT giants discussing two of the most critical retail tech issues: Security and Mobile.Read more...

Here’s another reason banks should crack down on restaurants about security: to protect the bank. Seattle police and the U.S. Secret Service are investigating an Oct. 22 cybertheft in which a thief from outside the U.S. broke into the systems of a privately owned Seattle restaurant, the Broadway Grill. From there, the attacker tunneled into servers of the restaurant’s payment-card processor and stole at least 1,000 stored card numbers from the acquirer. Investigators won’t identify the card processor or the country the attack was launched from, but they said the data was definitely taken from the acquirer and not the restaurant.

The National Retail Federation has been saying for years that retailers should get out of the payment-card protection game entirely. NRF’s thinking is that banks are inherently more secure than retailers and that just keeping card data off retailers’ systems will make everything safe from attackers. True, the restaurant’s first-time owners, who bought the place in June, aren’t security experts. But they’re not the ones who lost the card data. Until retailers get rid of card numbers and beef up security and acquirers harden their own systems a lot further, those attacks will just keep coming.…

They stressed everything except the only thing that will ultimately persuade any major chains to support them: Revenue share, processing fees and other ways for retailers to say "Put a deal on the table that is sharply better than what I now have with Visa and I'll sign."Read more...

On the "not much at all" side, we have the fact that it's barely 5 seconds worth of effort. Isn't $2 for a 5-second mobile swipe pretty good money? On the "quite a bit" side, it's a very different shopping action. To get consumers to engage in this beyond-comfort-zone new behavior will take a meaningful incentive. That will be triply-true once the novelty wears off.Read more...

How far can standardization go when it comes to mobile commerce? The applications for mobile in retail seem endless, from geolocation and product information to coupons and payments. But they all depend on standards that can be used by many retailers, service providers and other partners. And with so many different opportunities and so many players—along with the chicken-and-egg dance that always surrounds early standards efforts—getting them all to work together seems almost impossible.

One way to think about where to start on mobile standards is to step back and ask a few basic questions: What does a retailer expect customers to use their mobile devices for? How will they use mobile? When will they use it—and when won’t they? We dig into these and other issues in the latest StorefrontBacktalk podcast on mobile standards. To listen to the podcast, please click here.…

In theory, that puts merchants using tens of thousands of TSYS POS terminals at risk—their payment-card data could be hijacked! Or leaked! Or lost! In practice, that's not going to happen. For now TSYS still controls those phone lines while it mulls an appeal of the judge's order. But the case is a reminder that all third-party services depend on how well someone else is running another company. When a card processor gets sloppy and just a bit too arrogant with one customer, that can have effects that ripple out to many other retailers.Read more...

That's great for PayPal users. For PayPal, it's a problem. The success of its iPhone app means there are millions of users at risk. And PayPal's promise to reimburse any fraud loss related to that risk means there's nothing to motivate users to upgrade from the old version that, to users, seems to be working just fine. Result: All the risk is on PayPal—and the only way to get out from under that risk is to irritate its customers.Read more...

In a look at how many of Visa's fraud reports came from its top five franchisee verticals (restaurants, apparel, direct marketing, sporting goods and lodging) over three years (2008 to 2010), the biggest short-term change was with restaurants, which plunged from 24 percent in 2008 to 9 percent in 2009.Read more...

Starbucks' up-and-down history on CRM, mobile and the Web makes these latest stats historically interesting. Whether it is up or down, this chain is hard to count out. That's especially true when a $10.7 billion coffee house is reporting a loyalty program growing at 20 percent.Read more...

PCI Columnist Walt Conway has to ask, though, whether it is possible that Visa's effort might have the unintended and clearly undesired consequence of actually reducing franchisee security—at least in some situations. That might happen if corporate franchisors segment their networks in an effort to bypass the new program and its increased costs. The decisions corporate franchisors make in the coming months could determine the ultimate effectiveness of Visa's well-intentioned effort to reduce data compromises and increase PCI compliance among franchise locations.Read more...

As part of the ordered manual review, Target shut down its POS Cashier Speed-O-Meter devices to accommodate the additional time for the manual reviews. That review will cost the chain between $2 million and $5 million in additional labor costs, said IHL President Greg Buzek, who calculated that fee based on an additional minute for every transaction and the number of stores and checkout aisles that Target is using, plus Target's efforts to add more people to keep the lines moving.Read more...

The problem? Barely two percent of them have scanners today that can do the job. "There's going to be a massive replacement of optical scanners," said IHL President Greg Buzek.Read more...

Cyberthief Extraordinaire Albert Gonzalez’s crew targeted at least one of the retail chain victims they hit partially because they didn’t like the chain. Forever 21 was targeted because “the clothes were poorly made and the employees were poorly paid,” Gonzalez Co-Conspirator Patrick Toey is quoted as saying in a profile of Gonzalez by The New York Times Magazine. In the Times piece, Toey described how the Forever 21 attack began with a flaw in the chain’s shopping cart software.

He also spoke about some of the other many retail victims of the Gonzalez crew. Another member of the gang walked into an Office Max near Los Angeles and simply “loosened a terminal at a checkout counter and walked out of the store with it” for intelligence gathering. Once in, Toey said, the system was foolproof: “Every time a card was swiped, it would be logged into our file. There was nothing anyone could do about it.” More intriguingly, Toey said the crew had attacked “major chains and [orchestrated] big hacks that would dwarf TJX,” none of which were ever the subject of the federal probe. “I’m just waiting for them to indict us for the rest of them,” he said. So, the saga isn’t over yet. As if it we didn’t already suspect that.…

Yes, it's just as illegal in New Zealand to display one price on the shelf and charge a higher price when it's time to check out. And it's the machines that customers will blame for the foul up—even if it turns out they're overcharged the same way at the regular checkout counters.Read more...

Litan spoke of additional security measures being better than the alternative of "having the customer account drained." But that's just it. These thieves are not stupid enough to kill the goose that laid the golden mag-stripe. Just as the typical consumer needs to see enough fraud to make a phone call to a bank—and endure the inevitable series of hold music performances—worthwhile (for some, that's more than $5, and for others, it can be more than $20), the typical bank needs to see enough of its customers get hit to make a call to its fraud department worthwhile.Read more...

Even if nothing had gone wrong technically, it's worth remembering that every time you change what a user has to do, you're creating slowdowns and glitches. It's true of E-tailers dealing with processors, programmers with APIs and customers with E-Commerce sites (or even brick-and-mortar stores): Move things around or change the way things work and you may impress some users with your shiny new features—but you will confuse and irritate people whose highly productive habits have stopped working. And to Sage Pay's credit, it eventually found a temporary workaround for that problem.Read more...