Evan Schuman's StorefrontBacktalk

"3-D Secure has so far escaped academic scrutiny, yet it might be a textbook example of how not to design an authentication protocol," wrote Cambridge University's Steven J. Murdoch and Ross Anderson. "It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It's bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent." The pair, however, found that 3DS did get one part right: the money and where it comes from. Although "other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts."Read more...

As eBay has discovered, there’s a lot of money to be made in them thar online auctions. So it’s no surprise that lots of startups are trying to creatively find their own slice of the auction pie. But a site called Biddees, from the people who brought you shoes.com, is taking an unusual approach that just may prove to be the most needlessly complicated auction site in quite some time.

This wonderful story from Internet Retailer does a nice job of detailing this cocoon of complexity: “In order to see the current price of a prepaid card, which is guaranteed to be at least $1.50 less than the card’s face value, shoppers first have to use a token called a Little Biddee Thing, which costs 99 cents. Each time a customer views the current price of a card, the price automatically drops 50 cents. If the shopper is the only person viewing the card, he has 30 seconds to buy the card at the current price,” the story said. “If another person is already viewing the card, the shopper enters a queue before he can see the card’s price. If the card is purchased while the shopper is still in the queue, the shopper will be transferred to the next auction for the same product. An auction ends when someone purchases a card or when its price reaches zero. The last shopper gets the card for free.” Of course. What could be more natural?…

Former Woolworth’s CIO David Wills is in the middle of a criminal trial, accused of accepting more than $3.7 million in bribes related to IT decisions about a POS system and some server upgrades. The fraud accusations involved approximately $37 million in IT contracts that were awarded by the retail chain.

According to The Australian newspaper, the executive “allegedly received $1.78 million between February 1997 and January 1999 in exchange for awarding an IT contract to Israeli software firm Az-Ben. He is accused of accepting a further $1.92 million from Az-Ben for giving advice to NCR that was likely to influence NCR to enter into a contract with Advance Retail Technology.” The newspaper story added that the “contracts were for Woolworth’s APOS2000 project, an upgrade of its point of sale systems and servers for the Millennium rollover. In December 1997, the retailer began a $130 million overhaul of its systems.”…

Although it’s hardly a stunning revelation that retail IT will be spending more on POS software maintenance this year than they expect, it’s unusual for a research report to quantify it precisely. A new report from the IHL Group and RISNews, however, tries to do just that.

Beyond showing a modest IT spending increase at both the store and enterprise level, the report found a “disconnect between what retailers are claiming they are paying today for software maintenance” and what the vendors they are considering for their next POS are actually charging, said IHL President Greg Buzek. “So those people considering buying Oracle for POS their next time, they are currently only paying 10.1 percent of license fees towards maintenance. If they actually buy Oracle, they will be adding an additional 11.9 percent to their annual software maintenance cost for POS. If they move to accounting/finance/HR, it would be an 8.4 percent increase. And if it’s Oracle merchandising and supply chain applications, it would be 8.6 percent more than what they pay today with their current vendor.” The vendors examined were Microsoft, SAP, Oracle, JDA, Micros, IBM, NCR, Retalix, Epicor and Fujitsu.…

The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won't say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.) The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern are overheard snatches of conversation. In theory, that is where a cyberthief calls a call center with a series of long questions. The thief records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details.Read more...

The CIO needs to sells ideas upstream to senior management and sideways to line-of-business peers, convincing them that the technology is the right move and that it needs to be approved and funded. If that works, it's barely 30 percent of the battle. If the stores aren't sold on the idea, Franchisee Columnist Todd Michaud opines, the data won't be used and the project is doomed to fail. And you're to blame.Read more...

One key issue that both sides are arguing is timing. Some of the franchisees have argued that Burger King is being punitive by moving so quickly. They are pointing out that the chain's deadline was Dec. 31, 2009, and that the lawsuits started being filed within a few days of the deadline passing. Burger King argues that it has been extremely patient, having informed its franchisees of the POS upgrade rule back in April 2008--giving the stores a rather generous 20 months to arrange for and make new POS purchases. Indeed, Burger King is saying that it was even willing to give franchisees more time if they needed help raising the money, as long as they were truly trying to follow corporate's edict.Read more...

In a marked contrast to the same kinds of questions two years ago, the intent is not to ignore security. Indeed, many of the chains considering such a heretical question are already putting in place security procedures that go well beyond current PCI requirements. This isn't a safety or security issue. It's a simple CFO's ROI balance sheet, contrasting the bureaucratic and paperwork costs of dealing with the very formal PCI procedure with the limited fines and other bad things that will happen if a chain suddenly stops pursuing PCI compliance. A report released this month from Ponemon tried to quantify the cost of breaches today, but its conclusions are rather underwhelming. Read more...

A letter from a POS vendor making the rounds warns retailers—under the headline "Information Security Advisory"—that an out-of-date OS will cause lack of compliance with PCI. The warning isn't true, but the popularity of this and related PCI claims is moving beyond annoying. Are these vendors lying or is marketing being allowed to make the claims without anyone checking? A recession drives marketers to desperate measures. (OK, so does prosperity, but let's not go there.) Read more...

But PCI is not like that. PCI has requirements that demand regular attention if merchants are to remain compliant the other 364 days in a year. CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach. They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be.Read more...

The change was for several reasons, including "some functionality in the Fujitsu software that we really liked and needed" that wasn't offered by NCR and testing that showed Fujitsu's software on NCR self-checkout units performed about 20 percent faster than when NCR's own software was loaded on its units, said Cara Kinzey, Home Depot's Senior VP of IT. Read more...

"We consider CVS and (Walgreens) to be the most advanced, as they have already implemented chain-wide computer synchronization, advanced inventory management and pharmacy workflow optimization systems," said Deborah Weinswig, from the Citi investment research and analysis group. "The warehouse clubs are considered to be the least sophisticated of the group. However, BJ and (Costco) have fewer inventory management needs as a result of their unique business model."Read more...

The lawsuit, filed Tuesday (Jan. 19), hit Heartland hard for its "lack of Payment Card processing system security; its desire to use a 'lowest bidder' system of selecting its outsourced IT 'auditors'; its reliance on a 'snapshot' telling it that, at one identifiable point in time, its system supposedly complied with the bare minimum industry standards; its startlingly poor IT oversight in general; and (Heartland's) complete and utter disregard of the oversight responsibilities they had to their fellow members of the Associations that allowed the intruders to make trip after trip in and out of the Heartland Payment Card processing system." The lawsuit also referenced Heartland's initial response to the attack. "Thirteen months later, the 'clean up' efforts would be seen for what they were—worthless." (Pause. But other than that, Mrs. Lincoln, how was the play?)Read more...

The mobile retail world has now neatly morphed into three categories: consumer-used (with true M-Commerce, mobile research from home and on the road, etc.); retailer-used (for price checks, inventory inquiries, in-aisle supply chain inquiries, etc.); and consumer-in-store (2D barcodes, price comparisons, SMS communications with the chain, watching demos, mobile research from within the store, direct payment, etc.). To make matters worse, some applications sit in multiple categories, such as a retailer-used device that is temporarily given to a consumer for checking online inventory or seeing a demo.Read more...

Maybe tokenization and end-to-end encryption are just two closely related approaches that can, when properly implemented, accomplish the same thing: minimize your total PCI scope. One thing is for sure, though: Either way, you will need to bring your checkbook.Read more...

Frozen dessert chain Tasti D-Lite is getting creative with incentivizing customers to post nice thoughts on social networking sited to promote the chain: coupons. “Participants who register their loyalty programme ‘TreatCards’ online are given the option of allowing Tasti D-Lite to send an alert on their behalf, whenever points are earned or redeemed,” according to this wonderful Reuters piece. When the customer “swipes his card at the store’s point-of-sale system, his Twitter or Foursquare followers immediately get an update that reads: ‘I just scored 5 TastiRewards points at Tasti D-Lite Columbus, Circle, NYC! myTasti.com.’ The customer is then awarded points for the message, which he can later redeem for treats.”

Meanwhile, a few stores in the Subway chain are seeing whether online food orders via SMS are more accurate and more profitable. During the trial, one manager found that the “text ordering service alleviated all phone-in orders. Doing so improved operations because his employees no longer had to leave the sandwich counter to answer the phone,” said a story about the trial in QSRWeb. “He said he also found that order accuracy improved since customers were sending the orders in directly.”…

Home Depot will spend about $60 million on more than 10,000 handheld units that are designed to help associates perform mobile checkouts, process payment cards, stock shelves and make phonecalls, according to BusinessWeek. “This is the first big customer-service tool we’ve given our associates in a very long time,” said Home Depot CIO Matt Carey.

The chain has been trialing these devices since 2008, when we reported that they were initially tested along with an RFID-based loyalty card that flagged associates when certain high-priority customers entered the store and set off a door-based reader.…

On the Best Buy side, though, many attendees at the National Retail Federation (NRF) conference were wondering whether the change would have much of an impact at all. One attendee compared the move to a hypothetical apparel retailer that is furious about children working in overseas sweatshops. To put an end to it, the apparel retailer would tell the supplier, "That's it! No more. I want you to take the pink frilly tuxedos with the Mod Squad characters sewn into the chest and get them out of here and don't bring me any more pink frilly tuxedos with the Mod Squad characters sewn into the chest until your suppliers have changed their practices. You can bring me lots of other clothes, but I am now drawing the line at pink frilly tuxedos with the Mod Squad characters sewn into the chest. It's for the children."Read more...

According to a copy of a report that Discover prepared about its initial trial results, 69 percent of those participating in the Zip trial wanted the sticker hidden. "The pilot management team was impressed by the creativity demonstrated by participants in finding various ways of hiding stickers under the phone’s protective case ("skin”), under the battery cover and other unseen yet convenient locations."Read more...

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside – or even outside – their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. PCI Columnist Walt Conway can think of several merchants he works with that will be looking at these devices very seriously. But, he argues, the PCI implications are complicated.Read more...

But the bleeding won't stop there. HPS has yet to reach agreements with Discover, MasterCard or others. The Visa agreement, described in a filing with the Federal Securities Exchange Commission (SEC), calls for HPS to take out a $53 million loan to help it pay $59.22 million to Heartland Bank and KeyBank National Association, two of its sponsor banks. Visa will pay back to the banks $780,000 in fines it collected from them after the breach.Read more...

There's an interesting provision that turns a programmer into a criminal if the program permits usage beyond the Nebraska limits. "Intentional or grossly negligent programming by the programmer that allows for the storage of more than the age and identification number shall be a Class IV felony." Turning a careless programmer into a felon? I can just see new indemnification clauses being demanded by every programmer who is being aggressively recruited. What about shareware or freeware? Good luck tracking down which open-source programmer wrote that particular portion of a Linux program. ("Hey, Brenda, what's the term for grossly negligent programming in Nebraska?" "An Oracle upgrade." Rimshot.)Read more...

But as long as you're coming, we'd love to ask you to drop by some of the StorefrontBacktalk events and do what our readers do best: yell at us. The first shouting opportunity will be at the RetailROI event at the Marriott East Side (Lexington and 49th) on Saturday at 2:45 PM. This charity event (www.retailroi.org) is designed to raise money for global orphan care and adoption support. But to do that, we get geeky for awhile. Our panel is on retail security and it starts at 2:45 PM and features the CIO of the world's largest restaurant group: Delaney Bellinger from Yum Brands (Pizza Hut, KFC, Taco Bell and Long John Silver's, among others). Also on the panel are two of our esteemed columnists (Franchisee Columnist Todd Michaud and PCI Columnist Walt Conway) plus Mark Rasch, the former head of the U.S. Justice Department's high-tech crimes division.Read more...

But Conway sees the data discovery prediction the most significant. "If you have a lot of locations, you have work to do setting up and scanning all those databases, workstations and servers. Especially watch to see if the Council decides to implement data discovery like it did wireless scanning (Requirement 11.1). If this happens, merchants will not be able to sample locations and will have to search each one. The good news is that you can conduct these searches internally and there are good open source products available. Your QSA likely would only need to verify the results of your automated discovery and to review the scope of your search."Read more...

The controversy involves Visa forcing chains to accept more expensive signature—as opposed to the more retail-friendly PIN—authorization. Best Buy is still accepting Visa magstripe cards plus other brands' contactless offerings. "After several discussions with Visa produced no agreeable changes," the chain started removing its acceptance of Visa contactless cards in October, completing the cutoff in November, said one Best Buy executive involved in the decision. The cutoff happened store by store along with POS upgrades. "Our decision was based on the costs associated with requiring contactless debit transactions be processed as signature debit."Read more...