Why PCI Has Not Reduced Fraud
June 17th, 2009
It's a great theory. But as PCI Columnist David Taylor reports, things haven't quite worked out that way.
The research, conducted in May by Boston-based site analytics company Compete, found that Walmart.com enjoyed about 32 million visits during the month and Target.com was visited about 28 million times. Compete extrapolates information based on the activity of a 2,000-member panel, said Debra Miller, an associate in the company's retail consumer product department.
When the driver walks into the Nordstrom location, text alerts have told associates that he's the driver of a red 2009 S600. The scanner he walked by recognized his cell phone's unique identifier number as the same one that exited the Mercedes, which had its license plate number automatically logged as well. When he purchases a dress shirt 20 minutes later with his Visa card, the system can now attach a name (and the purchase of that shirt) to that license plate and that cell phone. If that customer happens to use a loyalty card, his complete purchase history is then associated with the car and his phone.
The letter to the council called for an end-to-end encryption standard, more input from retailers at an earlier stage, more time for larger chains to implement new PCI requirements, a list of the most important elements that really need to be done (rather than insisting on compliance with every one of the "more than two hundred detailed requirements of the PCI DSS"), and letting retailers store fewer pieces of sensitive data.
The Macy's and Best Buy situations only involved debit card transactions, but the one million Starbucks transactions involved both credit and debit cards, said Starbucks spokesperson Trina Smith, who wouldn't break down how many of each card type were involved.
About a week earlier, at a different conference hundreds of miles away, GuestView PCI Columnist David Taylor witnessed a similar exchange: of a group of about eight retailers, only one said he was using a QSA. And that guy was clearly on the defensive, half-blaming his management for forcing him to still use one.
As e-tailers have learned the hard way from E-Commerce, customers don't care about tidy legal contracts assigning responsibility and quality-of-service obligations. If they go to a Wal-Mart or a Home Depot site and have a bad experience, whether it's with uptime, a FedEx delivery hiccup, incorrect status reports, a consumer video comment that glitches or anything else the retailer may or may not be directly handling, those customers are going to blame Wal-Mart or Home Depot and might take their business elsewhere. If M-Commerce is on your plate, you need to get used to living by the carrier's standards.
But in a June 3 "assessment summary" regarding the plan to stop including the UPC-A on coupons, the group said "preliminary data" about retailer readiness for the change show the January target is unrealistic.
But new numbers just for May, showing Macy's online hitting 12.2 percent sales increases compared with a 9.1 percent drop for in-store, a massive 21.3 percent spread for that month's $1.74 billion in revenue, make it hard to view those figures as anything other than powerful E-Commerce performance.
Victoria's Secret's new mobile experiment is more of an adjunct to its catalogue (paper and online), with the mobile app needing a catalogue number before an item can be purchased and tracked.
But when those consumers return to that Dairy Queen with those tags stuck to their wallets, their watchbands or the back of their cellphones, identical those tags shall be no more. Given the differing purchase histories of each customer, the tags will deliver sharply different discounts and offers. In effect, the tags will serve as digital coupons as well as makeshift CRM/loyalty programs.
Ahold Information Services Vice President of Applications Development Alan Williams argued that a January replacement of the current UPC-A barcode with the DataBar "would create a significant hardship for a large number of retailers." Ahold, a Netherlands-based grocery chain operator with sales of $40 billion, has about 1,400 stores in the U.S., including Stop&Shop and Giant.
"We're talking about companies opting to store and manage more credit card and other confidential data than necessary, and we suspect protecting jobs in technology, compliance and finance is the main reason for this," Taylor writes. "But is this necessarily bad?"
In the ongoing saga that is the Heartland data breach, a group that tracks such things has now tallied that at least 656 financial institutions have been impacted.
“The tally reflects many banks and credit unions with losses of thousands of dollars to fraud, along with the costs associated with monitoring and card replacement, which has led to several class action suits being filed against the payments processor,” said the story in BankInfoSecurity.
To be clear, the credit- and debit-card data sharing that Sears is accused of happened between Sept. 9, 1995, and June 22, 2001, long before PCI even existed. But such a thing could never happen today, in our PCI-compliant environment, right? Think again, Breach Boy.
IT may not be the only ones allergic to new POS systems. A report in the May 28 New England Journal of Medicine found that some cashiers have been showing asthma symptoms after new POS installations, apparently reacting to chemicals on the receipt paper.
“The machines print on thermal paper coated with a chemical called N-propyl-acrylamide and acrylate tints,” said a report on the article in Health Day. “After performing all tests, we demonstrated that our patient was sensitized, meaning she is allergic to a specific substance, in this case, acrylates contained in the thermal paper.” Now there's a TCO factor that most IT departments would have overlooked: the potential for increased sick time and lower productivity. Maybe upgrade the POS system but keep the old printers?
The initial version of the kiosks collects payment card information as well as driver's license data. Even setting aside the potential future POS/CRM access, the payment and highly sensitive driver's license data will force some of that debate right away. How secure are the kiosks? Who is ultimately responsible in the event of a security breach, both legally and from a PCI perspective?
"We all know that PCI compliance creates dividing lines," said GuestView PCI Columnist David Taylor. "Flat networks must be segmented. The number of databases that store, and applications that use, cardholder data needs to be reduced, and the number of persons with full card number access needs to be reduced as well. The whole process of separating the 'haves' from the 'have nots' often leads to arguments and requires extensive justification on the part of those who maintain they must have the ability to see unencrypted card data in order to do their job."
According to officials involved in the case, Macy's is saying that it has only been able to locate about 40 percent of the data involving some 2,900 tainted necklaces sold. Let's set aside for the moment the possibility that Macy's officials are being less than candid with the L.A. officials because they simply don't want to reveal the data. If we assume that they are being absolutely candid, what does it say about their data management?
The scenario of consumers using their smartphones to barcode scan for everything from price lookups to quickly gathering more product information via the Web is nothing new. But despite all the talk, it hasn’t progressed much beyond being in a lot of hypothetical scenarios.
Is Google’s entry into the space likely to change that? U.S. and U.K. owners of mobile devices running the Google Android operating system can now download from Google a “Barcode Scanner” app that allows them to use their phones to scan UPC/ISBN codes with the phone’s digital camera. The application has been integrated into Google Product Search for Mobile.
As part of a settlement for having violated the federal Fair and Accurate Credit Transactions Act (FACTA) by leaving too many payment card numbers on printed receipts, the 670-store Italian restaurant chain Olive Garden is giving consumer victims vouchers for $9 appetizers. But it is going out of its way to point the finger of blame at its POS vendor.
Granted, offering coupons good for just an appetizer sounds more like something the chain's marketing department would pay for than a punishment. To the extent that there is any shame involved, Olive Garden issued a statement saying the error wasn't its fault, but it also refused to identify the POS vendor involved. “We at Olive Garden take our guests’ data and our legal obligations very seriously. There was a mistake in a vendor-supplied system that produced receipts for the sole use of individual guests,” said the chain’s communications director, Mark Jaronski. “The problem was promptly remedied when it was brought to our attention and there is no indication that anyone has been harmed in any way by this error.”
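The truncation rule these receipts broke is easy to state and easy to test for, and the test is what a retailer should run before blaming the vendor. As an added example (not code from the page, from Olive Garden or from its POS vendor), here is a Python masking function that applies the stricter of the FACTA and PCI DSS limits, plus a scanner that flags receipt text printing a full PAN or an expiration date. The receipts are constructed samples and the card number is the standard 4111... test number; the function names are my own.

```python
import re

# Constructed sample receipts (not from the page, Olive Garden or any real merchant).
# The card number is the well-known 4111... test PAN, which passes the Luhn check.
BAD_RECEIPT = (
    "BISTRO #042        constructed sample receipt\n"
    "VISA 4111 1111 1111 1111  EXP 09/11\n"
    "TOTAL  $23.47\n"
)
GOOD_RECEIPT = (
    "BISTRO #042        constructed sample receipt\n"
    "VISA ************1111\n"
    "TOTAL  $23.47\n"
)

# 13-19 digits, optionally separated by spaces or hyphens, not adjacent to other digits.
PAN_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# "EXP 09/11", "Expires: 9/2011", "Exp. 09/11" and similar.
EXPIRY = re.compile(r"\bEXP(?:IRES|IRY|\.)?\s*:?\s*\d{1,2}/\d{2,4}\b", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters out phone numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan_for_receipt(pan: str, visible_last: int = 4) -> str:
    """Truncate a PAN for a customer receipt.

    FACTA allows at most the last 5 digits and no expiration date; PCI DSS req. 3.3
    allows at most the first 6 and last 4 when a PAN is displayed. Printing only the
    last 4 satisfies both, which is why 4 is the default and the ceiling here.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("input does not look like a card number")
    if visible_last > 4:
        raise ValueError("more than the last 4 digits would violate PCI DSS masking")
    return "*" * (len(digits) - visible_last) + digits[-visible_last:]


def find_receipt_violations(receipt_text: str) -> list:
    """Return the FACTA problems found in receipt text: a full PAN or an expiration date.

    Run this over the receipt print stream in a test lane before a POS or printer-template
    change goes live. A finding is recorded as first-6/last-4 only, so the checker itself
    never writes a full PAN to a log.
    """
    problems = []
    for match in PAN_RUN.finditer(receipt_text):
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            problems.append(f"full PAN printed: {digits[:6]}...{digits[-4:]}")
    if EXPIRY.search(receipt_text):
        problems.append("expiration date printed")
    return problems


if __name__ == "__main__":
    print(mask_pan_for_receipt("4111 1111 1111 1111"))  # ************1111
    print(find_receipt_violations(BAD_RECEIPT))
    print(find_receipt_violations(GOOD_RECEIPT))
```

The Luhn filter matters in practice: without it, the scanner fires on every 13-to-19-digit order number or phone number on a receipt, and the alerts get ignored.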
There has been no end to the list of bad impacts of major retail data breaches: fines, card-reissuance costs, paying for cleanup and forensics investigations, not to mention the inevitable legal fees. (Note: If law firms were really smart, they’d be underwriting the best cyber thieves. Come to think of it ….) But here’s an interesting one: a sharp drop in subscriptions (software, services, organization memberships as well as publications) triggered by cards being reissued.
It’s a delicious example of an unintended consequence. As noted in The Washington Post, the trend is partly driven by the recession. Most consumers won’t take the time to cancel subscriptions when times get tough, but if the issue is forced on them, as happens when they are issued a new card number because of a breach and must act to keep an auto-billed service running, they’re much more likely to let the subscription lapse. It’s just another bullet point for that lengthy list of data-breach financial costs.
Similar to rulings in cases involving fellow data-breach retail victim TJX, Hornby said he couldn't allow almost any of the plaintiffs to continue with the case because the consumers hadn't suffered out-of-pocket financial losses. In an ironic sense, this all stems from the card brands' zero-liability programs, which guarantee that consumers will have all fraud losses wiped clean. (The one plaintiff who can continue is a consumer whose fraud-loss costs, for reasons unknown, were not covered by her bank.) It's ironic because the programs were created to make consumers feel safer about their payment security. Today, those same programs are preventing consumers from successfully suing retailers that mishandle their data, which in turn makes it more difficult for retailers to justify spending more than the minimum on data security.
Beyond focusing on avoiding "Beyond PCI Lock-in," pens GuestView PCI Columnist David Taylor, retailers also need to focus on ensuring that these new security efforts don't break their existing applications. Some of the tokenization and end-to-end encryption approaches currently (or soon to be) on the market don't always play nice with existing ERP, CRM and other enterprise applications.
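Why a token can break an existing application is easiest to see in code. The following is an added illustration, not code from the page or from any tokenization vendor: an in-memory stand-in for a token vault, a legacy CRM intake routine that still validates its card field as a 16-digit PAN, and a comparison of a format-preserving token against an opaque one. The names TokenVault, post_to_legacy_crm and the rest are hypothetical, and the PAN is the standard 4111... test number.

```python
import secrets

# Constructed sample PAN (the well-known 4111... test number), not real cardholder data.
SAMPLE_PAN = "4111 1111 1111 1111"


class TokenVault:
    """Minimal in-memory tokenization service for illustration only. In production the
    vault is a separate, PCI-scoped system with its own access control and audit logging;
    here a dict stands in for it so the example runs offline."""

    def __init__(self, format_preserving: bool):
        self.format_preserving = format_preserving
        self._vault = {}  # token -> PAN; the only place the PAN is stored

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        while True:
            if self.format_preserving:
                # Same length and same last four as the PAN, random digits in between:
                # 16-digit columns and "last four" lookups keep working, and the token
                # carries no card information beyond the last four.
                middle = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
                token = middle + pan[-4:]
            else:
                # Opaque token: cannot be confused with a PAN, but breaks any column,
                # validator or report sized for one.
                token = "tok_" + secrets.token_hex(12)
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the few systems that truly need the PAN (settlement, chargebacks) get this call."""
        return self._vault[token]


# Legacy ERP/CRM code of the kind that predates tokenization: written when the column
# held a real PAN, so it insists on exactly 16 digits and keys customer lookups off
# the last four.
def legacy_card_field_ok(value: str) -> bool:
    return value.isdigit() and len(value) == 16


def legacy_last4(value: str) -> str:
    return value[-4:]


def post_to_legacy_crm(card_field: str) -> dict:
    """Simulates the downstream application's intake: rejects anything not PAN-shaped."""
    if not legacy_card_field_ok(card_field):
        raise ValueError(f"CRM rejected card field: {card_field!r}")
    return {"card_last4": legacy_last4(card_field)}


def compare_schemes(pan: str = SAMPLE_PAN) -> dict:
    """Tokenize with both schemes and record whether the legacy CRM accepts the result."""
    results = {}
    for name, fp in (("format_preserving", True), ("opaque", False)):
        vault = TokenVault(format_preserving=fp)
        token = vault.tokenize(pan)
        try:
            crm_record = post_to_legacy_crm(token)
            accepted = True
        except ValueError:
            crm_record, accepted = None, False
        results[name] = {
            "token": token,
            "crm_accepted": accepted,
            "crm_record": crm_record,
            "round_trips": vault.detokenize(token) == pan.replace(" ", ""),
        }
    return results


if __name__ == "__main__":
    for scheme, result in compare_schemes().items():
        print(scheme, result)
```

The opaque scheme is the one that "doesn't play nice": the CRM rejects the record outright, so every downstream field, report and validator has to be touched before cut-over. The format-preserving scheme slides in unchanged, at the price of producing strings that look like PANs, so PAN-discovery scanners will flag them and auditors will ask for proof that they are tokens; production schemes usually also force the token to fail the Luhn check for exactly that reason, an adjustment this illustration leaves out.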
Like everything in retail payment security, the issue is much more nuanced than it initially seems. But the short version is clean: to materially improve security, proprietary hooks are needed. That said, retailers will soon have a lot less negotiating power than they've gotten used to.