Evan Schuman's StorefrontBacktalk

The cloud move, like last fall's quadrupling of the number of Best Buy IT project managers, is an effort to control IT costs without rolling back IT initiatives—absolutely critical in the face of Dunn's inability to stem the chain's loss of sales to Amazon. Amazon, ironically, is among those that Best Buy is writing checks to for its cloud efforts.Read more...

As a result, pens Legal Columnist Mark Rasch, Apple, PayPal and a host of other payment processors may find the need to hire new teams of lawyers to help them comply with the inevitable subpoenas and discovery requests that will befall them.Read more...

After all, even the hottest things in retail-chain POS today—iPads and iPods outfitted with sleds—still only handle one type of payment device: a magstriped card.Read more...

The PCI Council states that no breached merchant or processor has been found to be PCI compliant at the time of the breach. PCI Columnist Walter Conway has never liked that statement. It seems to be either tempting fate or challenging the bad guys. Although it stopped short of promising a safe harbor, at least the statement acknowledged the possibility of suffering a data breach while still being PCI compliant. Visa's suspension of Global Payments has swept aside that distinction.Read more...

One of the problems with the Costco system in various stores was either inadequate or non-existent notification to customers when a purchase was rejected. If an item's weight was different than expected, the system would void the purchase and not charge the customer. But many customers didn't notice the item was rejected, so they placed it in their cart, took their payment-card receipt and left the store.Read more...

Holding up each vegetable or piece of fruit in front of the scanner for one second? That's not a recipe for efficiency, even once the system actually works.Read more...

PCI's current rule "imposes new obligations on vendors that are extraordinary and extraordinarily bad, short-sighted and unworkable. Specifically, PCI requires vendors to disclose—dare we say 'tell all?'—to PCI any known security vulnerabilities and associated security breaches involving VPAs. PCI is asking a vendor to disclose specific details of security vulnerabilities, including exploit information or technical details of the vulnerability and whether or not there is any mitigation available, as in a patch."Read more...

Visa has now yanked the PCI compliance away from processor Global Payments, following word of a potentially huge data breach. Visa's move, based on its initial comments, both supports the seriousness of PCI and simultaneously makes it seem worthless.

The problem is not Visa removing a company that is not compliant from its compliance list (note that MasterCard hasn't. More on that in a moment). The problem is the perception that Visa is doing this as a kneejerk reaction to a breach, not because it established anything concrete and specific.Read more...

We've been here before. Asking "security" questions based on easily discoverable or guessable answers is no longer a good idea for general consumer access, but for administrative access? You're really protecting super-user privileges by asking for their favorite ice cream flavor?Read more...

There's an easy way to overcome that customer (and cashier) inertia: a redesigned PIN pad that doesn't feel much different to customers but still makes swipes obsolete.Read more...

Almost as unsettling was a rather reckless statement from the department's director, where she offered unwarranted confidence in the impregnable nature of disk formatting.Read more...

That means the government will ask for—and Congress might insist on—extensive additional limits on using and even collecting such data. If a chain is going to collect specific geolocation data, the retailer needs to do more than inform those shoppers, said Peder Magee, an attorney in the FTC's division of Privacy and Identity Protection. "You need to ask for permission," he said.Read more...

This situation can be addressed with one simple change to 12.8.2. It would apply to service providers only. The change is to add wording that requires service providers to deliver this "acknowledgement" in writing to their customers, pens PCI Columnist Walter Conway.Read more...

And the thing that made the systems interact was something that Nordstrom's software developers had no control over: the homegrown system that the affiliate site used to handle Nordstrom orders. That's what couldn't be tested until a problem actually showed up.Read more...

Ironically, it's Starbucks—which was one of the first to try mobile payment and intrinsically understood the social media concept years before Facebook launched—that has embraced sending giftcards (for customer birthdays, which is another clever CRM touch) through the hail/sleet/dark-of-night people. This issue actually combines two marketing devices popular throughout the 20th Century: snailmail and plastic giftcards/loyalty cards.Read more...

One answer: Nothing—in fact, TJX has been doing E-Commerce since 2009 in Europe. A different view: TJX really doesn't want to be the next Target.com.Read more...

Maybe Android phones are more secure for mobile payments than we thought. Earlier this month, an FBI forensics lab was unable to unlock a Samsung Galaxy W smartphone after it got a warrant to examine the phone belonging to a suspected pimp in San Diego. According to Ars Technica, the phone was locked with Android’s “pattern lock,” which involves dragging a finger along an onscreen keypad, rather than specifically punching in a PIN. That seems to have been enough to keep out the feds, who had to get a court order to ask for Google’s help to access the phone.

Four-digit PINs are notoriously insecure, but they’re still the default security mechanism for both payment cards and alternative payment schemes—in part because they can be entered using a POS device, computer keyboard or phone keypad, and in part because they’ve been around for 40 years. The total possible choices for four-digit PINs are 10,000, while the pattern-lock options could top more than 150 million. Considering that smartphone screens and many POS devices can now handle pattern-lock style security, maybe it’s time for a new default. If it’s hard enough to keep out the FBI, it might be good enough to lock a mobile wallet.…

This did more than give this guy his first police record. It set in motion a complicated series of legal problems for Best Buy, along with other retailers trying to sell Wi-Fi-accessible televisions.Read more...

A month after you pitch, writes Retail Columnist Todd Michaud, you're back, and the marketing chief is talking about how your brand needs a new, leading-edge loyalty program. You offer up that there is new technology in place that will enable your brand to create a loyalty system without forcing customers carry another plastic card, tag or smartphone application. Read more...

To be clear, what Shopkick said it did is quite impressive. To what end, though? Are these shoppers who went to the local large mall and simply hit store after store to accumulate the points? The much more meaningful figures would have been sales numbers, to indicate that this rush of manipulated foot traffic did something beyond running to the next store.Read more...

ISIS has faced criticism for being overly vague and unable to articulate any significant differences—let alone advantages—over rivals such as Google Wallet and PayPal. Add the fact that ISIS is the only one of those three that hasn't done a public trial, and the sensitivity of not appearing substantive should be huge.Read more...

Depending on how those unrelated businesses process their card transactions, they will expand the retailer's own PCI scope and risk. If a retailer stores, processes or transmits card transactions for an unrelated third party—and that includes merely allowing that business to use the retailer's LAN and to send payment data through it—that retailer becomes a PCI service provider and it needs to validate its compliance as such.Read more...

But the group has the same hurdles that have weighed down so many industry consortium: potential infighting among the leading players; legal obstacles; the need to build a massive infrastructure, given the intent to shun current networks; and the tech questions, such as whether this new approach will have any better luck at mastering security than today's efforts.Read more...

Apple was issued a U.S. patent on Tuesday (March 6) for an interesting way to deal with the transfer of copyrighted multimedia content from one device to another. Digital rights management security techniques often do a good job of screwing up the music, video, podcast or book so that the transferred file won’t work. Apple’s technique not only permits security while a Wi-Fi connection is available but enables the file to be transferred when no wireless connection exists, because it puts the file in a locked area. It’s then unlocked once a connection is established.

The patent envisions using a device’s NFC to transfer the file and to then alert the copyright holder, so the recipient can be charged. Once the NFC transfer is complete, “a gift file created using DRM keys associated with the giftee’s account may be downloaded to the giftee device. If a network connection is unavailable, the giftee device may transfer a locked gift file and a corresponding gift license to the giftee device using a peer-to-peer connection. The giftee device may authenticate the license and unlock the gift file once a connection to the online provider is available.” Of course, a thief could still trick the app into thinking that the copyright holder had been contacted when no such contact happened.…

Retailers have been trying to get that right for years, using a variety of technologies. But if Neiman Marcus' approach works, it may mean that associates and store managers will have to exercise much more discretion and discipline—and that chains will have to change they way they hire associates.Read more...