Evan Schuman's StorefrontBacktalk

Even Visa late last year reclassified franchises for PCI purposes, bowing to the new realities. The issue behind almost all of these incidents is the struggle around who gets to decide IT moves within a franchisee operation.Read more...

Remember Firesheep, the free program that showed up last October and made it easy for almost anyone to hijack the Web browsing of other people using public Wi-Fi to visit social networks and popular Web sites? It turns out that YouTube didn’t forget. Since February, the video-clip site has been quietly adding Secure HTTP to its pages (so YouTube’s URLs begin with https: instead of http:), and at this point almost the entire site appears to be hijack-proof—at least by tools such as Firesheep.

Today, most online retailers just use Secure HTTP when customers are logging into their accounts; conventional wisdom is that the overhead of https (encryption, special session management and other compute-gobbling elements) is just too costly for an entire E-Commerce site. But it may be time to rethink that. If YouTube can handle that security workload, there’s a good chance it’s not outside the reach of major retailers. Or think of it another way: If your customers come to understand that they can watch funny-kitten videos securely on YouTube, how unhappy will they be to learn that they can’t have the same privacy and security in your online store?…

When Square simultaneously accepted a hefty Visa investment and then reversed course to match Visa’s position last week, many observers were trying to make sense of the move. What made Square so attractive to Visa? One industry observer—longtime payments power-player John B. Frank—has an interesting, albeit non-traditional, take. He argues that Visa’s affection for Square has little to do with Square and everything to do with Twitter. Indeed, Frank’s argument is that it was all about Jack Dorsey (Twitter Founder/Executive Chairman and Square Founder/CEO) and his ability to make Twitter deals happen.

“Shout out to Verifone: If it makes you feel any better, I’ve got a feeling, that Visa isn’t as interested in Square as they are in Twitter’s 200 million base,” Frank penned. “If Goliath was going to invest in David, why not a David with a PCI-certified personal POS? It’s because David isn’t really David after all. David is Goliath. Square is Jack Dorsey and Jack Dorsey is again Twitter. It’s all about P2P (person-to-person money movement) and this is Visa making a brilliant P2P investment/move.” Not so sure I buy into this very original theory, because I don’t see Visa connecting the dots with Twitter that aggressively—yet. Still, if it’s wacky and conspiratorial and it involves Silicon Valley today, well, it’s hardly wise to rule it out.…

Details of the attack were spelled out by Sony executives at a Tokyo news conference on May 1 and in written testimony to a U.S. Congressional committee on Wednesday (May 4). As with most attacks, plenty of things went wrong to give thieves their opportunity. But the timeline makes two things very clear: Sony's online store provided the opening that allowed thieves collect huge quantities of personal information on customers—including names, addresses, birth dates and E-mail accounts—and the attack depended on an unpatched hole in the E-Commerce system.Read more...

Best Buy won't say who the vendor is (except that it's not Epsilon or Best Buy's current lead E-mail marketing provider, ExactTarget), how many customers were exposed in the breach or how long ago the vendor was fired—just that the chain is taking legal action. But the situation is one that should make every retailer nervous. It's almost impossible to know for sure that an outside vendor has destroyed all copies of customer data once a business relationship ends. After all, that's extra work to put in for a client who's not going to be paying for it.Read more...

Word of advice to any retailer that is publicly dealing with a more-than-100-million-account breach: Be awfully conservative in using the phrase "of course." Limit it to sentences such as "Of course we'll refund your money" and "Of course we'll pay for your credit monitoring and your time in dealing with our mess" and "Of course we're idiots who you should spit upon." If you feel the desire to say "of course" to modify that you had "a very sophisticated security system," you need to pop another Valium and write a new draft.Read more...

Diapers.com, which is part of the Quidsi group acquired by Amazon last month, borrowed the offline buying technique from SMS. The mobile app enables the consumer to shop without a signal, although it won't complete the transaction until a signal is reestablished. It gets darn close, though, with a Diapers.com exec estimating that the "completion" will take 5 to 7 seconds—long enough for a password to be typed and two clicks. But there is a major downside, at least for now: The customer's offline shopping can't go beyond choosing previously purchased products.Read more...

PCI is impervious to silver bullets of any kind. There are a few things every retailer needs to understand about both EMV and PCI before jumping on this particular bandwagon. Conway crafts a little thought experiment that assumes, as was suggested, that EMV becomes the "metric system" equivalent for payment cards. That means Chip-and-PIN—like a shift to the metric system—replaces all previous card and cardholder authentication methods. My EMV metric system card has no signature panel, no magnetic stripe. And the PAN is printed, not embossed, on the front of the card. Does PCI go away? Conway suggests it does not.Read more...

"If we can envision a world where magstripe doesn't exist, Chip-and-PIN would virtually eliminate all counterfeit, lost and stolen fraud as well as almost 99 percent of PCI costs," said Mike Cook, Wal-Mart's VP and assistant treasurer. "So you no longer have to have your database encrypted. You no longer need to have the secure lines. You're no longer storing data that could be used by somebody else. The PCI costs become significant cost savings."Read more...

Square, the well-funded startup that found itself on the winning end of a pissing context with VeriFone last month, because it refused to encrypt mobile payment transactions, has now reversed course and embraced such encryption. It switched course on Wednesday (April 27), which by remarkable coincidence is the same day it announced that encryption aficionado Visa had made an unspecified investment in Square.

Sam Quigley, a Square manager with the title Security Lead, casually responded to a question at a Visa conference that Square will be distributing—for free, mind you—an encrypting card reader this summer for its mobile-phone-payment users. This is an amusing turn of events. Last month, VeriFone was deluged with no shortage of bad blood for having demanded that Square either encrypt transactions or risk destroying the solar system. Square said no such system was necessary. I guess a month—and Visa dollars—has a way of changing one’s perspective. And, I guess VeriFone ended up winning this battle, in that Square did what it asked the company to do. But it wasn’t what VeriFone wanted Square to do. VeriFone didn’t want the victory; it wanted the battle. By embracing encryption, VeriFone’s fears have become quite real.…

The end of PCI as we know it has implications for merchants and their QSAs. For one thing, QSAs will need to be more than just assessors. That is, in Walt's opinion, more merchants will expect their QSAs to be partners in achieving and maintaining compliance. Such a partnership includes addressing the full range of security and risk issues that affect the business. As a result, QSAs will need to know a lot more about the payment-card business and the merchant's own business than any amount of PCI Council training can provide. Read more...

Automation is always about cutting out human labor, but just piling it on without fully integrating it into a store's operation is bound to generate problems—in this case, potentially huge problems. No one actually backed up a truck to haul away everything in the store. But that depended on the goodwill and honesty of customers, which is not something any chain can count on.Read more...

Two months after being demoted in Google’s search results amid accusations of link farming, Overstock.com said on Monday (April 25) that Google has lifted the penalty. “We understand Google’s position, and we have made changes to remain clearly within their guidelines,” Overstock CEO Patrick Byrne said. In fact, that’s all he said—Overstock won’t explain whether the problem really was links from a discount program aimed at universities, as was widely reported, or exactly what Overstock did to make nice with Google again.

Also missing was any word on Tarazz, the shopping Web site in Singapore that Byrne blasted in February for being part of the problem, saying Tarazz had created 3.5 million links to Overstock’s site. Two months ago, Byrne went on at length about how the Tarazz links were unauthorized and stated that Overstock had sent cease-and-desist letters to stop what he called “sabotage.” Now Byrne has clammed up, and Google won’t talk specifics about the case, so we may never know if Tarazz mattered at all. But one thing’s for sure: These days, clicking on the Overstock.com link on the Tarazz site brings up an “Under Maintenance” screen—and nothing else.…

Apple finally responded on Wednesday (April 27) to the howls of outrage over the automatic logging of iPhone users’ locations by their phones with a Q&A explaining what’s going on (Apple anonymizes the data and uses it for location services) and promising that within a few weeks the iPhone will get an update that limits how much location data is stored. But Apple being Apple, the vendor still couldn’t admit that it was doing what it clearly has been doing.

Case in point: “Why is my iPhone logging my location?” Apple’s answer: “The iPhone is not logging your location. Rather, it’s maintaining a database of Wi-Fi hotspots and cell towers around your current location, some of which may be located more than one hundred miles away from your iPhone, to help your iPhone rapidly and accurately calculate its location when requested.” Translation from Applespeak: “The iPhone is not logging your location. Rather, it’s logging the location of everything around you, like hotspots and cell towers, so we know where those things are. Why do you think this is all about you, you self-absorbed jerk? Oh, wait—you’re an Apple customer. Never mind.”…

The trial starts by giving the consumer a small reader that plugs into the machine's USB slot, said Thom Hounsell, product manager at SecureKey, the Canadian firm handling the trials with Visa. That reader establishes "a secure channel from the terminal directly to Visa," SecureCard CEO Greg Wolfond told attendees at the Visa event.Read more...

Actually, Sony's response to the breach was half right. As soon as it learned it had been attacked, Sony took down the game network, so thieves couldn't use stolen passwords and the company's forensics people could search for evidence uninterrupted. What Sony got wrong was waiting a week before announcing the breach and issuing the payment-card warning. In fact, Sony could have given its customers a heads-up almost immediately—and without making a public announcement.Read more...

As retailers struggle with geolocation, it turns out that Apple has already done the heavy lifting when it comes to iPhone users. On Wednesday (April 20), two U.K. researchers announced that they found an unencrypted iPhone database that records the user’s location (by latitude and longitude) as many as 100 times each day, based on cell towers, in addition to IP addresses of Wi-Fi access points the phone has connected to and data from geofencing applications. The downside: Some data is wildly inaccurate, and Apple isn’t saying why it’s being stored for as long as a year.

Of course, if there’s a way to create potential privacy problems, Apple will find it—from preserving every iPhone keystroke to recording the user’s heartbeat and guessing the user’s mode of transportation. Unfortunately, because Apple hasn’t explained why this location data is being kept (dating back to whenever iOS 4 was installed on the phone), retailers can’t count on the data being available for anything useful. But maybe Apple just likes keeping track of where its users have been—and always with their best interest at heart. If it was anyone else, this would sound like stalking.…

The real difference in time—and there truly is one—has nothing to do with IT, authentication or any other technological issue. It's the practical reality that shoppers tend to keep credit and debit cards buried deep within their wallet/pocketbook, whereas they tend to either have their mobile phone in their hand or in a convenient outer pocket, easily within Bluetooth range. That extends the debate from whether a swipe or a wave is faster to whether the entire mobile payment process is easier and faster because of how people use mobile phones.Read more...

Some examples from the report: "Mary is tired of remembering dozens of usernames and passwords, so she obtains a digital credential from her Internet service provider that is stored on a smartcard." So anyone who steals (or clones) her smartcard can now do all of those things pretending to be her? Yeah, that's a hugeimprovement. Not for Mary but for any cyberthief.Read more...

Case in point: JCPenney. "If we could figure out our rewards customers, it'd be a big win," said CIO Ed Robben. "If I want to be more personalized, I've got to know you're there. You're either checking in with us as you come in, or we're sensing you as you come into a store and are able to react to that. Most everybody's going to have GSM and 3G turned on. They may not have their Wi-Fi turned on. I just don't know that that's reliable enough for where we'd want to detect the customer."Read more...

That disconnect between what developers built and what customers expected would have been unthinkable as recently as five years ago, when JCPenney's strategy was to use its Web site to drive customers to stores. But when a skunkworks team began work on the kiosk in the summer of 2009, the goal was to flip that, so in-store customers who couldn't find exactly what they needed could check the expanded assortment online—in Robben's words, "to extend the aisle to the online assortment."Read more...

Of course, testing RFID on just a few items means it's useless at checkout time—unless everything has a tag, you still need scanners for the items that don't. But it also means instead of trying to speed checkout, RFID is only being used to keep shelves stocked in specific categories of goods. By dumping the end-to-end goal, it may be possible to get more real leverage out of RFID—and keep the cost and supplier headaches down, too.Read more...

"The RFID antenna can be placed in the touch sensor panel, such that the touch sensor panel can now additionally function as an RFID transponder. No separate space-consuming RFID antenna is necessary. In one embodiment, loops (single or multiple) forming the loop antenna of the RFID circuit (for either reader or tag applications) can be formed from metal on the same layer as metal traces formed in the borders of a substrate," the filing said before describing its potential uses.Read more...

When the Epsilon E-mail database nightmare exploded earlier this month, the most comforting thought offered by many was that it was only E-mail addresses. Therefore, the comforting thought continued, the worst outcome would merely be an increase in SPAM. Not that many bought that line even initially, but one of the latest breach victims—GlaxoSmithKline—put that theory to rest.

The medical substance giant pointed out to its customers that their E-mail addresses were stored in such a way as to indicate which sites they visited. That could easily reveal the disease that was afflicting most of those visitors. This reminds us that the combination of an E-mail address and a visited domain can reveal quite a bit. What about Victoria’s Secret’s visitors? Or the list from 1-800-Flowers, from the perspective of a bride who knows that she certainly hasn’t received any flowers recently? Or any other specialty domain? Just a thought the next time someone casually mentions that Epsilon was just an E-mail list breach.…

When Best Buy announced to the world that it—along with many other chains—had exposed some of its customer E-mail addresses by retaining Epsilon, it did so in the traditional proper fashion. But when Best Buy sent an E-mail advisory to its customers, someone at Best Buy thought that adding a commercial in the middle of the breach notice was a good idea.

In the middle of Best Buy’s advisory to customers, someone added a plug for the Geek Squad in the letter signed by Best Buy Chief Marketing Officer Barry Judge. “As our experts at Geek Squad would tell you, be very cautious when opening links or attachments from unknown senders,” the letter said. This tactic raises two issues. First, is the middle of a somber breach notification really where you want a backup group to start humming your jingle? Second, as you are pointing out a major privacy disaster, is this the best time to remind people that you own Geek Squad? Isn’t that like offering children safety tips for Halloween and using those tips to announce you’ve hired John Wayne Gacy as head of security?…