Evan Schuman's StorefrontBacktalk

But if Wi-Fi becomes popular, its in-store speeds could quickly slow to 9,600-baud analog modem level. Indeed, if Wi-Fi becomes popular, it could quickly become very unpopular. Customers will be annoyed because their smartphones won't work well. And Wal-Mart won't be happy because none of those annoyed customers will buy an Internet TV that looks lousy when it's demonstrated.Read more...

The study also points to an interesting project by the Electronic Freedom Foundation (EFF) called Panopticlick, which tries to uniquely identify a user through information the Web browser can't hide, such as screen resolution, plug-ins, time zone and fonts. The EFF claims it can use that information to identify a browser returning to the site 99 percent of the time, even if it's in private mode. Fortunately, that still doesn't expose more information than a cookie.Read more...

Conway wants to make it clear, though, that he does not believe card issuers should be ordered to validate PCI compliance. Rather, he believes issuers should voluntarily validate their compliance. And they should do it for three reasons: It is smart; it probably won't be that difficult; and, most importantly, it is the right thing to do. Read more...

But, argues Franchisee Columnist Todd Michaud, this situation gets even more challenging because the person who had the implementation role before you could have stacked the deck against you. It is much easier to say "yes" to a request for something different than it is to say "no." In most cases, these requests will genuinely move the business in the right direction. But that's a double whammy: It means your predecessor may have created a field of variance landmines that you must painfully discover on your own.Read more...

Among the more fascinating tidbits to come out of the Black Hat/Defcon show in Las Vegas last week was a demonstration that an RFID tag could be read from 217 feet away. The tester used two large antennas and ham radio equipment, reported Dark Reading

But retailers have been discovering the ability to monitor RFID at very long distances for years. That’s the irony of RFID. How can something with such low read-rates at a distance of two inches—when you absolutely need it to be read—also be readable by a corporate spy across the parking lot? Admit it: Technology (and cats, by the way) not so secretly wants us all to fail.…

Will they eventually have to turn to a whole new class of outsourcers who do nothing but check up on the big outsourced teams? And who will watch those watchers?

Or is this an overreaction to a disastrous but highly unusual event? A wholesale failure like the American Eagle debacle is big news because it's so rare. Datacenter disasters happen. There's no way to bring the risk to zero. And beyond making sure good practices are being followed, returns diminish quickly--you can suddenly find you're spending a lot of money to prevent something that almost never happens.Read more...

PCI guidelines and a whole slew of privacy laws are based on the assumption that a retailer might do something bad to expose payment-card data to a thief. A retailer's logical response in a case like this: "I didn't do it. The phone's operating system did." But that defense might not hold up if the retailer was aware of the problem and did nothing to avoid it. Further complicating the situation is the fact that there are ways to keep sensitive information out of the keyboard cache. Apple, however, is likely to bounce any app from its iTunes Store that uses such a workaround.Read more...

Please don't get me wrong. Mobile payment is a huge issue and some major players will need to jump in, but retail is the key. More precisely, retailers are the key. The issue of mobile payments comes down to sharing revenue, and it will require lots of trust. Now there's a word not typically associated with AT&T. Asking retailers "Who do you trust more, Visa or AT&T?" is like giving parents of 3-year-old twins a babysitting choice of Jeffrey Dahmer, Idi Amin or Osama bin Laden.Read more...

The app itself—which is also due to be released shortly by Macy's, among other chains—comes from a vendor called Shopkick. Its approach involves devices in the store broadcasting a constant audible signal announcing that store's identification number, but nothing else. That sound—theoretically undetectable by humans—would be picked up by any mobile phones in the store, assuming those phones have the Best Buy mobile app launched.Read more...

The latest PCI-DSS compliance stats for the U.S. released by Visa on Monday (August 2) show a tiny increase in the compliance rate for Level 1 retailers since the last report, from 95 percent to 96 percent. The increase, though, may be a statistical anomaly: The number of merchants in that category dropped from 360–where it had been for the last two reports–down to 358. If one of those retailers was non-compliant, that might explain the difference right there.

Level 2 also saw a one-percent increase, from 94 percent–where that group had been for the last couple of reports–to 95 percent. The compliance stats for Levels 3 and 4 were again not reported, beyond the vague level of “moderate.”…

Your backup systems then unintentionally spread cardholder data to locations you don't suspect and expand your PCI scope in the process, pens PCI Columnist Walt Conway. Should you be concerned? Walt thinks you should be, and he's not the only one--the PCI Council thinks retailers might have a problem, too.Read more...

The initial problem was pretty much along the lines of what StorefrontBacktalk reported on Thursday (July 29), which was a series of server failures. But the problems with two of the biggest names in retail tech--IBM and Oracle--are what made this situation balloon into a nightmare.Read more...

The reality is that Wal-Mart's gradual deployment makes a lot of sense. The media-repeated cries of privacy invasion are simply silly, based on ludicrously unrealistic assumptions of how easy this data would be to access, assuming anyone had any reason to even try. The most interesting part of the rollout, though, is the tag disposal question.Read more...

That Requirement is 12.8.2, which states that merchants need to "maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess." Some disappointing service providers seem to treat this requirement as an annoying inconvenience. They either pretend it does not exist or isn't their problem. The result is that you, the retailer, are caught in the lurch. Read more...

We are at the dawn of an age where great companies will figure out how to successfully combine operational, marketing, customer service and social media data sources into systems and tools that enable the business. These firms need to clearly define their Information Supply Chain. Companies that don't figure it out will be left out in the cold.Read more...

Wireless security is broken—again. And this time, it’s WPA2, the WiFi security protocol that meets PCI-DSS requirements. Attendees at next week’s Black Hat and Defcon security conferences in Las Vegas will hear how it’s practical to break into a WPA2-encrypted network without brute-force encryption cracking. The only requirement: The attacker must be an authorized user of the network. According to the researchers from AirTight Networks who unearthed the problem, a malicious insider can simply send spoofed packets encrypted using the shared group key directly to other users on the WiFi network, tricking them into redirecting their data to the insider.

Unfortunately, that makes the “Hole196” attack —named for the page where the vulnerability is specified in the IEEE 802.11 standard—difficult to detect and almost impossible to defend against. In fact, the researchers don’t have a fix for WPA2 —and they don’t believe there is one. The only defense may be to start layering other security measures, such as VPNs, under the WiFi protocol. That’s fine for laptops running WiFi. But it’s likely to be a challenge to implement on scanners, card readers and other wireless devices that retailers commonly use.…

The problem is easy enough to fall into, which is the real issue. The nature of the certificates forces them to have strict expiration dates, which means that a 2- or 3-year-old certificate is likely to expire on the watch of someone other than the person who initially arranged for it.Read more...

The frustration for other retailers trying to avoid Sears' fate is that technology can only go so far and that without extraordinary vigilance, pricing errors are almost unavoidable. A relatively tiny number of chains in the U.S. have toyed with electronic shelf label (ESL) packages—including TJX, Wal-Mart, Albertson's, BJ's Wholesale, Costco, Kohl's, Pathmark, A&P, Whole Foods, Waldbaum and Kmart itself—but few have been deployed in a meaningful way.Read more...

The idea, which isn't especially new in security circles, has LEN rewriting "the data on a valid mag-stripe whenever a customer completes a transaction," thereby making cloned card attempts somewhat pointless.Read more...

To date, Michaud has not received three answers in a row that match.He encourages StorefrontBacktalk readers to play his game at home. Find a few different QSAs and ask them some tough questions. Here are some fun ones to get you started.Read more...

Or requiring these merchants to have vulnerability scans to prevent the bad guys from hijacking their customers. Or how about addressing mail order/telephone order (MOTO) transactions and requiring that you cannot do MOTO and still qualify for SAQ A. Read more...

Now the state of Colorado is warning that its official business-registration records are being changed by crooks who then use the forged data to get lines of credit and steal from other businesses.Read more...

"I guess I could be diplomatic and say these vendors just don't understand what PCI requires, but it is a bit late for that. PCI has been in effect for several years, so ignorance is no longer an excuse. That train has left the station," he penned. "Any vendor that can't properly describe how its application or service will impact a merchant's PCI scope or compliance is--in this QSA's opinion--simply not telling the truth." Do we have examples? Oh, yes!Read more...

This is an unusual twist in the ongoing saga of Visa versus the retailers. Merchant groups for years have begged for retailers to not be forced to retain PAN data and Visa typically has responded, "We don't require that." But Visa has now, for the first time publicly, conceded that many acquirers have indeed been requiring such data.Read more...

The majority of credit card breaches in 2009 were with Level 4 Merchants (under a million Visa transactions). Very few of these small merchants understand PCI compliance. Even fewer are actually compliant. Only a handful of small merchants are actually secure (at least relatively). Everyone in the payments ecosystem knows it is a huge problem, the 800-pound gorilla in the room. But no one has an answer. Read more...