Evan Schuman's StorefrontBacktalk

Most of the software packages on the Bad Apps list come from conventional commercial software vendors. If there's a problem with their applications--specifically, if those apps keep sensitive authentication data after a transaction has been authorized--the vendors are usually quick to create a new version or a patch that solves the problem. Result: Only older versions of the software contain the security problem that makes PCI unhappy. And next to the bad version of the app is a note listing the later versions that don't have the problem.Read more...

Visa routinely compiles a list of applications that, it believes, store sensitive authentication data after a payment has been authorized. Many app versions on this "Bad Apps" list are outdated and no longer being sold. But that doesn't mean they are not lying around in hidden corners of quite a few major—and some not-so-major—retail chains.Read more...

This effort replaced an earlier rewards program where cardholders were given 10 percent off, but the savings could only be used for a subsequent shopping trip. In short, when the discounts were cut in half—from 10 percent to five percent—purchases sharply increased. That's how powerful a difference there exists in consumers' minds between "give it to me now" and "give it to me later."Read more...

His advice to retailers: If an application is not on the list, don't even include it in an RFP.Read more...

When it comes to running a restaurant, investing time and money into learning the store's technology can mean the difference between a money-making hit and a bankruptcy-inducing nightmare. Technology plays a critical role in both the front and the back office. Michaud says he is befuddled by the notion that the same operators who clamor for a Limited Time Offer that may bump sales 1 percent won't invest their energy in systems they already own that could easily save them 3 to 5 percent.Read more...

This payment might be made to the handset manufacturer, but more likely it would go toward a pre-arranged credit or debit card. Let's take this approach one step further. Why not buy from Wal-Mart a Wal-Mart phone—or from McDonald's a McDonald's phone—that allows one-click purchases for anything at all? The consumer would then receive a monthly bill with everything itemized. That's one way to get around interchange and to build some wonderfully deep CRM databases—with lots of your rivals' sales—at the same time.Read more...

Microsoft was rather vague about the reason it's backing off ("After a couple of years of trying, we did not see the broad adoption that we had hoped for," blogged Bing Senior VP Yusuf Mehdi), but there has been a compelling suggestion that the program was simply being gamed by clever consumers.Read more...

When someone sends someone else a gift card, why not first send an E-mail alerting the recipient to the card's imminent arrival and have that E-mail include a password to activate the card after it arrives?Read more...

But which of several approaches each chain will use has yet to be determined, according to the CEO of the vendor (Shopkick) providing the software.Read more...

But the next day (June 2), a self-proclaimed hacker was on Canadian television demonstrating once again that both MasterCard and Visa contactless cards can be read with a $10 commercial RFID reader available on eBay.Read more...

The new PTS specs become effective in one year (May 2011). Although you can buy currently validated equipment up until that time, why would you? If you are looking at a terminal (think kiosk, gasoline pump, vending machine) that combines several individual components, you'll want to check each component (including software) against the Council's list, noting version numbers. Walt also suggests getting something in writing from the seller that indicates every component associated with the PED has been assessed by a PCI PTS lab and is compliant.Read more...

On Tuesday (May 25), MasterCard announced it plans to release Open APIs so developers “will be able to create a new wave of E-Commerce and mobile payment applications.” The only problem: Why would it? MasterCard officials spoke of the power of M-Commerce and E-Commerce platforms, but failed to explain why an Open API approach would help. Unlike PayPal and Apple, where developers have expressed strong interest in creating their own apps to sit atop those platforms, there is little such enthusiasm surrounding Visa and, given its smaller marketshare, even less for MasterCard.

It’s hard to look at this MasterCard statement and not envision Mark Twain’s Tom Sawyer whitewashing his fence by tricking every other kid in the neighborhood into doing the hard work for him, while he made the money. Tom gave them the tools and let them finish the job. To paraphrase MasterCard’s current tagline: There are some things money can’t buy. But custom apps and marketshare ain’t among them. Use that plastic and pay for your own development. Don’t see the development community whitewashing your fence for you this time.…

On his site's blog, Hsieh wrote that the current software—which is all homegrown by Zappos—was so complex it was difficult for non-programmers to feed it information. "Unfortunately, the way to input new rules into the current version of our pricing engine requires near-programmer skills to manipulate, and a few symbols were missed in the coding of a new rule, which resulted in items that were sold exclusively on (Zappos partner site) 6pm.com to have a maximum price of $49.95," he wrote.Read more...

The brand was having a somewhat good day in that it learned of the glitch, fixed it and republished the form in less than four hours. That's impressively fast, even in Web time.Read more...

The exact number of retailers in Level 1 was 360 chains in the figures released this week, which is the exact same number that Visa reported last month. Last month's report covered activity through Dec. 31, 2009, and this week's figures are current as of March 31, 2010. Those results suggest that four of last year’s compliant chains no longer are, bringing the number of non-PCI-compliant major chains up to about 18.Read more...

Visa has given ExxonMobil branded retailers an extension from July 1, 2010, until Dec. 31, 2010, to update their EPOS systems. This change is a big part of the perception problem with PCI enforcement. Deadline exceptions need to be rare. But when they happen, they should be announced by the card brands—not via a leaked letter—along with the specific reasons for the extension.Read more...

Conway can imagine a few scenarios, but none seems to be the answer. This issue is important to every retail CIO, so we need to understand what Chip-and-PIN will and won't do, in addition to what the business case, if any, is for the U.S. and other markets to convert from magnetic stripe to Chip-and-PIN cards.Read more...

By early next year—and possibly by this year's holiday season—Wal-Mart will start accepting Chip-and-PIN cards at all U.S. locations, said Jamie Henry, Wal-Mart's director of payment services. Because of the global needs of world's largest retailer—its stores in much of the rest of the world already have Chip-and-PIN—Wal-Mart's POS hardware in the States has supported Chip-and-PIN for years.Read more...

There are days when I think airport security people are present primarily to make retail security people feel better. At least that’s how I felt when I saw this wonderful picture of an actual sign at the Dubbo City Airport in New South Wales, Australia. Yes, it’s a printout declaring the security access code for a restricted gate and, yes, the printout is taped to the gate in question.

A story in the Australian newspaper Daily Telegraph quoted airport Corporate Development Director Megan Dixon saying the access code “was posted on the gate to allow ‘itinerant airport workers who have security clearance to use this gate. We had a security audit last year, which we passed.'” Kind of makes one homesick for PCI, no?…

A Florida shoplifter successfully navigated his way out of a Wal-Mart on Friday (May 21), carrying $145 worth of stolen DVDs, and bolted right to his getaway car with his friend at the wheel. Well, almost. It seems that in the rush, he actually ran—and literally smashed—into a parked unmarked police car.

(Editor’s Note: We cover retail technology and E-Commerce issues. But every so often, we see something so strange that we feel compelled to break the rules. This is one of those times.) A Bay County Sheriff’s Deputy wrote that Damon Demetrius Love, 35, was “running full strength in my direction” out of Wal-Mart. “I first thought he was running toward me for important assistance,” according to The Walton Sun. The paper then quoted the deputy quoting the suspect: “When he saw my headlights at the north end of the parking lot, he thought I was his ‘partner’ and started running towards me.” Moral to the story: If you’re ever trying to steal 16 DVDs from Wal-Mart, make darn certain you know exactly where your getaway car is parked.…

As retailers evaluate practical ways to use mobile payments in-store, they have a new pioneer ally: Holiday Inn. The hotel chain is trialing a program at two Holiday Inns—in Chicago and Houston—where visitors are allowed to use their own smartphones to open their rooms. Hotel guests go to the Web and download an app the chain calls Open Ways. “Guests ultimately will call up the confirmation E-mail on their smartphone and hold it up to a sensor on the door to unlock it,” a USA Today story said.

The advantages are the elimination of going to the front desk to pick up and return the key, plus the convenience of not having to carry anything else. This trial could be key—pun not intended—to helping retailers eventually use the smartphones for authentication and payment. The more consumers get used to the idea of phones for authentication, but not necessarily for payment (door access at a hotel, to borrow books at the local library, to access a private gym, to pick up a package at the Post Office, etc.), the easier it will be to get them to use the phones for payment.…

One card reader vendor, MagTek, is taking that digital fingerprint approach and making it a little easier, using 2010 technology. But instead of grabbing the card at its birth—something that Fifth Third didn't even try to do—MagTek is simply capturing the card the first time the vendor sees it as one of its POS stations. But it waits three months to make up its mind if the card is legit. Read more...

In this week's PCI column, Walter Conway makes an eloquent argument that chains must take special care to protect their data when changing processors. But Walt only briefly touches on the responsibility issues involving those processors. In PCI Requirement 12.8, the PCI powers-that-be mandate that the retailer properly manage the service provider, but they don't say what happens if the service provider does something wrong anyway.Read more...

"As far as we are concerned, signature is a waste of time. It has to be PIN or nothing," Jamie Henry, Wal-Mart's director of payment services, told attendees of a panel discussion held Wednesday at a Smart Card Alliance event in Scottsdale, Ariz.Read more...

Are you still responsible under PCI Requirement 12.8 for managing a service provider when you no longer have a relationship with that provider but it still has your data? Aside from PCI considerations, if a service provider--think tokenization vendor or loyalty program manager—simply goes out of business, how will you get your data back? Read more...