advertisement

Top Stories

advertisement

Security / Fraud

Are Your Stores Worth Stealing From?

February 29th, 2008
Guest Columnist David Taylor questions how seriously most retailers take store-level security. At least that's a logical conclusion given the number of retailers that have passed PCI assessments without the assessors ever having visited any stores.

There are many causes for this, but jurisdiction is a big part. Some retailers have had Loss Prevention take on store-level PCI compliance as part of their regular audits, but most LP departments have very limited IT skill sets, so this rarely works. At other retailers, PCI is managed out of the IT department, and we all know how much IT people like going into "the field," so that rarely works, either. In still other cases, there's a separate Compliance function that owns SOX and PCI, HIPAA. Most of these people are lawyers or "wannabe lawyers" who rarely show up at meetings let alone visit the stores. Read more...

Posted in Payment Systems, Security/Fraud | Comments Off on Are Your Stores Worth Stealing From?
advertisement

How Fast Is Fast Enough For Encryption?

February 29th, 2008
There's a very wise business adage that instructs customers to not judge a vendor by the mistakes that it makes nearly as much as by how it deals with mistakes once it makes them.

Last week, StorefrontBacktalk ran a story chastising a security vendor, Shift4, for having issued a news release that said retailers using its products wouldn't have to worry about PCI requirements because they would be excluded. The vendor on Monday issued a news release, apologizing for the earlier one and corrected the record. But the core question--about it's encryption approach--still stands. Read more...

Posted in IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, Security/Fraud | Comments Off on How Fast Is Fast Enough For Encryption?
advertisement

Princeton Deep-Freezes RAM To Sidestep Encryption

February 27th, 2008

My favorite aspect of writing about security is that software designers work so hard to craft sophisticated, multi-level strategies to protect data, which is then periodically sidestepped by some kid with $18 worth of equipment, engaging in an easy blunt force attack that no one anticipated.

Case in point: Some clever folk at Princeton came up with this delicious and low-cost way around typical encryption methods. It’s based on RAM chip’s tendency to keep all data–including encryption keys–for seconds or even minutes after power is cut off. The Princeton approach then used a common dust removal aerosol can to deep-freeze the chip before killing power, a cooling tactic that sharply lengthy how long the RAM remembered the desired key data. From there, simple pattern recognition software quickly found the keys. This Princeton video demo is worth watching.…

Posted in Security/Fraud | 3 Comments »
advertisement

Pakistani Error Knocks Out Global YouTube Traffic

February 26th, 2008
With so many companies today relying on the Internet as the guts of their communication strategy--a reliance that is only getting more intense as VoIP deployments soar--another Internet vulnerability came to light this week, when a Pakistani telecom firm unintentionally blocked some two-thirds of the world's access to YouTube.

This move comes on top of an incident earlier this month when an undersea cable was cut near Dubai, also wreaking havoc with global Internet traffic. Are more robust safeguards needed? Is these kinds of disruptions can be happen so easily by accidents, how vulnerable would they be to deliberate terrorist efforts? Read more...

Posted in E-Commerce, IT Strategy/Industry, Security/Fraud, Software | Comments Off on Pakistani Error Knocks Out Global YouTube Traffic
advertisement

Kenya Goat Traders And Their Bank-Less Mobile Payments

February 25th, 2008

The stops and starts of mobile commerce in the U.S. has been well reported, along with the fact that many parts of Europe and Asia are well ahead of us. But here is a fascinating CNN report out of Kenya that details mobile-commerce efforts among–so help me–goat traders.

No, we’re not talking about Wall Street sorts, as in oil traders. We’re talking people working the fields selling and buying goats, where all funds quickly get converted into virtual dollars. There are no bank accounts nor credit cards behind these transactions. It goes from cash to mobile. …

Posted in E-Commerce, Payment Systems, Security/Fraud | Comments Off on Kenya Goat Traders And Their Bank-Less Mobile Payments

Euro Retailers May Be Forced To Deactivate RFID At POS

February 24th, 2008

RFID-tagged products will have to be deactivated at the POS throughout Europe, if draft guidelines proposed this month by the European Commission are approved.

A public consultation is being launched into the “soft law” guidelines that EU Information Society and Media Commissioner Viviane Reding hopes will be adopted by the European Union executive to be applied in all the bloc’s 27 member states, according to this Reuters story. The guidelines are “tentaitively scheduled to be adopted before the summer of 2008,” the Commission said in a statement.…

Posted in Mobile/Wireless/Contactless, Payment Systems, RFID, Security/Fraud | Comments Off on Euro Retailers May Be Forced To Deactivate RFID At POS

More PCI Deception. Won’t Vendors Ever Learn?

February 22nd, 2008
A PCI security software vendor issued a statement this week that retailers could avoid PCI's requirement if it adopted a token approach the vendor was selling. The claim would have been even better if it were true.

The token approach is hardly new and it simply replaces a credit card number with a token that acts as the number throughout the payment approval cycle. It's fair to say that such a method—in theory—would reduce the risks of card transactions by shrinking the window of vulnerability. But it's hardly fullproof protection and as long as retailers accept credit card payments, they are almost certainly under the PCI jurisdiction. That didn't stop Shift4 on Wednesday from issuing a statement that "merchants concerned about PCI DSS compliance have an option that enables them to avoid its burdensome requirements." Read more...

Posted in Payment Systems, Security/Fraud | 10 Comments »

Update: Credit Card Receipt Truncation Environment Changing

February 22nd, 2008
Ever since federal rules went into effect January 2007 that prohibited credit card receipts from displaying expiration dates or the last several digits of a credit/debit card number, a lengthy list of retailers have been sued for violating the act, including Apple, Rite Aid, Harry & David, Ikea, KB Toys, Disney, Regal Cinemas and AMC Theaters.

But a recent court ruling and some congressional legislation threaten to change the rules retroactively. Read more...

Posted in Payment Systems, Security/Fraud | Comments Off on Update: Credit Card Receipt Truncation Environment Changing

Contactless Cards Proving To Be More Paymentless Than Contactless

February 22nd, 2008
Contactless cards—which have been pushing accelerated checkout as both a consumer and retail benefit—are running into isolated problems with both. I've been trying to disprove these concerns and have been failing miserably.

Taking some cabs in New York City this month, I was thrilled to see the contactless devices in the backseat, only to be told by three different cabbies to not use them because customers were complaining about getting double-billed. This week, visiting three different grocery chains in New Jersey, tried unsuccessfully to use my contactless card there. The first time, a cashier looked at me as I asked about using my contactless card.Read more...

Posted in Mobile/Wireless/Contactless, Payment Systems, Security/Fraud | 2 Comments »

Insurance Company Reimburses TJX Almost $19 Million For Data Breach

February 22nd, 2008
In the middle of a better-than-expected earnings report from TJX on Wednesday, the retailer whose databreach of 100 million cards was the worst in credit card history reported that it was paid somewhat less than $19 million by its insurance company.

Referring to $178 million the chain had set aside to deal with data-breach-related costs, TJX said that on Jan. 26, 2008, "TJX reduced the reserve by $19 million, primarily due to insurance proceeds with respect to the computer intrusion, which had not previously been reflected in the reserve, as well as a reduction in estimated legal and other fees as the Company has continued to resolve outstanding disputes, litigation and investigations." Read more...

Posted in Payment Systems, Security/Fraud | Comments Off on Insurance Company Reimburses TJX Almost $19 Million For Data Breach

Your Partner’s Security: A Weakest Link Scenario

February 22nd, 2008
Many specialty retailers face an identical problem: Their corporate location and all or most of the fully owned stores have achieved PCI compliance, but they have hundreds of other franchisees and independent retailers, which carry their brand and are often not compliant.

The reasons are many, but a frequent issue is that the chains are not able to get close enough to these independent or affiliated stores to accurately determine whether a breach at one of these stores could compromise the corporate network and data assets. Perhaps worse, they believe that any breach of such stores, whether or not corporate data is compromised, will cause corporate brand damage. Read more...

Posted in Payment Systems, Security/Fraud | Comments Off on Your Partner’s Security: A Weakest Link Scenario

How Static Is Your Data?

February 14th, 2008
In part 2 of guest columnist David Taylor's look at tokenization, we look at why the major retailers are the most quick to dismiss tokens are often the same ones to need it most.

Nearly one-third of merchants dismiss the concept of tokenization because they consider their environment to be too complex, with card data in so many places. But a related reason for the quick dismissal is they see their card data as very "dynamic" — being used by many different applications and service providers. Read more...

Posted in Payment Systems, Security/Fraud | Comments Off on How Static Is Your Data?

PCI: It’s Not Just For Payment Anymore

February 14th, 2008
As retail CFOs begrudgingly approve extensive dollars to help with PCI accreditation efforts—even though many IT departments are using those dollars for projects that primarily have little to do with security—many are discovering that a program designed to protect payment data will also do a fine job at protecting almost any other kind of data.

With CRM systems trying to interact with Web analytics, mobile databases, purchase and returns histories and tons of other non-payment databases, the amount of non-credit-card data that is at risk easily dwarfs Visa transactions. Read more...

Posted in E-Commerce, IT Strategy/Industry, Payment Systems, Security/Fraud | Comments Off on PCI: It’s Not Just For Payment Anymore

The Librarian Wins In The Data Breach David Vs. Goliath Battle

February 14th, 2008
A Florida librarian—whose confidential data was apparently accessed in a databreach involving Wells-Fargo and Sprint Nextel—won his lawsuit against the two giants on Tuesday, when neither company bothered to send anyone to represent them at the hearing. Given that the consumer hadn't sustained any financial losses, he was only seeking $597 so the court order was for the two firms to pay $756.80.

Although that amount might seem trivial, the librarian initially argued that it was likely more than most consumers who filed class-action lawsuits ever received (after attorney fees are paid) and it would be received much more quickly.Read more...

Posted in IT Strategy/Industry, Payment Systems, Security/Fraud | 10 Comments »

Full Text FBI/U.S. Secret Service Statement Of Feb. 12, 2009

February 13th, 2008
Full Text FBI/U.S. Secret Service Statement Of Feb. 12, 2009Read more...
Posted in Security/Fraud | Comments Off on Full Text FBI/U.S. Secret Service Statement Of Feb. 12, 2009

The Data Dilemma: Productivity Vs. Protection

February 8th, 2008
These days, retail's data breach du jour is some manager's laptop getting stolen.

Breach letters are being sent out so frequently that I wonder if it's going to pique the business interests of Hallmark. A card for every occasion, when you care enough to breach the very best. Perhaps a merger with their Get Well cards? "Sorry to hear that you're not getting around these days.... [open card] .... but your CVV sure as heck is. Call 1-800-DATA-OOPS for your free year of credit monitoring, courtesy of your neighborhood retail chain." Read more...

Posted in CRM, E-Commerce, IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, RFID, Security/Fraud | 1 Comment »

PCI Vendor Survival Strategy: Shift From Fear To Greed

February 8th, 2008
In very early January, residents of New Hampshire couldn't pull out of their driveways without running into a presidential candidate. That's how it is today with retail IT executives and vendors selling PCI compliance packages.

But, for better or for worse, that's not a long-term situation. Like the presidential candidates who had to fly South for the winter (or fly the coop entirely), these compliance salesfolk have a limited lifespan. Within the next year or so, retailers are going to shift from trying to become PCI compliant to having to maintain PCI compliance. Read more...

Posted in CRM, IT Strategy/Industry, Mobile/Wireless/Contactless, Payment Systems, RFID, Security/Fraud | Comments Off on PCI Vendor Survival Strategy: Shift From Fear To Greed

PCI Council Ditches Outdated 3-Year-Old Self-Assessment Forms

February 8th, 2008
In a move applauded by credit card data security consultants, the PCI Security Standards Council on Wednesday dropped a lengthy older document with a series of shorter forms, but only for those retailers who self-assess.

"This is very good news for most retailers who were struggling with the previous questionnaire and PCI process," said Gartner security analyst Avivah Litan. Read more...

Posted in Payment Systems, Security/Fraud | Comments Off on PCI Council Ditches Outdated 3-Year-Old Self-Assessment Forms

Gartner Report: Banks Pushing Consumers To Less-Secure Payment Methods

February 8th, 2008
The major credit card brands—and the banks they work with—do a fine job talking up security when they're at podiums or writing news releases. But when it's a choice between consumer security and lower transaction fees? Faggedaboutit. Fees win out every time.

At least that's one of the core conclusions from a report released Thursday from technology analysis firm Gartner Inc. Read more...

Posted in Mobile/Wireless/Contactless, Payment Systems, RFID, Security/Fraud | Comments Off on Gartner Report: Banks Pushing Consumers To Less-Secure Payment Methods

Tokenization: You Can’t Protect Data You Don’t Have

February 8th, 2008
Guest Columnist David Taylor argues that not enough merchants know about Tokenization — the automated replacement of a credit card number with another (non-sensitive) number at the POS.

The point that these vendors make is that if you don't have the data, then you've outsourced your risk. But Taylor writes that he's always lived by the principle that "you don't outsource risk" because when it comes time to file lawsuits, the merchant will still get named. Read more...

Posted in CRM, IT Strategy/Industry, Payment Systems, Security/Fraud | 1 Comment »

FTC: Don’t Blame Us For Anemic Enforcement. Blame Congress

February 1st, 2008
When we ran a column last week about the FTC's rather lax enforcement efforts against an e-tailer who had engaged in especially blatant data security violations, former and current FTC officials reached out.

Yes, it's never a good idea to ignore E-mails from FTC attorneys. But these folk had some excellent points, most of which amounted to an agreement that the enforcement was lethargic but that Congress is to blame. Read more...

Posted in E-Commerce, IT Strategy/Industry, Payment Systems, Security/Fraud | Comments Off on FTC: Don’t Blame Us For Anemic Enforcement. Blame Congress

Guest View: The Ultimate Security Conundrum

January 31st, 2008
Most merchants are so focused on protecting credit card and social security numbers that they forget the very process of securing their environment creates a risk. All of the alerts and log data from all of the various network, application and database monitoring tools must be promptly reviewed and acted upon.

When these alerts and log files are allowed to "sit around" without being processed, the data and the lack of action become "evidence" that could be used to show negligence, in the event of a breach. Read more...

Posted in Payment Systems, Security/Fraud | 1 Comment »

EBay Paying $169 Million Cash For Israeli Online Risk Tool Vendor

January 29th, 2008

EBay’s PayPal confirmed Monday that it is paying $169 million in cash to buy an Israeli online risk tool vendor.

The companies said that “key personnel” from Fraud Sciences Ltd.—including Yossi Barak, Fraud Sciences’ COO, and founders Shvat Shaked and Saar Wilf—will join eBay while “Gadi Maier, Fraud Sciences’ President and CEO, will provide strategic and operational support to the company during the integration period.”…

Posted in E-Commerce, Payment Systems, Security/Fraud | Comments Off on EBay Paying $169 Million Cash For Israeli Online Risk Tool Vendor

Sears Looks To Wal-Mart, Microsoft Talent To Help Online

January 26th, 2008
Sears is tapping talent from Wal-Mart and Microsoft to try and resurrect its online operations Sears is tapping talent from Wal-Mart and Microsoft to try and resurrect its online operations, as it also replaces its CEO with its senior supply-chain executive. That move is because, as the Sears Chairman said in a Monday statement, "We are entering a new phase in Sears' evolution as a multi-channel retailer."

The new interim CEO, Bruce Johnson, came up through the KMart side of the business and he had gone to KMart from French retail empire Carrefour, where he had been director, organization and systems and a member of the management board. Before that, he spent 16 years at Colgate-Palmolive and had worked as a management consultant at Booz Allen & Hamilton and Arthur Andersen & Company.Read more...

Posted in E-Commerce, Security/Fraud, Software | Comments Off on Sears Looks To Wal-Mart, Microsoft Talent To Help Online

Smart Wireless Checkout Running Into Speedbump

January 25th, 2008
A wireless item-level checkout device being trialed by regional grocery chain Stop & Shop is demonstrating the potential—and simultaneously the difficulties--of distributed checkout.

The 389-store grocery chain—employing about 59,000 in Massachusetts, Connecticut, Rhode Island, Maine, New Hampshire, New York and New Jersey—has been running this trial since October at 90 of its stores in Massachusetts, Connecticut and Rhode Island. Read more...

Posted in CRM, Mobile/Wireless/Contactless, Payment Systems, Security/Fraud | 4 Comments »

Newsletters

StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!
advertisement

Most Recent Comments

"Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code." -Marc

Will Warranty Enforcement Be Amazon Marketplace's Achilles' Heel?

Nathan
I buy most of my nerd toys on Amazon and I had never stopped to consider that I may be shooting myself in the foot in terms of warranties. I'll have to make a point of checking the seller's info to confirm they are authorized distributors (at least for high-ticket items). Thanks for the head's up! Read more...

When Replacing NFC, Tech Is Really Not The Issue

A reader
Folk wisdom on the net suggests that if you are given a "free" product, look carefully at the terms because you are no longer the consumer - you are the product. If Google offered free readers to merchants, what would they be getting from those merchants? Data. They would be able to close the loop on when and why customers who research on line buy from a bricks and mortar store. This would enable Google to know retailer price points, which searches are most effective to get those products in front of on line advertisers, and to be able to sell that advice to others. Not every retailer would want to provide such data to their competition. Read more...

Court To Fed: Keep The (Inter)Change

terry
This was an easy way for merchants to effectively directly remove money from a customer’s bank account. The risk of default was low, as was the cost of processing. Merchants had to install new PIN-based POS terminals, but many banks and acquirers helped to subsidize these costs by setting the interchange fees at “par” (no fee) or even reverse fees as a subsidy. Read more...

Walmart Sales Tax Snafu: How Did They Get This So Wrong?

Paula
I've been in the industry for a thousand years and didn't know about these "collection fees". Actually checked with my former boss, a COO of a major multichannel retailer, and neither he nor his CFO knew about it either, even though his company is taking advantage of it in a couple of states. Read more...

PCI's Not-So-Open Global Forum

Marc
I agree with your premise that the PCI SSC needs to do a better job of communicating with POs. I don't agree with your QSAs interpretation of PA-DSS requirements. 4.2.7 is not specific to user accounts with user databases. "4.2 Payment application must provide an audit trail to reconstruct the following events: 4.2.7 Creation and deletion of system-level objects within or by the application." The standard interpretation, in my experience, is that the application must provide an audit trail for system events. Read more...
Stephen Ames, CISA, CISSP
I received confirmation from the PCI Council's director of data security standards that my PA-QSA was not exacly spot on with his guidance. Without getting into too much detail, my application in question is compliant with PA-DSS 4.2 out-of-the-box. I'll be having a conversation with my PA-QSA about this. Read more...

Why Did Gonzales Hackers Like European Cards So Much Better?

David True
I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Marc
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
Biff Matthews
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
Mimi Hart
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
A reader
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Changing Terms of Service? Be Ready For A Class Action Lawsuit

Bernard Regier
Very enlightening article. In regards to policy statements/terms of service, why hasn't Craigslist been sued up the wahoo for not allowing users to cancel their memberships? Of their many uncouth business practices, including complete lack of accountability and doling out strange, arbitrary punishments to out-of-line members(see customerservicescoreboard.com for 8-9 hundred horror stories), disallowing individuals to terminate service seems the most unlawful. I don't know anything about contractual law or online regulations, but If I owned a store, I could refuse or restrict service to anyone or lock them out if necessary; what I CAN'T do is lock them in!Your thoughts? Read more...

Amazon And The Limited May Be Stripped Of Their Brands When It Comes To Vanity Domains

Earl Jaforski
I don't know if you can say this is stripping companies of their brands. If anything, it points to an abject lesson in brand strategy.... beware of the pitfalls of naming your company or product after a river, fruit or something so generic you might come across those who object to your attempt to control or block the use of that word or term. Read more...

eBay Lawsuit Asks: Is An E-Commerce Store Really "A Place Of Public Accommodation"?

A reader
That argument didn't exactly work out for Target. http://en.m.wikipedia.org/wiki/National_Federation_of_the_Blind_v._Target_Corporation But the parties settled, so the law wasn't really tested. Read more...

Major Chain Loses PCI Compliance When Data Center Moves

Joe
A simple data center transition? Ha! Read more...
Preston
"Real world" PCI news is precisely why I keep coming here and I love case studies like this. Please keep 'em coming! Read more...
Michael
I'd like to know... who is the acquiring bank. Read more...
Nathan
"PCI compliance is all in the eyes of the beholder." Well then maybe the beholder had better take off his rose-colored glasses, huh? Read more...
Matt Getzelman
This real-world example demonstrates the complexities of maintaining PCI compliance and the importance of the QSA’s relationship with the merchant. Another lesson learned here is that retailers should work with their QSA throughout the year and develop a trusting relationship, as opposed to communicating only during assessment activities. Read more...
PCI Eagle
I'd like to know what the compensating control was/is so that I can apply that to my flat network to "win out over a non-compliant ROC". Read more...
Crypteron
Many companies are loosing PCI compliance when they move to the cloud. Not because of data center standards but because of not properly securing their sensitive customer data. Read more...

JCPenney, Lord & Taylor and Abercrombie LP Work Together To Catch Thief

Dayton
I agree that it is not in the best interest of the stores to keep him walking freely so he can steal even more. I am glad that stores can work together on this and were able to catch him. It just goes to show you that even if you are rivals, you can still work together and do some good for the community. Read more...
shirley
Most of the major retailers work together on tough ones to catch ... including feds if needed for large crime orgs. Read more...
A reader
When you're talking about measures to reduce theft, every retailer stands alone. As long as the deterrents keep them from taking products off of my shelves, I'm happy. But when it comes to fighting criminals, competing retailers, even bitter rivals, often work together. It's in nobody's best interests to allow a thief to keep walking free. Read more...

Apple Drops Amazon "App Store" Lawsuit, Now That Everyone Knows What The Real App Store Is

Regina Schroeder
You say App Store, I say Appstore. Apple has decided to call the whole thing off, and has dropped its lawsuit against Amazon for infringing on its trademark for its digital software retail distribution service — see how much easier it is to just say app store? Apple’s lawyers have decided that they don’t need a court to tell them that combining “app” and “store” does not make a unique and distinguishable brand, and that it’s a lost cause to keep people from referring to a store that sells apps as an app store. Read more...

QR Codes Are A Terrible Idea. Why Is Image Recognition Even Worse?

Ed Dunn
I doubt the object recognition technology being touted can outperform QR codes. Multiple QR codes can be decoded on a single pass as well as very tolerant capable of reading only 75 percent of a QR code and read QR codes from multiple angles and orientation. QR codes are going nowhere and here to stay. If the designer cannot find a way to incorporate QR codes effectively, then they should find a new career field. Read more...
Yogi Chopra
one of the reasons why image matching technology is not working is because brands are not well-educated about this. also there are no apps that are not only doing the job of recognising the image but also giving some value back to the user. Both QR codes and image recognition can be very effective if the end scan results into some offer, value or promotion...! Read more...

Safeway Self-Checkout Security Hole Illustrates The Importance Of Button Sequence

Robert Porter
It would have been interesting if you took a poll of the attendants before this went public about how many were trained and instructed to watch for this scenario. I wonder what the percentage of "yes, we look for that" vs. "Huh?" answer would have been. The retailer had no real incentive of fixing the problem. The items still get paid for, just by the previous customer. The only risk to the store was for some bad PR if this got out. They were gambling that it wouldn't. And for some length of time (I wonder how long...), it stayed hidden from the general public. Read more...
Evan Schuman
I have to disagree that the retailer had no incentive for fixing this. The revenue is the same, so there's no incentive for letting it happen or continue to happen. This is not merely a PR problem. The shoppers who have to pay double will be furious. Will they blame themselves for not clicking the right button? Of course not. They'll blame the retailer and likely think they were ripping them off. They might even assume that the next shopper paid for their goods, too, so it's really a double-charge. This glitch poses a huge threat to the retailer and offers no benefit. Will the customers who benefit thank the store? Will they appreciate the store? No, they'll likely think that store could just as easily have ripped them off. They'll probably avoid self-checkout, which also undermines the retailer. This is truly bad on so many levels. Read more...
Mandy
I honestly think that customers should be more wary of what is on their self-checkout belt before going to pay. Although, a lot of that can be solved by having better designed kiosks. Read more...

Banks to Retailers: Online Fraud? You’re On Your Own

Jonathan Rosenne
In Israel, such a transaction above $50,000 would require either a phone call from the bank to verify it is genuine or a cryptographic token (dongle). Read more...

Extremely Sad News

Preston
Walt will be greatly missed. He was a nice, approachable guy who made PCI a lot less scary in higher education. Read more...
Omar Iftikhar
Very sad to hear about Walt's passing. I had a chance to attend a couple of his talks and he still is the only one who could get people engaged and interested in PCI issues and make them less daunting without losing the seriousness of the subject matter. His columns on this sites were always very helpful and were frequently used by me to help explain this complex subject matter. Read more...
Evan Schuman
403Labs, Walt's employer for years, has just posted a very nice tribute: http://www.403labs.com/walt. Read more...
Robert Santuci
Walt's wit and wisdom will be missed by all. My deepest sympathies to his family & friends. Read more...
Janet Langenderfer
I never met Walt, but used his articles in presentations to clients frequently. Always a resources for accurate explanations that were easy to understand. He will be missed..... Read more...
Ilya Yakovlev
I will always remember Walt's refreshing approach to PCI compliance when he worked with me at two institutions. Other consultants generally said, ok we saw what you have, here is the checklist to comply with SAQ D. Walt would turn it all around and say, for a campus your size you should be able to get your scope down to this, and by the way, here is what worked with your 3rd party on another campus I worked with... I will miss his wit and his gentle soul. Read more...
Anna Letcher
I was fortunate to meet Walt at a time when my campus was beginning the marathon known as PCI compliance. His knowledge was immense and his advice very simple. By the time he completed an engagement with our school, we had become friends. We enjoyed many conversations about things not related to work and shared a meal or two at professional meetings and symposiums. My deepest condolences to his sweet wife Meredith, his family, colleagues, and many friends. Read more...
ed
While I never met Walt Conway, his articles were very informative and he definitely left an impression with his knowledge. Read more...
Chuck Phipps AAP, CTP
What is it with PCI columnists at StoreFront BackTalk? Before Walt, we lost the amazing David Taylor in 2009, who enlightened so many with his crisp writing and insightful viewpoints. Read more...
Jeff Hall
I just cannot believe it. Walt and I had known one another for a number of years and I finally met him in person at the first PCI Community Meeting in Toronto. He and I bantered back and forth for years over the infamous session at that Meeting held by the card brands where they discussed whether pre-authorization data was in-scope. For the record, it was NOT in-scope, but was to be protected as though it were in-scope. I will miss him dearly as he was always will to tell me when I was getting things wrong. RIP my friend. Read more...
Anton Chuvakin
That is incredibly sad news indeed. Walt was extremely knowledgeable about information security (and PCI DSS in particular), but he also made the subject approachable to many (a very rare gift in the industry). He will be missed! Read more...
Blake Dournaee
This is truly sad news. Walt helped educate us here at Intel about PCI and was a tremendous resource for us. He will be missed. Read more...
Steve Sommers
I've been absent from the world and just found out about this very sad news. In the few conversations I had with him I had very similar experiences: personable, intellegent and very nice. Walt will be greatly missed. Read more...
Davesh Patel
This is really sad news, I had met Walt when I started PCI work and has been a great resource to me and our Company. He will be really missed. Read more...
Shirley
While I've been very behind on my reading, I am so sad to hear of this news. I absolutely loved Walt's style of writing, and of course the content was top notch. I appreciated that he even took a call or two to discuss a few PCI topics - and he had a great sense of humor as well. Walt - you will be missed! Read more...
Andy Ray
In 1990 I worked closely with Walt in Visa EMEA/London office : he was our diplomatic pioneer to open doors with rather suspicious "rivals" like American Express, Diners Club, and MasterCard when we were building electronic transaction processing bridges to their hubs. None of them could resist his charm offensive! Now I realise that he had continued to use his ideal mix of personal charm and technical prowess to win hearts and minds in the PCI DSS world too. And it's very humbling to know that he was so involved with helping the homeless. Salute to you, Walt! RIP. Read more...

Where In The World Is ISIS Wallet?

Aaron Jaeger
Where is ISIS? Good question. Google Wallet may not be usable everywhere, but it is available at far more locations than ISIS is. If it wasn't for the collusion among the ISIS backers, it's likely that far more people would be using Google Wallet already. And that would get the attention of more merchants which could accelerate the roll-out of NFC terminals. Read more...
Cy Fenton
You are so right on about their trying to solve all the hardest business problems all at once. The consumer adoption side of this is the key! There is no circumstance where the consumer will think that it's more convenient to have anything attached to a phone (or a new phone for that matter) to pay when they can do so with the tried and true, always works everywhere credit card. And where are the daddy warbucks wireless companies here? Has ANY of them delivered on ISIS enabled handsets? - Nope. Read more...

Retail Privacy Policies Need To Focus On How The Data Is Used Rather Than Just What Is Collected

Shirley
The SAT application reminds me of Doctor offices that continue to have the SSN field on their forms, and ask for your Drivers License # (and more)...not so they can treat you, but so they can track you down for any outstanding payments. How many people question the fields on those forms? Read more...

Still No Apple Mobile Wallet, But A Card-Number Keychain That May Be Just A Bit Too Clever

David True
How about tokenization of the cloud-stored data. Would that help? Read more...

GuestView: Credit Unions Argue That Retailers Are Not Penalized When Breached. May I Ask What Planet You Live On?

Karisse Hendrick
As the foremost global organization that fully supports and promotes operational excellence for fraud, security, risk and payment professionals within eCommerce, we agree with the majority of your editorial. However, to clarify, issuers are NOT the only players who detect fraud or breaches. Many eCommerce/CNP merchants have made a significant investment, not just in data security but also in fraud recognition and prevention tools to detect fraudulent activity and purchases prior to delivery of goods or settlement of the transaction. I do not want to down play the role of issuers and instead would characterize the environment as collaborative between both parties. Happy to provide you with additional information at your leisure. Karisse Hendrick Merchant Risk Council Read more...
Steve Sommers
Good point. My mindset was focused on breach and breach prevention costs. I knew I was missing additional merchant costs but I was experiencing writers block in that section of the post. I briefly touched on this topic with my reference to "little or no liability for these fraudulent card-not-present transactions," but I did not specify the additional costs to the merchants beyond chargebacks and service/merchandise loss. Read more...

PCI's New PIN Rules: A New Document Is Issued To Require You To Create A New Document

Christine Speedt
A few years ago the privacy shields on some signature capture devices mysteriously stopped shipping with the units, with no satisfactory answer from manufacturers as to why. The shields were problematic and broke off, and eventually many did away with the piece and switched to a recessed pad instead. I wonder many retailers are at risk today of non-PCI Compliance because a privacy shield is missing? An enterprising person could start a new business: inspecting and installing privacy shields on pin devices. Read more...

Flaws in the Carbon Layer: Is a Penetration Test Without a Social Engineering Component Really a Penetration Test?

Shirley
Thanks for your articles Walt - truly enjoyed them! Read more...

Target Quietly Running Four Fulfillment Trials, But The Reason Why Is Far More Interesting

Michael G
This is a really interesting series of trials. It opens up a range of possibilities for other merchants to see how they work for Target and possibly utilize some offshoot of these ideas in their own operations. Even a smaller retailer can try to adapt some of these ideas in store. Read more...

Visa To Genesco: PCI Compliance? What PCI Compliance?

Nathan
Presto, Orwellian non-compliance... I may have to borrow that concept from you in our next PCI/card brand rant. Nicely done, Evan. Read more...

Walmart: Settlement 'Worse Than Losing'

Steve Sommers
The "rules" clause sounds a lot like Obamacare -- we need to pass it to see what's in it. Read more...

Facial Recognition May Not Work For Security, But For CRM, ...

Jon
The facial recognition technology is definitely there for this, but it will take time for HD cameras to become cheap enough for widespread installations. Most of these facial recognition systems require decent resolution photos of a face, which a wide angle low res security camera cannot provide for far-away faces. Read more...

Virtual Retail Currency Could Translate Into Not-So-Virtual Legal Nightmares

Al
I hate to bring this up because the IRS might be listening, but where do "frequent flyer" miles/credits fall into this discussion of an artificial and transferable currency? Read more...

The Case Of The Walmart Drunk: Big Data, Big Duties, Big Headaches

Bob LeMay
People complain about the "nanny" state (or commerce) and lack of privacy...until they are looking for someone else to blame, or deep pockets to sue! Read more...
A reader
The Russians can tell the FBI that a person is dangerous, and even they can't connect every dot when it's their full time job. But a retailer is supposed to assign someone to watch a camera to track every person across their parking lots, see them get in the driver's seat and drive away, and then notify the police based on some underpaid employee's guess that a person's blood might contain more than 0.08% alcohol? I'm not a big fan of Walmart, but this is ludicrous. Read more...
Jim
It is not an unprecedented situation that the company with be sued if they use the CRM data and if they don't. You certainly list the plausible situations for each -- maybe far fetched some time ago; but they seem as likely headlines. Sad. So if all stores have to call the police for every quirky situation a customer "dings the CRM bell", no one will every buy a bag of fertilizer and a gas can in the same trip again. Maybe Walmart should replace the greeter with a lawyer, just sayin'. Read more...

Walmart's Auto Shopping List: The Next Killer Mobile App?

ed
A mobile shopping list app offering linear inventory replenishment for a household is great. A mobile shopping list app smart enough to revolve around existing items in the household pantry would be killer. In the 8 hot dog buns to 10 hot dogs in a package scenario, the shopping list mobile app should be smart enough to recommend a can of baked beans to make frank & beans with the 2 remaining hot dogs instead of inventory replenishment. Wal-Mart would love for me to buy a new package of hot dog buns, but as a customer, I want to make the best use of what I have in my household and have diversity in my meal choices. Read more...

Marks & Spencer's POS Charges Contactless Regardless, At Least Now And Then

Shasur M
Contactless Payments have hit some roadblock or other. Most of NFC and other Contactless payment systems failed to show ROI and advantage over Chip&Pin and MSR devices Read more...

The Pronunciation Debate: GIF Me A Break

kee nethery
He might have created the format but he is wrong about the pronounciation. When the acronym stands for "Graphics Interchange Format", the first word has a hard "G", so the pronunciation is "G" as in Graphics, not "J" as in Jiffy Peanut Butter. If he had claimed "GIF" was "Giraffe Interchange Format" then yes, the acronym would get pronounced with a "J" as in Jiffy. Read more...
Simon Bateman
I have a very strong suspicion that this is simply a publicity stunt to make people aware that there is a person who actually "invented" the GIF(With a hard g). Read more...
Mark Aggleton
Jif in the UK was a toilet bleach (among other cleaning products) until a rename 10 years ago - hardly one to associate images with..... Read more...
Steve Sommers
Hmmm. Maybe it's a West Coast thing or more specifically a Southern California thing (that is where I grew up), but it's always been pronounced JIF for me and most everyone I know. Now for something important, pronounce data. Read more...
Dave Robinson
Always called it 'Jif' myself, mostly because I hated both Compuserve and peanut butter equally ;) Read more...
Brown
English is a funny language anyways and then this - people arguing over whether it should be JIF or GIF. Should we not fix "BUT" and "PUT" first (if that can be fixed....) Read more...
Steve Sommers
We did, that's why we have "BUTT" and "PUTT". Read more...

PayPal Offers Free Card Processing, But For Who?

Gavin Phillips
Regardless of how appropriate Square and PayPal's 'register' apps are for a small business, Starbucks aren't going to replace their existing enterprise POS system with apps that have 1 percent of the functionality, control and reporting that they need to run their business. Likewise, I'm not going to replace my BMW with a free skateboard, just because both technically enable me to get from A to B. Read more...
Christine Speedy
Thank you Gavin for my laugh of the day- well said! Read more...

Fighting Falling Same-Store Sales, Walmart Looks To Be Saved By IT

neverfear
Its been well over 2 months. Has Walmart decided not to develop personalized contextual search. Do we know we why? Read more...

Can Ebay Pull Off A Giant Touch Window For New York Shoppers?

Ed
While I do not know the eBay specific solution, you can create a large format touchscreen using a projector projecting a screen against rear projection film on the storefront window, hi-def cameras using object detection like the Kinnect or OpenCV. This is already done in Europe and Asia and probably the most likely implementation. Read more...

Domino's New Live Video Stream: It Could Have Been Quite Useful, But It Wasn't

Aran
You ask what's the value of watching someone else's pizza being made? I dare you to check out the SmokerCam online at the website for Toronto's super hot BBQ joint and NOT want to book a table.... even if it takes a month to get a table on a Friday night. My mouth waters instantly just watching someone elses brisket or ribs cycle around...http://www.barque.ca/ Read more...
Evan Schuman
Again, let's get back to Domino's. Their product mix isn't changing. Therefore, what is the value for THEM to do a live stream? Read more...
Aran
I totally disagree - i check back on the video stream frequently and keep up on their latest creations. It's really interesting to see what they smoke overnight, and to see them arranging the trays. To say "watching it live doesn't add anything" is like saying "watching a live baseball game doesn't add anything because you can just watch video from last year's game." Read more...

NCR's Anti-Skimming ATM Tech Could Also Help Store PINpads

A Reader
If they're going to all the expense to continue to strengthen the security of the open barn door, and invest money and reliability on a complex motorized system, they should mount the slot sideways, so the user dips the card edge-first into the reader. All external skimmers take advantage of the movement of the card into the slot being the same as the motion required to read the card. By inserting the card edge-on, the motorized mechanism could swipe the head sideways across the track, which would foil any skimmer mounted on the outside of the device. It won't stop skimmers on existing readers. It won't stop cloning. It won't reduce fraud by a measurable amount, because the technology has never had effective security. But we could at least claim to be "doing something" about it. Read more...

Amazon's Five-Mile Threat

Ann Grackin
Retailers can compete. They just need to know how. We recently did a research project on home delivery: Winning at Home Delivery. Great example is John Lewis in the UK, who really got serious about how to home delivery--from the mundane to full services. But retailers need not only the merged channel customer views, inventory visibility, and most importantly the customer experience--all the touch points from store, web to great delivery. In short, give the consumer a compelling reason to shop with you. Read more...

Tesco Really Doesn't Like NFC

David Curtis
Mobie Payment through NFC is another example of over-promise and under-deliver. Whatever mobile payment technology wins will be the one that not only makes it easy for the consumer and cost effective for the merchant, but is also compelling enough to change the consumer's behavior. Our current payment ecology in the United States is too ingrained culturally and any method that apsires to replace that ecology will need a significant disruptive advantage to move the consumer to change how they pay. At this moment, with over 3500 restaurant locations and untold millions of customers, none of them are breaking down our doors or lighting up my phone with demands for mobile payment options. To paraphrase "it is the consumer, stupid". Without them driving the adoption, the rest is all "sound and fury, signifying nothing". So far, all mobile payment solutions are tools looking for a problem to solve. Read more...

Gap's Take On Typical Buy-Online-Pickup-In-Store Programs: Too Efficient

Mike Jones
When have customer's ever been against more efficiency? Seems like a big gamble by the Gap. Read more...
Marty Ramos
Hmmm...they must really hate hointer.com then... Read more...

For The First Time, Amazon's March Traffic Is Higher Than December. Figuring Out What That Means, Though, Is A Lot Trickier

Donna
Driving traffic to your site should be your main goal in internet marketing. Targeted traffic is the key. I do believe the shift is being diverted to user content and on page seo. Great content will always improve traffic and ranking. Read more...

Starbucks Weighs In On "Download Mobile App Vs. Get Customers In-Store" Debate. And The App Won

Andy Miller
Except they have alienated an entire mobile nation - the Blackberry users. Starbucks continues on with the "we are evaluating things" responses. For a company I respect...very interesting... Read more...

Walmart Joins NRF, Ends Longest-Running Retail Feud Ever

Jeff Sandgren
This is an appropriate move for Walmart to have the right kind of voice at the lobbying table, but also to be more involved in the retail sector as a whole, not just in the Big Boys Club. In the new world of customer-driven retail, for the merchandise niches that online and big box can’t dominate with the lowest possible price alone, the independent’s inherent advantage of authentic personalization may become more relevant and effective than ever. Read more...

Lawyers To Interchange Judge: Tell Our Clients To Shut Up

Fly on the Wall
Among other things what the plaintiff attorneys have brought to the court's attention is that some of the web sites in question encourage merchants to object and opt-out together, without explaining they have the option of one or the other (a merchant can object yet remain in the class in the event the settlement is approved, they would still be eligible to file a claim and receive settlement funds, avail themselves of the changes in rules, etc.). If merchants object and opt-out and the settlement is approved, they have unknowingly cut themselves off from the settlement all together. Read more...

The Ups And Downs Of QR Codes. (OK, It's Really Just The Downs.)

Jesper F.
I agree, theres a lot of porely executed QR campaigns out there. And slapping QR codes everywhere with no thought or purpose will almost always fail. Read more...

JCPenney's Johnson Is Out, Ullman Is Back. Now What?

Earl Jaforski
The debaucle here wasn't that he was canned, it was what took them so long? Johnson's genius was anything but, his experiences at Target were more relevant to JCP then his work at Apple. Merchandising the relatively simple assortment at an Apple store is one thing, merchandising the assortment at a JCP store is a whole other thing.... it's a shame how badly he's damaged this brand... Read more...

Is Giant Eagle's Forced Self-Checkout CRM Tactic Smart?

Miels Thomas
Forced CRM is a feature of most wand-based "Scan as you Shop" systems, so this is not a big change Read more...
Bob Skattum
I think that if this is coupled with loyalty card based discounts, that it could train (aka force) the customer to use the card more frequently. Perhaps incorporating a line-buster program with hand scanners could also be offered only to loyalty card holders ... something akin to Costco's method of scanning cart contents before you get to register. Read more...
kevin mitnick
This is a complete invasion of privacy! Big Buzzard will want you to put 666 on your body next or no service. You should be aloud to opt out of data mining if you choose so. I say if the Buzzard wants the data give them false data. A database full of false data is worth less than used TP. Read more...

Macy's Wrongly Priced Necklace: The Problem That Was Never Supposed To Be Possible In-Store

thomas young
A consumer who knowingly accepts change in excess of the amount due is no different than one who takes advantage of an honest mistake made by an store employee regarding pricing of an item. Macy' doesn't need to worry about customers with that ethos. They do need to better train their employees, though they should have common sense before they even show up for work. Read more...
Evan Schuman
Agreed that it applies to all, but there's no indication in this situation that the shoppers knew anything was wrong. Macy's had labeled it clearly as a huge discount--and it was--so there was no reason for them to suspect anything. Macy's associates, on the other hand, have access to their sales and should have seen that the price in the POS didn't match the ad. And if it did, how could it have? A typo in an ad that was replicated in the POS? Much of this doesn't add up, but have yet to see anything that shoppers were acting dishonestly. Read more...
StevenK
Macy's should have handled this differently... on a number of levels. With all of the money Macy's has invested in new IT over the past few years, this error is a perfect example of how even the best new systems are susceptible to human error. Here, there were at least 2, maybe even 3 or 4 separate systems that contained the error. (MMS, POS, E-Com, Marketing) Was it a process breakdown? Sloppy data entry? Collusion among employees? Nobody knows for sure. Regardless of how the error was caused, it is not the customer's problem that the error happened. Any reasonable person, and in this case there were several, would not have thought anything amiss when the advertised one-day sale price matched the price scanned at the register. (Remember the problem grocery stores had with barcodes scanning at higher prices than labelled? Here, it seems the opposite problem occurred.) This should be a wake-up call for retailers to implement better controls in their IT systems and business processes. On a related topic, I wonder if the jewlery merchant at Macy's will get dinged when the GM$ for the department come in far under plan or if that will get written off as a marketing expense! Read more...
Cme
I work at Macy's in fine jewelry. I wasn't at work that day, but if I had worked, and if I had noticed the error, the process to report the error is so complex that it would have been challenging to report the error. Also, if I noticed the error and I was wrong, then I risk being viewed as a troublemaker. In other words, it's not a store employee's "place" to question a large corporate decision. Read more...

Lands' End's "Oops" E-mail. Is There A Wrong Way To Fix An Error?

Edward Armitage
Of course the second email should have had more explanation, but there are a number of additional steps they should have taken.They should have performed some simple database segmentation, and only sent the 'Oops' email to those that had opened or clicked the previous one. They should have used a 302 to redirect from the faulty page to a new one as soon as the problem was identified. Not exactly rocket science... Read more...

Why Amazon And Overstock Lost On Sales Tax

James Tenser
May be a mis-read to characterize this ruling as a "loss" for Amazon. The old nexus argument is obsolete anyway - today the only test that matters is that the law of the ship-to address must apply. In other words, sales tax is not about where it is sold from; it's about where it is purchased from. Calculation and collection are easily automated and embedded into online shopping carts. Several plug-in services are already available, so the argument of unreasonable complexity is baseless. Amazon knows this standard is inevitable, and it has been positioning itself to take greatest advantage of the policy change when it arrives. Meanwhile, court cases like this one in NYS serve to delay the timing. Win or lose, it's good strategy for the online giant. Read more...

Federal Judge Nixes Re-Used Digital Content Copyright Exemption

Ed Dunn
In ReDigi case as well as other similiar cases, the reproduced files in question did not have digital rights management or DRM in place. If the media files had DRM in place, one can argue the digital asset was truly a unique copy and transferrable. Gift cards with unique codes and remaining balance for example are resellable. Pretty ironic to find out digital rights management may offer less legal protection than unprotected files for resale and transfer. Read more...
Steve
Perhaps ReDigi would have been successful had they argued this ruling would prevent users from tranferring digital files from one computer to another when they upgrade or replace a hard-drive. Read more...

U.S. Supreme Court Knocks Down Barrier To Cross-Border E-Tail

Doris
There goes quality control or at least the little bit we had to deal with Read more...

Why The SAQs Will Change This Year

Greg McGraw
I often hear ecommerce merchants say that because they use a transparent redirect or direct post method that tokenizes in the browser that they are totally compliant. And when I ask about securing their web servers that originate the payment form, there is usually a long pause, followed by "oh yeah, but we're still compliant". With the growing number of insecure sources pushing content to the browser, like ad servers, chat, and analytics modules, the number of attack vectors increase BEFORE the PAN is even input by the cardholder. Maybe in the new mandate, 'capture, transport or process' can be preceded by a word like 'isolate, prevent, segment, harden or protect' when it comes to the merchant web servers that get the payment acceptance party started in the first place. Read more...
Janet L
Better clarification by the PCI council is good. It is still unclear to me how to deal with multiple vendors supporting the website -- each saying they have no access to PCI data. How is a merchant supposed to figure it out? And, by the way, in my experience, the bank/processor and assessors look for the easy way to grant compliance. Which may help in the short term but not in the long-term if there is an eventual breach. Read more...
Joel D
I doubt they will be so strict. Let's see come October. I can't see a way all websites with a link to a compliant payments page could possibly be made in scope. Read more...
Trusted User
Level 4 merchants are the fastest growing target group suffering data breaches. There is a massive explosion of compromises where Level 4 merchant web applications are being compromised with the specific goal of hijacking payment mechanism redirects. This is a huge problem that is growing exponentially. Most Level 4's falsely believe they are too small of a target for a breach, but the criminal groups know that, and they know that "Bob's Comic Shop" can't afford an Imperva WAF, and can't use an open source WAF in their GoDaddy/Dreamhost/whatever $10/year hosting account, and they don't even know how to begin reviewing their logs. Read more...

With Starbucks' Grocery CRM Plan, It Had To Get Clever About Fraud

Bob LeMay
Gee, Starbucks should take a page from Cracker Jack and some cereal boxes--put the "prize" (code) INSIDE the bag! Either print it on the inside of the bag/box, or attach a sticker on the inside, or just insert a small card (perhaps inside a wrapper with a lame joke on it!) in the bag/box. Do you think Starbucks will pay me a consultant's fee for this idea? Read more...

Starbucks' First-Ever Groupon Coupon Crashes Groupon's Page

Bob Skattum
What continues to amaze me (I am dating myself a little here)is that what is perceived by many to be new from a marketing and business building perspective is simply an updating of the printed coupon books that were sold by various organizations as fundraisers or as localized advertising ... offering a free appetizer/dessert, Buy One Get One, percent off second purchase, etc. at local establishments. I always felt that these discounts often amounted to an all out effort to build traffic and gross revenues at the expense of profits. Without a good database of past customers (or clear ability to delineate new from old, best customer from occasional visitor, etc.), it is very difficult to determine if these are new customers or you are just rewarding your current customer base and eroding profits. Read more...

PCI DSS: The Next Generation

James Johnson
I would expect this turnover to continue, and wonder what resource would be best to refer the new security team to for a thorough PCI orientation? Read more...
Christine Speedy
Forcing credit card processing sales people to be responsible would probably improve compliance. What if the salesperson had compensation withheld whenever a merchant is known to not be PCI Compliant? Read more...
Bob Dobbs
A firewall is not network segmentation? What is? How do I keep my upstream ISP's router out of scope? Read more...
Walt Conway
I do a lot of training, but if somebody is going to be responsible for PCI compliance, then an Internal Security Assessor (ISA) credential is pretty important, and the other key staff should at least attend some PCI security awareness training and maybe even go for the PCI Professional (PCIP) credential. The particularly attractive part of the PCIP is that it stays with the individual, not the company. Read more...
Bob Dobbs
So if I'm running an e-commerce operation and my customer at home in his pajamas ordering a widget from my site can talk to my CDE (which he has to in order to submit his credit card info) his PC is in scope? Or my monitoring system which connects to snmpd on my order taking internet facing webserver is in scope? I can understand how an Active Directory or LDAP server which handles authentication for machines in the CDE would be in scope but to say anything which can connect to the CDE and anything which can be connected to from the CDE is in scope is greatly overstating the problem and renders lots of people's work to reduce scope via network segmentation and firewalls moot. Read more...
Stephen Thornber
The option of a true Air Gap, i.e. a physically disconnected network is the ultimate segmentation but by no means the only way to segment. Firewalls and routing, switches and ACLs are all very valid ways to do so. All of these items mean that the assessor you or me must make a decision to the effectiveness and the adequacy of the segmentation. Read more...
Walt Conway
Unfortunately, in the real world, firewalls often permit inbound or outbound connections, and therefore they do not achieve the desired segmentation and scope reduction. For example, there may be "holes" in the firewall to permit patching, AV updates, etc. My point is that if the rules on a firewall permit any access by another system for whatever purposes, then that other system is not segmented (isolated) from the PCI environment, and that other system is in your PCI scope. By permitting an inbound or outbound connection to the cardholder data environment (CDE), you expand your PCI scope. It all comes down to the actual specification of the firewall ruleset or router ACLs. An explicit "Deny All" rule achieves segmentation for PCI. About anything else risks expanding scope. Read more...
Fabian G
If the rules on a firewall permit any access by another system for whatever purposes, then that other system is not segmented (isolated) from the PCI environment, and that other system is in your PCI scope. By permitting an inbound or outbound connection to the cardholder data environment (CDE), you expand your PCI scope. If a system or device can initiate a connection into the cardholder data environment (CDE) or receive a connection from the CDE, that system or device is in the merchant’s PCI scope. It does not matter if there is a firewall controlling the access. It doesn’t matter if the connection is only for “a little while.” If a connection is possible, then the network is not segmented for PCI purposes and all the devices are in scope. Read more...

Customer Service Survey Places Apple Second To Last

Chad
I would be curious to see how this survey would report against an NPS score. Does a bad experience in service in a retail setting correlate to the likelihood of someone recommending the company for their product or other services? Read more...
Nathan
I had a professor in college tell all of his students who used Macs to buy at least one share of Apple stock. That way they could contact Investor Relations when Customer Service refused to help. Not sure it's the solution for everyone, but it certainly worked for him. He had his screen and his hard drive replaced by Apple - at their expense - in the time that I worked with him. Read more...

Is Customized Pricing Brilliant Or An Imminent Disaster?

Rajeswari
I know Safeway has 'Just for you' pricing. Who else is doing it? In my opinion, this type of dynamic pricing based on the purchasing threshold may initially gain momentum among the customers but long term it may wane away with customers not withstanding the disparity. Read more...

With POS Paper Supplies Vanishing, E-Receipts May No Longer Be Optional

Mark Richards
oehler is leaving the market because they DEFRAUDED the US Government. They purposely lied and withheld information from the US Government to artificially lower the selling price of thermal receipt paper in the US in an effort to financially hurt domestic producers. That is a fact proven repeatedly in the court. Nobody likes a cheat. The price of thermal paper is returning to its true market clearing level now that Koehler has been prosecuted and found guilty. Regardless of the industry we compete, we all can agree that playing by the rules is a prerequisite, and when you don't the responsible party needs to be prosecuted to protect those who are playing fairly. Read more...
Bob Skattum
Beyond the issue of whether or not there is or will be a thermal paper shortage ... this post raises a number of valid considerations and obstacles for moving to totally digital receipts. I too have experienced the overly long receipts that hawk everything from my earned gas price discounts to a full-blown application for the retailer's co-branded credit card. Recently I experienced a FFS (fat finger syndrome)moment when an eager young clerk in a popular high-tech retail outlet keyed "n" vs. "m" in my email, and the receipt never arrived. I then had to call back and get a copy re-sent (once they found the transaction). I prefer to be given the option of getting both digital and on-site receipts such as a department store chain I frequent allows. That way, I can determine my comfort level on a case-by-case basis. And then there are the cases where you need a "gift receipt". How to best approach this will remain a topic of much discussion between the various constituencies. Read more...
bill
No paper receipt, no sale. I don't give email or other personal info at the register. I left a full cart with 14 xbox games, two hard drives, flight control panel, and several dvd's at best buy this christmas because the check-out girl required my phone number to complete the transaction for a cash sale. I also left a over loaded cart at toy-r-us with almost $400 in toys because they demanded a phone number and zip code to complete the cash transaction. I didn't get angry, I just walked out and shopped at wal-mart and newegg.com. Read more...
Christine Speedy
Is the paper supply shortage real? Yes, but only temporarily as market production will correct itself with others filling the void in time. I'm with Bill. I'm not giving out my email address to every retailer, nor to even 40. It's very rare that I would give it out. Ditto for cell phone number, which stores have been increasingly asking for as a faster and less error prone alternative to typing an email address. Read more...

KFC Discovers That Mobile Isn't Nice. It's Essential

ed
Implementing geolocation is not the best answer, geolocation is an assumption about the mobile user availability. What if the mobile user had to stop on the way and help walk a senior citizen across the street? Will KFC be able to know this incident occurred in their "timing" of customer arrival? Read more...
Paul
The plan with the geolocation feature will be to give the customer a notification when they get within a certain distance of the store - likely a 1-2 mins walk away - and them ask them what they'd like us to do. The customer can either give the go ahead to start final packing of the order, or alternatively they can simply wait until they arrive at the store and we'll start the packing process then. We're definitely not looking to snoop on the location of customers or make assumptions that they are coming directly to the store, simply trying to find ways for them to get their food as quickly as possible by giving them the option to trigger the final stage of the process. As you'd imagine, the notification feature can be deselected if required. Read more...

You Know What Your Shoppers Did Last Summer

The Dr
Will the folks carrying the mobile POS i-pod (really an i-pod) be carrying around i-bags, and i-receipts to use once the RFID is disabled? You know those things that often tell the LP folks that someone actually paid? This sounds like a love of technology deal..... JCP needs to fix the supply chain and infrastructure - just buy a couple of shirts from them and you'll realize the tech packs are out of wack - no two shirts / style fit the same. Hum – are i-pods really going to fix this company? Fix the supply chain / product mix first. Read more...

On Telecommuting, Best Buy Looks To Yahoo For Leadership Vision. *Gulp*

Jim Huguelet
In my nearly 20 years of consulting across clients and types of projects, I have to admit I've seen very few where a significant amount of face-time did not dramatically improve the results (or, in the absence of it, suffer demonstrably due to the lack of it). Especially in a crisis situation (which YHOO and BBY most definitely are in), you need constant communication and an atmosphere of mutual respect/trust. Neither reliably develops at the speed these companies likely need unless you are in close proximity to you co-workers. While interesting, why they are in need of more extreme measures now is completely irrelevant. They do need them – and good leaders make tough decisions that can affect change. Read more...

CMU: Consumers Have Sharply Reduced Public Data Sharing

Oisin
Makes allot of sense especially that users are moving to mobile where users do allot more sharing then on browser. Read more...

Today's Mobile Uncharted Territory Lesson: What Happens When Your Processor Is Ordered To Not Take Payments?

Bob Skattum
Good point regarding another factor to be considered when employing new payment vehicles. However, what seems to have been consistently missed in the posting/re-posting of the "ghastly accusation" regarding Square is the fact that the Illinois Department of Financial & Professional Regulation also filed C&D's in January 2013 against NetSpend, Skrill USA(aka MoneyBookers), and TouchPay Holdings. In contrast to Square, these three had applied for licenses, appeared to have been working with the IDFPR to provide requested information and somehow the process had not yet been completed. Perhaps this is not a major issue, but simply one where a governmental department is firing a warning shot to get the firms involved to bring the process to closure. Read more...
Chris Phillips
My read of the C&D in the context of the historical money transmitter exemption for merchant acquirers is that Square is in the line of fire (i) for its digital gift card program and (ii) because it allows consumers to receive payments (as opposed to merchants offering goods or services for sale). My guess is that Square can continue its pure play acquiring business for merchants, as that is a business that is typically not subject to these laws. It's the non-commercial role of individuals in this process that has attracted IL's attention. The C&D isn't really clear about that, but if this is the case as I suspect, Sq and the state of IL have outlined these parameters between themselves. Read more...
Evan Schuman
Agreed. Was merely making the point that states can and will issue these kinds of broad orders as the early days of mobile payments continue. Not saying it's right, but that it will happen regardless. Read more...

Macy's Stops Reporting Online Stats, Blames Too Much Channel Blur

Benjamin
Most companies that started as strictly brick-and-mortar retailers have not thought of themselves as e-retailers yet, because planning habits and systems have been developed mainly to support strictly retail locations for so long. Then ecommerce forced the brick-and-mortar model to evolve to include ecommerce systems, but it never forced a total redesign of the brick-and-mortar concept to support the ecommerce concept. Macy's is now supporting its ecommerce model via the brick-and-mortar locations it already has available. Smart move. Read more...
David P Himes
I find this mildly annoying. Because the sales transaction can clearly be categorized based upon the transaction-engine -- retail store, web site, mobile device, phone center. All sales are influenced by multiple channels of messaging. So, I interpret Macy's decision as a desire to not be comparable to other merchants, except at the top line. It may even be a way of avoiding their own internal debate about channel conflict. Whatever their rationale, it's affect is to cease providing useful information to their external stakeholders, investors, analysts. Read more...

At JCPenney, Everybody Gets A POS iPod In March

Dan
What's to stop a thief from posing as a salesperson with a mobile checkout device? Read more...
L in midwest
The issue with online sales is lack of stock, along with web page design/implmentation problems. Out of 246 different dress choices, they had ONE in my size. Read more...
Oisin
Good move on their parts but I feel like its to little to fight the changing of the times. They need to get really good online and having their offline presence augment their online. Read more...

Visa's Mobile-Payment Moves: Still Solving The Wrong Problems

Michal Kisiel
Being a little bit US-centric, aren't we? ;) In Poland 1 in 5 Visa low value transactions is contactless. In UK it is on the rise. Same for Turkey, Italy, Spain... Read more...

Germany Wants Amazon To Loosen Its Third-Party Seller Restrictions

AmazonGenius
It's disheartening to hear Amazon is taking advantage of sellers in Germany. Read more...

Phone Tracking And The Law: Clear Sailing

David Sheidlower
I think the idea that it is not difficult to opt out of being tracked by going to a web site and typing in your MAC address is a bit of a stretch. I'm not sure that most users can just grab their MAC addresses off their devices. Consider how much work the credit card industry has done in the past few years to get people to notice the three digits on the back of their cards (CSV#). Teaching people to learn what a new identifier is, how to find it, and what it is used for may not be as simple as you think. Read more...
Mark Rasch
I tried to opt out FROM MY iPhone. The problem was switching back and forth between the website (and the CAPTCHA) and the settings to get the MAC address. Also, there's a difference between a Nordstrom CUSTOMER opting out, and a passer by who has no idea that the data is being captured at all. How about a giant sign, "warning -- big brother is watching! To opt out, do the following...?" Read more...
A Reader
You're the one who purchased and is voluntarily carrying the device that is continually spraying "I'm 12:34:56:78:90:AB" across the 2.4GHz band. You may have the device for your own convenience. It's entirely your choice to have the device and have the WiFi radio turned on. If you want to "opt out," turn off your WiFi. And your Bluetooth. And your cellphone. And remove any RFID responding devices you have from your person, including your credit and transit and door entry cards, any RFID tags sewn into your garments, and perhaps even your car keys. And if you're going that far, you might want to wear "CV dazzle" makeup to hide from all the cameras watching virtually every public space you enter. Read more...
Mark Rasch
I agree that surveillance is now ubiquitous in the public square. It doesn't make sense to ignore it. It does make sense to try to balance that with rights to privacy. I transmit my MAC address in order to obtain a signal and to log on to a service. In doing so, I do not expect to create a permanant record, available to everyone at all times of my location and movements. The logic of "you are broadcasting it so it can't be private" can apply to (and has applied to) location data as well as the contents of cordless phone conversations. IMHO, you CAN have an expectation of privacy in public spaces -- its a matter of defining its parameters. Read more...
Marty Ramos
Doesn't V/MC already market credit card data such that one retailer can see visits to various other retailers... Read more...

Best Buy's Cure For Showrooming? Not Exactly

Earl
I agree, for Best Buy to claim that it's eradicating showrooming with its customers is a bizarre claim, and bit arrogant. It's not enough to match the competitors price. They have to beat it and go beyond. Once a comparative analysis is being done by a customer, there's little left for Best Buy if they don't differentiate themselves from whatever competitor they're trying to match. Until retailers remove "friction" from the purchase process, consumers will continue to go to where the "friction" is lowest and the benefit to them is the greatest. Read more...
Bill
Sorry Best Buy but it's to little and to late. Best Buy can offer customers a Victoria's Secret Model to escort them while shopping and it won't bring in the customers or save Best Buy. Consumer's have a long memory when it comes to bad treatment and BS when returning items. The writing is on the wall and Best Buy should plan for the going out of business sale like Circuit City. You won't be saved by the consumers! You caused your own demise. You will be missed as much as Circuit City. Read more...

eBay's Day In Court: No Soup For You

Philip Cohen
So, eBay users have to follow eBay’s ever-changing, 270-page set of rules and, regardless, sell on eBay only at eBay’s pleasure. But, what about eBay following “the rules”? Or does the US Criminal Code on wire fraud and the facilitating thereof not apply to eBay? The ugly reality for consumers dealing with the clunky, unscrupulous eBay/PayPal complex. Read more...
Theresa Moore
So in other words, if eBay decides you are a risk to their continuing success and someone tips them off falsely (bearing false witness) about an honest merchant, it goes along with their perjury. Thanks for reminding me once again why I don't do business with eBay. It used to be such a friendly place, but I stopped using it in 2005 and have never looked back. As to small businesses not doing well, there are so many other online retail marketplaces to choose from. This small business person would be better off using Etsy, where supplies are not frowned upon. The listing fees are less than eBays, and the listing duration is three months, not 7 days. So, no soup for eBay. Read more...
Craig Duncan
I wonder why Genesta sued eBay rather than the competitors she believe engaged in a “sustained campaign ... to discredit [her] with eBay through unsubstantiated complaints about the authenticity of the antiques." I imagine Genesta was counseled by one who advised her to sue eBay rather than the competitors she claims libeled her, it seems to me she is suing the wrong parties, and that the CA courts are correct in dismissing her claim. Read more...
S. Pescion
This frivolous lawsuit is still on-going, ebay has been cleared but some defendants - innocent former customers are still waiting for their case to be heard. This Plaintiff saw big dollars expecting ebay to roll over to shut her up. Now she wants the remaining defendants to offer a settlement to go away and help her pay ebays cost of defense... that's just wrong. Read more...
Mark Rasch
Without discussing the merits of Genesta's claim, or indeed why she was "booted off" eBay (or even whether it was a violation of eBay's TOS), the fact remains that an online marketplace provider is NOT required to have a TOS, not required to have an appeal process, and may ordinarily kick someone off the service for any reason (good or bad.) Whether Genesta SHOULD have been kicked off is not the issue, and the court did not consider that issue. The question is whether eBay has such market power that its decision to boot someone effectively denies them entry into the marketplace, and whether that is anticompetitive. Read more...

PCI's New Cloud Guidance: Great Ideas, Short On Realism

Richard Rees
Having an ill-behaved or malicious neighbor is actually far less of a risk than believed. MIT did an excellent research paper on this very topic, and found it was HARDER in a public cloud environment than in a private environment. One corollary - the FEWER neighbors you have the LESS protected you are, not the reverse. If you have 50 tenants on the same host, finding a specific tenant's information is going to be far more difficult than if there are 3 tenants on the same host. Read more...

PCI Security Problems: The Practical Versus The Perfect

AC
While members of the PCI "board" will argue that they (and their vendors) are able to comment and provide "input" to the standards, what is actually in the standard is under the control of key individuals within the PCI organization and the card associations. QSAs and auditors have absolutely no input mechanism, so their guidance on how this could be realized (or not) for implementor is absent. this results in your examples and many people shaking their heads saying "what were they thinking..." Read more...

Nordstrom Phone-Tracking Trial Raises Customer-Theft Threat

ed
Tapping into customers wi-fi transmission not only is bad karma but totally unneccesary and not the most effective manner to get the end result. A better implementation would be augmented video analysis. There are several open source and commercial packages that can accomplish this. Take the existing recorded security camera video feed, run it through the video analytics engines that turns people into object squares like CBS "Person of Interest" and you can tag each "object" and track their activity in the store. The floor can have augmented markers (qr codes or special barcode paint on wall/column) for each departments and the video analytics can how long "objects" linger around them. Read more...
A Reader
Is it better to remind people that their phones are continually broadcasting their presence by using that data commercially; or is it better to pretend that this isn't already being done? Google relies on GPS data from Android phones to measure current traffic speeds and to display them in Google Maps. People are already contributing their location data constantly without being aware of it. And all such data originates with enough information to uniquely identify the phone - although the services above assure us that the identity data is stripped prior to aggregation, that doesn't mean it doesn't exist. The only reason wireless data isn't being used for shopper tracking today is the fear of backlash. Offer someone a discount in exchange for tracking them, though, and I bet they'll let you follow them anywhere. Read more...

NRF And EPC's Swipe-Fee Flame War: Full Of Sound And Fury, Signifying Nothing

Dennis
As a Visa/Mastercard MSP/ISO, all the calls we have received to date, from our merchants have been in the "When can I start surcharging, and how can I do it"? category. These are all small businesses that have been bearing the costs of Interchange and PCI without being able to pass on the additional costs to their customers. OF COURSE Wal-Mart will not want to do it, but the small brick-and-mortar, or mom-and-pop operations want this desperately. Read more...

After Seven Months, Why Does The PCI Council Yet To Have Anyone P2PE Validated?

DJ
As a QSA, (not a P2PE QSA), I'm concerned that there are no listings as pressure builds to validate software encryption solutions that vendors arrogantly push, merchants ignorantly accept and I'm on the hook to confirm a level of confidence in the security. Read more...
Suzy
So many good points made in this article. The Payment Card Industry Security Standards Council certainly has had its share of shortcomings. I wish someone from the Council would read this article! Read more...
Lyal Collins
P2PE is a dead duck, imho. Prior guidance for the PCI Council indicated that encrypted data, where the merchant cannot decrypt it (proven absence of keys etc), is out of scope. All a terminal vendor needs to do is encrypt the payment message payload (SSL anyone?) and accept a token/hashed value in the and they have descoped most / of their internal store network, and maybe head office too. Read more...

California Opens CRM Goldmine For All E-Tailers

Mark Shuda
What should the bottom line be? The choice should be with the consumer. If the technology enhances the customer experience the customer should have the opportunity to opt in or out of the "service choice". These "services" (or downloaded apps to smart phones)enhancing the store experience will soon be mainstream. Read more...
Daniel Kim
As technological advancements push businesses to evolve towards a paperless and cloud-based environment, there is a growing need for state/national legislation to evolve simultaneously, encouraging innovation. Read more...
LJessie
Why in NY do some gas pumps require that you key in your zip code before the credit card transaction will go through? Read more...

Amazon Is Closing Its Distribution Gap, And That Could Mean The End Of Sales-Tax Deals

Ann Grackin
The challenge will be to create a technology and process (people, transportation equipment, expertise in the terrain/domain of the customer), etc. to keep appointments and provide that service as agreed with the customers and not disappoint. Read more...

Windows XP End-of-Life Could Cripple PCI Compliance

Seth
Another possible solution - POSReady 2009, which we are currently investigating. Mainstream support will end April 2014, but extended support will continue to April 2019. Nothing like putting off the inevitable, but a few more years will certainly help. Read more...
Lyal Collins
This is an interesting issue, pivoting largely on the interpretation of PCI 6.1. One could argue - no new vendor patches means no missing patches therefore compliant. The truth is probably in the middle - vulnerability management, mitigating controls, and possibly the messy compensating control path. Read more...
Walt Conway
While you mention a compensating control, and I tried to address that path in the column because it may technically be possible, actually I was doing my best to dissuade anybody from going there. I cannot see any comp control being effective. Beyond PCI DSS Requirement 6.1, another factor condemning Windows XP after April 2014 is contained in the ASV Program Guide. Read more...
John
POSready 2009 is based of the Windows XP SP3 codebase. It's the successor of Windows Embedded POS with was initially launched based on XP Embedded. Windows Embedded Standard 2009 ("standard" is the new name for the toolkit version of embedded, in this case based of XP Embedded SP3). Both solutions will add many years to your devices without any changes on you side. Read more...
Helen Sybil
We have no plans to move off XP after April 2014. Later Windows products do not meet our requirements. Read more...
Bill
First, Windows XP is still around because people like it! I wonder if anyone has considered Ubuntu Linx? The OS is straight forward and works extremely well and it's FREE! Well, except for the profesional online support but $250 per year no bad. Read more...
Mark
What about placing the XP POS terminals on an intranet network without any comunication or connection to internet by IPS, NAT, Firewall, etc.? They would only communicate with the main server on the intranet (running Windows 7 or 8) and only allow the main server communication to internet for needed functions like Credit Card transactions or like EDI to other main servers. Read more...
Mark
You may want to look at this article: http://storefrontbacktalk.com/securityfraud/out-of-date-os-causes-pci-violation-no-but-why-let-facts-trip-up-a-marketing-letter/ It is older but completely contradictory of this article. Change of opinion or interpretation? Either way PCI compliance doesn't clearly state one way or another. Read more...

Survey Says Consumers Worry About Mobile Wallet Security. But Does That Matter?

Jim Van Dyke
So if consumers care so much about security, why do they sometimes say one thing, and then do another? (Like use unprotected computers, over-share online, buy from an unsecure wi-fi connection, etc.). The answer is actually at once simple and complex: we fail to make it simple for consumers to understand (or act on) the connection between a recommendation and a safer state of being. There is so much security advice out there, and most of is either confusing or impossible. All people act rationally in their own mind. Read more...
Evan Schuman
Consumers TELL surveys that they care (that is absolutely consistent) but we determine care by consumer actions. We conclude they care about price when we see them purchase more as prices drop. As for security, every single time--I wish we could say "mostly" but we have yet to find a counter-example--that there has been a major retail data breach disclosed, we have found zero drop in sales attributable to that data breach disclosure. Read more...

Rivals Hate Amazon, Except During A D-DOS Attack. Retailers Then Are A Band Of HTML Brothers

Bob Skattum
Excellent point ... that getting back up in less than an hour was something of a miracle. Today, 2/1/13 BofA's online banking site has been down for almost six hours as I type this ... Read more...

Starbucks Dominates Mobile Payments. Why Isn't Anyone Else Even In The Game?

A reader
Starbucks is nothing like other retailers. Their typical customer interaction is: solitary customer orders a coffee, customer pulls out their phone, customer updates Facebook while waiting, customer heads to register and pays. The Starbucks app is conveniently in hand at exactly the right time in the process. By contrast, the typical shopper at another establishment is wrangling a cart full of thawing pizzas and a squirming toddler, or hanging up a gas pump hose, or chatting with their friends at a restaurant table. They don't have their phone in hand, and have other distractions occupying their time. To them, a phone is inconvenient. Read more...
Vancouver Starbucks Customer
Starbucks success with mobile payments makes perfect sense if you consider the business. A lot of customers visit the store regularly and the payment amounts are relatively small. Why would customers want to have currency or incur small charges on the debit/ credit cards? It has also helped that they have been successful with their gift card program. Over the years I have received more than a few of them from friends. Read more...

Retail Facial Recognition Comes Of Age

Bob LeMay
And would facial recognition be fooled by a mask or photo? Fingerprints might be hard to get a good enough image of to duplicate, but the image of my face? Not so much. So if my bank uses facial recognition ATMs, could anyone with a good photo of me withdraw from my account? Thanks, but I'll take my chances with an ATM card and a PIN! Read more...

Fake Prices At JCPenney? Why Not Real (But Rigged) Price Comparisons?

Joe
The issue is likely the cost of developing all those automated price comparison tools, rolling out new electronic signs with date stamps and actually getting competitive prices from other retailers. Considering the fact it was just reported they're ditching RFID and other plans in order to stem the bleeding means it is less likely they can implement pricing comparison functionality. Read more...

MCX Sees ACH As Interchange Salvation. Many Chains Not So Sure

ANN GRACKIN
Why would customers want to sign up for yet another credit card? Why are not these systems already integrated with the rest of the retailers apps, ala Starbuck, so if you a loyal customer it is all integrated and I don’t have to hunt and peck to get it right? When I suggested that the consumer or merchant could just use Square, they shivered, and told me that were going to have a partner who can embed an NFC chip in the phone protector/case. So those that sounds useful—all in one phone cover/NFC. But wait…. you don’t get the phone, you don’t get the chip, and you don’t get the case…and you don’t get your existing credit card points!!! The consumer has to go then and get each one, and pay for it. Oh, I feel that ease of adoption, motivations slipping away away away. And that ongoing ‘up sell/side sell--fleecing sell--the model of the cell phone company. Read more...
Christine Speedy
The good, the bad, the ugly. A single, neutral, mobile payment app, such as MCX, to use at many stores is essential for the future growth of mobile payments. A single application for all consumers, driven by merchants deciding what that application is, is not the answer. Competition breeds security, excellence, innovation, and cost benefits; monopolies bring stifling mediocrity. Specifically regarding ACH, is the secret sauce really ACH, or is it interchange management? First, let’s consider would who opt-in to the MCX solution. Would a credit card user switch transactions to ACH? Doubtful. That means retailers will be converting the roughly 50 percent of customers using debit cards to some alternative payment method; three quarters of debit cards are qualified for low regulated debit rates at .05 percent and 21 cents per transaction. Read more...

Reassembling Albertsons: It Won't Be Easy, But It Has To Be Fast

nuttyriv3r
All Supervalu "banners" recently underwent a transition to a unified private label brand called Essential Everyday. I am curious what will happen with those products already highly integrated within stores. Read more...

PayPal Mobile Payment Trial Tripped Up By Lack Of Training

Gerard
Why did PayPal need a physical booth at the mall for mobile payments? Mobile payments are not supposed to require live agent assistance. I don't understand what the kiosk was doing with users walking back and forth Read more...
ed
"But they were having a lot of difficulty with it, so they all just paid” with cash or Visa or MasterCard." This statement is the #1 reason mobile payment implementation in the USA is a cognitive dissonance tragic comedy and in some ways, discriminatory. Worldwide case studies of mobile commerce success demonstrate the target audience are primarily unbanked and/or live in high density areas. Read more...

How Much Too Long Did Lands' End Wait For Its Payroll Upgrade? Maybe A Million Dollars Too Long

Steve Sommers
Can't believe anyone would sign a term license like this for a mission critical system. That being said, Genesys does have something to lose. If I were Lands' End, I would make sure we never did business with Genesys again. And if I were an employee of Lands' End and I moved on to another company, I would strongly advise my new employer to not use Genesys either. Press like this would also be considered a loss in my books so they do have something to lose. I guess if Genesys is planning on closing it doors and is just trying to milk any existing customers for what they are worth, then maybe there is not a downside. And for Lands' End, this would be another reason not to pay the new licensing fees. Read more...
John Quincy
Software vendors are notorious for these types of tactics. What is uncommon is that these tactics are made available in the public forum, such as through a lawsuit. Term licenses were very common (typical) in the software world back then are are still somewhat common - perpetual licenses are certainly the more common practice now. Keep in mind, they signed a 20 year agreement and had plenty of time to make a switch - someone was obviously asleep at the wheel at Land's End and probably should be fired because of this gaffe. Complete mismanagement. Read more...

PayPal Is Touting Everything Mobile It Can, Except Shoppers Using It

intrigued at the concept
Doesn't accepting PayPal in-store make it easier to return web merchandise purchased via PayPal to the brick and mortar location? With such a high return rate for web purchased products, maybe this will help drive the PayPal expansion. Read more...

MCX Embracing QR Codes, The Cloud And Unparalleled Vagueness

Patty Payment
Can you imagine when a customer walks into Walmart with his Isis or Google wallet phone and wants to pay and the representative says, sorry: we only accept MCX mobile payments here. You have to go to this web site, download this application, register your credit card, then come back and we will accept your mobile payment and, by the way, it only works at these dozen merchants but thanks, because you saved Walmart money on our interchange rate. Also: sorry we can't offer you a reward or redeem a coupon for your trouble because that MCX application only works one-way and can't communicate to the phone, but if you wait a few seconds longer we can query your account in our big customer database in the cloud and try to find you something to give you for your trouble. Read more...
Dave Birch
It will be more like I go shopping at Target - my Target app opens automatically when I walk in the store - when I get to the checkout my Target app shows a code (just like the Starbucks app) so the Target POS displays "That's $20.45 thanks Dave" and I punch in my PIN and leave. Meanwhile the funds are pulled via ACH overnight. Read more...
Paolo Guerrero
Or more likely, the myTarget app will say "That's $20.45 thanks Paolo Guerrero!" Read more...
Paolo Guerrero
Or more likely, the myTarget app will say "That's $20.45 thanks Paolo Guerrero!" Read more...

Home Depot Privacy Pratfall: Spotting Web Shoppers In-Store

Steve Sommers
Multi-use tokens and what I would call repeatable tokens are two different aspects. Multi-use token simply means that a token can be used multiple times for multiple transactions, like card-on-file or express check-out. Multi-use tokes, provided they are not mathematically derived from PAN are very secure. On the other hand, repeatable token or a token mathematically derived from the PAN (hash or encryption for example), are not nearly as secure as their non-mathematically derived counterpart and if improperly implemented, can actually be fairly insecure. Multi-use and repeatable represent different aspects of tokenization. Read more...
Aaron Smith
If companies want to offer customized marketing while navigating around a backlash they need to understand where the lines is drawn for the consumer. There is a clear difference between learning about your customer and stalking them. Read more...
Lance Christenson
People who opt in sometimes aren't aware of it. Not everyone reads and scans everything in front of them. Sad, but that's how many businesses operate. Read more...
Richard S
My own experience is that people are much less concerned about this type of privacy concern than they once were. More likely people expect that a store can find their old purchases, and like the extra catering to their desires and needs. Shoppers like it when they can come into the store and want a new line feeder for their weed whacker. And if they don't remember which one they need, the associate can look it up. Shoppers seems to expect that level of service. Perhaps THD should examine the use of guest shopping accounts for the same purpose though. Read more...
Rob S
Apple does this as well. I bought an iPad at an Apple Store over the holidays using the payment card that I have on file with them and by the time I got home I had an email thanking me for my purchase and describing how to attach it to my existing Apple ID. I did not provide my email address or name or anything. Just the card. No idea if this is covered in the iTunes TOS or not. Read more...

Was Finish Line's New Site Disaster The Latest Cloud Casualty?

Sarah Park
With what happened last holiday and with so many people greatly affected, I guess they will have a hard time building the credibility and gaining people's trust again. Read more...
Ed
Is this really Demandware's fault or the Finish Line CIO/CEO's fault? Why would anybody release new technology prior to their biggest activity season? The Finish Line made a risky bet and they lost. Retailers should stop the risky "just in time for the holiday season" mantra when implementing technology solutions. I've seen this over and over in Retail IT sector and they seem to end up with more eggs on their face than success stories lately. Read more...
M
Avid Finish Line (Online Shopper) & let me say first hand experience that site was absolutely horrendous...every link failed and timed out it was hellacious...The old site is just fine no need to change it. Read more...
Jaimie Sirovich
This was a foolish move, and the fool that decided to switch from what they had to Demandware should be fired (or hire me to evaluate his next questionable decision). Even if I’m wrong about all of the above, they then had no control over their application, as their entire application is SaaS! SaaS has a habit of causing that problem. For a large B&M like FinishLine, this is an unacceptable decision. Demandware has crocs.com in its portfolio, I see — which is no doubt a bullet point that Demandware used to seal the deal, but Crocs isn’t FinishLine. Crocs is a manufacturer that dabbles in selling online. Finishline is a retailer with serious merchandising needs. Read more...
Karl Farbman
Conversion rate is driven by so many factors that it's impossible for an outsider to comment on what the problems were. Finish Line did a complete site redesign at the same time they launched a new eCommerce platform. If their design firm did a poor job with the usability of the site, that could cause conversion rate to plummet, regardless of what platform you're moving to. Calling this the problem of the SaaS infrastructure without any details of the problems doesn't make sense. Read more...
Frank Hayes
When you have a conventional E-Commerce site that's working fine, then replace it with a cloud-based site and conversion rates drop, you don't just blame site design. The site's new design didn't drive traffic away -- traffic went up slightly. It was just conversions that dropped. The fact that Finish Line didn't make the decision to simply fix the creative, but instead is taking a total of four months to assess whether the new site can be workable, suggests this isn't just the front end, but a more intractable technical problem. Read more...
Michael Hines
No, this isn't a "Cloud Casualty." This is clearly just another example of a rushed launch. If you are re-platforming your entire e-commerce business, you should launch at least two months before the holiday season. Some pre-launch performance testing would help. It's that simple. Anyone with any decent experience at all with e-commerce platforms who doesn't have something to sell, knows I'm right. We've all been there. Read more...
Rich
After working in ecommerce for over 15 years I would bet there are several factors for this failure. But this is usually the most common. Performance usually takes a back seat to features and customizations. No one will step up and say to a retailer... you probably don't want to implement this feature because the very nature of it will kill your performance and possibly the site itself. Its a game of Quantity and not Quality. Do not implement anything until you have confidence it can perform well. Also, there are no perfect 'platforms'. I'll bet the Finish Line also has issues with their legacy system too, its just that over years of use... they are used to its shortcomings. Read more...

Why Amazon And Overstock Lost On Sales Tax

Frank Steiner
It is always better not to make major changes before and during the holiday season. Launching a new technology or feature during this period is very risky and should be avoided at all costs. Read more...
Observer
The fault seems to lie with both of them. Finish Line for requesting to rush a platform and website redesign launched the week of Black Friday & Cyber Monday. (I mean, how stupid do you have to be? They must be the laughing stock of the retail community. You don't make major IT changes in Q4 period, let alone Thanksgiving week.) And Demandware for agreeing to go along with it. Foolish. Maybe greedy. Sometimes you've got to say no to a customer. Read more...

Amazon: Same-Day Delivers More Conversions, Few Actual Users

Dave in Denver
I would bet that the biggest take rate for this kind of service would be for drug stores and pharmacies. If I'm home alone and sick, I'd definitely pay a premium to have someone grab a needed collection of medicines, toiletries, electrolyte beverages and prescriptions and bring them to me! Read more...
Gary Chatman
Customers use the service and local retailers are viewing sameday delivery as a way to help level the playing field. Read more...
Sarah Park
As a fan of online shopping, same day delivery still makes a lot of difference compared to next day. Of course, if I am purchasing an item, I would want to see it right away. Read more...
Pekah Kleingeld
Would it not be just as simple as a customer having no delivery window available at such short notice? An "unanticipated" delivery due to impulse buying can break your day more than the impulse of buying. It might have the same impact as inbound emergency deliveries in a warehouse operation. Read more...
June Hayford
The same day demand is getting stronger, particularly now that companies like Amazon and EBay are advertising it. The majority are businesses that are more accustomed to using courier companies, but more individuals are now realizing they too can use a local courier company and get almost anything delivered in hours, very cost effectively. Read more...

JCPenney Is Predicted To Vanish In 2013 By People Who Are Truly Awful At Predictions

Lori
They maybe awful but when most days there are more employees than customers, you can't stick around forever. But even if they are bad, there have been tons of other sites saying the same thing for quite a while. That we're hanging on by the skin of our teeth Read more...
Marie
Penney's should fall by the wayside! The products that they now carry are of worse quality than K Mart. Lots of luck finding ANYTHING made in this country. They are catering to the 20-35 year olds and not caring about all of us 'oldsters' that built them up in the first place. Ron Johnson needs to go back to where he came from, his 'boutique shops' concept is a joke. Why in the world would I want 'shops' within a store that is located in a mall? If I want a particular shop, then I'll step outside of Penney's doors and go to that shop in the mall. Read more...
Paul
There is nothing machiavellian going on here with either Ron Johnson or jcp. Change retailing, fight and don't give up jcp. Read more...
Mick
Marie, tell me how many nationwide retailers exist that sell mainly USA-made products? No, you won't find much in JCP (although they have made it a point to start carrying more). However, I guarantee you will find just as little at Kohls, Macy's and definetely not much at Walmart. Read more...

Holiday Recap 2012: Hardly Any Downtime, Surprising Traffic Stats

Mark Lilien
Do the drops in traffic include mobile traffic? Read more...
Carlos Cherubin
There are two reasons for the better performance: 1) retailers have invested in capacity and better infrastructure, including better processes to forecast web traffic and demand; 2) the drop in traffic, at least for some, is due to a different promotional strategy that deliberately spreads some of the traffic across multiple days. I think they are finding that it improves service while being equally profitable. I believe this last is a strategic shift that is being implemented at both Thanksgiving and Christmas holidays. Read more...

Shoppers Want Mobile To Replace Cards And Cash, Just Not Their Cards And Cash

Suzy
Great point that you made, that is the mobile payment industry's crux right now, how to show itself to be a better alternative than the more traditional methods. I do believe there will be a new standard of incentives rolled out to entice future shoppers into mobile payment over cash. I think someday cash will be obsolete. Read more...
SubtleData
Illustrates the critical importance of showing a tangible benefit to the consumer. The 'cool factor' only goes so far. Also interesting that some of the responses infer that consumers are thinking of mobile payment in an either/or scenario as it relates to their credit cards. In the end, it's an academic discussion until there is a ubiquity of availability for the consumer. Read more...

Best Buy Yanks E-mail Support From Its Site. Shoppers May Be Better Off

Luzel
I ordered an item for christmas. It said on their website that I'll have it between dec18-21. Then I got this confirmation email stating that estimated delivery will be dec31. I tried cancelling my order with them but they refused to do it. I wouldn't have ordered it in the first place if it won't get to me before christmas. Haven't had this experience before with other stores Very unsatisfied shopper! Read more...
Peter
just tested the app, quite amazing with the rewards/gift cards.the only downsides are... this app is a battery killer, with mobile network and GPS enabled, half of the juice was kick off your phone for staying in the mall for an hour or two when you are trying to scan and walk in.this app is time waster... for 1250 kicks / $5 gift card, you wasted 1-2 hours Read more...

Best Buy's iPad Dilemma: The Tricky World Of Shipping Errors

Bob LeMay
"...and give them to people in need." I also thought that this was a strange suggestion. Did they mean someone who "needs" an iPad? Or someone that is truly "in need"? To the first point, no one "needs" an iPad. And someone truly "in need" probably has an iPad pretty far down on their list of needs! Read more...

Microsoft Pop-Up Stores: Apple (And Walmart) Shouldn't Sweat

Daniel
I worked at the pop up store in Las Vegas. I got hired as a "Technical Advisor", because of my high knowledge in computers. They stuck me into sales. So basically they lied about the position they hired me into. I got fired because I did not have good customer interactions. Although I was the only one there who treated customers like they were people. Only 3 people out of the like 14 hired knew anything about computers. And I mean anything. Most didn't even have the basic computer knowledge. Read more...

JCPenney's Christmas Pin Program: Channel Ping-Pong

J. E. Anstett
What a ridiculous idea. Another example of a non-merchant playing games. Perhaps this was one of Johnson's kids ideas? I can hear other real retailers laughing, all the way to the bank. Read more...
ConsumerLambda
JCPenney needs to get its act together fast. Very fast. I see a Diplodocus happily munching grass while the meteor is about to hit the ground. BTW: The "Apple" legal mention is probably related to the iTunes gift codes that are offered as prizes. Read more...
Linda
They need to make the site easier to find. I enter the jcp.com/christmas and it takes me to everything but. It has taken me 45 mins to find it and haven't won a darn thing. I have done a lot of shopping at Pennys and have gotten quite a few buttons but have won squat. Read more...
Janet Hale
I have entered several codes and it keeps saying they have already been used. I just got them from the store. Read more...
chandra
I too have read the dim reviews for the past limited promotion of JC Penney on the button thing at this point it reminds me of the kid game " button, button who got the button" or was it 'button ,button who stole the button" in any case i had much trouble getting into the site and entering the code (needed a magnifying glass to see the code) which was ridiculous and not a good promotion at this time of transition ... I still have 8 buttons that i was not able to enter and I am mad. i hope I didn't win big shame on the marketing management of JC Penney. Read more...
Jerry
This seems really insane. Why would you send a potential in store customer back home and to their computer. It doesn't make any sense. Read more...
Sol
I don't think this technique was a home run for JCPenny at all. Sounded like a big waste of time if you ask me. Jerry is right. Why remove the customer from the store and set them back home in front of their computers? Read more...

Sears Black Friday Confirmation Snafu: Just Check Inventory, OK?

Ann Grackin
Basic business processes are clearly missing here: 1. Realtime inventory locating across the warehouses and stores; 2. Before you offer a promotion you forecast the expected demand. And just like the police when going into tough situations, they call for backup! On hand inventory to support a special deal or integration to suppliers to check for additional stock if you run out. 3. Don’t commit to what you can't deliver--period! 4. Then save everyone money and honour your commitments, and drop ship the merchandize to the customer! Read more...
Evan Schuman
For some of these special campaigns, you also get into what should be a less tricky situation (but often isn't), namely that it might be that you are only permitting a small subset of your stock of a product to go at the super-low Black Friday price. In theory, that should be even easier to track, but it's often not. Read more...
steve w
Yes Kohls has the same issue on Black Friday the last week or so their facebook page is filled with complaints on orders being cancelled. Kohls also made a huge policy change on Kohls cash purchases returned will have NO CREDIT to the customers. Read more...
Ann Grackin
Ah, the trail of the fine point! Complex pricing methods, policies and fine print! Customers nor employees nor IT systems, it seems, can keep track of all this. Listen up retailers (or any other business): Why do things your customers HATE YOU FOR? Read more...
Evan Schuman
Ann, to answer your question (""Why do things your customers hate you for?"): Tradition. Read more...

A Workaround For Sending Texts To Shoppers Without Texting Plans?

Mark A
I must admit I had to do a double take on this and go to Google. I didn't realise you had to pay to receive texts in the US! That used to be the case many years ago this side of the pond if it came form a different carrier but now only occurs if you are abroad. Read more...
ed
SMS messaging is both expensive and antiquated. In addition, all carriers have different set of rules regarding their Premium SMS program. It is cheaper to build a mobile app with push notification on the iPhone, Android and Windows mobile platform than deal with the red tape and thousands of dollars for Premium SMS. Read more...

Would You Like Spam With That?

Felix Lee
Consent to one thing is not tantamount to consent to other things, especially not spam. These companies just want to circumvent the law and make excuses for their actions. They shouldn't be permitted to do this when what they're actually doing is harassing customers. Read more...

Must PCI Compliance Conflict With Customer Service?

Dmitry Sokolov
While it can't yet address PCI compliance questions associated with customer-owned mobile apps, client virtualization (VDI or SBC) can deliver on PCI compliance requirements across in-branch POS, back-office processing, outsourced customer service call-centers and other tasks where customer data is collected, accessed or processed. Added benefits of enhanced up-time, PC client management and disaster recovery will be welcomed as well. Read more...
A Reader
Consider cardholder information as if it were radioactive gold. It's toxic, something to keep a long ways away from everything, and handle as little as possible. Sticking it in the digital equivalent of a lead-lined vault keeps us a little safer, but we'd still rather have something completely different.But since that's still how we get paid, we're stuck with it. Read more...

Forget Fancy Hacking, Card-Data Theft Is Now All About PIN Pads

Walt Conway
Does PCI DSS care about skimming at the POS? While PCI DSS itself does not have much to say about skimming at present, that situation may be changing. The PCI Security Standards Council has an information supplement for retailers in its documents library. I wish more retailers would read it. Another hopeful piece of evidence is the extensive merchant requirements -- including checking the POS devices, maintaining an inventory, etc -- in the P2PE Program Guide. I'm hoping that with PCI DSS v3 coming in 2013, we'll see changes to the standard and the SAQs to have retailers inspect their POS devices regularly just like they conduct regular vulnerability scans now. Read more...
ed
Thanks to outsourcing, most of the latest model card processing and pin pad devices are sold white label through sites like Alibaba and can be bought in markets around Ghangzhou, China. It is my understanding that in Europe, they had organized crime rings operating this same card theft using white label POS devices for years. Obviously, there needs to be a way to detect a counterfeit card processing machine and I don't know if that conversation has happened yet. Read more...
John Pruban
Thieves today are getting more brazen in their tactics. Because of this, it’s important that retailers remain vigilant in their efforts to keep their PIN pads secure. PIN pads should be locked down at all times. (Amazingly enough, there are still some retailers that choose not to spend the extra money on locking stands, but it’s really a small price to pay for peace of mind, in my opinion.). Make sure you know exactly who will be servicing the devices, if necessary. Did the field technician properly identify himself/herself? Did he/she have an appointment? Did he/she sign in or check in with the proper person? Online monitoring is another valuable tool for round-the-clock network security. Not only can retailers be alerted if a device comes off the network, but can take immediate action to prevent the crime from progressing. Read more...
Ed Dunn
One way to avoid POS tampering is use inventory barcode or security rfid stickers on the POS devices and scan on a regular interval. If they are using the security rfid sticker, then the security gate should sound an alarm. Read more...
Mark A
Not sure how other retailers do it but we (Debenhams) have a whitelisting app that knows what PEDs are in any given store and only allows those PEDS to be attached to tills in that store so stores can't move them between stores and no PED that hadn't been previously authorised would work. Read more...

PayPal's Price-Match Program Is Fishing For Your Shoppers In Your Stores

Philip Cohen
PayPal’s Price-Match Program is, in fact, a sign of utter desperation. Now that Visa's "professional online digital wallet, V.me, is up and running, the clunky PreyPal is, except for its mandated use on the atrophying eBafia marketplace, effectively dead in the water. If I recognise nothing else, this announcement of “price matching” from the eBafia/PreyPal Dept of Spin represents the desperate irregular breathing of a couple of dying enterprises. Read more...
Mark Goldstein
Price match is a good idea but it definitely didnt get above the noise. Phillip--PayPal might be clunky but so is that old 1965 Mustang in your garage that you love to drive...it works, its registered to your bank and its a first mover. V.me has a long road to hike before its relevant... Read more...

Google Wallet Goes Plastic. What Now For Mobile Payments?

ed
Google using plastic channels to their gWallet may be the most realistic implementation for right now. I do not what Google is doing takes mobile payments back, it is probably the smartest move to create a realistic bridge to wean customers towards mobile payments. Read more...

Retail IT Lessons In The Path Of Sandy

Bob LeMay
Wait...so the Target managers aren't paid enough (or smart enough) to decide to BUY a few flashlights and batteries in order to keep their store functioning and selling well? And then submit an expense report after the fact? Read more...
Evan Schuman
In fairness, it's hardly that simple. Given the storm and all of the infrastructure issues (road closures, difficulty for some employees to get in, gas shortages, etc.), the stores that we visited were all performing quite well. They were relatively stocked and transactions were flowing. This specific issue involved bringing things up from the backroom for some marketing promotions. That's important, but in an emergency situation, hardly mission-critical. The managers there seemed to make the right call at the time. The point of that reference is to think of the little things, such as what you want backed up and the implications of those decisions. Read more...

Toys"R"Us Payments About As Far From Seamless As Possible

Steve Sommers
Well, the problem is with the word "seamless". Every time I hear or see someone use the word seamless, I picture everything falling apart where seams should have been. Read more...

Amazon Prime Price Test May Be Testing A Lot More Than You Thought

Mary P
The monthly Prime membership is not the only recent change at Amazon. I have been a Prime member for a number of years, primarily for the shipping benefits, as video streaming and free kindle book borrowing didn't exist then. The Prime shipping benefits are quickly being eroded. We run a small business and it is convenient to order through Amazon with free two-day shipping, and $3.99 expedited overnight. I used to be able to order early on a Thursday morning and receive my order on Saturday with free two-day shipping. Somewhere around this July they did away with two-day shipping Saturday deliveries, with Thursday orders arriving on Monday. Read more...

How Much Does Amazon Still Own What It Sells?

Harry Hamlin
What is profoundly disturbing is Amazon's Kafkaesque refusal to explain the perputed violation and afford an opportunity for refutation. I hopr the blizzard of negative publicity got their attention. It certainly got mine: Helloooo Nook! Read more...

Isis Wants Users In The Worst Way Possible, And That's How It's Going After Them

Bob Skattum
I couldn't agree more. The analogy to how Visa and MasterCard started is totally correct. At a minimum, if I was carrying a potentially ISIS-capable smartphpne, why wouldn't I be given the opportunity to go online, request the specific card product data that I want loaded, and let the ISIS telcos obtain the data from the card partners and send me the SIM card to me with simple installation instructions. Or better yet, why not send me a SIM card that works with my phone, have me call or go online to activate and register (like card companies do)and do an upsell (if I am interested) at that time. Read more...

A Ray Of Hope For Mobile Barcode Scan ROI With Grocer's 100-Plus Location Expansion

Rajan
I hope there is value in the trial for both peapod and it's customers. What may add value is that a customer shops from a station and a delivery (of couple of bags) is made while waiting for a train. Read more...

Want Out Of Interchange? It May Be A Question Of Loyalty Vs. Fear

Christine Speedy
Can anything actually reduce interchange? There's more options than meets the eye. Merchants can reduce the cost of payment acceptance by using interchange management technology. For example, a merchant can steer customers to low cost debit cards by offering a discount- under rules that they control. Further, with the 'two debit networks' mandated under Dodd-Frank in 2011, merchants can route the transaction to the lower cost network. There are other creative ways merchants can use technology to manage fees and mitigate risk, without requiring a change in consumer habits. One of the more exciting new options for merchants with higher volume of business to busines customers is sending level 3 data in a retail environment, shaving up to .85 off interchange for some MasterCard cards. Read more...

Shopkick's Clever Twist On Mobile Catalogues: In-Store Inventory Hook

Jeremy Geiger
I'd also question the assertion that shoppers would plan based on points, rather than product availability. From my understanding, a typical ShopKick reward equates to a penny up to $5 (for specific purchases over $50). Yet among the shopper searches we've seen (across 1,000+ different mobile apps), the majority are oriented towards local in-store product availability, rather than price comparison. So given that the typical price differential is greater than the typical ShopKick reward, I'd be surprised if the reward would be much of a driver for the typical shopper. Read more...

The Apple Shopper Arrested For Using The Chain's Mobile App Improperly Is Sentenced, And It Sends A Very Dangerous Signal

Ray Allen
I completely agree. I would be surprised if a lawyer hadn't already contacted Eric about suing Apple over the way they handled the incident which can be easily explained as an oversight by both Eric and the associate who handed him a bag for his purchase. Many website struggled and continue to struggle with closing purchases. Their final verification screen looks a lot like a receipt. I can't tell you the number of times I have seen someone at the airline counter arguing that they already bought a ticket online. Read more...

Best Buy's Self-Destructive Online Price-Match Program

Jim Bahler
I'm one of the 1800 "Asset Protection" people that were axed by Best Buy on August 1. There are storewide bonuses available, called "Blue Crew Bucks." Paid quarterly, they are based purely on overall sales to every employee of that store, not profit margin. I understand that, in a couple of departments, there is a method of getting more pay, but I believe it's based on selling such things as Broadband cards and extended warranties, neither of which would be affected by price matching. Read more...
Fabien Tiburce
Any kind of price-match is better than nothing at all. Most consumers don't actually look too hard for competitive pricing once they've bought a product so I think this is more about brand and pricing perception than anything else. As a retailer, you also need to protect yourself against unfair pricing practices by etailers. Jjust because you see a price online doesn't mean you can actually get the good delivered to you at that price. The product could be out of stock, priced with strings attached or simply listed to generate "buzz". Read more...

Walmart's E-Grocer Plans Half-Mile-Long Virtual Stores

ed
Augmented Reality or "invisible pop-up" stores take advantage of time, place and context using geospatial technologies and sell where vendors cannot solicit but is a hub for people - like an art museum. For example, think of the red tape, time and cost to get a vending permit in Los Angeles to sell t-shirts in front of the Staples Center or a vending permit to sell t-shirts in front of Madison Square Garden. Read more...

The PCI Scoping Discussion Is Over. Now It's On To SAQ Roulette

Steve Sommers
I think this is a very strict interpretation of "connected" systems. You may be right in that PCI SSC views scoping in this purist view, but this is one of the problems with PCI. SAQ-C for example, creates a catch-22 for merchants. A requirement for SAQ-C is "Use and regularly update anti-virus software." Well, to do this, the AV application must have connectivity to another "connected" system. Yes, I know, a merchant can manually copy AV definitions to removable media and manually update the CDE, but how many are really going to do this and for the few that do, how up-to-date are they really? Read more...
lyal collins
A related problems for retailers can be the payment equipment supplied by the bank, ISO or integrator. For example, consider a dial-up terminal/PINPad without an integrated printer. This means receipt printing on a printer attached to the POS workstation which is in turn connected to the in-store LAN and thus may/may place the entire 'typical'store network in scope - because PAN is often printed on merchant receipts during offline/SAF modes as a result of business requirements of Acquirers. Read more...
Walt Conway
Steve, I agree my position is a strict interpretation of the PCI SSC's guidance, but that is exactly what I as a QSA am supposed to do. The same goes for merchants, too. The only position that matters is that of the PCI Council's or maybe the merchant's acquiring bank. That is, if the acquirer wants to give the merchant a pass on a particular SAQ, I would have no problem with that. Otherwise, we all have to play by the house's rules. Read more...
Steve Sommers
I agree that you, as a QSA, you must use a strict interpretation. But with this strict interpretation, I argue that in the real world, with this strict interpretation, no merchant can qualify for SAQ-C and still comply with SAQ-C. Either PCI SSC needs to relax their "connected systems" definition, or drop SAQ-C -- the latter being a boom for alternative payments. Read more...
Christine Speedy
I don't have a single customer that qualifies for the shortened SAQ any more. I think the SAQ is getting to be such a burden that businesses are making decisions to not upgrade to new equipment and technologies. This stifles business growth and inhibits moving to solutions that encourage more secure practices, as well as other benefits. For example, I regularly encounter business to business companies that say they don't store credit data because of risk. But when employees are probed, they really do store data. They have all sorts of excuses- we only hold it for 30 days and it's in a locked file drawer, etc. I've heard it all. Read more...
Karl
I disagree; this is an issue of scoping as it applies to the unencrypted cardholder data. If the data is encrypted, and the retailer does not hold any of the keys or ability to access the keys, then the data is out of scope, and therefore the system that data is on is also out of scope. Read more...
Randall Cotton
I'm a little confused as to what a "connected to connected to" might mean. Did they use specific language or did they just speak generally in language affirming that scope of assessment extends out to two degrees of separation as a rule of thumb? Was this a formal written clarification (e.g. a FAQ)? Read more...

Starbucks Digital Tip Effort: Will It Really Translate From Cash To Mobile?

Joe
Maybe presets to round up to the next dollar, or next dollar plus 1 dollar for the tip. If you built those presets into the app, when your code is scanned, it just adds those amounts to the total. Granted, if you pay before you get your coffee might have wished you didn't tip, but this tipping issue is the main reason I don't use my Dunkin card. I see the same woman every morning and I feel like I'm cheating her out of a tip if I pay by the app. If DD builds the same ability in, I would definitely use it more. Read more...

Retailers To Mobile Payment Players: What's In It For Us?

Trip
If explained properly, there are all kinds of perks from mobile payment acceptance. From remarketing purposes to better cash management, I don't see how merchants would not be sold on that alone. Read more...
Ann Grackin
Yes, but how many of these separate systems does a retailer have to join--right now there are several competing programs from Google, PayPal, Isis, MCX, the retailers own program (aka Starbucks) as well as directly from the credit companies. Consumers don't want to download too many apps , re-entering too much security data to too many sites. The idea is fantastic--since the mobile carriers already have the customer online, why not weigh in and get a few pennies on the transaction? But much needs to be thought about. How do these all fit with out mobile programs and how to make that all pretty seamless, should be thought about. See it. Buy it. Read more...

How Risky Is Updating Digital Signs With Apps, Anyway?

lyal collins
Another complication with wireless is that some stores are located in mult-tenant centres - shopping centres etc. So the car park and environments will almost never be empty except after midnight to 5am. Read more...
ed
This is an easy answer - digital signage player will play only files that can be successfully encrypted/decrypted. It does not display standard .jpg or .wmv or .mov files, it receive a file in a certain encrypted format, decrypts and play. Read more...

Walmart Same-Day Trial: Can Dec. 24 Be E-tail Windfall?

Earl
Any day but Dec 24th makes same-day viable, but that one day just want cut it from a logistics perspective...consumers can forget about it... Read more...

Target Using QR Codes To Enable Surreptitious Santas

ed
By using in-store QR codes, Target may reduce the effects showrooming by focusing the mobile device on in-store options rather than external competitor e-commerce sites. Read more...
Evan Schuman
True. Or they could just as easily increase showrooming by encouraging shoppers to do it and making it easier, more comfortable, for them. But I'd argue that none of this is particularly important. Mobile will become a standard part of shopper interactions so there's no way to prevent customers from shopping around. The best technique is the 100-year-old one: courteous and well-informed associates and plenty of them; the right assortment; better prices; better experience. In short, if you just do your job properly, showrooming will be little more than a minor irritant. If it's much more than that, you probably have bigger problems than mobile integration. Read more...

Mobile Phone Location Privacy: U.S. Justice Now Says It Doesn't Exist

Jack A
Was wondering what your expert legal opinion is on the credibility of historic mobile phone location data as evidence. After all, it is a mobile phone and therefore, it can be carried by anyone to a location. How would they prove from the data that I was personally at that location? Seems like an easy way to set someone up. I would think they would need to correlate the location data with a call made at the same time, to someone they would call as a witness to state it was me on the line. And text messages don't count. Read more...
Mark Rasch
Location data does prove the location of your device and not neccesarily YOU, but it is both admissible and very persuasive circumstantial evidence that you were where your device was. You can add other circumstantial evidence to the mix, like you checked and appropriately responded to e-mail on the device, you entered a user id and password (that only you should know) on the device, that pictures of you were geotagged with the device, etc. Add other evidence (video surveillance, witnessess) and voilia! Privacy gone. Even evidence of habit (he ALWAYS takes his phone with him...) can be enough to pursuade a factfinder that the phone didnt just out out by itself. Read more...

Do Walmart, Macy's And Target Even Know Tablets Exist?

alewisdesign
Anyone heard of "responsive web design"? We've been talking about this and trying to solve this specific problem. I don't know why ecommerce has not jumped on board. Read more...
Jason Goldberg
Sending iPads users to a desktop site (that expects hoover-over to work for super menu's, quickview,etc... ) sucks, as does sending them to a smartphone optimized site. Either way, retailers have a lot of room to improve their experience for the tablet users. One interesting note is that while Android tablets have a fair amount of hardware marketshare (especially if you include Kindles), they don't seem to have great share as a percentage of browsers visiting e-commerce sites. Sending Android tablets to Mobile while iPads are going to the Desktop pages may be lazy programming rather than a strategy. Google made a very poor decision to make the Android Tablet user agent very similar to the Andorid Mobile user agent, so many programmers don't notice the difference. Read more...

PCI Scoping Toolkit: Where QSAs Fear To Tread?

Kim Halavakoski
Scoping is a pain using the current scoping requirements in PCI-DSS. There is just too much uncertainity and ambiguity and too much room for different interpretations. This new toolkit is the first document that I have seen that explains the scoping in a understandable and unambiguous way! I hope this will be incorporated by the SSC to clear the uncertain scoping hurdled currently experienced by QSAs and organisation security and system administrators! Read more...
Jim Thomas
If I have an encrypted card swipe reader connected via USB to a Windows PC which has no ability to decrypt the card info, is the PC in scope? Its my understanding the PC is out of scope but I would like confirmation. Read more...

How Do I Track Thee, Mobile Shopper? Let Me Count The Ways

ed
Instead of targeting the customer personal mobile device, how about tracking the basket or the cart in the store using RFID? If baskets or carts are not available, it is possible to use RFID embedded loyalty card. This would make a better seamless transition to use the same metrics for tracking e-commerce baskets and shopping carts as well as prevent the expensive headache of attempting to create a ubiquitous solution for every consumer mobile device. Read more...

Walmart's CRM Gateway: Mobile Checkout?

My Sales Dialer (CRM+)
even small retailers loving to go techno for CRM Read more...

How Do I Track Thee, Mobile Shopper? Let Me Count The Ways

Evan Schuman
It depends if you're looking at this as a temporary placeholder measure or a long-term strategy. Given all of the changes, there's a lot of good arguments for the placeholder approach. But longterm, mobile device approaches are inherently superior. What if someone runs in and doesn't take a cart or basket? They'll still have their phone. What if the chain doesn't use a loyalty card (such as Walmart) or that customer didn't bring it or doesn't feel like pulling it out? And what about tracking shoppers through multiple trips across multiple places? Read more...

PCI Memo To Mobile Payment App Developers: It's Up To You

Preston
As you say, it's either use m-commerce or be PCI compliant. The lack of PA-DSS validation puts merchants in a real bind, and it can't last much longer. I think the council risks making itself irrelevant if merchants realize that they're "damned if you do, damned if you don't." The number of merchants taking the risk and using m-commerce platforms speaks either to ignorance, risk blindness, or a calculated decision that the benefits of m-commerce outweigh the risk. Read more...
Walt Conway
One has to wonder whether it is too late: the mobile commerce genie sure seems to be out of the bottle. I wish developers and merchants (and their acquirers) would have had these guidelines two years ago, but wishes are not terribly useful. Taking action like the Council did -- however late -- is what will improve security. Read more...
David King
I am glad that the Council has finally released guidelines. The challenge with m-commerce is it is a bit of the wild wild west right now. Today, just about any kid can whip up a payment app. The Council has to find a way to reach all of these people. They are not necessarily medium to large businesses that they are used to working with. Many of them are one or two guys slinging code in their basement. Read more...

Spending Less On Mobile Often Yields The Same Results

Fabien Tiburce
We recently had a prominent distributor pilot our mobile and cloud based software. Sales managers loved it and so did head office. Pricing for the software itself was a non-issue. However the project was put on hold. Why? They would have had to equip their sales managers, the very people responsible for visiting stores and placing orders (the heart-beat of the company's cashflow), with smart phones which they deemed too expensive. Are you thinking what I am thinking? You mean they don't *already* have smartphones? To me, this is borderline unbelievable in 2012. Read more...

The Politics Of Being A Retail CIO

CIO Inverted
CEOs of most large retailers were born in the era of no internet, no mobile phones, social media ? what's that ! And most of them are techno phobic. CEOs of this generation have largely tolerated IT and the CIO or they have made sure that discussions give you pain in all the wrong parts of the body. Yes, there are exceptions, but they are exactly that, a minority of exceptions. Read more...
ed
This discussion parallels the banking industry going through the same challenges. The old adage apply that if it isn't broken, don't fix it or upgrade it which is why many computer systems and the software tend to be 10-15 years old! I believe these industries want a CIO that understands how to keep the gears spinning rather than the latest and greatest gizmos. Read more...
Paul Lappage
It's always interesting to learn about the pressures that these professionals are under. Read more...
Greg
After working in retail for 10 years, I know the pressures management face. Advanced technology offers many advantages but often old systems are kept in place that should be updated. The costs can really add up as well as the lack of efficiency. Read more...

Apple Arrest Puts Heat On Mobile Checkout Policies

ed
Mobile check-out has the same challenges as self-checkout stations by putting trust on the customer to pick from inventory,conduct the transaction and walk out the store without interaction. Most shoplifters believe they are smarter than the retail security system and the shoplifter game goal is to outsmart the retailer with the prize of the shoplifted item. It wouldn't surprise me if this was the case, which was a very expensive pair of headphones. Read more...
Evan Schuman
Good point, Ed, but as the story points out, the security issues involving mobile go beyond self-checkout security. 'Tis not the same issues in the sense that self-checkout transactions are observed in one place, by the associate managing those SCO lanes. In the Walmart story this week, the associate merely sees the shopper scan the single barcode from her phone. This robs her of the ability to notice if she deliberately does NOT scan several items. (Granted, that can be detected with in-aisle cameras, but it's much more complicated. The system--or associates--needs to notice that a specific customer is using mobile and then notice she doesn't scan certain items in certain aisles.) In the Apple Store example, a scan can happen but the process may not be properly completed--deliberately or inadvertently. None of these issues are unsolvable, but the belief that mobile self-checkout presents no security issues beyond traditional POS self-checkout is a very dangerous thought. Read more...

To Survive, Retailers Need To Kill The IT Budget And Burn The Boats

Fabien Tiburce
The IT budget, strictly speaking, should be limited to managing personal computers, the network and the phone system. All other initiatives, anything attributable to a revenue stream, should be paid for and largely managed by a business unit. IT has a role to play of course: assisting business stake holders with system and vendor selection, ensuring the computing environment is coherent and secure, but ultimately the money needs to flow from the business and be controlled by the business. The CIO should be the gate keeper, not the purse holder. The world is moving too fast for organizations to be held back by their own bureaucracies. Make business units accountable and in charge of their own technology purchase decisions. Read more...
Greg Lucas
I think the issue is that all CIO's are not business people but typical IT people. As someone with a business background in IT, I want to and am capable of running IT as a business. Someone who has only come up from the IT ranks probably does not. Hence, it is ever important for companies today to find an IT leader with a business background who is a broad thinker and can see the bigger picture. Read more...
Todd Michaud
Part of the reason that IT does not tend to be the best “ladder” for becoming the CIO is because we are not focusing on the right training for our middle management. There comes a time in an IT leader’s career where training changes from technical in nature, to business in nature. Young leaders need to focus on P&L management, communications, people management and learning the business inside and out. Someone who is a Powerpoint wiz, with great interviewing skills that knows a balance sheet inside and out is going to be a better fit for CIO than someone who has written millions of lines of code or virtualized a datacenter. Read more...

Chip Card Confusion Could Challenge Chains' POS Plans

Tom Mahoney
In the last 6 months, three of my credit/debit cards (all Visa) have expired and been replaced. One of the old ones was chipped but none of the new ones is, unless they've removed the logo. Are we moving to chip cards or not? My limited evidence says NO. Read more...

PayPal/Discover's Retailer Problem:Too Much Data?

Thad Peterson
PayPal appears to have solved two of the three major problems in enabling mobile payments; eliminating changes to the POS (huge), and getting acquirers out of the way. But, it's a card based solution, which is counter to the concept of simplifying the transaction, and it reinforces the customer's perception that cards are just fine. Beyond that, the customer will need to carry yet another piece of plastic that will pretty much provide the same transactional value of their existing plastic, only the customer has to go through one more step, accessing the wallet, to use their payment card. They may be taking a step backward, while positioning this as a step forward. Read more...

RIP Payment Card Industry

R. David Bortfeld
The beginning of the end of the payment oligopolists really started in 1999 when several large retailers finally got fed up with the twice-yearly increases in interchange and fees and started pushing back - hard. Walmart tossed the first major salvo when they sued and won a $3 billion settlement in 2003. To all my friends on the banking and processing side of the business: Look at merchants not as an "inconvenience" between you and the cardholder, but as a client with growing choices to dis-intermediate you. Read more...
Jim
Being that these are transactions going through the Discover network, won't they still be subject to interchange rates and PCI-DSS requirements? Read more...
Evan Schuman
As for PCI, yes, in theory. Interchange will apply, but at what rate? Many questions remain. For example, PayPal's Don Kingsborough was asked Wed. about whether these transactions would be considered card-present or card not present. That's a very interesting question as the card is not really present. When asked directly, he said "it depends on the kinds of transactions. More to come about this as we get closer to the launch in the second quarter." Not especially comforting, but it does signal that interchange issues are far from solidified at this point. Read more...
james christensen
The infrastructure did not exist 20 years ago so the fees justified the risk. Today, the merchants can use the same infrastructure and also now have closed loop payments well tested. At a very high level I think we are going to see two types of payment groups: 1)ubiquitous, Private, Open loop and 2) relationship, value add, closed loop. Visa like vs MCX like. Some consumers will want privacy and universal use, while others will want a relationship with the merchants (and receive extra value). They will likely do both. Mobile will turbo charge the the second group. So if the MCX like offers are reloaded via the consumers bank then the credit card players of today are headed for a huge volume haircut. Read more...
Craig Walker
Todd, I empathize with you and I'm in the processing business. But, the end of the payment brand monopoly is just a dream, or for many a nightmare. With this announcement, PayPal has simply joined the payment brand club, which includes Visa, MasterCard, Amex, and Discover. In fact the winner here is Discover as PayPal cards will have Discover numbers and of course will be subject to Discover interchange. The payment brands have a near universal monopoly on payments and it won't be changing in my lifetime or yours. Read more...
Steven Hermann
If there is enough pressure on visa/mastercard, one would think they would react by lowering fees. Let's face it, those cards are going to be around a while. Looking back to 2001, cc processing fees were .2 of sales and now stands to reach .8 of sales, as that continues to rise, you will see opportunities to make money and to create competition amongst processing fees, which should in turn reduce the cost to the retailer. Where does that pressure come from, is it discover/paypal, or is it the retailer? Think of all the money spent on transaction fees in the grocery industry, roughly $5 to $6 billion a year, there is room for grocers to put the pressure on the cc companies, but it will take communication and promotion by the retailer to the consumer. Read more...
Rich Downing
Why in God's name don't you have a "tweet this" option for your articles? Or at least summaries... It would make a big difference. You must be heard! Read more...
Bill Kisse
Combined with the news of the MCX network these two concepts signal a turning point in payment processing and I am confident that others will surface as the market / perception matures. I've always seen PCI compliance as only a stop-gap to plug holes in the insecure and some say "broken" credit card transaction processes we're all required to use. There will be a dilution of efforts as many proposed products and standards come online, only now available due to the advancement of communications and technology. Read more...

IKEA Kills Self-Checkout In The U.S. For An Unusual Reason: It Was Too Secure And, Therefore, Too Slow

ViiVa Marketing
In Singapore, We observe longer queues and more frustrated customers at the self checkout POS lane. The staff are also equally frustrated because the system throw up exceptions at the slightest "mistakes" made by the customers. For Self checkout POS to substitute traditional staff operated POS, technology vendors must focus on customer experience. Read more...

Testing Shows Mobile POS Power Supply Sharply Reduces Read Range

Suzy
It's a good thing Mastercard has discovered this issue, because that certainly isn't good, even if Verdeschi insists that this isn't a big deal. Read more...
Suzy
It's a good thing Mastercard has discovered this issue, because that certainly isn't good, even if Verdeschi insists that this isn't a big deal. Read more...

Sears, KMart Outage Was To Prep For The Holidays

Tim
I must be missing something. Why would a 3-hour "planned" outage start at 9:00 AM? Aren't those things supposed to start around midnight? Read more...

Can Timing Text Ads Make A Difference?

Serena Ehrlich
While I see your point about open rates with text messages, the truth is, getting someone to open anything marketing related is a feat unto itself - just look at today's MediaPost article about email open rates hovering around 20.1. With a 98 receipt rate, I think the point was, and is, that this is a high response medium that can be utilized successfully by today’s marketers. I work for a text marketing company and we have many clients who utilize the data that text marketing provides to drive higher success – time testing is absolutely one option, geo-targeting is another (combine the two for even higher response). Brands looking to drive app downloads can even do platform specific marketing. As you note the more one knows about their customer base, the more they can tailored their approach eliciting a stronger response. This is why brands like Charlotte Russe do so well with text marketing, they understand exactly who their customer is, what they respond to and where they choose to interact with the brand. Read more...

Are PIN Pads Insecure By Design?

A Reader
Hardening PIN pads just kicks the can a few feet down the road, the way PCI kicked mag stripes down to Chip and PIN. But it's still the same can and the same road, so why do we think the same problems won't keep chasing us? The next attacks are even visible from here. Instead of hacking and reprogramming PIN pads, the bad guys will simply put their own computers into hollowed out PIN pad cases. Customers and cashiers won't even know the difference. Smart cards are already capable of doing encryption. Add a 10-key pad to each customer’s card, and a small screen to display the amount to authorize, and each customer is now carrying their own full PIN pad for about $5-10 per card. This is equipment given them by their bank, which they can trust. It’s not on a network, not upgradable, sealed hardware, and cannot be hacked remotely. The banks then have true end-to-end encryption all the way from their own tiny PIN pads to their own mainframes, and not the hop-to-hop-to-hop that exists today (that is mislabeled E2E by every vendor selling the stuff.) Read more...

The Message Recall: Diabolical or E-Mail Ignorant?

Alex Wieder
This is pretty common. Another trick I've seen a bunch of times is to send an email apologizing for email problems - "last week, our email newsletter failed to go out due to server issues; here it is again, in case you missed it." Read more...

Michaels Breach Convictions Point To The Most Sophisticated PIN Pad Attack Yet

Biff Matthews
Do not literally "screw down, a pin pad as it will cause a TAMPER ERROR. Switching PEDs is not an easily accomplished without employee complicity or failure to follow best practices. Train and retrain then hold accountable employees who don't follow procedures. You don't leave a cash register unattended nor a POS terminal, period! Read more...
Vidya Swamy
Hackers are always steps ahead. But, it is shocking to read it takes a long time to spot the breaches. Also, is it that easy to swap a PIN pad? I thought Aldi does not accept credit cards. Maybe they changed to cash only after the breach. Read more...

JCPenney CEO: E-Commerce Is Going To Hit A Ceiling

EL
Everyone in retail should hope that Ron's strategies pay off. JCP is an anchor at a number of malls and as long as traffic is off, it impacts the rest of the tenants. Their negative same store comp is dragging a lot of other folks down which is counterintuitive. You'd think that folks would go to another store in the mall. Instead, consumers are avoiding the mall altogether. Read more...

Vulnerability Scan Often Says "Pass" Even If You've Flunked

Walt Conway
Apply the same cautions to a merchant's *internal* vulnerability scans, too (Requirement 11.2.1). I sometimes run into internal scans where the merchant did not configure their scanning tool properly. For example, it may not scan all ports, or it may "pass" vulnerabilities with a high (i.e., 4.0 or above) CVSS score. QSAs need to check for both these situations. Another issue with internal scans is finding and remediating vulnerabilities the merchant has classified as "high" in Requirement 6.2. If merchants rely on their service providers for these internal scans, they need to make sure the scans are run properly and the results documented. As we all know, a merchant can outsource their processing, but they cannot outsource their responsibility. Read more...

Walmart: Don't Stop Me Before I Sue (Visa) Again

Biff Matthews
These law suits are becoming like this years election rhetoric and ads, very, very tiresome. The retailers are like whining children who don't like something yet don't know what they want so they make life hell for everyone. It's time to put fourth a viable alternative or shut up. Read more...
Robert Day
The real solution would be for the government to put a stop to the price fixing. Then the retailers would not have to fight the banks (processing networks). Also, we all know, all cost of products and services get added back into the cost of business. Therefore, the less the business pays the banks, the less the cost of their product or services for all of consumers. I would like to see a business grow and hire more people, than to see a bank CEO get an extra 5 million dollar bonus. Read more...

RadioShack Rep Used Customer Data To File False Tax Returns. Why Is RadioShack Even Still Collecting SS Numbers?

Jim Huguelet
Without knowing all of the details of the specific case, it seems more likely the defendant did not use previously-stored data - she simply captured what she wanted on a piece of paper on her desk as she was working with the customers to obtain the information in the first place. Thus, it isn't a "data at rest" issue - but a "data capture" issue. The best way to handle this sort of situation is to have the agent briefly transfer the customer to an IVR system when the appropriate time in the call occurs so that he/she can enter their SSN via their phone's keypad - then have the call transferred back to the live agent when this is done. It's fairly straight-forward to implement and takes the agent out of the loop on data capture. Read more...
A reader
The problem is that identity data has value. If it wasn't SSN, what would you have them ask for in order to extend credit to an unknown person? No matter what information the industry asks for, the same information can be copied and abused. The technical answer is a chip embedded in your Orwellian identity card. Is the personal cost of privacy worth the price of corporate security? Read more...
Dan Stiel
Another issue apparently overlooked regarding social security numbers is the comfort level with giving/accepting the last four digits as some holy grail over identity validation. Anyone armed with this tidbit of info can wreak havoc on both consumer and data gatekeepers. I'm surprised more attention hasn't been paid to this. Read more...

PIN Pad Pong: Is Verifone Playing Games With German POS Security?

A reader
To prevent fraud by a dishonest retailer, applications and screens that display 10 key pads have to be reviewed and digitally signed by the manufacturer to ensure the app isn't falsely requesting the customer's PIN. However, the app's security is enforced by the app processor's OS. With JTAG access (USB JTAG communications modules can be bought online or built for about $20 in parts), or other network vulnerabilities that enable accessing system level code, the attacker could take over the OS, bypass the signature requirements and run their own code, enabling them to intercept PINs. The guys at Security Research Labs have done some serious work in the area of breaking ciphers, and have developed and released software that mathematically analyzes generic crypto algorithms, and used it to break the Crypto1 cipher used in the MiFare transit cards in under 40 seconds. Read more...

Amazon Same-Day Delivery? Stores Not The Target

Scott
I am pretty sure that is a new focus for Amazon, and I would think the implications for local stores may be real. You would not get the touch/feel or the absolute instant gratification, but for the right price reduction - it would surely be pretty attractive to many people. A real stretch thought might be Amazon opening tiny catalog stores where people can browse merchandise on nice Amazon computers and displays, pay for their merchandise via PayPal Here and then expect their product in a few hours. Real estate costs would be fairly low, but they could drive foot traffic in major malls or urban shopping districts into their stores. Read more...
EL
If AMZN allocates inventory across its distribution network using the 80/20 rule - that is 80 of the stuff that sells is 20 of your owned SKUs, this will absolutely hurt physical retail, especially if they focus allocation on dry goods and diapers (you know, stuff that costs a lot to ship cross country?). The beauty of this shift to same day fulfillment is that AMZN doesn't have to go all-in for its core businesses (books and media) because those have shifted to digital. Yes, this will squeeze other etailers, but the true target is big box retail. All of them. Read more...

New PCI Rules Will Force Retailers To Set The Risk Level

Cathy
I've created risk matrices for almost everything in Infrastructure. I started with the application which relied on what environment it was in, what operating system was installed, whether the application contained PII, etc. It is not as hard as it sounds if you just extrapulate each component which could contribute to the risk and make it logical. Read more...

Amazon Lockers: When Urban Dwellers Find Home Delivery Really Inconvenient

Miles Thomas
This is not just an Amazon thing in the UK: "Click and Collect" (from a local branch) is big for all retailers that have physical presence, and even parcel companies are getting in on the act: for example, Collect+ has leveraged the convenience store bill payment systems of PayPoint and the delivery courier Yodel to provide parcel pickup and dispatch points (and ecommerce return points) in lots of local convenience stores, and these locations are, well, convenient (local and open long hours). Read more...

U.S. Appeals Court Gives Retailers Fraud Loss Victory

Sid Sidner
But there is one more key point here: crooked employees at customers. There is a non-trivial amount of attempted fraud by employees at small businesses. Before the Zeus malware, business bankers worked with their SMB customers to put in place split-knowledge and dual-control. SMB accounting departments typically only have a few people in them, and do not have the kind of on-premise accounting and IT expertise that large companies have. Read more...

iPad As Kiosk? That's Not As Elegant An Idea As It Sounds

Mike James
It really makes more sense to use an HP or Samsung Windows tablet. They have readily-available USB ports and can run existing peripheral device drivers, both of which the iPad can't do. Agreed, since the home button is covered up, it doesn't matter to the user what the hardware is. The good news is that our industry now has millions of new kiosk users that aren't afraid to approach touchscreens, especially ones that look like their iPads. Read more...
ed
I do not see how slapping a $600 iPad within a kiosk is "affordable" and believe this is just wishful thinking. The touch screen of an iPad is not commercial grade and made out of glass. Commercial touch screen applications uses a film-based that has longer wear for day-in/day-out use. Second, a mini-PC attached to a touch-enabled LCD monitor could connect more devices such as the Kinnect or Ardunio controller and still be as cost-effective as slapping an iPad to a kiosk enclosure. Read more...
Mike James
Ed - I thought the exact same thing, especially with a (less than) 10-inch screen size. They are a bad idea! Now we're selling these by the hundreds - to repeat customers. The tablet's low-cost means you can deploy in three times as many locations as standard kiosks and still save money. Read more...

Can Amazon Cloud Be PCI Compliant? Not Likely

lyal collins
Isn't this whole article missing the point of PCI 12.8.x? If the merchant is using a service provider (Amazon) then all the merchant needs to do is follow 12.8.x regarding the relevant PCI controls. I'm not sure I see the issue the article purports is present. Read more...
Peter Spier
Indeed, 12.8 applies to service providers. However, the entirety of the DSS applies to the assessed entity's cardholder data environment's applicable scope. As such, all system components which process, store, or transmit cardholder data within a defined network segment are in scope of assessment. Further, in a virtualized or cloud hosted environment, those system components which serve as a hypervisor must also be assessed. Read more...
Ted
So are you saying that you contend that cloud providers in general (AWS in this case) have most likely not assessed all components that should be considered as "in scope" to have an accruate ROC and Level 1 Service Provider attestation? Read more...
Evan Schuman
Ted, I'll let Peter speak for himself, but my read on the column was that he wasn't saying that at all. The point of the piece was not that cloud providers haven't adequately performed assessments, but that retailers using those cloud sites might not be able to sufficiently prove their own compliance. Read more...
Peter Spier
Ted, I fully believe that each cloud provider determined to be PCI compliant as a service provider by a QSA was compliant at the point in time of the assessment and should be sufficiently maintaining their environments so as to support similar findings in future assessments. However, as many service providers such as AWS do not themselves store cardholder data, the scope of their assessment is limited. Read more...
Tom
The whole process is to establish a trust framework of service providers, merchants, and assessors, and the reduce the waste that people spend on QSA's doing things for the sake of compliance that don't provide much risk protection. Should merchants be paying QSA's to do physical walk throughs of service providers that are already validated? I don't see much value in it. Why stop at physical walk throughs and not just assess the entire service providers against all PCI controls, since the merchant is ultimately responsible? Read more...
Ruth Xovox
There is security, there is risk and there is compliance. Some of these objectives can be synonymous and some are not. PCI DSS is very stringent on what is required to be divulged as the breakdown between a service provider and a merchant as part of their own assessment utilizing the service provider. The onus is on the merchant and the QSA to establish that they understand the scope of the controls being provided by the service provider vs the controls that the merchant is responsible for. Read more...

Queue Busting May Be More Effective Than Initially Thought, Thanks To Line Psychology

Greg Buzek
Something that can't be lost here is if even if customers get to a suspended transaction mode, they are far less likely to abandon the order because of the line. They are one more step committed to the purchase. This is why some fast food restaurants build a curb around fast food drive-thru's. Once someone places the order they are locked in. So in mobile case, psychology brings a portion of this. Read more...
Shasur M
Mobile POS (MPOS) is more than queue-busting. It reduces / eliminates POS desserts. Bringing the Point-oF-Sale to the Point of Service increases chances of cross-selling and up-selling. One wonderful point made in this article - Rounding Up the total sale . MPOS comes handy in this . A self-checkout App will be even effective. Read more...

Visa Joins MasterCard In Relegating PCI To An Afterthought

Steve
like fire codes in your community, the rules come after walking through a couple of deadly fires and seeing reasons to have rules. After the first major breach that is unique to a mobile payment scheme - we will see attention from the brands. Read more...
Cory
Agreed with the other poster. Very much a reactive system. Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way. Heck, even the DNC is out there in force using these device to get contributions for the presidential campaign. How many billions... yes as in "B" are being run through that type of setup with complete disregard to compliance? It's like tax cheats... when u see all your neighbors doing it, you start to wonder why you are following the rules. Read more...
Gavin P
"Everyone knows those dang square devices and associated configs are not compliant, yet everyone looks the other way." Most of those 'dang devices' do utilise P2PE in-hardware which still remains absent from the bulk of traditional POS terminals around the world. I'd actually be happier swiping my card through one of those, given they've been designed ground-up with the view that the smartphone it's being used on is an insecure environment, than in a traditional POS or integrated environment which is anyone's guess. Read more...
Walt Conway
You point out the apparent inconsistency with which the brands view mobile for mid-size and large retailers, versus what they allow smaller merchants to get away with (in a PCI and risk sense, anyway). Will it take a major breach to apply the standards uniformly? I really hope not. But how else can one reconcile the evidence of increased card fraud at small businesses (Verizon Data Breach Report) with easing PCI compliance requirements for some of these same merchants. Or, to put it on a more personal level (as one client of mine did), the brands have thrown her/him into the "no" business. They need to be PCI compliant, so the Security team has to say "no" when their business divisions want to use these devices. Not a lot of fun for them (or their QSA). Read more...
Walt Conway
I disagree as to whether *any* of the devices uses "P2PE in-hardware." P2PE is just rolling out, and there are precisely zero approved devices. What's more, some of the dongles in their original version did not even encrypt the mag stripe data. We have similar issues with the payment apps themselves (none of which is PA-DSS validated). As for the underlying operating systems, I don't think anyone knows what they do with the data passing through them. Do they retain the data? Are the data cached somewhere? Read more...

Cloud Vendor Hypocrites: Contracts May Not Help

RLS
Great piece, but I would disagree in part with one statement made that "If a cloud contract requires the cloud provider to maintain "reasonable" security, then the standard is too loose to be enforceable." Courts are increasingly scrutinizing what constitutes legally defensible reasonable security in breach and other infosec related lawsuits. IT has also approached the concept, too. Read more...

So Why Is M-Commerce Struggling So Much In The U.S.?

David Curtis
I work for a multi-brand franchisor and having looked at Google Wallet and ISIS, we decided not to participate at this time. What I can say is that from our evaluation neither of these is ready for prime time (although to be fair ISIS is still in the gestation period and not yet launched). One very serious consideration that concerned me is that neither effort works with the iPhone. Mobile commerce / payment will come to the U.S. it is a natural evolution of the mobile space and I believe it will be a natural extension of how we use our smart phones today. The early adopters will be the younger folks and they will drive this as they have the mobile market. What it will take is simplicity, convenience, and reasonable security. Read more...
ed
The problem in the USA is we are expecting status quo payment processors to disrupt their own industry with mobile payments. I cringe everytime I see an article on mobile payments and the desire to name drop Apple, Google, ISIS and PayPal. These firms see mobile payments as a novelty and want to keep it that way. It is going to take a true independent entity with the clear goal of disruption to transform mobile payments in the USA. Read more...
Sally Bretton
Mobile commerce is becoming popular in almost every nation. USA can't be behind the race. However, it is the users who can make it popular. Mobile commerce will increase at a rate of 65 annually to reach $24 billion in 2015. (Coda Research). So, let us hope USA will take part in the growth. Read more...

Domino's Tablet Testing: Make The App Into A Game

Greg Lucas
Customers want to order - not play a game. My favorite part of this ad campaign is when Domino's says "if you are good enough we will offer you a job." How many of their potential employees own an iPad? 1? Read more...
Greg Lucas
I see. You think when people use a friend / relative's tablet or go into the apple store they will prioritize playing the Domino's game over the thousands of better / real games available. Read more...

Microsoft's Tablet Move: Not For Retail

tks
Everything about (the Microsoft rollout) is completely different from the iPad and groundbreaking. BTW, hands on is now happening EVERYWHERE with journalists. It's called limiting your product to generate a buzz. It obviously got you writing about it so I'd say mission accomplished. Read more...

Debenhams Pushing Free Wi-Fi Chain-Wide. A Different Strategy Or A Different Environment?

ed
Free wi-fi is crucial. I have a tablet but do not have 4G plan and will never buy a 4G plan in my lifetime. The same with my kids iPod. There are two benefits to wifi - first is the ability for the retailer to control the landing page when they connect. The second benefit is to reach non-4G shoppers with wi-fi only devices to have a reason to shop and do research in-store. Read more...

Burger King Trial: No PCI, No Hardware Changes, A Lot Of Cloud

Dom Celentano
The BK mobile payment is in my opinion, a gateway entry point to introduce consumers to mobile as a shopping tool. Payment via mobile gets the "fast" into fast food payments, which still rely on traditional systems. However the intrigue is really the next steps that can be implemented in digital consumer engagement. Read more...

Switchable Grocery Checkout Lanes: The Complications Aren't Obvious

Mark A
In the UK, you can't buy tobacco other than over the counter. In pubs, even vending machines are now behind the bar and accessed by bar staff. Agree re alcohol, however I use self checkout in 2 of the largest UK supermarket chains and have never had to wait more than 15 seconds for a member of staff to authorise the sale. Not sure how it works on knife sales though (even kitchen knives are age restricted here) Read more...

PayPal: Chains Get PINs, Small Fry Get The Good Stuff

Scott
Why don't you create an app that actually works and is beneficial. All yours does is lock up the phones and create a crowd of people standing by doors and products (that we don't necessarily need) waiting for the app to connect to the server. In today's economy, you have to know that people will do whatever they can to earn the most amount of points/money. If you really want to get this going, make it worth our while. Better walk-ins and better products (why would I want to buy printer ink from 3 different places?? I am going to purchase it from the cheapest location !) Read more...

Apple's Mobile Payments: Not Bluetooth, But Maybe Closer Than You Think

Jason Goldberg
Apple does in fact allow you to pay in-store using your iTunes account... via EasyPay their self-service checkout tech. Read more...

Faced With Soaring Fraud, Shell Oil Pays Each Franchisee Gas Station $400 To Boost Security

Jim Huguelet
In the case of retail petroleum, this is even more complicated than the usual franchise-based retail business due to the myriad of channels that exist between the typical petroleum brand and their marketers based upon site ownership, methods of distribution, and level of control that the brand has over the locations flying its flag. However, dispenser skimming has unfortunately become such a pervasive issue in some markets (and one that ultimately creates damage for the entire brand) that the incentives are likely money well spent. Read more...

Should Forensic Tools Be Sold To Anyone?

A reader
Computers with FireWire have long been known to be vulnerable, since it has DMA access. Password interception via FireWire is not a new trick. Making these tools commercially available should put more of them in the right hands, where the overall level of benefit to society goes up. Assuming it doesn't further enable a corrupt Police State, of course. Read more...

Yes, Virginia, We Really Do Need A QIR Program

Michael
We are a Fortune 500 retailer. Our leadership applauds this new program. It's a good thing. Read more...

Big Data Is Exactly What You Think It Isn't

Thad Peterson
I agree that it's going to completely change the way retailers deal with their customers (and their suppliers), but there's going to be a whole bunch o' garbage out there before people really understand. Read more...

MasterCard Aims To Take Mobile Wallet Rivals Apart

Adrian Lane
Could you please validate the use of tokenization in the wallet's payment scheme? I'm looking at the wallet API and there is no mention of tokenization, only OAUTH identity tokens. Read more...

P2PE: No Cakewalk for Merchants, But There May Be No Alternative For Reducing Scope

Jaime
Walt, what are your thoughts on the applicability of P2PE to merchants who process using a mobile phone application with a swiper? I've asked a few QSA's this question and feeling seems to vary on whether a compliant POI device connected through the phone to a compliant gateway, etc. would allow the merchant to qualify. The crux of the conflict seems to be whether the phone remains in scope as part of the processing environment, or if it can be considered removed because the data is encrypted while being passed to the gateway through an app or the browser. Read more...
Andrew Jamieson
If the swipe device is PCI PTS certified, AND also compliant tot the SRED requirements of that standard, then it should be possible for the phone to be out of scope. This is basically the crux of the new PCI guidance on mobile payment acceptance, and the whole point of the SRED module (ie to help secure data through encryption to assist with scope reduction). Read more...

Considering An Operations Person For An Open IT Position? Don't Do It

Chris
I have an ops mentality but have worked directly or indirectly in IT for over 30 years. I think, naturally, young people and/or go-getter personality types are, by nature, "operations" types. However, as responsibility, experience, and maturity increases, people who may even be naturally "ops-oriented" can and should make the transition to an "IT" mentality like that you describe above. My boss is, by background, an "operations" person who never had a strong technical background or interest. Very smart, and capable when focused, but not that turned on by learning the intricacies of "how stuff works." In other words, despite over 20 years in the "IT" industry, still fixing tractors in the field. Read more...
Todd Michaud
I think that the more that both sides understand where the other is coming from, the better off everyone will be. I find that taking the time to ask someone "why" (is something being done that way, is that decision made, is this project important) can at least provide a good starting point. Read more...

Walmart's Online Cash Creates New Fraud Problem

ed
Wal-Mart pay-with-cash for online orders is a big benefit for resellers and suppliers versus reselling their products through eBay or Amazon.com. A startup supplier or product manufacturer no longer need to meet Wal-Mart strict specifications and minimum order requirement to stock products for sale in-store. They can now market throught Wal-Mart.com to a bigger crowd that can also pay with cash and use Wal-Mart expansive logistic system to deliver just-in-time. Read more...

"Careless" Systems Integrators Now Directly Under PCI DSS

Kat Valentine
This exact issue has been bothering me for years, and I was JUST talking about it with someone only yesterday. This may well be my favorite article, mostly because I'm biased and have hated this particular problem forever. Read more...
Nathan
Good article, but how does this have anything to do with the DSS? Read more...
Walt Conway
Actually, the QIR program has a lot to do with the DSS (or PCI). Since merchants rely on their reseller or integrator to implement their PA-DSS validated application, these resellers and system integrators play a critical role in merchants achieving and maintaining PCI compliance. As far as I can tell, the QIR program is designed to help merchants stay compliant by making sure their payment applications are installed according to the PA-DSS Implementation Guide, for example ensuring default passwords are changed (and protected), that the data encryption keys are properly set and secured, that the merchant's data retention policy is set, that no sensitive cardholder data are stored, and often that a firewall is in place and properly configured. Read more...
Cory
Although this is a great move forward in pushing the issue of highly trained people, it is also a good marketing ploy for the council. It begs the question: How much do they stand to make? The problem for this is that for people (like myself) that are just starting out their own business venture, PCI has typically charged a premium for their training and certifications. This change will likely force those of us with less capital to spin into the abyss. I have more than 15 years in the security and compliance fields with heavy hitter certs like CISSP, CRISC, and Sec+. There should not be a guide but a free test or a pre-requisite of either the PCI cert OR other heavy hitter certs. I just don't want the good guys in small places to get flushed out. Read more...
Christine
The ETA recently launched the Certified Payment Professional program, which charges $425 for non-members to take the test, assuming they meet the 'experience' requirement, to PROVE they are a professional. And they'll have to take it every 3 years. Worthy program, but high cost. Plus, only a select few were allowed to be in the first class, and there are only 4 test windows per year currently. So being on the registry simply means, you were lucky enough to get picked, nothing to do with skill level. Read more...
Walt Conway
@Cory: Thanks for your comment and question about the pricing of the QIR training. I raised that question in a conversation with Bob Russo last week, and I will address it in a follow-up column in a few days. While the pricing is not yet set, hopefully it will not be too great a burden for you or other integrators/resellers. We'll have to see, though. Read more...

Macy's, Amazon CFOs Say The Darndest Things

Andy
Amazon only collects state sales taxes today in five states. The comment from Amazon CFO Thomas Szkutak is misleading because he is factoring all overseas sales in, and they must collect VAT taxes in Europe. Their collection percentage is miniscule in the United States and they are using this 50 percent number to mislead the public. Read more...

The Privacy Triple Play: Digital Giftcards Using Facebook Data And Geolocation

Thad Peterson
This is a really interesting idea that portends a really powerful trend toward linking publicly available personal information with transaction data to deliver perfectly relevant offers in the right place at the right time. Privacy will be an issue forever but my guess is that the power of relevance will overwhelm consumer concerns about privacy. After all, that's what Facebook is all about. Read more...

Wacky Legal Idea: Using Class-Action Lawsuits To Gather CRM Data

danjahRoss
the ever true "bad publicity, good publicity - still publicity" right? Read more...
Marketer in Toronto
Mark, I wholly subscribe to your theory. In fact, many car manufacturers will orchestrate 'recalls' as a measure for getting people to attend at their local dealership to complete the recall work, and anything else that can be suggested or done at the time. (We all have minor maintenance matters that need to be done but are not important enough to create a priority). Read more...

Wal-Mart MoneyCard Break-In Offers Lessons For New Payment Tactics

ed
Whoa, this is major and have widespread implications not only to GreenDot and Wal-Mart but the whole Visa/Master prepaid card industry.Sounds to me like hackers overseas are calling in these prepaid account phone banks with random prepaid credit card numbers (they likely don't need to know the number) and can tell once it has been open. This has widespread security implications throughout the whole prepaid industry as many low-income people and expats are putting their cash into these prepaid cards for remittance purpose as well as spending. Read more...

KFC Learns The Dangers Of Social Media Empowerment

A reader
Some companies have gotten ahead of this by publishing social media usage guidelines. But don't lose heart. We'll no doubt see more amusing gaffes in the future. Read more...

With IBM's POS Sale, History Really Does Make A Difference

Rick Legue
It would appear that a huge challenge to IBM POS System users will be, how to maintain the integrity of the IBM POS platform they have installed. How long willl the existing models be available before changes are made? Standardization within the store would appear to potentially be in jeopardy. Read more...
Jeff Ketner
Mobile is one of the huge disruptive trends that are hastening the demise of the traditional POS business. Margins were already razor-thin,and with demand declining rapidly, it's a tough time overall for traditional POS hardware vendors. Read more...
Michael Koploy
As the importance of hardware seemingly decreases, I wonder if other providers make similar moves in the near future. Read more...

Best Buy's Last Hope: A Radical Reversal On Customer Service And Credibility

Todd Michaud
I am surprised that the fact that Stephen Gillett being named EVP of Global Business Services hasn't gotten more attention. As the former CIO and Head of Digital Ventures for Starbucks, Stephen has a great track-record of disruptive innovation and is just what Best Buy needs. Read more...

Appellate Court Limits Computer Fraud And Abuse Act

Chet Uber
The court is correct, Rash is correct. Employers should do what their Security consultants should have told them to. Banners that clearly state you have no expectation to any right of privacy and company computers are never to be used for anything other than company work. Read more...

Apple, PayPal Enjoy Uncharted Mobile Payment Legal Issues

Fred
and if you don't believe it, you might not know that the English police already regularly access data about a user's "Oyster Card" which is the stored value card of the London Underground and bus system. Read more...

New Jersey Giftcard Law Is Much More Complicated For Retailers Than Even Its Critics Believe

Kevin Thompson
A lot of good questions here. However, as I read through NJ's law, I didn't see anything that required the merchant to drain the remaining value of the card after 2 years. The merchant will have to pay that amount to the state, but can opt to leave the balance on the card (and should in the name of customer service). If the customer comes back after 2 years and uses the card, then the onus is on the merchant to fill out the form and recoup from NJ. Read more...
Steve Sommers
New Jersey is not as unique as this article makes it sound -- at least not with the issues. You mention other states have escheatment laws but imply they don't have these issues, but they do. I guess this article is focusing on the zip code collection issue, but most, if not all the other issues you mention exist in these other states: What if it bought out-of-state via web, bought out-of-state but picked up in-state, etc. Read more...

Scanning Fruit At Checkout Looks Clever, But Will It Actually Save Anything?

Aaron
I saw similar technology demonstrated at a "store of the future" display at NRF - in 2004. Read more...

Want To Finally Move Beyond Magstripes? Fix The PIN Pad

Joe
Until there is consistency in how these devices act in a large number of retailers, consumers are going to struggle with changes. There are so many devices out there today that most consumers are not sure how each type works. Read more...

Costco Self-Checkout Trial Setback After Store Losses

Mark Scherer
Not all self checkout works this way. One self checkout vendor is designed to work this way and it leaves a gaping security problem that can create this situation. There are 3 predominant providers of self checkout in the U.S. and this represents the lowest installed base provider of the 3 and their market share continues to shrink from reports I have seen. Read more...
Evan Schuman
Editor's Note; The vendor that Mark was referencing is IBM. His point is that other systems make it easier for any weight mismatches to require associate intervention--just like with alcohol or cigarettes or any other age-restricted item--rather than a more passive flag to the customer that the item was excluded. Read more...
Ann Grackin
Another angle on the challenges with self checkout which may come to the retail scene in the next year is the tap and go/NFC smart phones. Though these are all the rage in Japan, we have yet to adopt them in the U.S.. But that will change as the new phones emerge with the chips embedded this year. And the new demographic want to use this type of technology. A large retailer told us that NFC phone customers are getting their identities stolen, even though the self check-out requires proximity-- and they do not want to take responsibility for this occurrence in their stores, on their premises. So although they like the idea self check-out they are still experimenting with various approaches. Read more...
ed
For self checkout, item-level RFID or unique barcodes plus real-time tracking appears to be the missing component. Mail delivery companies use real-time tracking of mail with a barcode and assure delivery at a certain time. The public library embed books with RFID and track them through checkout. Retailers and SCO manufacturers are going to have to accept the fact they cannot rely on UPC and really need an item-level identifier that tract that specific product as a unique item from shelving to checkout. Read more...

Amazon Learns Why Placeholder Headlines Are Bad Ideas

FMJohnson
I visited the Irwin tool set in question on Amazon earlier today and the faulty image was still there. Ironically, while reading another blog this afternoon, I was served an Amazon banner ad for the same tool set, and the faulty image is still there. This is most likely the supplier's fault, but as you point out, it's on suppliers, distributors, and retailers alike to check and ensure the product information they're using is correct. Read more...

Visa Yanks Global Payments' PCI Compliance. Catch-22 In Full Force

Chris
So PCI compliance can not guarantee that a provider will not be breached, but a breach is inherent evidence of non-compliance? Any comment from VISA as to whether they will continue to accept ROCs prepared by Trustwave? Seems like an inconsistent position. Read more...
Thu
Global Payments reported they were working toward being in compliance with PCI, despite already being on the list. In a backwards way, they admitted they were not previously in compliance. We can't really say that a breach is inherent in these type of situations without having a full investigation report. That's one reason why MasterCard is waiting to see what forensics finds before yanking them from their list. Read more...
Steve Sommers
In the past, Visa has stated, "No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach." This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won't be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way — and interpretations among QSAs vary so much — as to make it impossible for anyone to be 100 percent compliant 100 percent of the time. Read more...
Biff Matthews
PCI, TSA, IRS - obviously none of these functions as intended or as promoted. I've said it before and I say it again, hackers are free of personnel, budget, expertise, infrastructure and time constrains. Nothing, NOTHING, is ever fully safe. Visa and its attorneys simply choose to hide behind the false sense of security of the PCI veil. Truth be known, Visa has probably been hacked. Anyone see the similarities between VISA and the wizard of OZ? Read more...
Steve Sommers
This begs the question, how does this decision by Visa affect Third Party Processors (TPA's)? Our TPA agreement has wording to the effect that we can only send CHD to PCI compliant processors and banks. Now that Visa has deemed GPS non-compliant, are we breaking our TPA agreement by allowing our customers to continue using GPS? Read more...

Could Global Payments Breach Finally Kill KBA Questions?

trooper
Integrating strong, managed security processes has always demanded more security-focused employees. Companies look at anything security-related as non value overhead. If they're forced into a compliance mandate, such as PCI, it usually translates into a do-the-minimim approach, put on existing IT employees who are already over utilized doing production support (primary) work. Read more...
Justin Robinson
I think the death of KBA questions has been dying for quite sometime and unfortunately businesses and consumers are having to pay the price before companies take action. It's amazing that social media and gaming companies around the globe have adopted technologies that allow their users to telesign into their account using the telephone while enterprises, financial institutions, etc sit around and let things like this happen..... Read more...

How About A Little Service Provider Responsibility Here, PCI-Wise?

lyal collins
I appreciate the one-sideness issue highlighted in this article. I also understand how card brands have a contractual link to merchants - but only rarely do with service providers. I'd find it virtually meaningless for the PCI requirement to mandate actions by the service provider, when they have no contracted responsibility to a commercial entity. That said, 12.8.4 places an obligation on the service provider to demonstrate compliance to their customer the merchant (or service provider, Acquirer etc). Is not the combination of these 2 requirements having the same outcome? Read more...
Lem
PCI is like banging your head on the wall. When you complete the SAQ, it feels good stopping. Read more...
Walt Conway
Actually, service providers do have direct links to the card brands. For example, many have direct system connections/access points to the card networks. More importantly, all service providers validate their PCI compliance to the card brands. The brands (at least Visa and MasterCard) also post lists of compliant Level 1 Service Providers on their websites. My point was not so much about the card brands, though. I was observing that since PCI already has a number of requirements that only apply only to Service Providers and not to merchants, there is precedent for one more Service-provider-only requirement to cure the imbalance I noted. Read more...
Nathan
Walt, I'd suggest that perhaps you have a limited concept of who would be considered a Service Provider under the guidelines that you've suggested. The fact is that most resellers/integrators do NOT have direct links to the card brands or the card networks. They may work with processors to board new merchants or provide support, but there is no contractual or legal obligation at all. Your comment that all service provides validate their PCI compliance is also way off base if you include resellers & integrators. The limited number of Level 1 Service Providers probably do validate their compliance, but the vast majority of resellers/integrators are not that big. Read more...

Should Retailers Be Worried About Amazon's Kiva Deal?

Marc Wulfraat
I think the points being raised express are valid concerns, however I do think that emotions are running high at the moment because we tend to think the worst in the absence of information. The questions that I have are (1) How much Kiva production and support capacity will remain available for non-Amazon customers going forward? (2) Will potential customers be scared away by this acquisition because of the potential for such a capacity constraint? (3) How will the new Amazon / Kiva team ensure that new and existing non-Amazon customers don't get "sent to the back of the line" so to speak. I'm optimistic that these concerns will be dealt with appropriately but I so think the market needs immediate feedback to address the concerns being raised. Read more...
Ann Grackin
This is a great question-and what happens when any big tech company buys a SaaS solutions that has all the connections, customer emails, etc. In general the issue of commitment by the tech company to service competitors do have to be questioned. IBM purchased many firms like EDI, demand management (Sterling, DemandTec, Ilog and others) that are used by their competitors. And yes, over time it does appear that mutual ties that bind do loosen. Read more...

If A Pattern Can Beat The FBI, Maybe It Should Be The New PIN

A reader
The nature of the PIN or pattern or password has almost nothing to do with it. The security came from the five-tries-and-it-locks-up-requiring-more-authentication model. It could be argued that Apple's model is at least as secure. They can be configured to wipe personal data the device after n failed tries, requiring the owner restore it from a backup. Read more...
A Responder
The focus of the article was not device related, but rather the concept of using gestures for authentication, rather than a PIN. Based upon the exponentially higher number of possible combinations, the author suggests they might be used for securing devices which, if concepts and technologies technologies like NFC or mobile wallets take off, would serve as a more secure method to protect the users' financial and personal information. Why must every mobile accolade, other than Apple's, be subject to an immediate repudiation? Read more...

Shopkick Proudly Re-Creates Black Friday Foot Traffic, But Did It Deliver Revenue?

Todd Michaud
I think that this is an example of the need to have clear goals with any marketing plan. From what I can read the goal was to increase the foot-traffic to be the same as Black Friday. It sounds like the error was in calling in Black Friday 2, which implies Black Friday sales, which this program was unlikely to reproduce. Read more...

ISIS Turns To Sleight-Of-Hand To Show Off Its Wallet. That's Not Helping, Guys

Chuck Phipps, AAP, CTP
The other glaring omission in their amusing demo was any clue about how to get it. I live in Austin and am trying to become an early-adopter for their announced testing period this year, crank up my NFC and start spending at participating merchants. Or so my un-acknowledged tweets have stated. What we need here is some serious marketing focus and some social media awareness. Read more...

The Missing Piece In PCI: System Resellers

Walt Conway
As a follow-up to the column, I learned that Visa has a Best Practices document for resellers and integrators on their website. Retailers (and anyone) can go here and take a look at what Visa is telling resellers and integrators to do when they work on a merchant site: http://usa.visa.com/merchants/risk_management/cisp_alerts.html. It looks like a very good list, and thanks to the SFBT reader who brought this to my attention. Merchants can use the best practices, too, to make sure they get all they are paying for. Read more...

Facebook Retail Sites Dying, And For Very Good Reasons

Thad Peterson
If this were on Facebook, I'd "like" it. Read more...

Miles Thomas
There are many reasons why a user may want to pay with Paypal even if they have their payment cards with them. It's a good way of bypassing a retailer's choice to not accept certain payment cards (e. g. Amex, Discover, out of area debit cards, prepaid debit cards/travel money cards etc), and/or clearing small balances from Paypal. Or indeed buying something on behalf of someone else, who has paid for it in advance with Paypal. Read more...

Shoppers: "That's Not What I Signed Up For!"

Jo
"Big Brother" is alive and well... On top of that, WE aren't paid/compensated for our invasion of privacy. It's more like a home invasion, where your feeling of security can never be replaced. (As for the, "privacy, like virginity, can't be restored"...true, but I should at LEAST be grinning after, instead of saying, "I shaved my legs for THIS?"!) Citizens of the US are GIVING AWAY their privacy/rights in so many areas, under the guise of "security." It's scary to those of us that remember the communist countries and their lack of rights. Too many have forgotten history, therefore, it WILL repeat itself. Read more...

How A Drive-Thru Could Turn Showrooming Into Roadkill

ed
Probably the most effective way to stop showrooming is for the retailer to build their own app for customers to use. Read more...
Shirley
Not only would it help those of us with little ones - and one of us (the kids or adults) having a meltdown ;) ... it could also help those with disabilities from having to get out of the vehicle as well. Read more...

Risque Business: Sears Thought It Had Removed A Naughty Image, But It Didn't Go Far Enough

Alicia Saunders
Oh my gosh! Time to panic and feel guilty because somebody saw a bare breast. What is this society coming to ? Read more...
Evan Schuman
Editor's Note: The intended point of the piece was not that the particular body part was offensive. It was the challenge for a retailer to control its images and to remove it completely once it decided to do so. Whether or not Sears should have wanted to remove that image is a separate issue. Read more...
S Burrows
I think this article is a great reminder of the world we now live in. Retailers sometimes forget what it involves. In the 'old days' of printed catalogs, we often knew how many and where copies existed. Now, you know that the world could see your error ... even after you've removed it. Preparation, planning, proofing, etc. are even more critical! Read more...

MasterCard Clarifies Its EMV Plans, Paints An EMV E-Commerce Future

Jay Gould
There is the argument that, as cardholders are fully protected against fraud, limiting it would only benefit the card issuers and processors. Well, even if that were the case, consumers would still benefit from the fact that their credit cards will be usable in Europe. However, minimizing fraud does matter to consumers, as the issuers' fraud losses are reflected in the levels of interest rates and penalty fees we pay. Read more...

Wal-Mart Exec: We're Testing Social In-Store

Sally
What an idiotic idea. Up goes the labor costs, down goes the impulse buys. This is just 'organizing the stores' all over again. It's anti-Sam, which always fails. Read more...

The Backward World Of Loyalty: "I'd Like A VCR, A Wired Phone and a Plastic Loyalty Card, Please"

Walt Conway
The common thread in each case is immediacy. I carry no additional plastic in my wallet I can avoid. Then again, I'm not a typical consumer so maybe others have different experiences as retailers or consumers. Read more...
Omar Iftikhar
Loyalty should be the main driver for all your targeted services and promotions. Not a lot of retailers do that very well. The best at it in my experience is Best Buy. Being part of their Rewards Zone not only automatically assigns the points to your purchase, but also sends you an electronic copy of your receipt, and any follow up coupons and specials. Read more...
Thad Peterson
We're at a nexus in the evolution of customer reward and incentives and the tools that are being used are based on 1980's batch processing technology. We all need to remember that we NEVER own the customer. If we're lucky, the customer owns us. Read more...
Joe
Agreed with eliminating the physical coupon. Staples rewards me with rebates that I need to log on to the website to print and bring to the store. I should be able to state at the register I want to redeem the rebate on my profile. The same when they give me a Staples card for rebates. Why bother sending me plastic when I should be able to use it virtually thru access to my profile. Read more...

Neiman Marcus Goes Down, But Only For A Special Few

Steven P
We insist our staff check all changes (how ever small) on all the popular browsers. Its something we'd recommend to everyone. Read more...

The Never-Ending Dance Of Contactless Security

ed
Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required? Read more...
contaftless okay
Contactless card transactions are verfied online, if there is fraud the bank with take the liablity. This does not happen with checks, bills. Oh and contactless is faster than any other form of payment and you do not have to check the takings at the end of the day: so faster service and a bit more secure. Read more...
MC
To contaftless. Not completly true that the bank will take the hit for a fraudulant contactless transaction. When paying at the fuel pump with contactless, you will have a defined pre-auth limit which is set by the issuer and obtain an online auth number. Even with the issuer providing real time auth, should the customer dispute the transaction, the liability and burden of proof still lies with the retailer in most circumstances. To the issuer they claim this is a "card not present" transaction if completed out of sight of the store attendant. Add that to the fact that that a gas station forecourt allows the hiding of the necessary fraudulant transaction supporting equipment inside a vehicle, it creates the anoynmous environment that fraudsters prefer to operate under. Read more...

Home Depot's Try At Not Shutting Down Completely Leaves Customers Running In Circles

Bill N
This is SO Home Depot -- a lack of vigor resulting in rookie mistakes. I see it all the time in the stores. Read more...

MasterCard Pushing EMV PIN. Visa? Not So Much

James L.
When our company switched from AmEx to MC for business travel expenses, I thought we finally had the opportunity for chip/PIN & signature cards to facilitate the travel in Europe. "They're not available in the US yet", I was told by the bank representative who conducted the training on the new related expense reporting website. It was interesting to see that the chip card with mag stripe was available to my colleages in Canada. I thought the idea with chip & signature was to allow its use in both US & EU markets. One card - dual authorization methods. Read more...
Dan
I want Chip & PIN. With Chip & Signature, sure it has a an EMV chip, but then a fraudster could just steal my card, run it through the chip reader and then sign my name. The PIN adds an extra layer of security as only I (should) know it. At the very least, I would like to see a dual method wherein if the US insists on using Chip & Signature, our cards would work as Chip & PIN in countries where that is the norm. I am just sick of this back and forth. America needs to get off its high horse and comply with the world payment standards. Visa says Chip & Signature, MasterCard wants Chip & PIN and then Amex is mysteriously quiet. All of this talk....the government, banks, acquiring banks and card networks need to work together to make it affordable and easy to fast track EMV. Read more...

In The Security Vs. Compliance Battle Of The Mind, Security Is Winning

Andrew Jamieson
I think that this has the potential to provide a terrific win for the merchants in scope for these sorts of systems, and also to the security posture of payments as a whole - exactly because it should ensure that people who know what they are doing are the only ones involved in the details. Read more...

Guess CIO On iPad Trial: "This Is The Consumerization Of IT."

John Pruban
Because Apple provides little support at the enterprise level, it is interesting to watch the struggles as retailers implement. In Mike's case, he talks at great length about the augmentation of the customer experience. The biggest hole we see retailers struggle with here is basic wireless coverage. The experience goes bad quickly if, while your walking around, you get into the middle of a function and can't recover. Read more...

Brook
This phone is not "from Verizon". The operating system was written by Google. The hardware was manufactured by Samsung. The reason a person might buy such a device is to run Android software. Verizon is just the service provider that links the device to the telephone backbone and the Internet. Verizon has no right to tell users what software they can or cannot run on their devices. And "Google Wallet" or Verizon's (vaporware so far) competing product should be treated as just what they are: software. The users should be able to download and install their own choice. Read more...

Macy's In Australia: No, John, It's Not All Thanks To eBay

Ric
John Donahoe is so anxious to impress his Wall Street Masters that it comes as no surprise he exaggerated and got the facts wrong during the conference call. Read more...

In Theory, E-Commerce Sites Are Way Too Slow. But Do Customers Care?

Jason Goldberg
I love it when the data in vendor studies directly contradicts the conclusion, and thanks for calling it out. In the case of page load speed, while I am skeptical of the urban legends quantifying the effect of page load (1 conversion drop per 100ms, etc...), I have seen a number of first hand examples of improved performance directly improving bounce rate and conversion. So my own experience tells me that speed is an important factor in customer experience. I just don't believe it can be reduced to a simple equation. Read more...

Fortnum & Mason's PCI Weakness: Customer Service

Walt Conway
This is a great example of "customer service" trumping security. This situation also has me wondering if they also have a call recording system that captures and stores card data, too. Just for quality purposes, of course. It is disappointing that a leading retailer like Fortnum's would be so casually dismissive of their customers' security. Read more...

Wal-Mart's Stealth Social Strategy: Pretend This Isn't About Customers

Rajan
Very clever indeed. It is effectively 'crowd sourcing' product selection. Read more...

The PayPal Problem: Will It Impact Retailers' PCI Scope?

Emma Jenkins
For the foreseeable future, retailers are not going to be transacting exclusively against PayPal accounts. Therefore, with the assumption that the payments are stored, transmitted and processed through the same systems as "regular" CHD, there will be no change in scope. Merchants will have to protect the PayPal payment information with the same rigour as PANs/CV2s/tokens, but this isn't arduous because they are doing it right now. (Or should be.) Read more...
Steve Gurney
This is the problem with the notion of the high value token wording in September's guidelines. As you rightly point out an email address, mobile no. or even a name can be considered a high value token. Yet by their very nature these are all readily available in the public domain, so I find it hard for them to be considered as a high value token. Read more...
Philip Cohen
Will Visa be including in their V.me system the additional ability for online payers to source funds via a “debit” transaction from their banking account, rather than only by a credit card transaction as has been the case in the past because of the PIN requirement for such a “debit” transaction? After all, what’s the difference between a PIN, that Visa/MasterCard already hold, and a password required to access a secure online payments gateway? Read more...
Rob Sadowski
The PayPal user information is much more "high value" because it can be used across merchants to initiate transactions. If I have it or gain access to it via a merchant compromise, there is nothing to stop me from using it at another merchant. A properly designed tokenization system should have rules that prohibit tokens obtained from one merchant to be used at another merchant and/or prohibit initiating transactions unless the PAN and authentication data has been previously received by that merchant. Read more...
Richard Haag
A big difference with PINs(at least in the debit world) is that they should only be entered into an encrypting PIN Pad. The feeling goes that if I steal a card with a valid PIN I can go to an unattended device(ATM) and pull out money w/o having to present a legitimate card to a person. I suppose you could make the same case(which you did) regarding an online transaction w/ a password. Read more...
Jay Gould
PayPal's plan of POS attack is to entice merchants with below-cost credit and debit card processing, which is an offer no retailer will refuse. The company will subsidize its losses from the card transactions with the very high-margin profits it enjoys when its users fund the sales amount from their bank accounts. On the other hand, whether the consumers will be won over is another question altogether. If it is to stand a chance, PayPal will need to make the checkout process as uneventful as possible. As it is, the customer is asked to enter his or her cell phone number, in addition to a PIN, before the transaction can be completed. That's unnecessary and excessive. Read more...

Tokens Are Not The Same As Encryption. Honest

Steve Sommers
I agree with all your points on how the technologies differ. The only possible disagreement I have is that you are very generous in giving PCI credit for distinguishing the differences between the two technologies and scope whereas I think they caused the confusion (or at least didn't help). Read more...
Andrew Jamieson
I tend to disagree that tokenisation and encryption are different - indeed, I see tokenisation as a form of bespoke encryption. Many of the arguments I hear about tokenisation being different from encryption leads to concerns about the security of encryption, or that encryption can be reversed. Although it is true that encryption can be reversed with the key, I strongly dispute the arguments about the security of encryption, and personally I put much more faith in an algorithm that has undergone many decades of community research, where the security (key) can be isolated in approved hardware, than in a bespoke solution I have no visibility or independent assurance of. Read more...
Steve Gurney
"High-value tokens are those that can be used to initiate a new card transaction." Personally, I didn't understand this part of the doc. Surely that's the point of a token, so I'm assuming they mean a token that can be used independently of a 'vault' type of service to initiate and complete a transaction. Otherwise, every token would be a High Value token. Services like Square's card case where a person's name can trigger a payment, or PayPal's where an email and password trigger a card payment. In these cases a name and email would be tokens and as they are initiating a card payment could be considered a High Value token. Read more...
Jeff Man
I disagree with you on the point you made about there being no way from a PCI scoping perspective to compare tokenization guidance to encryption clarification. The parallel that I see is not between tokenization and encryption, but between the token and the encrypted data values themselves. Semantics? Maybe, but I believe there is a significant if not subtle difference between these two statements. Read more...
Mark Bower
How can QSA be comfortable determining if something is out of scope, if he or she does not know how the system providing that benefit explicitly works in all conditions over its lifetime, especially if its distributed and may its functionality and risk profile may change over time and can be explicitly guaranteed? A QSA takes liability for such a de-scoping claim. Only proofs of security and evidence can stand behind that something seriously lacking in most of the debate. Read more...
Marc Massar
Tokenization is a use case of data transformation, not a specific technology. Humans have been practicing tokenization using multiple methods for centuries and claiming that one method of data transformation is the "real" tokenization and not some other way doesn't make sense. Tokenization must be reversible. Read more...
Mike McCormack
Promises of incremental sales and the ability to target loyalty have been completely worn out by endless pitches of card services, hardware, software, etc etc etc... Another watershed way of getting mobile payments introduced is to shift merchant's payment modes from higher to lower cost products. I think ISIS has started down a path that completely misses that opportunity by partnering with incumbents who have zero interest in reducing merchant payment costs. Read more...

Zappos Breach's Payment Card Pledge Very Risky

Jay Gould
Zappos is giving everyone a lesson on managing a data breach that everyone who may ever have to deal with the problem should look to for guidance. There is a lot to be learned. People understand that such things happen and, unless you've been egregiously lax in protecting their account information, will give you the benefit of the doubt. Read more...

Sears' E-Receipt Fear: Buy Once, Return Many

jandraski
I find the comment concerning the "painful item - level RFID process interesting. obviously there is an education gap that can easily be closed. item level RFID provides a host of benefits that can definitely impact returns management. Read more...

Is Visa Making Up Compensation, Fine Calculations? Court Filings Raise Questions

Jay Gould
We now know what happens, although many of us predicted it before the debit interchange saga took place, when there is a fall in the issuers' interchange revenues. That shortfall will be offset in one way or another, so that when it's all said and done, the banks will have managed to get their overall revenues to pre-reform levels and it will be the consumer who will end up paying the bill. Only this time that bill would be much bigger, as banks' losses from a potential credit interchange cut would be several times as large. Read more...
Anonymous
Jay, the incidents in this case unfolded over a period from 2000 - 2008, long before Dodd-Frank and the Durbin Amendment legislation. Read more...

Android Is About To Truly Kill The POS Business Model

Rajan
I agree that with tablets specifically becoming cheaper, they do offer a form factor that can be used in the retail environment. But, I still see the adoption happening slowly before it becomes ubiquitous. Read more...
Chris Roon
Classic sides squaring off here: existing POS providers want buyers to believe tablet-based POS is discontinuous innovation with whole product risk - where to get service if not from one vendor, industrial grade?, theft, etc. Tablet suppliers will dis-intermediate the incombants by positioning their innovation as re-segmenting the existing POS experience with continuous innovation for forward-thinking retailers. Read more...
welcomestranger
To completely displace the traditional POS *software*, payment acceptance is only part of the requirement. What is holding back the rest of us is the lack of a viable software solution for inventory-driven businesses. Square just doesn't cut it, at least the last time I looked at its capabilities. Inventory management and reporting, purchasing and invoicing, as well as multiple location and channel capabilities are some the features that force us to the much maligned legacy POS solutions. There doesn't seem to be a middle ground between the entrenched, large scale POS solutions and the agile 'startup merchant' apps that run on tablets or iphones. Read more...

With Google's Social/SEO Mashup, Your Teams Are On A Collision Course

Seo Queen
It is just tactic by Google to get more and more users for Google PLUS and I think that he has every right to do whatever it takes to get more and more people to Google Plus as I guess that Google has a target of get about same number of users as facebook by the end of 2012 Read more...

Self-Service Shifts Legal Risks, May Let Customers Off The Hook

Cedric Nunez
I do not think google will be able to achieve those targets of getting more users than facebook. But they are trying it in different way. According to sources, google is going to launch another 100 social platforms at the end of 2013. Read more...

Want To Push Social Media? Have You Considered Using Your Stores?

Walt Conway
What about if the retailer is in a shared space (e.g., a food court in a mall or college campus) where there may be limited space and possibly limited flexibility (e.g., power, comms, lease restrictions)? Or in airports, where I see more and more retailers. Would your recommendations hold for those locations, too? By coincidence, I was at a conference this week and sat next to the person charged with building brand awareness for a national food chain on college campuses -- and therefore with the student demographic -- nationwide. After reading your piece, I was wondering, would your recommendations would hold for them? As for airports, I could see one school of thought that says customers don't live there, so get them in and out. But I also could see where the particulars of this demographic could be sufficiently compelling to want to reach out. Read more...
Todd Michaud
I agree that there are even deeper levels of engagement that you absolutely could drive in the store (I love the idea of floating coupons by the way). I think what is most important is using the store to start a conversation that could be then continued online (rather than always trying to start a conversation online that culminates with a sale in the store). Read more...
Holidayfor5
I think the statement "Then there is the small fact that the retail operator doesn’t feed his family based upon how well his customers are engaged online" speaks loads. Read more...

Publix Buy-Online-Pick-Up-In-Store Trial Nixed: Grocery Shoppers Are Different

Emma Jenkins
Your take on the customer's view is right, however I wonder whether supermarkets can go a _long_ way towards resolving it with easy, quick refunds? My partner unpacked our home-delivered fruit and veg box last week, and discovered bruised fruit. Took a picture, emailed the company, and within 10 minutes had a refund. Happy customer all round - the company cares, etc. This requires very careful thinking on the merchant's part about how to invest in this area of customer service. However, since it is equally easy for my partner's picture of bruised oranges to be uploaded to a social media site as it is to email the company, the downsides for NOT doing this are quite large. Read more...
Steven P
What about the other non tangible benefits of shopping at the grocery store - it gets you out of the house and you get to interact with the staff. for many people this might be there only "human contact" in a day, or at least human contact that doesnt come with the stresses associated with family/work colleagues/customers. And of course, there is the primeval "hunting and gathering food" aspect. Read more...
ed
The last poster hit it head on - there is a primal "hunter" instinct of us humans preventing the buy groceries online model to take off. Food, clothing and shelter are the three things we humans go out and scavenge for and that is in our primal instinct. It appears the next logical step is to focus on items that do not interfere with our primal instincts such as prepackaged food or personal hygiene. Read more...

Questions To Ask Your System Vendor Or Reseller

ed
Vendors will hawk retail solutions with buzzwords like mobile POS, loyalty and RFID inventory to grab attention, but can they deliver? My experience early on was the majority of vendors could not follow up after the purchase order was generated. I ended up burnt dealing with firms I met at a conference who had nothing more than a nice brochure and a free memo pad with their logo on it. Read more...

Massive Subway Cyber Attack Ripped Into Weak Remote Access, Unencrypted Card Swipes

Dan C
What Chris P experienced was that the anti-fraud system/algorithm DOES NOT believe any devoted Shopkicker could frequent nearby stores that frequently, let along anyone willing to spend time to visit multiple malls in a short period of time. Probably need to limit daily kick collection to be below 1 or 2K. After the orange warning, what any Shopkicker can do is to (1) dial down your Shopkick devotion at once, (2) redeem your kick collection as soon as possible -- before it's too late. Once banned, there is no route of discussion/petition. Looks like only physical phone swap could restart the Shopkick habit -- the ban at least backlisted your phone ID. Read more...

Guess Google Wallet: Great GUI, Hardly Any Customers

Jay Gould
The thing I like the best about Google Wallet is that, unlike many of its competitors, it would allow users to link all of their cards, regardless of brand (Visa, MasterCard, etc.) to their Google Wallet accounts. From a consumer�s point of view, the best mobile wallet would store all of our cards, as well as cash and checks. What we would not want to have is a clutter of apps for each individual card type or even each card issuer. So Google is moving in precisely the right direction and I hope the promised future versions will build on that foundation. Read more...

Starbucks Reports 26 Million Mobile Transactions, A Good Sign Of Consumer Mobile Comfort

Jay Gould
Starbucks' mobile payments program has been a great success for the company, but is it really all that consumer-friendly? After all, customers can only link their phones to a Starbucks prepaid card and then use the service only at Starbucks stores. What would happen if every retailer took the same approach? I mean, would we want in the not-too-distant future to be using a separate app for each retailer and provide them personal information over and over again? Wouldn't it be far safer and more convenient to have one or two mobile payments accounts with providers of our choosing and use whatever payment method (credit cards, debit cards bank accounts, etc.) we may feel like? Read more...

Quick-and-Dirty (And Dangerous) Wi-Fi Retail Deployments Likely To Be Rampant In 2012

Richard Nedwich
While a blanket statement of alarm may be too cautionary, there is some merit for concern. The quick serve market of cafes and restaurants and gas stations, etc. have no such IT staff or large budgets to choose enterprise class solutions. While some find it best to rely upon a reputable managed service provider, perhaps too many simply 'go their own' by running down to the local Best Buy, or ask some kid on staff to 'plug and pray' in order to satiate customer desire for constant connectivity while they sip their java, eat their burger or fill up the tank. This is where what you don't know can hurt you. Read more...

Is PCI Skimping On Skimming?

Jonathan Rosenne
Please consider EMV. This is exactly what it was designed for. Read more...
Walt Conway
Unfortunately, EMV is not going to be a solution for several years at the soonest. And since ATMs still use the mag stripe almost everywhere, EMV does nothing for banks' risks. (I focused on retailers' risks, but banks face the same or larger risks at their ATMs!) What merchants (and banks) need to do is address the problem now based on the technology that is in use. Read more...
ed
EMV payment processing machines were implemented throughout the USA and in ATMs but have not been enabled at this time. For example, all of Wal-Mart payment devices are EMV-equipped to handle chip and pin. Read more...
Walt Conway
Good comment, Ed, but terminals are not the issue. The cards are the issue. That is until retailers no longer use or need the mag stripe, skimming is going to happen. And it is going to happen to the least prepared, least vigilant, and least aware retailers. This is less a technology issue (although monitoring your devices is a great idea) but a result of living with a 50-year old technology (i.e., mag stripe), and until that is changed, all the EMV-equipped terminals in the world won't help too much. Read more...

Mobile Tracking Would Be Great, If It Weren't Illegal. (What, Everything Has To Be Perfect With You?)

Susan Musleh
Malls track shoppers.... It's here.... street level data mining. Why should this information be confined to mega mall owners? I get it... personal privacy is gone.... But if our privacy as human beings is traceable by the UI of our cell phones... (And it is) all of us being tracked should have the information available. Street level data mining is very powerful, profitable and scary. A community consciousness needs to be implemented now. Large conglomerates collecting data on an individual bases and collectively leveraging our very movements for their own agendas... is simply exploitation. Read more...
John
You have chosen an unfortunate example of "the person hanging around outside the Victoria’s Secret dressing room was your 70-year-old neighbor." That is probably a reason why most people would AGREE that this kind of surveillance is necessary. Why not make an argument using an example of someone doing something completely innocuous? Such as: "it is a trivial task to cross reference the cell phone data with the payment data and send a message to Store B that someone who just spent $1000 at Store A just walked in their door." Read more...

mobile tracking
Mobile tracking isn't necessarily illegal. You can track your family or vehicles to ensure their safety. Read more...

Tablet Retail Impact: Sometimes, No Change Is The Best Strategy

Nick
It seems that you're making the assumption that bigger screen = better conversion rate. The really interesting question is whether shopping apps and shopping sites optimized for tablets will convert at a higher rate than the laptop/desktop. If they aren't today, they will one day. Read more...

EMV Is Simply Not Worth The Effort. Not Even A Little

Howie Brecher
Well said. Most of what Visa and MasterCard do is only to improve their profitability. They have virtually no interest in stopping fraud as they just pass the cost on to their customers. When they have to eat the costs of stolen cards and identity theft then they'll do the right thing. Read more...
Gavin Phillips
It's a good point, but bear in mind that just because the US is beginning to see that there's other technologies beyond the magstripe, in Europe EMV has been around for a *long* time. In that context, when EMV was created the issues around card data security weren't of the same scope, and therefore was never the primary focus of the standard. Read more...

A Wireless Tracking Way To Solve The In-Aisle Digital Receipt Verification Problem

ed
I believe the solution here it the emphasis on mobile phone but what the store already owns that can manage the products. I would embed 900Mhz RFID stickers (long- range) in carts and baskets. The mobile user can then associate their mobile device (note I'm not saying mobile phone as there are more wi-fi only devices such as tablets than mobile in the market) using an app to the "smart cart" or "smart basket." Read more...
Bryan Wargo
Cell signals are not going to be accurate enough to get aisle resolution unless the retailer installs a lot of equipment. I think WiFi is a better technology for this type of locationing. Most retailers already have it installed in their stores and all smartphones support it. Read more...

MasterCard And Intel Want To Put Contactless Readers In Laptops—Maybe Even Soon Enough To Matter

MonopolistAreSoPredictable
Why is Intel always trying to strike exclusionary agreements with common services? HD streaming - Intel monopolizing. Credit Card transactions - Intel monopolizing. Gawd, Intel, the people are begging for you to stop monopolizing! Read more...
PayPoint.net Merchant Services
Fraud is set to increase with the emergence of social and mobile commerce, so it is not a surprise that banks and card issuers are trying new methods to help and stop this worrying trend. Read more...

Could Lord & Taylor's "Claim Your Prom Dress" Effort Be Improved With ZIP Codes And Some Pull-Downs?

ed
Using Zip Codes will not be effective where students are going to school on the other side of town that is very common in large U.S. cities. One suggestion is the implementation of an interactive touchpoint displaying which dresses were sold and suggest fashion accessories to make the dress unique just in case. Read more...

Letting Customers Chase Your Thieves Gets Something More Valuable Than A Nabbed Thief: A Loyal and Happy Customer

Tom Mahoney
Anything less than getting your customers involved is like watching someone get beaten in front of your house while you do nothing. If more merchants and customers got involved, I think we'd see a less cyber-crime. As you mentioned, privacy issues and all the other excuses are tossed around and anonymity runs wild. Read more...
Biff Matthews
Unfortunately, no one of importance, the merchant much less the police or card issuers and associations, are interested in pursuing these criminals. Criminals know this so they continue to operate with reckless abandon. UNTIL someone in one of those entities or who is high profile is compromised, then it's Katie, bar the door. Read more...

New Visa PCI Compliance Stats: Level 1s Up, Level 3s Down Slightly, Level 2s Down Sharply

Walt Conway
One possible explanation for the drop in Level 2 compliance is MasterCard's new compliance validation regime. This new (this year) process requires merchants have either a QSA or the company's own Internal Security Assessor (ISA) sign off on their PCI compliance. Based on my experience, there can be a world of difference between a company completing their own Self-Assessment Questionnaire (SAQ, aka the PCI honor system) and proving to an independent assessor that you meet each requirement and can prove it. Read more...
Vinny Damiano
Mastercard pushed back the requirement for a QSA or certifed ISA to 2012. If the compliance percent went down this year, just wait until MasterCards compliance standards take effect next year. Read more...

In-Store Trial: 3 Mobile Datapoints To Locate Customers

ed
Retail-based indoor positioning systems would be best served with a RFID/NFC solution. Wi-Fi and barcode scanning is not exact science. I would 900Mhz RFID tag the shopping carts or shopping baskets and have multiple readers that can pickup the cart/basket position near displays or point of interest instead of trying to triangulation x/y coordinations that may not be accurate. Read more...

Vote Now: Why Retailers Really Should Help Select PCI SIGs

Steve Sommers
Based on my experience, if all the SIGs run like the tokenization SIG was, I'm not sure the point. They either ignore the feedback and do what they want anyway or only pay attention to the big payers. Read more...
Adrian Lane
Steve's right - it's a 'token' gesture. Seriously, it's great the sponsoring orgs will get a voice, but that's a tiny consolation prize. I like the 1 year requirement for completion, but if the PCI council can fold a SIG and ignore the advice of the merchants-vendors-providers, there's not much value being provided. Read more...
Andrew Barratt
Its just a shame the QSA's can't vote on the SIGS. We constantly get asked "whats the SIG going to be about?" I think its really important to have QSAs involved in the SIG from inception so that strange ambiguities can be avoided in the wording of papers issued by SIGs. Read more...

Home Depot, Macy's, Target Evaluating QR Codes That Show Different Things Based On The Consumer's CRM

Nick Martin
It will be interesting to see if the retailers decide to invest in the QR format to provide that kind of experience for their customers. Read more...
Mike Wehrs
This code innovation uses the standard QR symbology and is 100 readable by every scanning app that reads standard QR codes. This is just one of the many benefits afforded by a non-proprietary code technology and an open standards approach. Read more...
Eric Reed
Interesting comment from Microsoft Tag's Nick Martin. Will Microsoft be next to license NeoMedia's patents? Read more...

Whole Foods: We Don't Need No Stinkin' Data

thad peterson
It might also be a commentary on the true nature of loyalty. They have a fiercely loyal customer base because they offer great stuff supported with terrific service. Customers self select into the store, and come back because it consistently meets or exceeds their expectations. No need to bribe a customer to show up, and you can track skus to see what is and isn't moving. So who needs CRM? Read more...

The New Face Of Asian M-Commerce: Android Sells Five Times As Many Phones In 2011 As In 2010

Different joe
There are Androids that cost more than iPhones. But I am willing to bet that he is referring to the vast sea of Android phones here in China that sell from $50-$150 usd. I guess you have never been to any of the electronics market in asia, only your local best buy. Read more...
Holidayfor5
A duopoly like apple/android isnt a bad thing. customers have choice but not so much choice that no app provider can service all of them. Read more...
ed
There is more to this than mobile phones as Android is heavily used in cheap tablets over in Asia for m-commerce. Sharp Corporation just recently released an Android tablet that supports NFC in Japan a few weeks ago for example. Read more...

PCI Finally Addresses Vending Machines, Phones And Kiosks That Take Cards. For Retailers, Though, It's Still Tricky

Steve Sommers
PCI's timing is perfect. They release their PIN guidlines for kiosks approximately two weeks after the Durbin Amendment killed the small ticket purchase rates. I know, this guildline is not kiosk specific, I just find the timing kind of amusing. Read more...

Japanese RFID-In-Hanger Trial Raises Questions About Extra Labor, Customer Distractions

ed
The Shibuya 109 and 109 Men store are "social shopping" zones designed to attract attention as the place is comprised of small independent micro-retailers using 200 to 700 square footage attracting a worldwide audience. I find this concept excellent in terms of the context for the following reasons: -a couple shopping date and pull the hanger item off the display and get rich information and impressive attention. Others pay attention to what others are looking at and they would want to follow suit and do the same thing. Read more...
Steven Sutton
The idea has merit, especially since this is dear to me being the the hanger industry for 18 years. The hanger is part of a merchandising accessory which will always be part of most apparel. The availability & possibility of added presentation features that "come to life" - getting 1 step closer to the checkout register is definitely worth the effort. There is so much unused advertising & potential marketing on every hanger (and we manufacture approximately 2 Billion a year) that just begs for a new & innovative sales method to drive sales. It's a great match of an old basic product with the latest technology! Read more...

Count On Users To Foil NFC Payment Security

Mark
What's wrong with a simple acknowledgement? Imagine the phone displayed "Fred's Newspapers asked for $1.23. Swipe upwards to approve". That would give positive confirmation, is unlikely to be accidentally triggered in your pocket, and is easier than typing a PIN every time. Read more...

Can Item-Level RFID Pay For Itself By Cutting Theft? Well, Sort Of

Jim
The ROI was not based on Shrink reduction but on the other benefits of RFID that include labor reductions, improved sales due to better in-stock percentages and better customer service. Read more...

Google Loses Control As Retailers Push Out Wallet

Jeff Carter
And .... once those POS' are updated we will have to accept whatever Android based security protocol that comes with Google Wallet for a long time too. Read more...

Mobile POS's Unfixable Single Point Of Failure: Wi-Fi

ed
One frightening aspect of this is social engineering where an 10 year old can own the "jammer" device and cannot be charged as an adult but can disrupt the transactional process of a small store at the height of their shopping season. Read more...
Richard Nedwich
Depending on Wi-Fi for critical retail applications such as POS is not new to Retailers. Even cash registers can be connected to Wi-Fi with NIC cards. What's new is the ease with which anyone could disrupt that network. In fact, without a 'scrambler' one could simply use their smartphone's Wi-Fi hotspot capability near the retailer's access point to create interference. Read more...
StorefrontBacktalk
Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.