Top Stories
Security / Fraud
POS Inconsistency Proving Costly In Truncation Lawsuit
February 1st, 2007
Some of the nation's top retailers—including Rite Aid, Harry & David, Ikea, KB Toys, Disney, Regal Cinemas and AMC Theaters—are named as defendants in a lawsuit stemming from inconsistent Point-of-Sale (POS) deployment.
The class-action lawsuits accuse about 50 retail chains of violating a provision of the Fair and Accurate Credit Transactions Act (FACTA) that makes it illegal for a retailer to print more than the last five digits of a credit/debit card number on a receipt, and that also forbids printing the card's expiration date on that receipt. The rule took effect in phases, with the last phase kicking in by December 2006. There is little dispute that the overwhelming majority of retailers are in full compliance, and there's little incentive for a retailer to resist complying. And yet, attorneys say they have found many examples of receipts that still contain the forbidden data.
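As an added example (not code from the story or from any of the named retailers), here is a small defender-side check for the two requirements the lawsuit turns on: a PAN truncation routine that leaves at most the last five digits visible, and an audit over printed receipt lines that flags full card numbers, too many visible digits, or a printed expiration date. The sample receipt lines, the masking characters and the expiration-date print formats are constructed assumptions; the card number used is the well-known 4111... test number, not a real card.

```python
import re
from typing import Dict, List

# Constructed sample receipt lines for this example (not taken from the page).
# The first two violate the rule as the story describes it; the last two comply.
SAMPLE_RECEIPTS = [
    "VISA ****5678 EXP 03/09 TOTAL $42.17",      # expiration date printed
    "VISA 4111111111111111 TOTAL $9.99",         # full PAN printed (test number)
    "VISA XXXXXXXXXXX45678 TOTAL $42.17",        # five visible digits: compliant
    "AMEX *******8901 TOTAL $3.50",              # four visible digits: compliant
]

MAX_VISIBLE_DIGITS = 5  # FACTA: print no more than the last five digits

# A masked card token: four or more mask characters (*, X, #) followed by the
# visible digits. Assumed masking conventions, not a standard.
_MASKED_TOKEN = re.compile(r"(?<![\w$.])[*X#]{4,}(\d+)(?!\w)", re.IGNORECASE)
# A bare run of 13-19 digits is treated as an unmasked card number.
_BARE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Expiration-date print formats assumed for this example (EXP 03/09, Expires: 03/2009, ...).
_EXPIRY = re.compile(r"\bEXP(?:IRES|IRY)?\.?\s*:?\s*\d{2}/\d{2,4}\b", re.IGNORECASE)


def truncate_pan(pan: str, keep: int = MAX_VISIBLE_DIGITS) -> str:
    """Return the PAN with every digit except the last `keep` replaced by '*'."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must have 13-19 digits")
    return "*" * (len(digits) - keep) + digits[-keep:]


def render_card_line(brand: str, pan: str, total: float) -> str:
    """Build the card line of a receipt: masked PAN, amount, and never an expiry date."""
    return f"{brand} {truncate_pan(pan)} TOTAL ${total:.2f}"


def find_violations(line: str) -> List[str]:
    """Describe each way a receipt line breaks the truncation rule; empty list = compliant."""
    problems: List[str] = []
    if _BARE_PAN.search(line):
        problems.append("full card number printed")
    for match in _MASKED_TOKEN.finditer(line):
        visible = len(match.group(1))
        if visible > MAX_VISIBLE_DIGITS:
            problems.append(f"{visible} digits visible (max {MAX_VISIBLE_DIGITS})")
    if _EXPIRY.search(line):
        problems.append("expiration date printed")
    return problems


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Map each receipt line to its list of violations, for review of a receipt sample."""
    return {line: find_violations(line) for line in lines}


if __name__ == "__main__":
    for receipt, problems in audit(SAMPLE_RECEIPTS).items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{receipt!r}: {status}")
    print(render_card_line("VISA", "4111111111111111", 42.17))
```

Running the audit over a sample of printed receipts from each POS configuration is the check a retailer in this situation would want: the story's point is that the violations came from inconsistent deployment, so a single compliant register proves nothing about the rest.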
Nigeria, New York Top Fraud-Friendly Places List
January 31st, 2007
When it comes to the places that e-retailers fear as the most fraud-friendly, Nigeria, Russia, the UK, Indonesia and Mexico are the top countries, while the North American cities that are seen as the most felony-favoring are New York, Miami, Los Angeles and Montreal.
Those data points come courtesy of the annual online fraud survey from security vendor CyberSource. The survey of 351 company executives “of companies involved in E-Commerce” was conducted Sept. 14 through Oct. 6, the company said.
The results are entirely perceptions—as opposed to an examination of where frauds have actually happened—but those are the perceptions that drive where retailers choose to focus extra scrutiny. The survey showed more retailers focusing on where transactions are coming from.
The TJX Damage Info Continues To Trickle Out
January 25th, 2007
The Massachusetts Bankers Association has now confirmed TJX-related fraudulent credit/debit card purchases in Florida, Georgia and Louisiana plus in Hong Kong and Sweden. “Thus far, nearly 60 banks have reported into the MBA that they have been contacted by the card companies about compromised cards, and these banks are notifying customers and in many cases reissuing new cards,” the association said.
The ABA has been lobbying for rules that would require the disclosure of a retailer’s name when they “caused a data breach,” as a way of both discouraging retailers from being cavalier about security and protecting their member banks from being blamed for something they didn’t do. They also are trying to force retailers to pay for the damage if it’s caused by that retailer’s reckless security procedures.
TJX Problem Happened A Lot Sooner Than Announced
January 23rd, 2007
TJX is learning that the trickling out of bad news is a great way to keep a negative story alive and to send distrust as high as possible. Remember that mid-December unauthorized access that it didn’t report until mid-January? Turns out it had taken place almost seven months earlier, back in May 2006. I guess they wanted to make sure the thieves had plenty of time before the public was alerted.
“We had said in our press release that we had discovered the breach in mid-December but we did not put in when it occurred,” TJX spokeswoman Debra McConnell was quoted as saying in a Computerworld story.
Meanwhile, in Pennsylvania, regulators there have decided that the credit card theft was, ironically, too big to require consumer disclosure. “Under a new state law that took effect in June, businesses are required to notify Pennsylvania consumers by letter, telephone or e-mail if sensitive personal data is lost or stolen, exposing them to the risk of identity theft,” reported the Pittsburgh Post-Gazette. “But the AG’s office, which enforces the statute, said yesterday that personal notice is not required if more than 175,000 consumers are involved or if the cost of notification would exceed $100,000.”
Banking Group Accuses TJX Of Improperly Retaining Personal Data
January 19th, 2007
Two days after confirming that driver’s license data was intercepted during a major intrusion last month, TJX officials have been directly accused of retaining “unnecessary” personal data, possibly in violation of PCI rules.
“We think it’s a little odd that (TJX) would characterize themselves as victims when it appears that they may have been capturing data that is unnecessary,” said Daniel J. Forte, president of the Massachusetts Bankers Association. Forte’s group is lobbying for a state law change that would force retailers who are recklessly lax in their security procedures to pay for the cost of repairs.
“When a bank must issue new cards due to a retailer’s data breach, it can add up to a significant expense considering that thousands of cards could be involved. MasterCard, and now Visa, has in place a process for banks to make claims for the cost of re-issuing cards. However, there is no guarantee that the full amount will be reimbursed,” Forte said. “Additionally, there is the fraud issue. If a fraud does take place, MasterCard and Visa have a zero liability policy in place for the benefit of consumers, which is good. However, the cost is borne by the bank even if the retailer is responsible for a major violation of the card association rules resulting in fraud. Does this make sense?”
Data Breach At Owner Of T.J. Maxx, Marshall’s Raises Questions
January 18th, 2007
When TJX Companies Inc.—the $16 billion global retail chain that owns T.J. Maxx and Marshall's, among many other brands—disclosed this week that it had "suffered an unauthorized intrusion into its computer systems" in December, it seemed to be forthcoming.
After all, the chain issued what appeared to be . But a closer reading of the statement raises quite a few questions.
Large Metro Group RFID Trial Claims Strong Read Accuracy
January 18th, 2007
The world of retail technology has learned to always take notice when the Metro Group–a massive German retailer–starts to take anything seriously. So when Metro this week confirmed that it had invited Checkpoint Systems to join its ambitious 36-dock door trial of Gen2 RFID, it raised some eyebrows. Checkpoint’s official role is hardware integrator for the trial.
Each of 36 adjacent dock doors at the Metro distribution center was equipped with a Gen2 RFID reader, according to a story in RFID Update. At the same time, a pallet loaded with about 60 tagged Procter & Gamble goods was passed through each portal and onto a docked truck at full operational speed, meaning each pallet was in the RFID read field for between one and one-and-a-half seconds, the story said. A joint statement put the accuracy at a “98.6-percent-plus read rate simultaneously from multiple pallets as they were wheeled through the dock doors.”
“The results represent a significant milestone in European RFID operational deployment,” said Dr. Gerd Wolfram, Managing Director of Metro’s Information Technology Group.
A More Customized Returns Package From Oracle?
January 14th, 2007
Oracle on Monday will officially launch its Retail Returns Management package, which will support highly customized returns policies, such as one allowing a frequent purchaser to return more products than a less profitable customer.
Oracle is pushing the package’s ability to track–and enforce–returns across multiple channels, making it theoretically easier to deal with in-store returns of catalogue and online purchases, as well as those from a store in another state.
This has some strong potential, as many retailers are feeling the pressure to liberalize their return policies. This suite could at least allow merchants to formalize exceptions, which might take away some of the sting of aggressive return policies. Also, the integrated CRM capability across multiple channels couldn’t hurt with that elusive single-view-of-the-customer goal.
Anti-Fraud Measures Merely Relocate Credit Card Attacks
January 11th, 2007
As key governments–especially in Latin America and Asia Pacific–start protecting against the most common forms of credit card fraud, they are pushing the thieves into other countries and making it the problem of another country’s retailers, according to a new report from market research firm Frost & Sullivan.
“There is a noticeable shift in card related fraudulent activities to neighboring countries using less secure magnetic stripe cards for a majority of their transactions. With the United Kingdom implementing Chip and PIN and France implementing dynamic data authentication (DDA) cards, countries such as Germany and Italy are facing the brunt of the increasing migration of fraud,” the report said. “Singapore and Indonesia are facing a significant threat from fraud escalation and are considering a move toward EMV-compliant card technology. This phenomenon is significantly feeding the demand for electronic funds transfer (EFT) at point-of-sale (POS) terminals worldwide.”
EBay Doubling Its Buyer Protection Amount
January 10th, 2007
With a backdrop of renewed E-Commerce fraud fears, EBay’s PayPal is doubling its buyer protection effort–to $2,000–for some eBay transactions, according to a statement eBay and PayPal issued Wednesday.
The program will be offered by American and Canadian eBay sellers who qualify by “maintaining a 98 percent positive feedback rating and having at least 50 feedback points.” The program covers products that are not delivered as well as “items that are significantly not as described,” the companies said.
Effective Jan. 17, PayPal said the program should cover “more than 95 percent of items listed on eBay.com.”
Chip-And-PIN Security Questioned
January 9th, 2007
Like the constant reports that every food imaginable causes cancer or some other deadly ailment, IT managers looking for the mythical safe security approach would be best served by giving up and having a bowl of hot fudge. This is prompted by a university report out of the U.K. that chip-and-PIN terminals, which were touted as a more expensive but more secure way to validate credit and debit card purchases, are–you guessed it–not secure.
A team at the University of Cambridge “opened up one of the supposedly tamper-proof terminals, replaced its internal hardware with their own, put it back together without any external evidence of tampering and then got the machine to play Tetris,” according to a report in Computerworld.
Researcher Saar Drimer said the school’s experiments proved that all components of the PIN pads used to authenticate such transactions could be made to interact and respond to input from one another. “This means that the card reader can read information from the chip and display it on the screen. The data from the keypad, such as a PIN, can also be recorded,” Drimer was quoted as saying.
A Washing Machine For Shopping Carts?
January 4th, 2007
This is a little off the high-tech path, but it’s such a frighteningly vile retail story, it’s hard to not include it here. A Green Bay, Wisconsin, company called PureCart Systems LLC is trying to sell to retailers an automated shopping cart purifying system.
Company president Jim Kratowicz is quoted in the Post-Crescent newspaper as cheerfully saying, “They are never clean. They are covered in meat and poultry juices, a leaky toddler’s diaper and other germs. And you put your fruit and produce there and even your purse.” He also cites an ultra-pleasant report from the Univ. of Arizona that found that 54 percent of shopping carts contain bodily fluids, and 21 percent of them tested positive for blood, mucus, urine or saliva.
The PureCart system uses a peroxide-based solution to try and kill 99.99 percent of bacteria and more than 90 percent of viruses.
The Retail “See No Security Evil” Strategy
December 27th, 2006
The best gift for a cyber thief is retail and banking apathy. The good holiday news for those thieves is that, this year, they're making out like bandits. Security and privacy are among the top issues for consumers, so it seems odd that so many retailers and banks often take security so very lightly.
Please don't get me wrong. Officially, all executives with those entities say they take such matters seriously, but when we listen to the day-to-day management, the priorities seem to be elsewhere. Consider an upcoming report from the Aberdeen Group, which details a survey of retail IT execs who were asked to discuss contactless payment.
The Return Wars Continue
December 18th, 2006
Consumer groups are making their lists and checking them twice, to see which store return policies are naughty or nice. It’s a delicate balancing act, with lax return policies a huge source of fraud but strict return policies a major disincentive for purchases, especially gift purchases. The typical retail answer has been to “have a strict policy but don’t tell anyone.”
ConsumerWorld.org on Monday tried to shed a little light on those merchants, with Sears, CircuitCity and BestBuy on the naughty list for aggressive restocking fees, Amazon got a lump of coal for keeping as much as half of the purchase price for post-30-day returns and–my personal favorite–the site Grinched Buy.com’s “Easy Returns” policy for being more than 1,400 words long.
On the nice list–which included some of the same merchants–the site listed retailers who have liberalized their return policy into January but who inexplicably have not prominently announced this. The site did them the courtesy of announcing it for them. Moral of the story: If a retailer feels the need to keep a policy quiet, there’s a wonderful chance it’s not a policy it should have.
Amazon and IBM Trade Lawsuit Rhetoric
December 15th, 2006
In the ongoing saga of IBM’s patent infringement lawsuit against Amazon.com, Amazon struck back on Thursday, countersuing that it’s actually IBM that is violating patents.
The lawsuit is not subtly phrased: “IBM’s broad allegations of infringement amount to a claim that IBM invented the Internet. If IBM’s claims are believed, then not only must Amazon.com pay IBM, but everyone conducting electronic commerce over the World Wide Web (indeed, every Web site and potentially everyone who uses a Web browser to surf the Web) must pay IBM a toll for the right to do so.”
IBM spokeswoman Kendra Collins said that Amazon’s counterclaims “ring hollow” and represent “nothing more than a transparent litigation ploy,” because Amazon never brought up concerns over those patents during four years of cross-licensing discussions with IBM, according to a story in News.com.
In other E-Commerce legal action on Thursday, a lawsuit involving Yahoo and Google AdWords was dismissed, which raises the prospect of an out-of-court settlement.
Office Workers Love E-Commerce
December 14th, 2006
As E-Commerce matures, some of the assumptions about when and how shoppers shop need to be updated. Electronic payment vendor CyberSource analyzed some of its tracking data and found that office-time purchases are staying high, with the proliferation of residential broadband not making much of a dent.
Peaking at about 1 PM Pacific/4 PM Eastern, it’s feared that much late-afternoon keyboard tapping is not about pushing corporate profits, other than for retailers. Mondays and Tuesdays are still the highest-volume days, with weekend traffic at the bottom.
One key change: as E-Commerce grows, the traffic is remaining stronger at all hours, suggesting a morph into a 24-hour store. “The graphs are flattening—albeit with much higher numbers. Online shopping is not only getting bigger, it’s becoming more of a 24 hour phenomenon,” said Doug Schwegman, CyberSource director of market and customer intelligence.
The Verified Wal-Mart Giftcard That Wasn’t
December 12th, 2006
Earlier this month, giftcard exchange site Plastic Jungle was approached by a giftcard seller, offering two $200 Wal-Mart giftcards. Site CEO Tina Henson declined to buy the cards directly and instead suggested the seller use the site's auction area. The seller did and posted the cards for $125 and $135.
But when the site's authentication team checked on the cards, the Wal-Mart computer reported that the cards were valid and their value was intact, but they had just been purchased the day before. Thinking it was odd that someone would pay $400 for cards and then the next day be willing to sell them for $260, the CEO was contacted, but she shrugged and approved the sale anyway. The cards quickly sold.
Visa To Offer Cash Rewards For Retail PCI Compliance
December 12th, 2006
In a strong concession that fines have not worked in getting retailers to comply with credit card security rules, Visa has switched course and has dedicated $20 million for a fund to reward retailers who actually comply with industry-accepted PCI rules by Aug. 31, 2007.
"This is absolutely a different tactic," said Jennifer Fischer, a director with Visa USA, which is the nation's largest payment system company. "We believe that incentives are necessary to achieve compliance. This is the first time a payment card brand has used positive incentives" to encourage security compliance.
Verio Updates Its Small Business Shopping Cart Package
December 12th, 2006
Managed service company Verio on Tuesday introduced a new version of its small E-Commerce business shopping cart package, integrating payment processing services including PayPal, GoogleCheckout, eBay auction, Authorize.Net, WorldPay and FedEx realtime shipping quotes.
Like the earlier versions of the software, ShopSite 8.1 does not require any software to be installed on the retailer’s systems because it’s an outsourced service, with all computations happening on Verio servers.
Call the Cops! The Customer Wants His Order Overnight
December 12th, 2006
One credit card processor has issued a list of the characteristics of typical fraudsters, including seeking accelerated delivery and purchasing four items at once.
Putting aside the fact that I typically engage in those suspect behaviors (but for honest reasons: I’m impatient and impulsive. I find maturity to be way overrated), the stats collected by Retail Decisions are rather interesting. Beyond the typical well-known fraudster profile elements—such as using free E-mail domains, living in densely populated areas and spending 2.5 times more than the typical consumer—the group reported that 56 percent of fraudulent orders seek next-day or two-day delivery, “whereas only nine percent of genuine customers ask for next day delivery online.”
The company also reported that fraudsters often “bundle their purchases with an average of four items at a time (while) legitimate customers typically purchase one or two items per transaction.”
Malaysia Wants To RFID Tag All License Plates
December 12th, 2006
Reports out of Malaysia have the government wanting to embed into every car license plate an RFID chip with vehicle and owner information.
My favorite comment on this move came from a Wired blog post: “It’s not exactly clear how this will help since Road Transport Department Director-General Ahmad Mustapha was quoted by New Straits Times as saying ‘The first thing thieves do after a car theft is change the registration plates.'”
Perhaps it could help catch thieves in the first minutes after a theft? It would also force the thieves to defeat the RFID chip. Depending on the sophistication of law enforcement, they might then simply search for any license plates that do not generate working RFID signals and label them suspect. At the very least, it would force the car thieves to either fabricate RFID chips to send out false signals or–frighteningly–steal cars in such a way that it’s either not reported or at least not reported for a very long time.
U.S. Senator Vows To Crack Down On Contactless Payment
December 12th, 2006
U.S. Sen. Charles Schumer is formally petitioning the Federal Reserve to crack down on contactless payment, requiring consumers to be warned about privacy risks and preventing retailers from offering incentives for the cards to be tried.
"If you are using a no-swipe credit card, when you put your card in your back pocket or in your pocketbook, you might as well print your credit card number across your back," Schumer said. "Holiday shoppers need to be extremely careful with their credit cards, and these companies need to step up their efforts to protect people from identity theft."
CMU Details New E-Commerce Auction Scheme
December 11th, 2006
With E-Commerce leaders getting more sophisticated in the ways of online fraud schemes, criminals are increasingly turning to auction forums. In those forums, the cyber crooks can use the site's prestige to add to their credibility while they sidestep that very same site's anti-fraud safeguards by selling directly to consumers.
Major auction sites—most notably EBay—often use community policing as a defense, where members who do not deliver honorably are given low ratings by fellow members, which theoretically warn members to avoid them. The fraudsters have tried countering by using a series of fake names, which are quickly abandoned once bad ratings are filed.
Giftcard Fraud Rumors And Reality
December 6th, 2006
As giftcards have soared in popularity in recent years—some $25 billion in giftcards are expected to be sold this holiday season alone—the attempts to use them fraudulently have also soared. But some of the theft techniques being described to consumers are woefully out-of-date.
Does this mean that giftcards are secure financial tools for retailers and consumers? Not necessarily, but today's giftcards are certainly no less secure than traditional credit cards, with most retailers and issuers willing to be flexible with consumers who have been burned.