Evan Schuman's StorefrontBacktalk

Vague guidelines and conflicting audit firm interpretations—coupled with retailers that fall into multiple PCI categories—are making for some unhappy retailers. The problem is less one of how the PCI guidelines are phrased and more a matter of how they are being interpreted, particularly by audit firms the retailers are hiring to prove compliance.

"The guidelines are written fairly broadly and you sit there and say, 'How do we apply them?' One audit firm will tell you, 'No, you can't do this. It's prohibited by the guidelines' and another audit firm will say, 'This is perfectly fine,'" said security consultant Mark Rasch. Read more...

This week’s audiocast looked at issues ranging from payment systems—practical problems with retail PCI deployment as well as a new POS/Loyalty card program from Subway–to a new search feature unveiled on Thursday by Amazon.com and a look at the RFID industry after Alien Technology’s failed IPO. This week’s panelists featured return visits from IDC’s Pete Abell, Solutionary senior VP and former federal prosecutor Mark Rasch and Jupiter Research’s Patti Freeman Evans. Newcomers to StorefrontBacktalk’s Week In Review this week were Cathy Hotka, senior VP for the Retail Industry Leaders Association and Jupiter‘s Edward Kountz. StorefrontBacktalk Editor Evan Schuman moderated.

The PCI discussion was a fascinating realworld look at how PCI is great on paper but much more challenging in live retail environments. No panelist kept out of that free-for-all. You really should listen to it, if for no other reason than to get better excuses for PCI hiccups.…

This week’s audiocast panel discussion of the StorefrontBacktalk retail technology week that was …. was decidedly global in topics. This week’s group of retail technology analysts that sat down late Thursday was Patti Freeman Evans from Jupiter Research, Sucharita Mulpuru from Forrester Research and Paula Rosenblum from the Retail Systems Alert Group. StorefrontBacktalk’s Editor Evan Schuman moderated.

The group opened with a hard look at the German Metro Group’s Item-Level RFID plans and whether Wal-Mart can survive as a retailer outside (and, as one panelist argued, inside) the U.S.

The group also discussed retail attempts at mobile marketing, focusing on the Subway chain’s experimentations with cellphones, which raised issues of how far ahead of the U.S. much of Asia and Europe are and how that should impact retailer’s global IT strategy.

The panel also jumped into a report expected next week from Jupiter Research that looked at how e-tailers—including Netflix–are making some surprising decisions about incorporating user-generated product reviews.…

I hate to take a brief respite from this retail technology excitement, but when I saw this popular Web video–supposedly depicting Darth Vader’s younger brother as a retail manager–I had to share.…

Another group of retail technology analysts sat down Thursday late afternoon to look at the retail technology week that was. This week’s panel independent retail technology consultant John Fontanella—veteran analyst with the Aberdeen Group and AMR Research—along with returning guests IHL President Greg Buzek and the Retail Systems Alert Group’s Paula Rosenblum. StorefrontBacktalk‘s Editor Evan Schuman moderated. This week’s topics were Alien’s delayed IPO and the problematic ROI picture of kiosks. If some disappointing earnings and a few economic darkclouds are any indication, the retail tech sector may be in for a serious downturn. If so, what segments will fare well and which will likely get bloodied?

A few vendors have been pushing digital watermark technology—somewhat equivalent to a 21st Century microdot—as a clever way to bridge the physical store and online worlds, without the need for keyboard interactions. The cellphone becomes the remote control. Is this where much of retailing is headed? Will it work? What are the practical implications for customer service?

Are there topics or panelists you’d like us to consider for next week? Please don’t be shy.…

Here’s a discomforting statistic. Despite the sales pitches of payment processing companies telling retailers to avoid errors and costly credit card problems by outsourcing those efforts, new data finds that about 60 percent of data compromises are because of third-party processing errors and only about 40 percent are merchant mistakes.

The figures, released this week by Ambiron TrustWave, a Chicago-headquartered PCI security audit compliance firm. “POS developers, integrators and IT firms are not following PCI DSS and are leaving merchants at risk,” according to a slide Ambiron prepared for a conference. “The Majority of the compromises were caused by a fault in the service provided by a third-party to a merchant.”…

Visa on Friday changed its retail security requirement structure, which will—because of a change in definition of what a qualifying transaction is--have the impact of forcing more retailers to use its more stringent security procedures.

The core change is including all transactions when determining what level a retailer should be. Before, the criteria was limited to online purchases. "The most significant modification involves the Level 2 merchant category, which previously only applied to merchants processing between 150,000 and 6 million Visa e-commerce transactions per year," a Visa statement said. "Level 2 has now been broadened to include all acceptance channels and applies to any merchant processing 1 million to 6 million Visa transactions per year."Read more...

At the end of every week, StorefrontBacktalk.com will assemble some of the industry’s top consultants, analysts and IT executives to discuss that week’s retail tech developments. We inaugurated our StorefrontBacktalk Week In Review on July 21.

The July 21 panel included Pete Abell from IDC, Paula Rosenblum from the Retail Systems Alert Group, Greg Buzek of IHL and Mark Rasch, a former federal prosecutor who today serves as VP for Solutionary.

The panel–moderated by StorefrontBacktalk Editor Evan Schuman–ripped into a wide range of topics. Listen to Rasch, Rosenblum, Buzek and Abell discuss the new PCI changes announced by Visa or Rosenblum, Rasch and Buzek debate how multi-channel will likely do this holiday shopping season. Abell tackled HP’s RFID-rival Memory Spot alone while Rasch, Buzek and Rosenblum ganged up on self-checkout trends, including a fascinating discussion about self-checkout obliterating impulse purchases. Rosenblum and Buzek also argued about workforce management technology, concluding that the larger companies are–much more than they initially thought–avoiding workforce technology.

Please listen and shout your feedback to us.…

Coupons are a time-honored retail tradition, but like secret Black Friday promotions and regional pricing, there is a good argument that they may no longer make sense. There are many Web sites today that are designed to empower consumers, often ostensibly against the interest of big business, whether those are major retailers, government agencies or large publishers.

Some of the more interesting ones help consumers get around mandatory free site registration—such as www.bugmenot.com--or get to a human voice when locked inside a voice-system hell (www.gethuman.com).Read more...

Retailers with larger brick-and-mortar operations are going to be facing more demanding PCI security requirements this Fall because of a change in how Visa USA wants to group retailers, according to a report in Digital Transactions. Among the changes could be more internal audits.

The new tier definitions come as the card networks are making other changes to tighten data security. Visa is preparing to make a set of security recommendations for point-of-sale software, known as the Payment Application Best Practices rules, a requirement for merchants and software developers. To read the full story, please click here.…

Broadcom has introduced an RFID chip that won’t transmit sensitive information until it authenticates with a fingerprint reader. Citing applications included physical access and contactless payment, the semiconductor player rolled out the BCM5890 in a partnership with biometrics company Privaris, according to a report in RFIDUpdate. “A key feature is that the approved fingerprint information is stored on the fob, so the authentication is all done ‘on-board’ and the system does not need to transmit the scanned fingerprint to a remote database for verification,” the story said. To read the full RFID Update story, please click here.…

As contactless payment devices become more adopted by consumers, retailers need to be ready to handle them and, rightly or wrongly, take the blame for associated problems. Popgadget just did a fascinating look at Citibank’s latest RFID PayPass card. It references a Gearlog post about the pros and cons of such a device, along with a hacker’s take on contactless card security.

Little of this is new, as we reported a year ago Shell Canada’s experiments about contactess payment security. But as these cards start to come into common usage, it’s not a bad idea to look at the latest threats and be prepared to deal with the complaints. Trust me: they’ll come. It’s still worth doing, but the easier a system is to use, the more problematic its security profile will be.…

Following a series of seemingly nonstop theft-of-data problems from quite a few government agencies recently (Veterans Affairs, IRS, Agriculture, Federal Trade Commission and the Navy), the White House has given agencies 45 days to implement new safety procedures, the Washington Post reported today.

The new security guidelines were issued today (Wed., June 28) from the White House Office of Management and Budget. The agencies will have to encrypt all data on laptop or handheld computers unless the data are classified as “non-sensitive” by an agency’s deputy director.

Agency employees also would need two-factor authentication — a password plus a physical device such as a key card — to reach a work database through a remote connection, which must be automatically severed after 30 minutes of inactivity.

To read the full Washington Post story, please click here.…

A technology vendor called SmartTools thinks that customers should stop lollygagging around in the cashier checkout lanes. While waiting, they should be scanning their own items and saving the cashier's time. If you find this idea attractive, we need to chat. (Hint: This is not an especially good career-advancement purchase.) Read more...

When a Cincinnati man brought his hard-drive to Best Buy to be repaired, he was told that he couldn't have his old hard-drive back. But fear not, he was told: the drive would be made useless by having holes drilled in it. A few months later, the fully intact drive is purchased at a flea market in Chicago for $25.Read more...

Just what the federal government needs this week: more data-protection problems. An Internal Revenue Service employee lost an agency laptop early last month that contained sensitive personal information on 291 workers and job applicants. The Washington Post reported Thursday.

The paper reported that the employee checked the laptop as luggage aboard a commercial flight while traveling to a job fair and never saw it again. The computer contained unencrypted names, birth dates, Social Security numbers and fingerprints of the employees and applicants.…

In the ongoing saga of the Veterans Administration and how it’s been protecting confidential information, the VA Secretary will confirm today that the VA is about to recall all laptops, according to an eWEEK.com report today.

Perhaps an overreaction, given that employees could just as easily burn a CD or use a USB drive to bring work home and work on their home PCs. But at least it shows someone is trying to take some action, which is a good first step.…

As the rules for payment data get tighter and well-publicized incidents invite regulatory scrutiny, hungry lawyers and bad publicity, many smaller E-Commerce shops are hungry for an easy way out. Being the kind-hearted altruistic souls that they be, vendors are flocking to help these folk out. Read more...

Shortly after the media began reporting this weekend on its data loss from a car thief, Expedia hired a PR firm to call reporters and stress that the incident was not in reality exposing its customers to identity thieves, but merely to credit card thieves.

Now there's a comforting distinction. First, what does it say about Expedia that it not only felt that exposing customers to credit-card theft was a lot nicer than exposing them to identity thieves, but it was willing to pay money to try and make that difference clear? Even better, one could make the argument that if you give a clever con artist sufficient access to a consumer's credit card data, they will easily be able to extract enough personal data to try for an identity theft. Read more...

More than a quarter-of-a-million Hotels.com customers are now at high risk for credit card theft after a password-protected laptop computer containing their credit card information was stolen from an Ernst & Young auditor's locked car in what appears to be a "randon petty theft," a Hotels.com spokesperson was quoted as telling the Associated Press. The Seattle incident at Hotels.com, a subsidiary of Expedia.com, is just the latest in a series of data-identity cases recently centering not around criminal hackers but around the garden-variety thug breaking into locked places. Read more...

Just as E-Commerce players are getting used to the idea of people buying products using their cellphones, whether in a physical location beaming right to a POS or making purchases online, the cellphone wants to make the next leap forward. Nokia has ported the Apache webserver to Symbian, which will theoretically allow cell phones to directly serve Web content.

According to a report in LinuxDevices.com, Nokia installed its experimental port, initially, on a Nokia 6630, which it then accessed over a Bluetooth PAN (personal area network). This proved somewhat useful, in that it brought “the possibility of accessing functionality on the phone using a big screen and proper keyboard.”

However, the project’s goal was to enable access to the phone of the cellular network, the story said. This proved challenging due to firewalls explicitly deployed by operators to prevent such access.

This is the logical next step with the growth of the Web. The Internet’s early days were made powerful because of the networking of millions of PCs around the globe. The potential to expand that now with the networking of huge numbers of connected cellphones is, to say the least, powerful.…

Just what major retail E-Commerce sites need these days: Security holes associated only with their site. The Washington Post reported today that the security hole, which has existed for more than two weeks on the Circuit City site, created a “back door” for hackers to assume control of the victim’s machine and use it to send SPAM. The problem, which only reportedly impacted users who were not current with their Internet Explorer patches, lived on Circuit City’s customer-support portion of its site.

Users are tolerant of–nay, even used to–browser and OS security holes. But when the fears start routinely becoming site specific, E-Commerce players may finally take patches and security seriously. …

When $57 billion consumer products giant Procter & Gamble decided to experimentally tag and track its Braun Cruzer razors, it tied that tracking in with a 61 percent increase in sales. Is a rock-solid RFID ROI business case far behind?

The CEO of RFID company Applied Digital, which owns Verichip, has gone on television to altruistically suggest that . Some ideas are so absolutely awful that words don't do them justice. Read more...