Evan Schuman's StorefrontBacktalk

The potential is absolutely there, with retailers collecting molecular mountains of shopping history—sometimes more than a decade's worth—and law enforcement seeking creative ways to find criminals (or people they think are criminals) who are quite determined about not being found. Read more...

"In today's environment, the card is swiped by a consumer and it's never seen by the cashier," said Joe LaRocca, the NRF VP for loss prevention. "There's no way to see the information on the plastic," he said, and therefore no way to verify identity." Read more...

A pair of companies is pushing an approach where hotel guests could use their electronic room key to also open vending machine snacks, which would then be automatically charged to the guest’s room.

The new approach, from Cstar Technologies and Fastcorp, would theoretically make such purchases easy to order repeatedly, offering revenue and margin that could more than compensate for reductions in “honor bar” purchases. …

The two-employee a-cappella.com was deluged with requests for an old DVD when a YouTube copy of the video--which had been lying dormant on YouTube for almost a year--suddenly started getting 400,000 daily views. Seems that a-cappella.com was the only merchant to have the video for sale. Read more...

Global RFID revenue is expected to hit $1.2 billion this year and $3.5 billion in the next four years, according to new Gartner projections. This year’s figures represents an almost 31 percent increase from last year.

Gartner reported that the leading segments were discrete manufacturing (21 percent), national and international government (20 percent), transportation (20 percent) and then retail (14 percent).…

There are many causes for this, but jurisdiction is a big part. Some retailers have had Loss Prevention take on store-level PCI compliance as part of their regular audits, but most LP departments have very limited IT skill sets, so this rarely works. At other retailers, PCI is managed out of the IT department, and we all know how much IT people like going into "the field," so that rarely works, either. In still other cases, there's a separate Compliance function that owns SOX and PCI, HIPAA. Most of these people are lawyers or "wannabe lawyers" who rarely show up at meetings let alone visit the stores. Read more...

Last week, StorefrontBacktalk ran a story chastising a security vendor, Shift4, for having issued a news release that said retailers using its products wouldn't have to worry about PCI requirements because they would be excluded. The vendor on Monday issued a news release, apologizing for the earlier one and corrected the record. But the core question--about it's encryption approach--still stands. Read more...

My favorite aspect of writing about security is that software designers work so hard to craft sophisticated, multi-level strategies to protect data, which is then periodically sidestepped by some kid with $18 worth of equipment, engaging in an easy blunt force attack that no one anticipated.

Case in point: Some clever folk at Princeton came up with this delicious and low-cost way around typical encryption methods. It’s based on RAM chip’s tendency to keep all data–including encryption keys–for seconds or even minutes after power is cut off. The Princeton approach then used a common dust removal aerosol can to deep-freeze the chip before killing power, a cooling tactic that sharply lengthy how long the RAM remembered the desired key data. From there, simple pattern recognition software quickly found the keys. This Princeton video demo is worth watching.…

This move comes on top of an incident earlier this month when an undersea cable was cut near Dubai, also wreaking havoc with global Internet traffic. Are more robust safeguards needed? Is these kinds of disruptions can be happen so easily by accidents, how vulnerable would they be to deliberate terrorist efforts? Read more...

The stops and starts of mobile commerce in the U.S. has been well reported, along with the fact that many parts of Europe and Asia are well ahead of us. But here is a fascinating CNN report out of Kenya that details mobile-commerce efforts among–so help me–goat traders.

No, we’re not talking about Wall Street sorts, as in oil traders. We’re talking people working the fields selling and buying goats, where all funds quickly get converted into virtual dollars. There are no bank accounts nor credit cards behind these transactions. It goes from cash to mobile. …

RFID-tagged products will have to be deactivated at the POS throughout Europe, if draft guidelines proposed this month by the European Commission are approved.

A public consultation is being launched into the “soft law” guidelines that EU Information Society and Media Commissioner Viviane Reding hopes will be adopted by the European Union executive to be applied in all the bloc’s 27 member states, according to this Reuters story. The guidelines are “tentaitively scheduled to be adopted before the summer of 2008,” the Commission said in a statement.…

There are several reasons for the unexpected spike, chief among them PCI demands hitting smaller retailers and new profit-enhancing techniques that require current POS equipment, said IHL President Greg Buzek. Read more...

One person working on the trial—sworn to secrecy by Wal-Mart—said the group initially tried cramming in a lot of sales info into each text message. This was done on the theory that it would increase the probability of hitting on an item that particular consumer would want. "We were sending 10-15 in about three or four text messages," the manager said. "We learned that three messages is where the consumer says, 'I've heard enough from you, Mr. Retailer,'." Read more...

For example, one of the digital services for their in-store kiosk was from an E-Commerce site called Shutterfly.com. That decision went beyond the attraction of digital photos, said Kevin Ertell, Borders' E-commerce chief. Read more...

The token approach is hardly new and it simply replaces a credit card number with a token that acts as the number throughout the payment approval cycle. It's fair to say that such a method—in theory—would reduce the risks of card transactions by shrinking the window of vulnerability. But it's hardly fullproof protection and as long as retailers accept credit card payments, they are almost certainly under the PCI jurisdiction. That didn't stop Shift4 on Wednesday from issuing a statement that "merchants concerned about PCI DSS compliance have an option that enables them to avoid its burdensome requirements." Read more...

But a recent court ruling and some congressional legislation threaten to change the rules retroactively. Read more...

Taking some cabs in New York City this month, I was thrilled to see the contactless devices in the backseat, only to be told by three different cabbies to not use them because customers were complaining about getting double-billed. This week, visiting three different grocery chains in New Jersey, tried unsuccessfully to use my contactless card there. The first time, a cashier looked at me as I asked about using my contactless card.Read more...

Referring to $178 million the chain had set aside to deal with data-breach-related costs, TJX said that on Jan. 26, 2008, "TJX reduced the reserve by $19 million, primarily due to insurance proceeds with respect to the computer intrusion, which had not previously been reflected in the reserve, as well as a reduction in estimated legal and other fees as the Company has continued to resolve outstanding disputes, litigation and investigations." Read more...

The reasons are many, but a frequent issue is that the chains are not able to get close enough to these independent or affiliated stores to accurately determine whether a breach at one of these stores could compromise the corporate network and data assets. Perhaps worse, they believe that any breach of such stores, whether or not corporate data is compromised, will cause corporate brand damage. Read more...

But it's been difficult to quantify the ROI of such chat functions, mostly because it's impossible to know reliably what the customer would have likely done had a chat session not happened. Forrester Research this week this to quantify the slippery ROI arguments for interactive chat and made an eloquent case for chat investment. Read more...

Retailers and telcos and others are watching test markets such as New York City and seeing how many consumers are using contactless payment. Their assumptions are based on the number of contactless cards in the population. But if that population doesn't realize that they have a contactless card, there's nothing valid that can be concluded when those people do not use them. Read more...

Amazon's own change involves it selling access to its pages to direct rivals. The backstory involves the stunningly thin margins that an E-Commerce behemoth like Amazon enjoys and the realization that Amazon might be able to enjoy better profits by taking a cut of a rival's revenue than by selling the item directly. Read more...

Nearly one-third of merchants dismiss the concept of tokenization because they consider their environment to be too complex, with card data in so many places. But a related reason for the quick dismissal is they see their card data as very "dynamic" — being used by many different applications and service providers. Read more...

With CRM systems trying to interact with Web analytics, mobile databases, purchase and returns histories and tons of other non-payment databases, the amount of non-credit-card data that is at risk easily dwarfs Visa transactions. Read more...

Although that amount might seem trivial, the librarian initially argued that it was likely more than most consumers who filed class-action lawsuits ever received (after attorney fees are paid) and it would be received much more quickly.Read more...