Prioritized Approach to PCI Compliance Doesn’t Go Nearly Far Enough
March 4th, 2009
Unfortunately, opines GuestView PCI Columnist David Taylor, it does not go nearly far enough.
When it comes to competing against Amazon, eBay or even Japan's Rakuten, one of the more challenging aspects is their third-party marketplaces, which give each a seemingly endless inventory at minimal risk. But the odds may be getting more even, as shoppers are starting to notice that some manufacturers are strictly enforcing their authorized reseller rules.
The immediate impact on shoppers is they may find that the expensive flat-screen TV, surround-sound speakers or refrigerator that looked like such a bargain on Amazon voids the warranty. The arguably-unrealistic expectation from consumer goods manufacturers—which sharply strengthens the hands of traditional e-tailers trying to fight against these third-party marketplaces—is that shoppers would not only notice the actual name of the merchant shipping the item, but would take the time to run that name on the manufacturer's site to see if they are truly an authorized reseller. Or they could just make the purchase from Target.com or Bestbuy.com and know for certain.
And both firms quickly retreated. The specifics here do not indicate a major inappropriate reaction, but the pattern is discomforting. For companies to lead the industry and stake out strong global positions, especially in a weak economy, requires bold action. That means being aggressive at times to see how far consumers and competitors will permit them to go.
Multiple federal units are investigating the Heartland data breach, company CFO Robert Baldwin told investors Tuesday (Feb. 25). Among them are the U.S. Department of Justice, the Federal Trade Commission and U.S. Treasury Department’s Office of the Comptroller of the Currency (OCC).
Although the specific details surrounding the breach are still unclear, it has now impacted more than 500 financial institutions, according to Bank Info Security, and resulted in at least three arrests of people accused of using some of the data taken. It’s not clear precisely what the Feds are investigating or whether they are even involved in the same probe. The SEC might be looking at early CEO stock sales while Justice could be looking to catch more suspects, and both Justice and OCC might be simply trying to better understand the relative security of payment systems today.…
According to TJX's earnings statement issued Wednesday (Feb. 25), the chain had set aside significantly more money than it ended up needing to deal with the 2006 breach, thereby allowing the company to reallocate cash for other purposes and add about $18 million to the year's net income.
The retailer initially suspected that one of its third-party payment card processors caused the problem. But in mid-January, company officials said no outside entities were to blame. Instead, they attributed the incidents to a problem with a gateway. The lack of new details makes determining precisely what happened difficult, especially when dealing with a phrase as vague as "formatting flaw" somewhere within the POS. What role did the high holiday rush traffic play? Was the system so overloaded that response times were too slow? Or was it more of a programming error, such as assuming that when more than X number of transactions are processed during any one-hour period, presume it's an attack and suspend authorizations?
But too often lost in the coercive relationship that drives PCI, argued GuestView PCI Columnist David Taylor, is the intent of the standards: fraud reduction. A few simple Google searches will confirm that the links between PCI compliance and fraud reduction are largely unexplored and unproven.
Imagine my disappointment when a rudimentary runway model demo was all that this experience amounted to. Barely two-dozen short videos of models walking. And yet, just down the E-Commerce corridor sit the ghosts of what J.C. Penney might have done had the company truly wanted to show E-Commerce leadership and innovation. Had it chosen to move from mediocre to meritorious, think of the customization potential in a runway show.
One vendor is trying to get consumers to sidestep the hassle of filling out loyalty card applications at every store by integrating the functionality into a PDA.
The field test by Japan’s NTT Communication started this month, just as the vendor promised when it rolled out the program in October 2008. NTT’s new “Gyazapo” system, which uses an RFID chip in a mobile phone to carry loyalty card information for multiple retailers, can allow RFID scanners at the POS to grab shoppers’ personal information from a central database managed by NTT.…
In a proof-of-concept experiment in Bangalore, Intel India is marrying RFID tags and POS with a CRM database where “frequent customers would have their preferences and favorites recorded.” Such a system could tout related products and flag new versions of that consumer’s preferred brands.
“This system is designed to replace the current simplistic computer or other system that only provides billing and basic services,” said Sanat Rao, Marketing Director (Emerging Markets), Embedded and Communications Group, at Intel. “Our system, once implemented, allows the possibility of being operated as a kiosk and provides the information on inventory.”…
It’s been clear for a few weeks now that there has been another major credit card processor breach, above and beyond Heartland, lurking in the retail financial shadows. But the processor (along with co-conspirators Visa and MasterCard) has remained silent and, for the moment, unidentified. One report said that the breach appeared to be limited to “card not present” transactions, which certainly suggests an E-Commerce-only aspect.
StorefrontBacktalk has been in a quandary on this one for weeks, as it seemed pointless to run a story in which we couldn’t say who the processor was, how the breach happened, what the breach accessed or, well, pretty much anything else. But as more media outlets report that there has been another processor breach of some sort, staying silent started to seem ridiculous.…
To interpret motivation and real intent, sometimes a look at history can be useful. Do you remember another Facebook privacy incident back in December 2007? In that case, Facebook tried sharing—without permission—customers' purchases with people on their friends list. Is this a pattern? Is Facebook trying things, and if it's caught and there's a loud enough protest, the site pulls back? In short, is Facebook trying the permission versus forgiveness approach? Indeed, it seems to have tried both options. For a company that is trying to solidify a brand and build as much trust as possible, these tactical approaches seem odd.
Wal-Mart has historically had a strong fondness for its own homegrown apps, given the $401 billion chain’s rather absurdly large size. The company has liberalized that policy recently, allowing a few shrink-wrapped enterprise apps to slip in. Now there’s a report in Economic Times that Bentonville is seriously considering an Indian business process outsourcing contract that could include “non-core processes of procurement, merchandising, finance, accounting and payroll” and be valued at as much as $500 million.
The story quoted from a Wal-Mart document that said “Wal-Mart will expand staffing of certain elements of IT application maintenance and development with some of India’s leading information technology firms. India is one of several countries that the company is targeting as part of its remote sourcing model for IT activities.” Vendors in the running, the story said, include IBM, TCS, WNS and Wipro.…
No stunning revelation here, but the facial recognition included with several vendors’ laptops doesn’t work very well. Yes, it can be fooled by a photograph or other digital images. The latest details were revealed at the Black Hat security conference—tagline: Yes, You’re Every Bit As Doomed As You Thought—by a researcher at Bach Khoa Internetwork Security Centre, a Hanoi-based security firm.
To be fair, most vendors have marketed the face-recognition feature as a convenience, and they suggest using more robust security (such as almost anything else) to protect sensitive files. Also, the research said that it sometimes was a bit more complicated than showing an ordinary photo. For example, Toshiba systems forced the researcher “to move the images a bit to fool the technology because it looks for facial movement.” But if any retail IT folk are thinking of using this method as even a first-level security defense, they should probably rethink it.…
But in an attempt to give users a more consistent and professional experience—professional as in free shipping, 24-hour customer service and instant purchases—is eBay abandoning everything that made it work, everything that made it the world's largest and best garage sale?
Given P&G's reputation for ROI worship, many assumed the company pulled the plug because RFID was failing the test. What is closer to the truth is that the test failed, not the technology. And to the extent that Wal-Mart was as much a player in this trial as P&G, it could also be said that the test didn't fail, the tester did.
The orders between the chain, the Federal Trade Commission (FTC) and the U.S. Department of Human Services followed a probe that found workers at the company's pharmacies tossed into open garbage dumpsters many items containing highly sensitive consumer medical information.
Overall, the American Customer Satisfaction Index (ACSI) climbed 0.9 percent to 75.7 on the 100-point scale during the quarter, compared with the same period in 2007. "Very few economic indicators show positive signs these days," said Claes Fornell, who heads the ACSI. "The American Customer Satisfaction (for in-store) is one of them."
It was the second regulation imposition delay by the state Office of Consumer Affairs and Business Regulation (OCABR) in three months. The tough new rules, announced in September 2008, were originally scheduled to take effect Jan. 1, 2009.
FTC Commissioner Pamela Jones Harbour's comment was in the context of a new FTC staff report that says E-tailers need to start taking privacy much more seriously if they do not want the government to start imposing new rules.
The payment application data security standards (PA-DSS) are actually tougher in some respects than PCI DSS. As a result, some ERP vendors and users of packaged enterprise applications are considering tokenization as a strategy to modularize and centralize all payment processing by these applications. It's either that or partner with payment processing specialists (which provide payment processing functionality) to remove the overall ERP software from PCI scope.
Customers of E-tailer Zappos.com will soon be able to personalize the content of the Zappos Web pages they see. The company, using its own technology and developers, will enable shoppers to arrange content by category and style, said a report in the Internet Retailer. Zappos also plans to include more social networking tools on its product pages. This effort will make for easy sharing of information over Twitter, Facebook and other social sites.
Zappos, which began selling only shoes but has widely expanded its product offerings, is also suggesting that its employees create their own product videos to present to Zappos customers over the Web site, a move almost identical to Best Buy’s.…
Web sites where consumers can find money-saving coupons enjoyed a 32 percent increase in traffic between October and November 2008, the largest month-to-month increase of 10 measured site categories. Coupon site visitations jumped from 27,101 in October to 35,649 in November, said an eMarketer report, based on a new study by ComScore.
Next on the list, in terms of visitation growth, were retail sites selling jewelry, luxury goods and accessories. They saw a 25 percent change, increasing from 15,362 in October to 19,210 in November. At the bottom of the list were retail sites selling food. They experienced visitation growth of 10 percent.…
Even though no retailers were involved in that particular incident, the implications of this attack technique must be thought through. What the thieves did was to take the fundamental security of time and flip it around.
Given that it has one of the oldest names in retail, it’s impressive how Sears is repeatedly on the cutting edge of technology. ServiceLive, introduced this month, is another good example why. Instead of trying to sell products directly, it tries to connect homeowners with contractors and takes a cut of the action.
Here’s how the Sears-described process works: Users review and select pre-screened service providers in their area and then describe a repair or improvement project in detail, including the price they want to pay and their desired appointment time. The project is then routed to selected providers after the user uploads funds to his or her ServiceLive account. The first provider to accept the terms electronically wins the project.…