StorefrontBacktalk: Techniques, Tools, and Tirades about Retail Technology and E-Commerce

JC Penney, Wet Seal: Gonzalez Mystery Merchants

Written by Brooklynne Kelly Peters and Evan Schuman
March 26th, 2010

JCPenney and Wet Seal were both officially added to the list of Albert Gonzalez’s retail victims on Friday (March 26) when U.S. District Court Judge Douglas P. Woodlock refused to continue their cloak of secrecy and unsealed their names.
StorefrontBacktalk reported last August that the $17 billion JCPenney chain was one of Gonzalez’s victims even though JCPenney’s media representatives denied it. But the $561 million chain Wet Seal, which has 504 stores in 47 states, Washington, D.C., and Puerto Rico, kept its identity secret. No more, though, and that’s the way Woodlock wanted it.

For those keeping track, every reference in the indictment that came out of New Jersey to Company A was really talking about JCPenney, and every reference to Company B was shorthand for Wet Seal, according to Jarrett Lovett, Woodlock’s deputy clerk.

JCPenney attorney Michael Ricciuti, in Boston federal court Friday, argued to the judge that no consumers were impacted by the breach because the data grabbed from JCPenney was not sufficient to create bogus cards. Ricciuti added that there was, therefore, no need for consumers to know about the company’s vulnerabilities.

“I’m not convinced,” Woodlock said, adding that he believed both retailers should have announced their involvement from the start and that consumers had the right to know. Woodlock said he would not provide the companies “insulation from transparency.”

The judge stressed that the companies were seeking privacy as though they were individual victims, which he said was like “hermaphroditing a business corporation.” Back in November, an attorney for JCPenney asked the judge to protect its “dignity,” phrasing that might have set his Honor off.

Posted in IT Strategy/Industry, Payment Systems, Security/Fraud

One Comment | Read JC Penney, Wet Seal: Gonzalez Mystery Merchants

1. Tom Mahoney Says:
March 26th, 2010 at 11:16 pm
It’s about time the information was made public. Kudos to Judge Woodlock.
Leave a Reply ______________________ Name (required) ______________________ Mail (will not be published) (required) ______________________ Website ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ ______________________________________________________________________ Submit Comment Newsletter Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly newsletter, with urgent bulletins as news merits. Sign Up advertisement Read StorefrontBacktalk's Retail Realities Column every week at CBSNews.com. Please click here for an archive of those columns. Most Recent Comments " How do you define 'light' users on Twitter? Do you eliminate people that are obviously spammy? Do you include people that have just started? " -Brian Hayashi _________________________________________________________________ JC Penney, Wet Seal: Gonzalez Mystery Merchants Tom Mahoney It's about time the information was made public. Kudos to Judge Woodlock. Read more... _________________________________________________________________ Your Business Is Irrelevant And IT Wants To Help Brian Hayashi How do you define "light" users on Twitter? Do you eliminate people that are "obviously" spammy? Do you include people that have just started? And which Twitter account are you talking about - the corporate account, or the accounts for individual locations? 
The answers to these questions are significant, echoing hygiene and maintenance issues that have bedeviled smaller organizations for years. Read more... George Eberstadt You're already trying to associate your brand with other things that motivate the buyer; beauty, health, a good time, efficiency... "Your friends buy this brand" may be the most powerful association you can create of all. Read more... _________________________________________________________________ PCI And Cloud Computing: It’s All About Scope Joshua Corman Will the Cloud provider *allow* audits? There are cases where you cannot be compliant because they will not let you audit them - as a mater of policy. Layer 8+. Several of the "newer" challenges are Legal/Contract/Audit issues. Hosting and CoLo give us glimpses into these challenges, but this is still a big reason why many are not yet willing to put regulated data into clouds. Read more... Cranston Snoard It is refreshing to read an article (and a good one at that!) that discusses cloud computing and security which doesn't get caught up in the industry hype. Read more... _________________________________________________________________ Some Radical IT Ideas From An Exasperated IT Exec PCI Guy Todd Michaud asks why a $100 credit card transaction carries an interchange fee of almost $3. In a word: Risk. The issuer and acquirer banks involved in credit card transactions each assume part of the associated risk. For the issuer, the risk is that the cardholder will not pay the bill, or that the card is fraudulent, and the issuer also floats a potentially interest-free loan until the bill is paid. Read more... Steve Sommers No merchant is required to take credit cards. There are plenty of vendors that will install ATM's at the merchant location to allow the customer to buy cash if they didn't notice the "cash only" sign and this will be at no cost to the merchant -- while I don't like this option, it is available to merchants. Read more... 
steve klebe PayPal would be worse for your restaurant than what you take today because the transaction would be considered Card Not Present and the Interchange would be higher. Read more... beefyfunk I can't imagine a scenario where you could pay for something using facebook credits. In order to authenticate with facebook especially, you don't even store credentials, just oAuth. You'd have to ask the customer each and every time to input their username/password? That's surely not faster or easier. Read more... _________________________________________________________________ In A First, Google Does Real-time Joint Retail Trials Tom Stegmann If it was relatively simple to integrate an SMB SaaS POS system with a major search site like what Google is doing--wouldn't that solve the problem of hyper local inventory discovery and management? Read more... bill bittner The key to satisfying consumer demand is “data normalization”. Normalization involves recognizing what are considered equivalent products. The challenge is that “equivalent” could mean something completely different to each consumer. You don’t need to know what the inventory is until you know what you want to buy. Read more... _________________________________________________________________ Macy's Killing Giftwrap Could Be A Great Move, If It's Public Enough Lee Given the challenges of FINDING the gift wrap, I'm not surprised its not used - I'm a regular Macy's shopper, and didn't even know they did gift wrap ... if the gift wrap table were in the middle of the women's accessories, I'll bet it would have gotten lots more business. Read more... Michael R Hoffman Another great customer contact opportunity forfeited. HR and finance are only looking at cost side of equation. The gift wrapping contact is the best value differentiator in many customer's experience. It should be featured, not shut. 
What a great moment to capture referrals, grow brand value, represent vendor partners, cash in loyalty points (why not wrap for points). Read more... _________________________________________________________________ Amazon Limits Customers Talking With Each Other bill bittner I actually like this idea, especially when I am buying my x rated videos ... no need for the seller to know my real e-mail (just kidding). Read more... _________________________________________________________________ Facebook To Tighten E-Commerce Hooks Next Month RedRoseLoyaltist Not only does GE really want out of the credit business (esp. retail credit which is dying a very slow death over the next 30 years), but at the end of the day, it's about topline sales. Credit sales roll up into topline, but with a historical 46 percent use (if even close to this now) of credit, nearly every retailer that can figure out how to is going to tender-neutral, or is there now. You could say at least L&T is trying something, but now that they don't have MAY behind them, and Federated (Macy's Inc) sold them off, they're on their own. Read more... _________________________________________________________________ Overpaying For PCI Compliance Steve Sommers One can always come up with a theoretical scenario that requires maintaining full card holder data. Heck, my company is a gateway provider and we've had instances where if we stored the full raw track information, it would have greatly helped in diagnosing and solving a problem -- the full PAN was not enough. Read more... Todd Aument Consider that there are many other non-PCI data elements (name, date, email, amount, first 6 and last 4 digits of the PAN, etc.) available to track down these types of transactions. 
The organization should take a critical look at how often something like this actually happens, how often the PAN is *really* required for resolution, and how much (or how little) work/expense it might be to get help from the acquirer to research a transaction based on PAN. Read more... Gene Hoffman Let's assume a kids subscription game. Dad looks at his credit card and sees a charge he's been ignoring for months. He has no idea which of 2 sons or 1 daughter signed up and further doesn't know which of the about 4 email addresses his kids used to sign up. How do you rely on anything but luck to find that TX? Further, you can't afford the risk of cancelling the wrong one. Read more... Brian Grafsgaard In regard to tokenization, consider implementing your own tokenization (vs. outsourcing to your acquirer, gateway, or processor). You can still reduce scope by focusing your controls on the token vault environment (and the systems that call the tokenization solution) and maintain complete independence. You can also extend your tokenization platform to address other sensitive data like PII. Read more... Steve Sommers 1) Use additional data like name, email address or physical address with the last four digit may be an option. 2) Use a processor/acquirer neutral gateway, but I'm abviously bias. Putting my bias aside, merchants change processors or banks much more than they change gateways -- unless the two are tied together as with a non-neutral gateway. Read more... Mark We tend to have to store full PAN for missing and incomplete transactions.... Read more... Gene Hoffman How does Customer Service terminate an account when all they have is the PAN and a date? Most subscription services have 1 -3 price points so price doesn't give one much information. If a parent or the victim of card theft is calling in, the last 4 digits can easily match more than 1 transaction per day. Read more... 
Steve Sommers The #1 reason for this deafness: "We always did it this way", followed by "that would be too hard to change our procedures." More times than not, merchants can eliminate the storage of this data without much impact on their procedures but they need to shed the always "done it that way" shell. Yes there are exceptions, but with serious thought, the exceptions are just that, exceptions. Read more... _________________________________________________________________ An Underappreciated Threat: The Bored Employee Walt Conway The message for retail CIOs everywhere - and especially franchise operations - is that some pretty weak (i.e., junk) payment systems out there. You don't want to be buying from the low priced provider; it will be too expensive. My first reaction was that the vendor should be taken to the PCI woodshed (or worse), and the store owner who bought the POS system with him. Read more... _________________________________________________________________ With Online Ordering, Your Cashiers Can No Longer Cover For You Noah Glass There are a lot of online ordering salesmen out there who promise full POS-integration, when all they really execute is one-way order transmission to the POS. True integration should be a two-way street, including both order transmission and menu extraction. Menu extraction means that your online menu is updated in real-time when an item is 86’d or turned back on. Dan gets it absolutely right on when your online menu needs the human touch. No customer wants to see “BRGR” when they are perusing your online menu. Read more... Dan Veronese The obvious benefits of adding online ordering to a restaurant's site is to open the "doors" for business so to speak. That said, there are some ins and outs that are important with regard to the operations and efficiency of not only the ordering, but fulfillment and efficiency of the program. You're right regarding the modifiers as well and POS integration. 
Although a POS is designed for a tactile response, the online ordering site must be intuitive and guide the guest through the various modifiers and up sell opportunities and many times the "lingo" from the internal operations won't work for the guests. Such as "heavy" for condiments or "four-top", etc. Read more... _________________________________________________________________ Best Buy's Trade-In Plans: "Why Let eBay Have All The Fun?" Ashley First of all why would a store not give you store credit instead of cash... business decision wise that would be a poor one. Secondly you're probably more apt to get more money back if you receive it in store credit than if you were to receive it in cash because they (Best Buy) want you to BUY expensive items from their store to replace your old ones. Read more... Dan If I'm trying to get rid of it I am going to be looking for the cash. I am willing to bet that the amount that they will give you in store credit isn't anywhere near what you could get on ebay or craigslist. Now if they ever decide to give cold hard cash for my junk will someone please let me be the first to know. Read more... Karyn Cooks Win for Best Buy. Win for consumers. I predict a dramatic increase in synchronous & asynchronous Best Buy satisfaction web chatter. Congratulations on rethinking the old wheel. Read more... _________________________________________________________________ Cyberthieves Using Bluetooth To Steal Gas Station Credit Card Data Todd Michaud My question is, how did the thieves manage to implement the system in the first place? That sounds like quite an elaborate install. Did these locations run outdoor cameras at night? I would also agree that if this elaborate of a setup was created, I find it highly unlikely there would not be some type of localized storage on the device. It seems foolish for there not to be one. Read more... 
Terry Hare This sounds like too much effort, expense and project management skills for a common criminal, this is likely a small group, probably with someone inside one of the companies that make, deliver or service the pumps. What is scary is that this technology can translate to other card readers and if the perpetrators add local storage, the problem is even harder to uncover as they could drive up once a week purchase gas and download the data. Read more... _________________________________________________________________ Should Retailers Use PCI Training To Enhance—Or Replace—Their QSA? Dave CISA/M/SP I think this arrangement represents a balanced compromise. The goal was to increase the overall quality of merchant assessments, specifically self-assessments. Originally that was to be accomplished by expanding the QSA franchise. This allows merchants to continue self assessing, while mandating a measurable and demonstrable understanding of PCI DSS by the self-assessor through examination. Read more... Jestep This not only undermines PCI but just undermines the benefit of a 3rd party. On a cost basis, it's probably a no-brainer. Realistically, if you want PCI to work, you can't have the person managing the books and writing the checks. They're going to do what's in the best interest of the bottom line. Read more... _________________________________________________________________ Fidelity Tells Customers It's Shutting Down Self-Service Kiosks Todd Ablowitz Do you think this could be due to some sort of fraud that was happening? Did you probe on that area? When something seems to make no sense on the surface, one has to wonder what one does not know. Read more... _________________________________________________________________ Sears Chairman Argues That Amazon Should Be Taxed A Lot More Rob Martell Please, don't get me started on sales and use taxes, or god forbid, VAT... Just don't. Read more... 
_________________________________________________________________ Target Decides Payment Method Incentives Work Peter Guidi Retailers are rightly concerned about interchange fees. Merchant’s are given a choice either accept cards, or not. Retailers can negotiate the Merchant Discount Rate, but not the interchange fee which is the largest part of the cost. Alternative Payment providers who create disintermediation offer payment programs that bring significant savings. Read more... ben benack Now if TARGET figures out how to convince customers to grant access to their bank checking accounts and offers the in-store card as decoupled debit...look-out. Read more... Dan Stiel Rewarding behavior to choose lower cost payment enablers is smart business for Target. The math is pretty compelling and simple for Target. First, encouraging customers to use the house card means Target avoids bankcard interchant/merchant discounts - even with costs of running a private-label portfolio, it is less than 3rd-party bank card costs. Read more... James Van Dyke Target's provision of a 5% discount for consumers that use their payment card is a significant development that must be watched closely by banking card issuers, payments executives and merchants alike. The success or failure of new payment mechanisms can more accurately be determined by assessing the balance of value propositions between the three constituents (rather than the traditional approach of offering lopsided value to just one or two constituents, which results in failure). Keep your eyes on this one! Read more... _________________________________________________________________ PCI Council And Passwords: Do As We Say, Not As We Do Carsten Harry Maggiore, can i get this in writing ? Given they do not collect store or transmit card holder data, they are not subject to the specification. i have proven to my QSA that we do not collect any card holder data within our system except for the last four digits... 
and i am still required to implement all 12 PCI requirements throuhout the whole IT landscape and infrastructure. Yes, we are a retailer, and yes, we do a lot of credit card business... but we do not store card holer information other than the ccPAN masked, with only the last 4 digits visible. But that doesn't seem to be enough to be PCI compliant? Read more... Frank The document should be one that the PCIDSS has in their possession with their own security. I really don't see the purpose or the reason to password protect the document. If a level whatever credit card processor wants to make changes to the document and they compare the original with the one submitted this would in my view be fraud and subject to some very serious fines. Read more... Robert L Santuci Jr. At least it appears that they've removed the spot for credit card information from their fax forms. Read more... bill bittner One of my pet peaves with passwords is the 90 day rule. That, more than anything else I would imagine, is the reason you find passwords written on the back of postit notes attached to monitors. Read more... A reader Irony? From the association that was created to inflict tissue-paper security protocols on the rest of the world, and whose mandate is to punish organizations that don't build a proper steel safe to guard their used tissues? Their foundations were built on irony. Why are you so surprised? Read more... Evan Schuman Compliance is not the issue. As we--and tons of others--have noted, PCI is not just for payment. Officially, of course, it is, but the guidance, guidelines and best practices contained in PCI is a good tool for anyone to use when needing to protect any kind of data. The irony here is that the PCI Council didn't opt to use its own advice. Read more... Harry Maggiore Given they do not collect store or transmit card holder data, they are not subject to the specification. Read more... 
_________________________________________________________________ Secret Service Investigating Debit-Only Breach Of An Alabama Dairy Queen Walt Conway More than just suffering losses, the knock-on effect of these debit card breaches could be consumers finally having standing to sue a breached merchant. Enter the lawyers. At some point, I fear this could lead to a successful consumer class action against a retailer for a data breach. Compared to such a "doomsday scenario," any PCI fines will seem like a pinprick. Read more... _________________________________________________________________ PCI Council Changes Its Audio Recording Policy, Again Barak Engel When one reads the PCI standard, it quickly becomes painfully obvious that this sort of scenario wasn't really considered during development. Significant portions of PCI simply do not seem to make sense in this context. For example, investing in technology that ensures that card numbers are not emailed in clear text seems pointless; while it is an important control in an environment that deals with transactions and has sales audit and loss prevention functions, it is not really applicable in our case. Read more... _________________________________________________________________ You’ve Got A Mole Giving Away Your Sensitive Data A reader Right now, retailers see trends only as they unfold in their own stores, or through expensive research. And they may be colored by their desire to see their own trends succeed. This is a chance to see a broader spectrum of data. And it may be best for the smaller retailers, the ones who can't afford to carry a lot of inventory. If they can react quickly to trends that are selling elsewhere, they could really improve margins. Read more... _________________________________________________________________ New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed Jeff Man As a QSA, I've been telling call center clients to protect their recordings for at least five years. 
Now I have "proof" that recordings are in scope - and that sensitive authentication data simply should not be recorded. Read more... _________________________________________________________________ Chip-And-PIN Is Not A Free Pass On PCI Steve Sommers I don't understand where the false assumption that EMV addresses security comes from? (well, I do understand, but I'll keep my mouth shut) EMV attempts to address fraudulent card usage, not security. To me EMV and the Magnasafe technology that Magtek developed (swipe fingerprint) address the same thing in different was, but Magtek never promoted their technology as a security protocol. Read more... _________________________________________________________________ Is Mobile A Real Channel Or A Second-Rate Sub-Channel? Greg Lucas Suzy - I agree in a perfect world that is what we all want but there are trade-offs with everything. I think less than 5% of all web sites offer real customer service. Filling out a form on a web site for them to get back to me later is not customer service. Read more... Suzy Meriwether What I want as a consumer is the same tools, the same application, the same service no matter what channel of communications I use - mobile, phone, web site or my XBOX controller. Interactions should be device independent. And companies who are building applications for the same function (ordering pizza) to work differently on each device set themselves up for failure. Read more... cee_m_bee The important point here is that mobile retail strategy should incorporate both mobile applications and optimized mobile sites, offering a unified approach. After all, 'standalone' is hardly in the spirit of multichannel retailing. Read more... Evan Schuman It will always be a balance, but I'm encouraging the balance to favor the phone a bit more. A standalone app should be able to work, well, standalone. The power is there, but we may have to start morphing how we think. Read more... 
Greg Lucas I think your real question is this - is a mobile app a channel for all of a company's customer facing functions? No. Is it a channel for ordering / viewing products? Yes. Is it a channel for customer service? No Read more... _________________________________________________________________ Chip-And-PIN Hack Is So Scary Because It Surprised No One Steve Sommers Recently the EU shifted some of the burden of proof back to the banks and this was done prior to this Cambridge report. If the system is so secure, why the shift? Read more... Howard This hack has been available for over 8 years now. I doubt this should be a surprise to anyone. Read more... David Dorf The fact that this particular hole went undiscovered for at least six years is actually pretty impressive. I'm willing to bet this particular issue can be resolved in the terminal code without having to reissue all the cards. This is a great example of the importance of ethical hacking. Hats off to the Cambridge team. Read more... A reader How do you equate the failure of a developed-in-secret, 14-year-old cryptographic protocol with the adoption of object oriented programming, the recognition of design patterns, or the maturity of software engineering as a discipline? There were no software failures here, no code crashes being exploited nor buffer overrun attacks smashing stacks. This was a failure in the design and creation of a *protocol* that fell prey to being spoofed. No objects failed, because no objects were transmitted. Read more... R Dallaire Sure, you may hide all the cables but the setup will be obvious if you are wearing a T-Shirt. ;) EMV has to fix this. I don't know if the same issue has been raised in Canada. Read more... R Dallaire I worked on EMV project in Canada. EMV is better than plain MSR card. No doubt. This is not marketing "gimmick". The Cambridge/BBC video shows a guy using a Netbook PC and an EMV "test card" hooked on a stolen EMV card. 
Sure, you may hide all the cables Read more... bill bittner This hack demonstrates a much larger vulnerability that goes way beyond payment authorization. Just as we are hearing more about cyber attacks from overseas, we are using software design techniques that make our systems more vulnerable. Better get a kerosene lamp. Read more... _________________________________________________________________ Target Starts Accepting Phone Gift Cards, Courtesy Of Virtual Barcodes Shelley Hunter (Gift Card Girfriend) How will give someone a virtual gift card? Can you upload a physical gift card to your phone to make it easier to redeem? What happens if your phone breaks? Who is responsible for storing your gift card data? Read more... _________________________________________________________________ Visa: If All Else Fails Speed-Wise, Cut Corners Jim Janke Not surprisingly the information on the VISA website has yet to be updated with this change. Read more... _________________________________________________________________ CVS Twitter Program Perplexing Fabien Tiburce / Compliantia I agree that "secret" is a poor choice of words for something that just isn't. However engaging your users and promising quick, if not secret, access to coupons and the like is a great first step for any retailer. Read more... _________________________________________________________________ Gonzalez Lawyer: Don't Punish Gonzalez Because TJX Security Was "Seriously Deficit" Walter Meier If you factor in the domino effect that the TJX breach has caused, it's cost retail industries world-wide BILLIONS of dollars as they try to fend off other such cyber-attacks. I say life without parole is too lenient for Gonzalez! Read more... _________________________________________________________________ Security Versus Scope: Choose One Luther Martin Let's get a rough idea of exactly how secure 112- and 128-bit keys are by estimating the level of effort needed to crack one. 
Let's base this on the EFF's DES Cracker. The DES Cracker can test roughly 92 billion keys per second on 1,536 special-purpose chips. Given a plaintext-ciphertext pair, it can test all possible DES keys in a bit over 9 days, and you’d expect it to find the key that decrypted the ciphertext in about half that time, or about 4 and a half days. Read more... Steve Sommers I never meant to imply that brute force encryption is easy (even though, technically it is, it just take a long time). All encrypted data can be cracked, it's just a matter of at what cost; in money or time. What is considered strong today may be insignificant tomorrow. Read more... Mark Bower "Encrypted data is still data and can always be decrypted" is a meaningless statement. It like saying "the sun will eventually explode". Read more... _________________________________________________________________ Carrefour, World's Second Largest Retailer, Makes Major Contactless Endorsement David Dorf Contactless payment just doesn't do anything for me as a consumer. The difference between waving my card and swiping my card is negligible. Now from a retailer's perspective I imagine fraud can be significantly reduced, but does the savings outweigh the required investment? On the other hand, I think near-field technology in mobile phones can be leveraged in lots of places in the store, not just the checkout stand. That will be much more interesting. Read more... _________________________________________________________________ Facebook Learns The Downside To Making Logins Easy Kiril Alexiev Software security will be coming to the front of many of the social networking sites as they become closely tied to business, having credit card info in them and in general becoming more of a marketplace, rather than just a place to blog, chat and goof around. With mobile phones and computers converging, such security will be even more challenging than before. Read more... 
_________________________________________________________________
E-Tailers Dodge A FACTA Bullet

Steve Sommers
Well, this is a blow to PCI and card security. Email receipts should fall under FACTA, as it is a bigger security risk than printed receipts. Email is not secure. Everyone knows this. Except, apparently, some E-commerce merchants and some judges.
_________________________________________________________________
Pizza Hut CIO Proving The Unprovable: Mobile ROI

Rob Weber
Hats off to Pizza Hut! Their iPhone app has a very well designed user interface. It actually makes ordering a pizza on your cell phone fun. I'm generally not a huge fan of food companies creating apps because they offer me very little extra utility. Large scale brick and mortar retailers should focus on the location based aspects of mobile commerce, and not try to simply port their web strategy into mobile. Mobile requires its own strategy, as do other forms of app marketing (social apps and sharing, etc). Finally, should Pizza Hut be considering other app platforms as the platforms become more saturated? For example, car electronics.

Evan Schuman
Dave said: "Domino's app is sub-standard to say the least (so is their website!)" Well, so is their pizza, but that's another issue.

Dave
At last someone has a decent grasp of what iPhone apps should include. A nice simple idea that uses the technology in an iPhone to maximize usability. Interesting use of technology for the payment processing as well. Too many brands are currently jumping on the app bandwagon and failing; Domino's app is sub-standard to say the least (so is their website!)

David Dorf
The Pizza Hut app is a great example because it's useful, engaging, and leverages the capabilities of the phone. Yes, it's specific to the iPhone, but there's no better place to start. You certainly wouldn't criticize someone for releasing their software on Windows first and following up with other operating systems once it's proven.

Fabien Tiburce / Compliantia
Greg, using the numbers you provided yourself, 42% of iPhone users are less than 34 years old! That's huge! I am not saying this is not a worthwhile demographic; in fact, in the case of a pizza brand, that is precisely where you want to be.

Jeff Roster
I believe this is a terrific example for a couple of reasons: Remember the app was prominently featured in Apple iPhone commercials run nationally. I have heard estimates as to the value of that exposure. The number is large. We are still in the very early days of mobile commerce. Pizza Hut made a bold decision and I believe have been handsomely rewarded for their gutsy call. From a US perspective the iPhone user is the perfect demographic to experiment with.

Greg Lucas
Fabien, I have to respectfully disagree with you. First, you shouldn't look at the worldwide smart phone market when looking to deploy a US-only mobile application. You have to look at the US trends. You can't doubt the popularity of the iPhone here in the US. Secondly, the iPhone is not for "young, urban professionals." Nielsen published numbers that show there are just as many iPhone users 55+ years old as there are 13-24.

Fabien Tiburce / Compliantia
Creative use of technology, well suited to the likely audience: mostly young, students or urban professionals, many of whom have iPhones. However, this particular use-case may not be portable to other industries and categories.
_________________________________________________________________
A CIO Do Not Call List

Tim Davis
When I was CIO at Popeyes, we set up an IT vendor voicemail that the switchboard routes calls to when a salesman calls for IT but knows no names. That is checked monthly by a team member.

Carlos Cherubin
I am in. I completely empathize with Todd. I also do not answer my office telephone and am bombarded by repeated, irrelevant, and more often than not arrogant emails, to the point that I am now starting to set them up in my junk mail filter.

Chad Symens
Don't answer your phone, but on your voice mail provide a "if you have a product or svc you want me to consider, email me at" and then provide an email address like vendor@. Then when you are looking for a solution you can search that box based on key word and see if anything is helpful to you.

Todd L. Michaud
Take it from me, most CIOs have too much on their plate already. The last thing that they need is someone solving a problem that is not on their Top Priority list. It may be a great system/solution that will save or make the company money, but if it's not part of the current burning platform, there simply are no cycles to think about it right now.

Cranston Snoard
I've been dealing with a pesky sales rep from a leading firm that offers log monitoring / management capabilities who just can't accept we are not interested in her product line. For some reason, even though several managers, including myself (security and risk), our auditors, our vendor relations manager, our CIO, the PCI business owner, etc. have all told her we are not interested, she insists on sending each of us e-mails or making calls every month or so.

Todd L. Michaud
Todd P. Michaud, you will always have a pass on my DNC list. Call me any time. Just please don't call my wife--that would be awkward.

Todd P. Michaud
Todd L. Michaud has written a brilliant article about common sense professionalism, says Todd P. Michaud, CEO of one of those "darned I/T services providers!" I am certain that I would at least pronounce his name correctly.

Todd
Amen Brother Todd!! This is so annoying, and 99% of these callers took zero time to understand who I am or what my company's needs might be. I used to hate being rude, but I'm over it. Sign me up as a charter member.

Frank Urbaniak
Sitting on the consulting side, I am amazed by the number of retailers that send out RFPs to companies, or request additional information, and then don't have the courtesy to say 'Thanks' in an e-mail reply, or 'We'll get back to you if we're interested'. This after contacting you and requesting information/a proposal ASAP, which takes time and money to prepare.

Mike Romano
Welcome to the real world of capitalism. This is the US, not China.

Della Lowe
Made my day. I know all vendors (including my company) deal with this double-edged sword - how to acquire new leads but not annoy folks. My favorite was the young woman who called me, would not take a breath so I could question her and then yelled at me because I said her solution was way out of my budget.

Mike
I'm in. Let's get started.

John
This list and process is needed. You left off one thing: the cold caller that gets someone in the business to transfer the call to get past caller id... automatic on the list.
_________________________________________________________________
PCI Conundrum Of The Week: When Plastic Meets Paper

Walt Conway
@Dave, I have never seen formal guidance on using a marker to 'black out' a PAN or other data. But I have used my eyes, and if you turn the paper just so in the light you can read quite easily the blacked-out information.

Lee
RE: blacking out - not only can it sometimes be read, but many copier/fax machines will pick it right up.
I've found an ultrafine black Sharpie 'squiggled' vs a straight line works well in most cases. For hole punches, look for a 'long arm' hole punch (one source is a craft store) so you can get to the number even if it is in the middle of the page.

Dave CISA/M/SP
Is there any guidance on paper redaction? I've received verbal guidance that heavy marker redaction is sufficient for the Card Verification Value, but that hole-punching the CVV out of the copy is preferable. zation in ANY form - redact with a heavy marker or punch out the number from the image.

Walt Conway
There are situations where existing laws are in conflict with PCI requirements. This is most often encountered in the area of background checks (Requirement 12.7), which can conflict with privacy legislation in some countries. Whenever there is such a conflict, sovereign law trumps PCI. That would seem to describe the situation here.
_________________________________________________________________
Cambridge University Calls Verified By Visa Secure Protocol Terrible Security

E t Voorde
One bank using the card PIN as 3DS password doesn't prove that the whole protocol is useless. Besides that, the protocol might not be perfect, but it does prevent a lot of the very simple Card Not Present fraud happening today. Off topic: saying that with EMV the ATM PIN is used for POS is typically UK, because the whole of Europe was already using PIN in POS in magstripe debit transactions for years!

A reader
Nice paper. Factual conclusions. Utterly useless. It won't get fixed. Remember that Visa is perversely opposed to providing true security for transactions. It won't get fixed because the current screwed up system is too profitable for Visa. How screwed up is that?
_________________________________________________________________
Retail Vendors: Forget New Functions. Just Make It Simple And Cheap

Doron
Sometimes it seems there is more investment in innovation than basic retail operations. Your basic Costco-sold cash register can't give you the data you need if you are interested in tracking sales, but in most cases you can turn any PC or laptop into a register for less than a few hundred in software and peripherals. You can find USB barcode readers cheaply as well.

Joe
The costs for delivering 5-second credit card processing through high speed connections integrated with POS (and associated PCI costs) are excessive if the transactional volume is not sufficient. Much cheaper, yet slower, to use the old stand-alone terminals.
_________________________________________________________________
Mobile Sites Are Supposed To Be Slow, But Not This Slow

Frank
Shopping on a mobile is just as silly as trying to watch video on one, the new gadget fascination brought on by witless people. And people wonder why the world is so messed up. Greed, not so smart people, the list goes on and on...

Wayne Brown
What happened at these retailers is that full-screen, non-mobile-centric developers were used. The best mobile apps do not come from the minds of full-screen, PC/Server type programmers. I'll bet that the retailers' criteria matrix didn't even include performance benchmarking. Why? Because they are thinking like PC/Server developers.......

mobile sites
I agree. Stick with XHTML MP or something light-weight. Most mobile browsers can't process fancy stuff like Flash anyway.
_________________________________________________________________
What's The Rush For New PCI Call Center Requirements?

Mike Pruden
And I have not heard anyone mention the impact on companies who provide quality improvement services.
Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff's effectiveness in customer service and sales retention. The PCI Council needs to rethink this requirement until there is a widely available, commercially viable solution.

Geoff Miller
Another ridiculous decision where regulators don't think critically enough about the unintended consequences of their decision. This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can't purge all of our calls and we don't have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it.

J- R
This "clarification" is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7-figure sums on their compliance programs. The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is in a position to force that sort of process and technology change, and this may backfire on them and the vendors that lobbied hard for this clarification.

Kemil Carbuccia
The PCI council has made a one-sided decision; they should have done much more in-depth research that could have provided more insight with regard to the implications of such a decision.
_________________________________________________________________
Trying To Force Strong Passwords Futile, Counterproductive

PCI Guy
This brings to mind yet more senseless, pointless, burdensome and counter-productive impacts from the "intelligent, thoughtful, capable people" at the PCI Security Standards Council: The PCI DSS not only mandates passwords that are at least 7 characters long and containing both letters and numbers, passwords must be changed every 90 days.

Steve Sommers
Another factor, assuming a user is not using Post-its, is that passwords will be lost more frequently -- especially in systems users don't use frequently. This moves the risk from the login authentication to the password reset/reassignment authentication, and these areas of many applications are less secure and usually more vulnerable to social engineering attacks.
_________________________________________________________________
HSN: Where Multi-Channel Becomes Even More Multi

Suzy Meriwether
I think 'even more multi' is right on. I think it's multi-channel, multi-times, and retailers, service providers and others need to understand that. I'll see it on TV, I'll go online to look up details, I'll tweet about it to see if friends have used it, go to the store to look at it, then buy online.

Fabien Tiburce
What a great reminder that we should never deploy technology just "because we can." Consumer behavior and usability (watch what users do, not what they say), not technology for its own sake, ought to drive technology selection.
_________________________________________________________________
Burger King Sues Franchisees Who Didn't Upgrade POS

Fabien Tiburce
Having attended a number of franchising shows and seen what retail brands will do (and how much they spend) to attract would-be franchisees, I can't help thinking this is, at the very least, a PR disaster for the brand.
_________________________________________________________________
Data Breach Cost Numbers Games

Gray Taylor
You rightly point out that there is no safe harbor through compliance - you are compliant until you are breached, and then you are not. Retailers I work with are wondering "If we implement rational security practices, who cares about compliance?", and that is hard to argue with. In essence, PCI compliance has become less of a data security exercise, and more of a fine avoidance strategy.
_________________________________________________________________
Social Unstructured Data Is Not Unusable

Michelle de Haaff
This information is hugely valuable. We analyze it for real use and action with retailers every day. There are so many real-action insights in social media... Some examples: *Cries for help! - are customers complaining about something online that you can answer? We find it, analyze it and route it to people to get involved in the conversation.
_________________________________________________________________
Will Old OS Cause PCI Violation? No, But Marketing Still Says So

Jacob Ansari
This is an interesting issue, because there's more to it than what's apparent on the surface. PA-DSS requires supported and patched operating systems and other software components (e.g., databases, libraries, Java, etc.) per PA-DSS 7.1.b and 8.1, and the option for compensating controls simply isn't there. Merchants can make use of compensating controls for most PCI DSS requirements, but only when legitimate constraints exist and only in ways that meet the intent and rigor of the requirement and go above and beyond the other PCI DSS requirements.

Cranston Snoard
Why would one automatically upgrade to a "new" OS -- some of the older versions of certain OSes are more stable and more robust than the crap being peddled today. This is yet another clear example of the PCI SSC being out of touch with reality. Rather than requiring a "current" OS, the requirement should be to demonstrate the OS in use is stable and robust, and is adequately hardened against threats.

Steve Sommers
There are compensating controls that encrypt the swipe at the driver level as it enters the PC; there are hardware encrypting card swipes so the cardholder data is already encrypted before it comes to the PC -- either of these, especially the second, would remove the OS entirely from a cardholder data risk profile.

Lucas Zaichkowsky
In my opinion, the only thing the vendor did wrong was they didn't know of that FAQ entry. Even if they did, it changes nothing about the need for merchants to update software that no longer receives updates.
_________________________________________________________________
Helicopter Parents May Ruin The Retail IT Industry

Lee
Given that IT people are stereotypically less socially aware, perhaps this trend makes sense. The parent (seems to usually be the mother?) knows that their technically gifted son/daughter has some people issues and wants to help compensate?

Scott
Please someone tell me this will appear on an episode of Punked!

Marty
My son (non-IT) was considering a promising post-college stint in minor league baseball a few years ago. He informed me, "If I don't make the Bigs and have to take a regular job, it better not be entry-level." My response (after the laughter): "Are you kidding me?" But he was very serious.
_________________________________________________________________
Forget Your Well-Thought-Out Mobile Strategy: You Now Need Three

David Dorf
I have spoken with a couple of companies that claim to automatically build native apps for different platforms from one source. If each retailer builds 1-3 apps for 1-3 platforms, consumers will be overwhelmed. As more retailers enter this area, it's going to get tougher to differentiate. A few will get this right and lead the market.

Fabien Tiburce / Compliantia
The value proposition of mobility is multi-faceted because mobility is an enabler, not an end in itself. Mobility is actually a lot harder to do well than web-based applications. Networks are slower, devices are smaller (usability does matter) and there is no default mobile platform (hence the reason for carrying 3 phones), unlike the PC/Windows monopoly we love to hate.
_________________________________________________________________
Holiday Season Dollars: We (Somehow) Were Right

Doron Levy
I have to admit, I was part of the naysayer camp before Christmas and I'm encouraged by the increase, but (and this is a big but) we shouldn't be jumping for joy for 1.1 percent. You can't tell me that cost of goods sold and overhead didn't increase at least 1.1%!

Evan Schuman
Editor's Note: Doron's right. The key point we were initially trying to make was that, back in October, with all of the data then available, we simply couldn't see how the 2090 holiday could have been worse than the prior year's disaster. Pent-up demand, among about 20 other factors, simply wouldn't allow that, unless some other catastrophe kicked in, which (fortunately) didn't happen. But to Doron's point, yes, continued annual increases of 1.1 percent--especially measured against the increased cost of sales--will be very bad news.
_________________________________________________________________
Announce Breach. Blink. Be Sued

Steve Sommers
Sounds like a possible industry in the making: hacking cardholder data, not with the intent of using the compromised information, but instead with the intent to win the litigation lottery.
_________________________________________________________________
Beware Of The Side Effects of Software-As-A-Service

Fabien Tiburce
Asking the IT department what they think of Software-as-a-Service is akin to asking the Detroit auto-makers what they think of public transportation. Your points remain valid. SaaS is not a silver bullet, but SaaS does alleviate a lot of problems that have plagued large organizations for some time.

Kevin Ertell
I'm not sure it's fair to lump all SaaS models under the same umbrella. Some require more integration than others. The world is changing incredibly quickly, and keeping up with those changes requires adapting technically. Sometimes, SaaS presents the best option, even if that means more integration effort by internal teams.

Alex
It is certainly very valid that integration is an important factor to consider when looking to go SaaS (and on-premise, for that matter). Would you consider that some systems are better suited to SaaS than others? For example, email seems to be an early suitor?
_________________________________________________________________
Last Driver-License Scanning Holdout—Nebraska—May Be About To Cave

James Loar
Who would write software just for NE? Obviously the applications are written to cover the requirements of the whole country; then during installation you would expect to configure what data to collect -- that's the decision of the retailer, not the software developer. Perhaps NE is worried that a data-aggressive retailer will install a floor scale and overhead height sensor in front of the cashier to validate that the driver's license data matches the person after the card is scanned. Mmmm.

Todd Ablowitz
Wow. It's amazing that Nebraska is in this position. Restrict usage or storage of the info? Fine. To be an outlier this long on such an obvious benefit to the people of Nebraska? That's already shocking, but to put a target on the developers? Even worse.
_________________________________________________________________
Will Best Buy's Pushback Against Visa Contactless Payment Change The Market Or Is It Irrelevant?

Duncan Taylor
I applaud Best Buy's stance here, but to think that the card methods will not advance in this direction is short sighted. Clearly VISA needs to overcome the interchange fee concerns, and the contactless payment method is bound to evolve and fold into cell phone payment.

Dan Stiel
The real Best Buy message to fellow merchants: It is o.k. to say no to enhancements that increase costs - especially when there is no meaningful impact on the customer experience.
_________________________________________________________________
McDonald's: IT Must Be Comfortable Failing, But "Fail Really Small"

Terrell Jones
I really agree with failing small and fast. But I can't agree with the PC designation of 'sub optimal business case outcome'. Baseball players don't have sub optimal batting experiences, they 'strike out'. Teams don't have a sub optimal game experience, they LOSE the game. Failure is a strong word, but getting people to look at why and how the project failed and to kill the project while coaching the person is the path to success.

Fabien Tiburce
Of course retailers should accept the possibility of failure if it helps foster innovation. And what is the best way to fail small and fail fast? a) Rapid prototyping, b) pilots and c) software-as-a-service. Combine all three and you have the ability to try out new ideas, at no or a nominal cost, get feedback quickly, adjust and iterate until you can improve or reject the methodology.

Lee
"Sub-optimal business case outcome" is definitely preferable to 'failure'! Seriously, I'm pleased Roberts is conscious of language. You are up against millennia of conditioning if you try to get people to accept 'failure' as ok.
_________________________________________________________________
For How Long Will Consumers Forgive Mobile Slowness?

Fabien Tiburce
The apparent (but incomplete, read on...) message is clear: capacity planning is very inconsistent across the industry. Performance under load is predicated on the site's architecture and infrastructure. While money (and expertise) can address infrastructure bottlenecks, only foresight can produce a solid architecture that will help a system scale and distribute its load.
_________________________________________________________________
Target Admits It Was Breached

Steve Sommers
The question I ask myself is "What did they do differently to stay under the radar and out of the press?" While they state "only a tiny fraction of guest credit and debit card data" were compromised, they process a lot of transactions and a "tiny fraction" could easily be thousands of cards. I know I've seen headlines about breaches with fewer than a thousand cards compromised, so I go back to my question: what did they do differently?
_________________________________________________________________
MasterCard: December PCI Deadline Change Not For Holiday Conflict

Hybrid Forge eCommerce
This announcement did take some pressure off, but PCI must be taken seriously by e-tailers.

National Retail Federation
NRF's CIO Council and IT Audit Committee, along with many retailers, sent numerous communications to MasterCard about our concerns regarding the proposed changes and timeline. It is both unfortunate and troubling that those concerns were never communicated effectively within their organization.
_________________________________________________________________
Best Buy Kicks Visa Contactless Out Of The Building

Steve Sommers
Since these cards can be swiped, I think Visa has much more to lose in this battle than Best Buy.

Todd Ablowitz
Is Best Buy starting a trend? Will this impact Visa's approach? What is Best Buy losing by turning off PayWave cards? What is Visa losing by not having contactless acceptance at Best Buy? Most importantly, I wonder what the long term effect will be. Will this move the needle either way?

Mobile Payments
It won't be long until we are all paying via our mobile payments account, and no longer carrying plastic. Just wave your phone in front of the reader, and it will be paid. Exciting things are in the works.

sleze
Meh. None of my credit cards have PINs. I always sign.
_________________________________________________________________
Amazon Pricing Needed Serious Optimization, As It Sold A $3 Billion Win98 CD-ROM

Lee
What ended up on Brian Klug's charge card?

Blue Bird
How would one react to a $1.5 million shoe on Amazon! (Yes, we have captured it.)
_________________________________________________________________
A Look at PCI in 2010

Janice Gaines
Anyone else here reading "I.T. WARS"? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary – an eCulture – for a true understanding of security, being that most identity/data breaches are due to simple human errors.

Dave CISA/M/SP
Is anyone seeing movement towards revoking the "free pass" for transferring data unencrypted over private networks? In both Heartland and Hannaford, data was being sniffed "on-the-fly". Will the continuing trend towards malware-based data collection attacks drive the council to consider requiring the encryption of data "in flight"?
_________________________________________________________________
When It Comes To PCI Compliance, Franchisors Are Screwed

PoS Manager
There's so much involved with compliance. Just because the PoS software is PA-DSS doesn't mean the entire hardware solution is. Just because the physical devices are doesn't mean the user is using 'best practices' and eating the PCI dogfood.
_________________________________________________________________
MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

Dave CISA/M/SP
Reciprocity between MasterCard and Visa has always been a factor in Acquirer merchant level assignments. The brief removal of reciprocity generated a great deal of interest in being able to be classified at a lower level in MasterCard's world. Nevertheless, the return of the reciprocity language in the December changes did not effectively create any new Level 2 merchants, but it DID dash the hopes of a lot of them.... :-(

Cranston Snoard
Let's give them credit??? For being idiotic in the first place? Not on your life! Everyone has just had to scramble and include the costs of the previously announced M/C requirement in their 2010 budgets, and start negotiating with the QSAs for the additional services. All for naught!

Dave CISA/M/SP
"A bunch of Level 3 and Level 4 merchants just became Level 2s". Is this an accurate statement? MasterCard & Visa have historically included the caveat "or is a Level X in another brand" in their level setting criteria. MasterCard appeared to back away from this in the June pronouncement, and have simply returned to the status quo. Have Acquirers been tracking and reporting merchants at separate levels by brand?

Walt Conway
I stick by my comment (quoted in the column) about a bunch of L3 and L4 merchants becoming L2s and requiring an onsite. To me, what made MasterCard's original requirement for an onsite assessment for L2s palatable was that they took away their reciprocity provision. That is, they seemed to focus on larger merchants with over a million MasterCard trans/year. With reciprocity in place, a lot of smaller merchants are pulled into the onsite requirement. Rather than causing confusion, I think reciprocity will lead to additional work for processors and acquirers.
_________________________________________________________________
Why Are You More Afraid Of A QSA Than A Cyberthief?

Biff Matthews
I believe the issue is one of expense: the known absolute expense of addressing an assessor's finding versus the unknown and possibly no expense if a breach does not occur. What is the probability of being breached, therefore the cost, versus the cost of implementing greater security that may or may not be breachable?
Ryan Barnett
I work for Web Application Firewall (WAF) vendor Breach Security and I couldn't agree with you more about the unfortunate *gotcha* related to merchants attempting to address Requirement 6.6 by deploying a WAF; however, they never move into an actual blocking configuration. The intent of 6.6 is remediation, and if you aren't blocking with your WAF then you missed the point.
_________________________________________________________________
Windows File Deletion: Going, Going, Still There

PCI Guy
Sadly, the clueless folks at the PCI Security Council don't understand how modern file systems work, and they have been stupidly requiring software developers to "securely delete" sensitive data. The thing is, that's not really possible, and the old technique of overwriting confidential data multiple times simply generates a few more allocated disk sectors, while leaving the original "confidential" data untouched.
_________________________________________________________________
Instant Credit Income Verification: A Retail IT Migraine On The Horizon?

Chris Phillips
The requirements to consider income and liabilities are certainly a huge impediment to instant issue credit cards. Thoughtful concerns have been and are being lodged with the Fed. These rules (to me) seem to be solutions in search of a problem. Failure of consumers to repay private label credit cards did not cause the current crisis. Mortgage companies are now required to verify income, which seems somewhat more on target.

James Loar
This would be a great means to kill off the credit concept and force people to only buy what they can afford - in cash. Maybe that's the real goal?
_________________________________________________________________
Blackberry NFC Trial Getting Pushy

Cranston Snoard
So how would this impact fraud detection routines? Could I use my PayPass card at one location and my spouse use my "tagged" Blackberry at another store next door?
_________________________________________________________________
The Corporate Travel Card PCI Challenge

Jay Libove, CISSP, CIPP
I realize that the question ultimately lies in who has the liability for damages caused by an information security breach of a 'corporate card' program. If the "cardmember" rules which apply to a corporate card lay all of the liability with the business on whose behalf the cards are issued, then the card brands have little standing to impose PCI DSS, as the card brands have little to lose.
_________________________________________________________________
The E-Commerce SEO Game May Soon Have To Deal With Page Load Speed

surfvoucher
I'm not going to believe that just by having a faster site than my competitors I'll rank over them. I personally believe that what Google is saying is that if you have a site slower than the average you might get some sort of penalization in your rankings.
_________________________________________________________________
In The M-Commerce Page Load World: Target, Sears Slow; Amazon, QVC Fast

Jack Taylor
The Target vs. Amazon results are really interesting, seeing as how Amazon runs Target's site. Looks like someone missed some clauses in the contract on performance.
_________________________________________________________________ The E-Commerce SEO Game May Soon Have To Deal With Page Load Speed Adam Brown Very often performance is overlooked when specifying a web application and is often thought about at the end of the development process when it’s too late or expensive to do anything about. Perhaps now when the benefits of having a high performance web app have a direct impact on bottom line performance will become something that designers and engineers look at from the beginning. Read more... _________________________________________________________________ A Chilling Reminder Of The Internal Security Threat A reader Clearly a systems-based internal theft these days could do a lot more than empty a few tills of their change funds. But how often is it really happening, and how will we ever know unless Loss Prevention departments start publishing their figures? Read more... _________________________________________________________________ Black Friday, By The Numbers Doron Levy Wow, I'm not sure if this story is good or bad news. Looks like online retail will be the shining star this holiday season as the numbers at the physical store aren't so full of good cheer. This story also confirms what we already know, Amazon is a key player in online shopping and they set the standard for customer experience. I believe that this seasons results will change the way Black Friday is deployed next year. Read more... _________________________________________________________________ The Best Way To Stop Marketing From Getting Around IT: Teach 'Em bill bittner There is nothing worse than the marketing side over promising and the supply side under delivering. I agree the new media present challenges, but I think your analysis under estimates the coordinating function of IT. 
The IT department does not only implement individual projects, they are often the ones who know what both the left and the right hands of an organization are trying to do and can coordinate business processes in addition to technology. Read more... _________________________________________________________________ Retailers Sue POS Vendor, Questions Raised Where PCI Duties Stop A reader I would add a couple more questions: "did the breach involve the use of the default passwords?" (The story doesn't say.) And "were the default passwords used by Computer World to remotely administer the store systems?" "where is the PCI auditor in all this?" Did the restaurant group think they didn't need an audit because Radiant was (mis)representing Aloha as PCI compliant? How is a retailer or even a PCI auditor to know otherwise? A PCI auditor is not necessarily a qualified computer forensic investigator capable of finding the card data on the hard drives. They can only base a decision on information given to them by others. Read more... David Dorf There are so many holes in the process it will be difficult to pin blame on just one constituent. It is ridiculous that the technology exists to better secure these transactions (PIN, EMV, etc) yet banks won't use them. Only the banks or government can force this change, and retailers will suffer until then. Read more... Jim Janke A major issue in this case will be if the restaurants had any support agreements in place with Computer World and if so what those agreements say. In my experience many single unit/small operators choose to skip the support agreements in favor of a "pay as you go" arrangement. In this scenario I can't imagine how the POS VAR can be held responsible for a system they don't own nor exclusively manage. Read more... Steve Sommers There is a big difference in having the POS installation guide say "make sure you set this password because the security of your CHD depends on this" vs. 
a POS application not storing the CHD in the first place. Traditionally only the merchant was liable for breaches and PCI related fees (fines). Maybe dragging some of the vendors into the liability mud fight will open the eyes of some of these vendors. Read more... _________________________________________________________________ PCI Human Train Wreck Coming Next Year For Level 2s John Bailey This is retail, folks. Year end deadlines are really unacceptable and should be moved to mid-year...July 31st for example. If you're like my company....nothing can happen in the last 6 weeks of the year as we lock down for the holidays. These people totally have their heads in the sand. Read more... Walt Conway I am regularly mystified by how particular dates get picked by the PCI Council and other bodies. For example, what's special about June 30 for replacing WEP encryption (or the March 31, 2009 end date for new WEP applications) or October for the updated DSS? But these really pale compared to the year-end date chosen by MasterCard which conflicts with seasonal system freezes...including their own! Read more... Gray Taylor Not surprisingly, some acquirers are questioning the veracity of the relaxation of "reciprocity". Is there anything in the public domain from MC to substantiate this? I have been constantly surprised at the lack of knowledge about retailing exhibited by those setting mandates (cost burdens to be added to timing issue). Acquirers are in the same boat as merchants - not knowing/understanding what is coming down the pipe next. Only recourse is to get involved in the process and get vocal! Read more... _________________________________________________________________ Should Credit Card Transactions Be Free? There May Be A Way Mathieu Here in the Netherlands, where the population is notoriously penny-pinching, credit card acceptance is amazingly low. 
It's both a result of the consumer not wanting to pay interest on everyday purchases as well as merchants not giving up a slice of the action. It is both legal and common to pass the processing fee onto the customer as a surcharge. Now things are moving to leave the credit cards behind: mobile phone payments are becoming more and more common here, and the transaction fees are minimal. Parking and entertainment (movie/concert tickets, nightclubs) have been amongst the first, and it's rapidly gaining momentum because the market has been hungry for the convenience at a price it is willing to pay. Read more... Trey Gourley "Free" is an illusion. Don't charge one person but charge double to someone else. I am very skeptical on anyone who says that advertising will create valid cashflow. Just look at the advertising struggles in a TiVo world. And if you sell your customers data, just be warned that the one group that might have issue with that are you customers (which to me is very important to cashflow. Read more... Jestep Another factor not mentioned here is the impending costs that the processors and issuers are going to incur when someone decides on an end-to-end encryption method, and it then becomes government mandated. I can guarantee that this is a when question and not an if question. The back-end networks are pretty antiquated right now, and it's going to cost billions to replace everything. The cost of tech may be going down, but the cost of replacing millions of servers and hardware, and creating new, proprietary, software is still really expensive. Read more... Dan Stiel Accepting credit cards are not "risk-free" for merchants, contrary to Jim's comments above. Chargebacks are an expense - both in terms of actual transaction reversals and costs associated with managing the process. 
Chargeback rules and expenses can be everything from a thorny issue to an onerous expense for some merchants, especially for convenience stores that allow customers to pay for gasoline at the pump, or other retailers that allow in-store self-checkout options. Read more... Bryan Larkin I've wondered for years why the price of transactions has been so high. Phone companies long ago started offering unlimited calling for flat rates because they understood that in many cases it cost more to report on the transactions (calls) than it did to fulfill them. Read more... Todd Michaud If a home-owner defaults on the mortgage, who is taking the risk? The bank making the loan to the consumer or the person selling the house? It is obviously the bank that takes this risk and is rewarded for that risk through interest rate charges. In my mind, we have mixed together two distinct and unrelated transactions. Read more... Jim Johnson The one big factor not mentioned in this article is who will take over the risk ? Taking credit cards is risk free to merchants and the issuing Banks take the risk if a customer defaults on the payments ! If you had a "interchange free" payment system will the merchants assume the risk ? Also, if there isn't enough profit for the issuing banks they will stop issuing credit cards which will in turn kill our economy. Read more... _________________________________________________________________ A&P Opts For 2-Way CRM Strategy With Digital Coupons bill bittner The A&P and Zavers approach to POS discounts makes all the sense in the world. Even though it is still a long way off, retailers must begin preparing for the long term separation of their marketing and distribution roles. The Internet will become the key marketing vehicle and the store will continue to focus on its distribution role. Read more... _________________________________________________________________ MasterCard Goes Mobile With Chip-And-PIN Displays Mike Lyons I concur Mr. Mahoney. 
Any safeguards in place to prevent money laundering through virtual bank accounts and unlicensed money remitters? Read more... Tom Mahoney Just what we all need, another big security hole for the bad guys to get into. Read more... _________________________________________________________________ The Dangerous Out-Of-Scope PCI Charade Steve Sommers If tokens are ever deemed in-scope, then where does the line stop? I ask this because it would mean that all timestamps, sequential number, random numbers or any other piece of information that may or may not be used to generate a token is within scope -- all data a POS uses and stores, not just payment data. Read more... Mark Bower Having the ability to do both Tokenization and End to End Encryption (not mere point to point) can have tremendous scope and risk reduction benefits and agility to adapt to change in this fast moving compliance landscape. Being able to have both on tap from a single platform is a solid approach to avoiding the pitfalls. Read more... Evan Schuman But the consumer walks into a particular retail chain, gives their payment card to someone wearing that chain's uniform and the card is swiped. If, six months later, there's a breach and that card was misused, it's the retailer who will in the spotlight. They're the deep pocket and, therefore, the target. If the consumer is angry and wants to cut off business, it will hit the retailer. Therefore, if the retailer is going to end up being blamed no matter what, they have to stay involved. Read more... Kevin Thompson True, that someone may be storing a token-to-PAN cross reference. But that would be the bank, not the retailer. If the bank is not sure they can keep their data secure, then there are bigger problems to be addressed than bringing tokens into scope. Read more... Evan Schuman Good general point, Steve, but for the record, not all tokenization is done the same way. 
Many tokens are associated with lookup lists that allow them to be re-matched to the card data if it's needed, such as for a chargeback. A token doesn't have to be decryptable (is that a word?) for there to be a way to access the original data.
Read more...

Steve Sommers
The out-of-scope argument is very valid, but in reference to tokens, the premise of temporarily out-of-scope or abruptly deemed in-scope is flawed. Conway was quoted: "anything that could be made unreadable can, in various ways, be made readable again." This statement is true when talking about encryption technologies (all encryption technologies) but not so with true tokens. True tokens are in no way related to the original data other than as a reference key.
Read more...

_________________________________________________________________

Retailers Urge Supreme Court Smackdown Of Process Patents

staff
Patents may only be issued on novel inventions, meaning if it existed before you discovered/created it, it cannot be patented. If a patent should be issued in spite of a lack of novelty, it will be invalidated in court if an accused infringer can provide proof that the invention was not novel.
Read more...

_________________________________________________________________

StorefrontBacktalk © 2006-2009