|
As more details drip out from Forever 21’s data breach of almost 100,000 payment cards, the chain now says it had been certified PCI compliant, despite having stored complete card information from as far back as 2003. “The files were inadvertently retained within other data files and this was not uncovered by the assessor,” a statement from the chain said. This is proving to be a frightening trend, with retailers believing they are compliant and much later on discovering various pockets of forbidden data scattered through their networks. One of the problems in this case—and it could be argued it’s a problem with PCI itself—is that it’s up to the retailer’s IT person to map out the networks for the assessor. Read more. |
Amazon.com, which arguably has one of the most extensive retail CRM databases and purchase recommendation engines, envisions a Catch-22 future for gift cards. The key is making them more personalized, more customized. And yet, anything that hints of privacy violations is off-limits. It's like a starving man being given the keys to a well-stocked food locker as long as he agrees not to eat anything.
As more retailers try to go where the customers are rather than getting them to come to the retailer, TiVo and Domino's are taking the next logical step with a TV-as-E-Commerce-Device approach.
We make calls on PCs and surf the Web on our phones. The lines of separation are blurring fast. But in the world of retail technology, the difference between a kiosk and digital signage is one of the more difficult distinctions to make. How to describe that difference? To one CFO, the answer was obvious: A poem. In rhyming verse. Rhyming verse that is so bad it's almost good.
The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computer that security managers would rather they didn't. GuestView Columnist David Taylor asks if these people might be doing things (e.g., downloading malware) that could bring down your company?
When file transfer site YouSendIt—with more than 100,000 paid users bringing in some $10 million this year—crashed on Monday (Nov. 17), it illustrated the kind of crash that should make retailers very concerned.
Podcast panelists debate card replacement problems, including inadvertently printing encryption keys on customer receipts and the refusal of the card brands to shorten how long expiration dates are valid. "We now have to worry about data that's been there as many as 12 years."
A loyalty card that consumers can turn on and off could potentially usher in a consumer revolution of sorts, allowing the majority to punish merchants they see as misusing CRM data that has been entrusted to them. At least that's one scenario painted by the president of the company that is pushing the card.
Amidst an avalanche of hype about the desirability of gift cards this holiday season, the National Retail Federation on Tuesday (Nov. 18) predicted a six perfect drop in gift card sales this season, from $26.3 billion spent during last year's holiday season to a projected $24.9 billion for this season.
Some 30 meters below solid bedrock underneath Stockholm, an abandoned nuclear bunker has been transformed into what could only be described as the world's coolest datacenter.
Several factors are lining up—including rushed technology upgrades, more site handoffs for everything from mobile to social networking widgets and a surge in traffic from bargain hunters—that could easily make this holiday shopping season one of the crashiest in years, if not the crashiest. (Note to copydesk: I don't care if crashiest is not a word. It should be.)
When Sears rolled out its mobile effort (Sears2go) this month, it illustrated the challenges for a retailer trying to craft a clean and stable mobile strategy at a time of extreme flux for the mobile space.
When E-Commerce execs try and understand abandoned shopping carts, they often overlook concrete clues. One of the best is whether shoppers clicked on the store locator link right before leaving. But deciding what to do about abandoned carts, that gets complicated. The innocuous-looking store locator is akin to waving a red cape in front of the face of an E-Commerce manager bull.
The Web is overflowing with analysis of the TJX data breach disaster, but what's intriguing is the possibility that some of the indicted suspects may have worked as code writers in the light of day for some major companies, including Morgan Stanley.
Equifax on Thursday (Nov. 13) announced an E-Commerce CRM and payment card that consumers can activate and deactivate based on how they feel about the site they are visiting. The only way such a card—dubbed the Equifax online identity card—will be successful is if it's adopted by a large number of retailers. And each of those retailers would have to be willing to surrender one of their most precious pieces of data: customer history.
We see tons of variations on the meta-search concept for E-Commerce, but this site seems to have hit on a truly practical combo: An engine that finds the lowest prices and simultaneously finds relevant coupons and then integrates the two.
Visa, long the key driver of compliance with the PCI security standards, is helping to clear up merchant and service provider confusion regarding the global deadlines for PCI DSS compliance. But GuestView Columnist David Taylor notes some unusual phrasing and concludes that Visa wants to ease the compliance process to get more service providers outside the United States on board.
Instead of making gift cards worthless once they're emptied, Target and Best Buy have opted for the other extreme: With enough micro electronics, the gift cards themselves might be worth more than the merchandise they can buy.
Wal-Mart will insist that its Chinese suppliers comply with RFID tagging by January 2009. And given various recent safety problems reported from China, Wal-Mart is also requiring sub-contractor information be included with every tagged product.
Forced to try and boost revenue in a tight economy, Best Buy is pushing an aggressive plan—based partly on open APIs—to sell to customers wherever on the Web they're hanging out, rather than trying to get them to virtually travel to the retailer's online storefront.
While the headlines in the United States tell of store closings and expansions being back-burnered, it's a very different story in at least one part of the Middle East. In Dubai in the United Arab Emirates, Tuesday (Nov. 4) saw the world's largest mall opening ever.
The defendant pleaded guilty to heading a conspiracy that netted more than $1million by using phony UPC labels to obtain products and then sell them on eBay.
RFID sales globally will be more than $5.3 billion this year, with supply chain management, ID documents, ticketing and contactless payment drive shipments leading the way, according to a report released Monday (Nov. 3) by ABI Research.
MasterCard's PayPass is ramping up its mobile program with an over-the-air provisioning service to supposedly make it easier for consumers to personalize their payment data on their mobile devices.
Without a doubt, the most popular strategy for dealing with PCI compliance and data security is avoidance, writes GuestView Columnist David Taylor. Not unlike the game of "hot potato," which dates back to the pilgrims, the goal is to find someone who is willing to put up with the hassle of PCI compliance and then give that person all the credit card data.
When Costco on Monday (Oct. 27) announced that it would support—for the first time—customer comments on its products, the move was less noteworthy for the $71 billion chain's late-to-the-party embrace than for what it says about the industry's acceptance of a once much-feared feature.
The position that there are far-reaching implications of the Payment Applications Data Security Standards (PA DSS) for the merchant community is hardly new, as they affect thousands of payment, infrastructure and business management applications. But GuestView Columnist David Taylor argues that some concerns raised by Jake Star, technology VP at HEI Hotels and Resorts, take this to the next level: the old squeeze-play level.
Although there is a little doubt that the United States is in for a very rough economic period over the next half-year or more, there is ample reason to believe that retail IT may escape mostly unharmed. Let's not get too optimistic here. "Mostly unharmed" doesn't mean escaping untouched. But it does mean that when large companies—especially retailers—have to suddenly make do with a lot fewer people, they need that good ole IT magic more than ever.
The battle for booksales should be an online natural. But as Barnes & Noble discovered this week, the compelling, intimate experience of a physical bookstore is still proving elusive.
Pet product maker Normerica opted for an unorthodox combo of smart boxes with embedded RFID tags and a mobile reader to comply with Wal-Mart's RFID requirement. The application was attractive because it reportedly involved "no significant retooling of its packing or shipping lines."
A Hong Kong RFID vendor is boasting about a new $1,950-$2,500 handheld UHF reader "with a read range exceeding 25 feet with standard dipole passive tags and a throughput reaching 400 tags per second." That claim is usually reserved for fixed readers, a very sharp claimed performance boost.
Genesco, which owns more than 2,000 stores operating as nine different chains including Johnston & Murphy, Dockers and Journeys, learned this week how POS receipt customization can be remarkably dangerous.
As the U.S. economy collapses (temporarily mind you, but a collapse nonetheless) and holiday sales contract, the one segment rumored to likely fare best is merchants selling to the highly affluent. But in what could be bad news for E-Commerce, those rich niche retailers tend to resist online sales more fervently than other E-tail segments.
Technology that has been deployed to digitally watch—and analyze—how consumers interact with digital signage could also be used to interpret what they are doing while looking at a cereal shelf. Are they ignoring the product or are they picking it up, reading the label and then quickly putting it back?
The group originally called the PCI Alliance, which changed its name to the PCI Security Vendor Alliance on Tuesday (Oct. 21), has changed its name again—this time to the Payment Card Industry Security Alliance (PCI SA). Mercifully, it never bothered to change its URL, so it's still pcialliance.org.
When 1,361-store $4.6 billion chain Big Lots unveiled its first E-Commerce site Tuesday (Oct. 21), it decided to borrow a gimmick from its brick-and-mortars and re-create what it dubbed the stores' "treasure hunt atmosphere." Specifically, every morning, the chain plans to announce on the site a "deal of the day," which is a limited-inventory product at supposedly ultra-discounted rates.
A major Japanese mobile phone loyalty card trial slated to run from February through June of next year might prove to be a powerful prototype of how other countries might deploy mobile payment networks.
Companies are beginning to extend the protection of PCI-driven security controls to other confidential data, which is great, argues GuestView Columnist David Taylor. What is even better, he says, is that some service providers are finding they can leverage their PCI compliance to gain a competitive advantage.
Australia's Woolworths, which runs the country's largest supermarket chain, has given thumbs up to one RFID trial and thumbs down to another. "The overall cost for a company the size of Woolworths is still too high, and the return on investment for track and trace is just not enough for us to race ahead."
The very premise of E-Commerce is for E-tailers to create a beautiful site, where your customers come to shop. The latest trend, though, is to cut deals with your customers to buy from you anywhere but your site, whether it's on MySpace or Facebook social networking sites, from a cell phone, in the middle of a Google search or while watching a YouTube video.
E-Commerce customers who speak English are "the most frequent victims of identity theft, twice the rate of France, Germany and Spain," according to a study released Tuesday (Oct. 21) by PayPal. The E-mail survey of 1,000 consumers was conducted this summer and examined six countries: the United States, Canada, France, Germany, Spain and the United Kingdom.
As retailers across the globe modernize, the installed base of payment authorization terminals has soared almost 22 percent from 2006 to 2007. As happens typically in a growth segment such as authorization terminals, vendor consolidation has concentrated control—and, therefore, retail purchase options—into far fewer hands.
In their September stats, U.K. sites that sold eyeglasses and related vision aids fared among the very worst in one criteria: sites that are designed to be easily used by those with vision difficulties.
It's hardly a new payment card security threat, but what has become known as differential power analysis (DPA) is still very much a threat on most payment smart cards. A DPA attack takes advantage of the electrical impulses inherent in any smart card.
The Circuit City "one price promise" move could ultimately prove to be quite a clever piece of marketing. First, it will be trumpeted as a consumer advantage, even if it means that the price equality will be achieved by sometimes (all the time?) online pricing being raised to match the in-store price.
Home Depot and McDonald's are both in the middle of non-traditional kiosk trials. McDonald's is on its fourth such trial, after having concluded that the first three simply didn't work well. Not too many retailers would opt for a fourth trial after three unsuccessful attempts. The non-traditional Home Depot kiosk trial is based more on the units themselves—small mobile units, some as tiny as 5-inches tall—and the size of the chain's planned kiosk commitment: Well north of $100 million for full deployment
Consider this: Is there a connection between a growing support for various cloud computing approaches and the increasingly active IT role that franchisees are taking? Yes, it's a wacky juxtaposition, but stay with me for a moment. There has been a steady noise coming from retail franchisees who are trying to drive more of their stores' IT strategy.
When GuestView Columnist David Taylor wrote last week about PCI 1.2 changes, he received quite an earful from readers that some changes are having an even more strict impact.
When supermarket chain Wegmans confirmed this month its first-ever self-checkout trial, it was billed as a customer service feature. That's technically true, but only in a very roundabout way.
This is the latest volley in a federal court—and soon federal legislative—game of Internet taxation and control. Can states force E-Commerce sites to tax for them? Can municipalities police what gets sold in their communities, even via laptop or PDA?
"The systems were very poorly adjusted to reflect differences in locales," said CEO Frank Blake. "We are the single-largest less-than-truckload shipper in the United States. A lot of trucks are going to stores that aren't full. It's not efficient."
October 2nd, 2008 at 8:47 am
QSAs with little experience and rock bottom pricing seem to have a catch; they don’t find everything they are supposed to. Regardless, I think merchants believe that it is the sole responsibility of the assessor to find all gaps, and anything that is not found by a QSA is exempt from liability. I doubt someone intentionally hid the data from assessors, but if you treat them like auditors, there is no question that things will get missed.
October 8th, 2008 at 1:03 pm
I have a different take on this topic. Years back the banks used to send out cards with 2-4 year expiration dates. Now the banks cut costs by sending out cards with 4-12 year expiration at the expense of security. I’m sorry, banks make enough money on cardholders and merchants to send out replacement cards every four years. I place the entire blame for this particular case on the card brands for allowing the data to be valid for longer than 4 years.
October 8th, 2008 at 1:08 pm
Also regarding “QSAs with little experience and rock bottom pricing,” the amount you pay does not directly relate to the quality of the assessment. I’ve seen “cheap guys” catch stuff the “premium guys” missed and visa-versa. I’ve never heard that Hannaford used the cheapest guy on the block yet a significant hole was never noticed.
October 23rd, 2008 at 4:20 pm
“QSAs with little experience and rock bottom pricing seem to have a catch; they don’t find everything they are supposed to.” There isn’t enough information in this article to support that statement. Experience certainly plays a role, but price has nothing to do with it. In this case, the focus is on the presence of a file or files that i doubt _any_ QSA would have found (how many QSAs scan every drive in the enterprise). The question is how access to that file was obtained, and if it was a lack of compliance that allowed that to happen.