|
Most merchants and application vendors seriously underestimate both the scope and the force of the Payment Applications Data Security Standard (PA DSS). If so, it’s only because they haven’t read the standard or don’t immediately grasp what’s involved. Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors, argues GuestView Columnist David Taylor. Read more. |
Amazon.com, which arguably has one of the most extensive retail CRM databases and purchase recommendation engines, envisions a Catch-22 future for gift cards. The key is making them more personalized, more customized. And yet, anything that hints of privacy violations is off-limits. It's like a starving man being given the keys to a well-stocked food locker as long as he agrees not to eat anything.
As more retailers try to go where the customers are rather than getting them to come to the retailer, TiVo and Domino's are taking the next logical step with a TV-as-E-Commerce-Device approach.
We make calls on PCs and surf the Web on our phones. The lines of separation are blurring fast. But in the world of retail technology, the difference between a kiosk and digital signage is one of the more difficult distinctions to make. How to describe that difference? To one CFO, the answer was obvious: A poem. In rhyming verse. Rhyming verse that is so bad it's almost good.
The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computer that security managers would rather they didn't. GuestView Columnist David Taylor asks if these people might be doing things (e.g., downloading malware) that could bring down your company?
When file transfer site YouSendIt—with more than 100,000 paid users bringing in some $10 million this year—crashed on Monday (Nov. 17), it illustrated the kind of crash that should make retailers very concerned.
Podcast panelists debate card replacement problems, including inadvertently printing encryption keys on customer receipts and the refusal of the card brands to shorten how long expiration dates are valid. "We now have to worry about data that's been there as many as 12 years."
A loyalty card that consumers can turn on and off could potentially usher in a consumer revolution of sorts, allowing the majority to punish merchants they see as misusing CRM data that has been entrusted to them. At least that's one scenario painted by the president of the company that is pushing the card.
Amidst an avalanche of hype about the desirability of gift cards this holiday season, the National Retail Federation on Tuesday (Nov. 18) predicted a six perfect drop in gift card sales this season, from $26.3 billion spent during last year's holiday season to a projected $24.9 billion for this season.
Some 30 meters below solid bedrock underneath Stockholm, an abandoned nuclear bunker has been transformed into what could only be described as the world's coolest datacenter.
Several factors are lining up—including rushed technology upgrades, more site handoffs for everything from mobile to social networking widgets and a surge in traffic from bargain hunters—that could easily make this holiday shopping season one of the crashiest in years, if not the crashiest. (Note to copydesk: I don't care if crashiest is not a word. It should be.)
When Sears rolled out its mobile effort (Sears2go) this month, it illustrated the challenges for a retailer trying to craft a clean and stable mobile strategy at a time of extreme flux for the mobile space.
When E-Commerce execs try and understand abandoned shopping carts, they often overlook concrete clues. One of the best is whether shoppers clicked on the store locator link right before leaving. But deciding what to do about abandoned carts, that gets complicated. The innocuous-looking store locator is akin to waving a red cape in front of the face of an E-Commerce manager bull.
The Web is overflowing with analysis of the TJX data breach disaster, but what's intriguing is the possibility that some of the indicted suspects may have worked as code writers in the light of day for some major companies, including Morgan Stanley.
Equifax on Thursday (Nov. 13) announced an E-Commerce CRM and payment card that consumers can activate and deactivate based on how they feel about the site they are visiting. The only way such a card—dubbed the Equifax online identity card—will be successful is if it's adopted by a large number of retailers. And each of those retailers would have to be willing to surrender one of their most precious pieces of data: customer history.
We see tons of variations on the meta-search concept for E-Commerce, but this site seems to have hit on a truly practical combo: An engine that finds the lowest prices and simultaneously finds relevant coupons and then integrates the two.
Visa, long the key driver of compliance with the PCI security standards, is helping to clear up merchant and service provider confusion regarding the global deadlines for PCI DSS compliance. But GuestView Columnist David Taylor notes some unusual phrasing and concludes that Visa wants to ease the compliance process to get more service providers outside the United States on board.
Instead of making gift cards worthless once they're emptied, Target and Best Buy have opted for the other extreme: With enough micro electronics, the gift cards themselves might be worth more than the merchandise they can buy.
Wal-Mart will insist that its Chinese suppliers comply with RFID tagging by January 2009. And given various recent safety problems reported from China, Wal-Mart is also requiring sub-contractor information be included with every tagged product.
Forced to try and boost revenue in a tight economy, Best Buy is pushing an aggressive plan—based partly on open APIs—to sell to customers wherever on the Web they're hanging out, rather than trying to get them to virtually travel to the retailer's online storefront.
While the headlines in the United States tell of store closings and expansions being back-burnered, it's a very different story in at least one part of the Middle East. In Dubai in the United Arab Emirates, Tuesday (Nov. 4) saw the world's largest mall opening ever.
The defendant pleaded guilty to heading a conspiracy that netted more than $1million by using phony UPC labels to obtain products and then sell them on eBay.
RFID sales globally will be more than $5.3 billion this year, with supply chain management, ID documents, ticketing and contactless payment drive shipments leading the way, according to a report released Monday (Nov. 3) by ABI Research.
MasterCard's PayPass is ramping up its mobile program with an over-the-air provisioning service to supposedly make it easier for consumers to personalize their payment data on their mobile devices.
Without a doubt, the most popular strategy for dealing with PCI compliance and data security is avoidance, writes GuestView Columnist David Taylor. Not unlike the game of "hot potato," which dates back to the pilgrims, the goal is to find someone who is willing to put up with the hassle of PCI compliance and then give that person all the credit card data.
When Costco on Monday (Oct. 27) announced that it would support—for the first time—customer comments on its products, the move was less noteworthy for the $71 billion chain's late-to-the-party embrace than for what it says about the industry's acceptance of a once much-feared feature.
The position that there are far-reaching implications of the Payment Applications Data Security Standards (PA DSS) for the merchant community is hardly new, as they affect thousands of payment, infrastructure and business management applications. But GuestView Columnist David Taylor argues that some concerns raised by Jake Star, technology VP at HEI Hotels and Resorts, take this to the next level: the old squeeze-play level.
Although there is a little doubt that the United States is in for a very rough economic period over the next half-year or more, there is ample reason to believe that retail IT may escape mostly unharmed. Let's not get too optimistic here. "Mostly unharmed" doesn't mean escaping untouched. But it does mean that when large companies—especially retailers—have to suddenly make do with a lot fewer people, they need that good ole IT magic more than ever.
The battle for booksales should be an online natural. But as Barnes & Noble discovered this week, the compelling, intimate experience of a physical bookstore is still proving elusive.
Pet product maker Normerica opted for an unorthodox combo of smart boxes with embedded RFID tags and a mobile reader to comply with Wal-Mart's RFID requirement. The application was attractive because it reportedly involved "no significant retooling of its packing or shipping lines."
A Hong Kong RFID vendor is boasting about a new $1,950-$2,500 handheld UHF reader "with a read range exceeding 25 feet with standard dipole passive tags and a throughput reaching 400 tags per second." That claim is usually reserved for fixed readers, a very sharp claimed performance boost.
Genesco, which owns more than 2,000 stores operating as nine different chains including Johnston & Murphy, Dockers and Journeys, learned this week how POS receipt customization can be remarkably dangerous.
As the U.S. economy collapses (temporarily mind you, but a collapse nonetheless) and holiday sales contract, the one segment rumored to likely fare best is merchants selling to the highly affluent. But in what could be bad news for E-Commerce, those rich niche retailers tend to resist online sales more fervently than other E-tail segments.
Technology that has been deployed to digitally watch—and analyze—how consumers interact with digital signage could also be used to interpret what they are doing while looking at a cereal shelf. Are they ignoring the product or are they picking it up, reading the label and then quickly putting it back?
The group originally called the PCI Alliance, which changed its name to the PCI Security Vendor Alliance on Tuesday (Oct. 21), has changed its name again—this time to the Payment Card Industry Security Alliance (PCI SA). Mercifully, it never bothered to change its URL, so it's still pcialliance.org.
When 1,361-store $4.6 billion chain Big Lots unveiled its first E-Commerce site Tuesday (Oct. 21), it decided to borrow a gimmick from its brick-and-mortars and re-create what it dubbed the stores' "treasure hunt atmosphere." Specifically, every morning, the chain plans to announce on the site a "deal of the day," which is a limited-inventory product at supposedly ultra-discounted rates.
A major Japanese mobile phone loyalty card trial slated to run from February through June of next year might prove to be a powerful prototype of how other countries might deploy mobile payment networks.
Companies are beginning to extend the protection of PCI-driven security controls to other confidential data, which is great, argues GuestView Columnist David Taylor. What is even better, he says, is that some service providers are finding they can leverage their PCI compliance to gain a competitive advantage.
Australia's Woolworths, which runs the country's largest supermarket chain, has given thumbs up to one RFID trial and thumbs down to another. "The overall cost for a company the size of Woolworths is still too high, and the return on investment for track and trace is just not enough for us to race ahead."
The very premise of E-Commerce is for E-tailers to create a beautiful site, where your customers come to shop. The latest trend, though, is to cut deals with your customers to buy from you anywhere but your site, whether it's on MySpace or Facebook social networking sites, from a cell phone, in the middle of a Google search or while watching a YouTube video.
E-Commerce customers who speak English are "the most frequent victims of identity theft, twice the rate of France, Germany and Spain," according to a study released Tuesday (Oct. 21) by PayPal. The E-mail survey of 1,000 consumers was conducted this summer and examined six countries: the United States, Canada, France, Germany, Spain and the United Kingdom.
As retailers across the globe modernize, the installed base of payment authorization terminals has soared almost 22 percent from 2006 to 2007. As happens typically in a growth segment such as authorization terminals, vendor consolidation has concentrated control—and, therefore, retail purchase options—into far fewer hands.
In their September stats, U.K. sites that sold eyeglasses and related vision aids fared among the very worst in one criteria: sites that are designed to be easily used by those with vision difficulties.
It's hardly a new payment card security threat, but what has become known as differential power analysis (DPA) is still very much a threat on most payment smart cards. A DPA attack takes advantage of the electrical impulses inherent in any smart card.
The Circuit City "one price promise" move could ultimately prove to be quite a clever piece of marketing. First, it will be trumpeted as a consumer advantage, even if it means that the price equality will be achieved by sometimes (all the time?) online pricing being raised to match the in-store price.
Home Depot and McDonald's are both in the middle of non-traditional kiosk trials. McDonald's is on its fourth such trial, after having concluded that the first three simply didn't work well. Not too many retailers would opt for a fourth trial after three unsuccessful attempts. The non-traditional Home Depot kiosk trial is based more on the units themselves—small mobile units, some as tiny as 5-inches tall—and the size of the chain's planned kiosk commitment: Well north of $100 million for full deployment
Consider this: Is there a connection between a growing support for various cloud computing approaches and the increasingly active IT role that franchisees are taking? Yes, it's a wacky juxtaposition, but stay with me for a moment. There has been a steady noise coming from retail franchisees who are trying to drive more of their stores' IT strategy.
When GuestView Columnist David Taylor wrote last week about PCI 1.2 changes, he received quite an earful from readers that some changes are having an even more strict impact.
When supermarket chain Wegmans confirmed this month its first-ever self-checkout trial, it was billed as a customer service feature. That's technically true, but only in a very roundabout way.
This is the latest volley in a federal court—and soon federal legislative—game of Internet taxation and control. Can states force E-Commerce sites to tax for them? Can municipalities police what gets sold in their communities, even via laptop or PDA?
"The systems were very poorly adjusted to reflect differences in locales," said CEO Frank Blake. "We are the single-largest less-than-truckload shipper in the United States. A lot of trucks are going to stores that aren't full. It's not efficient."
October 3rd, 2008 at 3:05 pm
David, you state: “What are the compensating controls for PA DSS? There are none…”
Well, yes and no. While there are no compensating controls for PA-DSS, there is technology to take POS payment applications out-of-scope of PCI and thus act as a compensating control. Take for instance our 4Go application, it intercepts cardholder data (CHD) prior to the data entering the POS payment application and substitutes faux or fake CHD. The real CHD is relinked to the transaction when the fake CHD is used on the backend side, after it leaves the POS. In this model, the POS is completely taken out-of-scope because the POS never collects, processes, or stores CHD.
Just to clarify, 4Go only takes the POS out-of-scope; the merchant is still in PCI scope and thus all other PCI requirements apply (firewalls, merchant procedures, etc.).
October 9th, 2008 at 12:49 am
You might be able to skate by the rules by declaring the POS software “out of scope” but the fact is, if the 4Go encryption software runs on the POS system then the POS software — and any other app running on that machine — really should be audited. Otherwise, weaknesses in poorly written POS software can be exploited to give an intruder control of the machine, at which point it’s game-over, because the thieves can just grab the card data before the 4Go software can encrypt it.
October 9th, 2008 at 8:28 pm
Actually no. 4Go has both sanity checks and tamper detection built in and is included in several software layers (system level, service level, tray app level) so these exploits would be noticed and the merchant would be alerted. Also, because one of the levels is very low in the O/S, while not impossible, it would be very difficult to accomplish what you’re describing and even more difficult to go unnoticed.
Let’s face it, there is no such thing as a 100% secure system. Yes, with enough effort you might be able to compromise a 4Go protected system, as well as any other system. I would argue however, that because 4Go is specifically written to secure cardholder data in a wide variety of environments and POS applications, more thought and coding is put into the security of this product than the average PABP or PA-DSS approved application.
While you might call it skating the rules, I disagree and I would call it making PCI more affordable to the average merchant. Since you can never be 100% secure, what’s the goal of software security? To be secure enough to have the thief move on to easier prey. 4Go does this.
October 10th, 2008 at 11:06 am
Ever heard of a root kit? It lets an interloper take 100% control of the machine and is completely transparent to anything else running on that computer. Root kits are widely used by hackers. Your solution might be better than no solution, but you are mostly providing a false sense of security and in some ways that is worse. It would be better to have the POS software audited. That, too, is not a guarantee of security, but it is the technical equivalent of making sure all the doors and windows are closed and locked while your solution by itself is somewhat closer to hiding the valuables in the underwear drawer: Better than nothing, but not much.
October 10th, 2008 at 1:09 pm
Well, we’ll just have to agree to disagree. Even with using root kits it would be very difficult to circumvent 4Go — moreso than most audited applications. 4Go encrypts the information as soon as it enters and it remains encrypted from that point forward until after it leaves the merchant network. Most POS applications, compliant, audited or not, do not encrypt end-to-end — it is in the clear within the applications physical memory. It may be encrypted prior to storage, but within the RAM is is most often in plain text and could be sniffed and compromised. Most POS application do not install themselves in low levels of the O/S and most do not do any sort of process scan for what applications are loaded below or above them — it does not even need be a root kit to compromise the average compliant POS. Using your analogy, I still would argue that 4Go protected systems have stonger security measures in place out-of-the-box than most peoples window and door locks. PM me. I would love to schedule a time for you to come to our offices and do any test you want. We want skeptics to review the product. We only ask for an honest review done with an open mind.
October 10th, 2008 at 5:24 pm
Do you disagree with the facts? They are: (1) A root kit can be undetectable to software running on the same computer. (2) The 4Go product does not and cannot prevent or detect the installation of a root kit. (3) With a root kit installed, it is trivial for an attacker to read credit card data from the keyboard or serial port before the data can be encrypted.
A poorly written POS application can provide an attack vector through which a root kit can be installed. The purpose of a PA-DSS assessment is to eliminate potential attack vectors. It seems to me you are being reckless and irresponsible in declaring that your 4Go product removes the need for PA-DSS review of the POS software. Does the PCI Standards Council agree with you on that? (Even if they do, that does not make it wise — they still allow using WEP for wireless networks!) I do not even see the “4Go” product listed as a validated application.
Thanks for the invite to your offices, but I am sure my hacker talents are far lower than those who make it their business to steal credit card data. And keep in mind, the more popular your product becomes, the more likely it is those folks will design attacks for it.
October 12th, 2008 at 1:39 am
Like I said, agree to disagree. This may be the foundation for another article by a better writer than I, but if anyone thinks a PA-DSS assessment will protect an application, any application, from a root kit compromise, they will be sadly mistaken.
I never said that 4Go removes the merchant from PCI scope, only applications. Firewalls and the like still need to be in place, computers and computer access still need proper lock down processes, virus protection needs to be installed, etc. More times than not, more PCI rules will have been broken installing the components for a root kit attack than just a POS’s PA-DSS certification.
October 12th, 2008 at 8:45 pm
I never said a PA-DSS assessment will protect an application from a root kit compromise, and I never claimed you said 4Go removes the merchant from PCI scope.
I said a PA-DSS assessment will [help] eliminate potential attack vectors. If there are no attack vectors then a root kit could not be installed.
YOU said 4Go takes the POS out-of-scope [for PA-DSS], and I think your claim is just plain wrong. (I don’t know if your claim is technically correct within PCI rules but, even if it is, that’s a very bad position to take.)
A poorly written POS application can easily provide the path by which the POS system becomes compromised. Once that happens, the POS system is “owned” and the attacker can access all of the sensitive data before 4Go can touch it.
The 4Go product should not be considered (or promoted) as some sort of “magic elixir” that eliminates the need for a PA-DSS assessment.
October 13th, 2008 at 2:29 pm
This will be my last posting on this thread.
Yes, root kits can potentially allow a system to be “owned,” per your word. I still firmly believe that a 4Go protected system has more solid security protections than most PA-DSS audited and certified applications. Yes, since 4Go is a “generic” application designed to protect virtually any POS application running on the PC, there is an unknown vector factor involved. But even if the POS applications has a hot key configured to open a command prompt with full administration access, getting a root kit on will not go unnoticed. Most QSA’s doing PA-DSS audits would not catch this hot key command prompt “feature” in an application so I don’t have the same confidence in PA-DSS certifications than you do. PA-DSS somewhat assures that an application is compliant, not necessarily secure and there is definitely no guarantee of either.
Obviously I’m not going to sway your opinion nor will you mine. Thanks for the voicing your opinion here as I don’t have a problem showing both sides of an argument, especially security related since opinions can vary so greatly. We’ll just have to let the viewers, community, and eventually time decide.
–Steve