|
GuestView Columnist David Taylor suggests that a surprisingly large number of major retailers today are using inhouse or outsourced payment gateways to reduce the scope of their compliance effort, as well as their costs. At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what’s changed? Read more. |
When the PCI Security Council this week detailed a bunch of changes it will include in PCI 1.2, what might be more worthy of note is what they didn't address. There were technical issues—such as segmentation and tokenization—that didn't get referenced, but also policy issues.
The new version of PCI due out in October will let the outdated WEP wireless security standard stick around for almost two more years, while also reducing the required frequency of firewall rule reviews.
It's late on a Friday night and as Jane Smith walks into her local grocery frozen food aisle, she notices a neighbor walking away carrying a frozen pizza, right near a digital advertisement for 20 percent off of a Budweiser six-pack. Jane reaches into the freezer to grab her favorite Hagen-Dazs vanilla ice cream but notices that the digital ad instantly changes to hawk 40 percent off fresh apple pie in the bakery section.
It's generally accepted that any key economic issue—whether it's a housing slump, rising gas prices or tax refund checks—can have a sharp impact on business spending. But the IHL Group is floating an interesting theory that recent gas price hikes are going to have a very specific and direct impact on IT spending next year.
After years of trials with only the rarest evidence of CFO-friendly RFID ROI, shelf stock monitoring is quickly emerging as "the first major application of RFID in retail with a strong business case," according to a new report from London-based RFID analyst firm IDTechEx.
While North American retail execs are planning for trivial—if any—IT investment increases this year, with "more than one-quarter of retailers expecting lower IT spending," more than half of their Asian Pacific counterparts are preparing for significantly higher IT spending, according to new Forrester numbers released this week. A bit of the Tortoise and the Hare perhaps?
A gang of data thieves in Ireland has well learned the lesson that the best place to hide is in plain sight. The group hit a large number of retailers throughout Ireland and grabbed more than 20,000 payment cards by placing skimmers on card-swipes by wearing what appeared to be maintenance uniforms and saying that they were performing bank repairs.
These days, when U.S. government officials want to ask questions about privacy and data security, it's never clear if they want to protect consumers' privacy or learn the best way to violate it themselves. But retail execs who want hints can drop by a Sept. 22 hearing at the U.S. Federal Trade Commission's Washington, D.C., headquarters.
Retailers who are worried about RFID security problems will have more details available to them now that a federal judge has killed a gag order on MIT students who had identified flaws in Boston's contactless RFID subway cards.
Based on the PCI Standards Committee's official hints about what will be in the 1.2 release, it appears that clarifying when and how virtualized servers can be PCI compliant didn't make the cut. But before the server and security geeks start lighting their torches and getting all "vigilante" on the card brands, let GuestView Columnist David Taylor make his case for why it won't matter in the slightest.
As major chains are doubling up their focus on computer-savvy young consumers, some are finding their aversion to avatars giving in to their adoration of avarice.
A "persistent and mysterious technical glitch" has severely disrupted business operations at the massive online film rental site Netflix, "potentially affecting millions of its customers."
For the first time in its more than 100-year history, J.C. Penney on Thursday (Aug. 14) launched a CRM program for all of its customers. Until Thursday, the only CRM program the chain ever had was limited to J.C. Penney credit card customers.
The next time you're about to make a global hardware purchase, it's probably not a bad idea to do a little multinational price comparison. According to one survey released this week, American Mac users would be well served to not buy overseas.
Polo Ralph Lauren has launched a mobile commerce project in the United States that pushes its homegrown version of 2-D barcodes, with its Quick Response (QR) codes appearing initially on print advertisements. Some are questioning, though, whether the chain's lower priced approach might limit the number of consumer phones that can access the content.
Have item-level RFID trials become the industry's Roach Motel? A place where trials check in but they don't check out? On Monday (Aug. 11), the $3.8 billion Jones Apparel Group became the latest retailer to launch an RFID item-level trial, albeit a conservative one, testing it at "a couple" of the 221 stores it operates under the Nine West name, said Norm Veit, executive VP of Management Information Services at Jones.
During a recent speech, J.C. Penney's CIO said that one of the biggest PCI challenges is explaining to businesspeople why it's a priority. This week, GuestView Columnist David Taylor gives his own list of ways to sell PCI to the suits. It usually starts with using the words "security breach" an awful lot.
When JDA Software announced on Monday (Aug. 11) that it was buying supply chain vendor i2 Technologies for $346 million in cash, it wrote a new chapter in one of the most radical stories of stunning success rapidly turning into, well, something a heck of a lot smaller.
At least one RFID vendor is arguing that they are. That vendor, SimplyRFID, is arguing that read distance targets that used to 10 feet are today as far as 40 feet.
It seems Circuit City has concluded that the Web isn't just a fad, after all, with a major E-Commerce revamp coming just a couple of weeks after the chain confirmed a substantial multimedia push for its employee-training extranet.
A Web site performance survey from the U.K.'s Retail Bulletin shows the larger, better known sites—including Staples, Amazon and Laura Ashley—delivering much weaker Web performances than sharply smaller rivals.
Best Buy has launched a cautious kiosk trial, with 12 machines housed at eight airports in the United States. How cautious a trial? It was announced Monday (Aug. 11) and is slated to end Sept. 1. Although it wasn't clear when the trial started, two weeks is not giving it an especially long leash.
Winn-Dixie's impressive financial turnaround is the result of many issues, but some are suggesting that a new embrace of mainframes played a key role. When the venerable 521-store grocery chain declared bankruptcy back in 2005, CIO Charlie Weston's initial thoughts were that such a tact its advantages, namely refocusing the company on fundamentals, including IT.
Before federal authorities cracked a multi-national 11-person cyber-crime ring, the group created its own VPN to, ironically, protect their stolen data as it was transmitted from Florida to Latvia.
Some 3 hours and 19 minutes before the U.S. Justice Department announced to the world that it was charging 11 men with having stolen 41 million payment card numbers from TJX and several other national retailers, a group of Secret Service agents started making phone calls.
The more RFID-tagged items retailers place on Z-bars or shelves, or in boxes, the lower the read rate will be when those items are scanned, according to a study out of the University of Arkansas.
As U.S. retailers struggle to get customers to use self-checkout lanes and to manage the process, overseas merchants are moving well into Self-Checkout Phase Two, with digital cameras used to identify foods by comparing items with an image database and making self-checkout theft much more challenging with multi-chute fully automated tunnels.
In the recent federal probe of retail data breaches, most of the merchants had been unaware of the breaches until informed by government or banking officials. The reason for this is the lack of tools and/or poor procedures for logging network and database access and the general lack of review of this information on a regular basis, argues Guest View Columnist David Taylor.
If it makes U.S. retailers feel any better, their U.K. counterparts aren't faring any better in making cross-channel and especially merged channel efforts work. The percentage of online sales among those merchants has plateaued, holding steady at 4.4 percent for the last two years, according to a Martec report.
Although no E-Commerce companies were initially contacted, if Congress tries to restrict Web sites from customizing their content, it will have a huge retail impact. There's not much of a real distinction between a traditional banner ad on MSN pushing the latest Disney movie and using the same technique on Macys.com to make sure that purses appear on its homepage and—for this particular customer—all are displayed as pink. 
It's the kind of issue that never existed in brick-and-mortars. When a physical store discontinues a physical product, gremlins don't typically sneak into customers' homes and take back the paid-for products. And yet, in effect, that's what Yahoo inadvertently did when it shut down its music download service.
As retailers struggle to figure out the proper role for PDAs and cellphones in their merged channel and marketing strategies, it's good to know that there's strength—well, comfort at least—in numbers. An ABI Research report released Friday (Aug. 1) projected that "location-based mobile social networking revenues will reach $3.3 billion by 2013."
The bizarre back-and-forth claims about the San Francisco network admin who was arrested after refusing to reveal key network passwords raises some troubling issues. Most pointedly, there appears to be some evidence that this admin was fired and arrested partially for having engaged in the precise security procedures that he was paid to deliver.
June 20th, 2008 at 12:52 pm
I’m not sure if we are the exception to the rule or if we were overlooked in the story but we have always been open to how we protect the merchant’s data — both within our data centers and the technology we install at the merchant location to secure the cardholder data on the merchant’s network. Originally when we were added to the Visa certified provider list we did sell on “we’re on the list.” We were one of the first gateway providers on the list; why not use it as far as it will go? But that advantage didn’t last long. We quickly shifted to informing and demonstrating (sometimes maybe even flaunting) our technology. We view our technology as a distinguishing selling point –- after all and as you point out, anyone can get on the certified list via various means.
I’m sorry David, I read all your stories and most of your points I agree and even the ones I don’t agree with your point I still see your point. But I’m confused here on where you are going with this one. A university example is given to demonstrate a case for insource gateway services but industry reports show universities as one of the riskiest places for cardholder data breaches. I couldn’t decide if this example was an argument for insource gateway services or an example where outsource services should be used.
Maybe my confusion is my own preconditioning. I’m used to stories like “in-house is good; out-sourcing is bad” or visa-versa. Maybe your intent was simply “insource/outsource – you decide,” and like I said, I’m not used to that. While I’m a little confused with this story, keep them coming as your still batting over 900 on my books.
June 20th, 2008 at 2:40 pm
Re: the Gateway piece. The funny thing is: I started out wanting to say something very simple, which is that payment gateways built or contracted for more than a few years ago may not provide the level of data protection that retailers need, simply because most decisions were made back then with data security as a minor consideration, if at all. (Even now, many of the providers do not mention PCI, or security. If they do, it’s treated as a simple checklist.
I believe that whether in-sourced, or out-sourced, retailers need to do much more due diligence of their service provider’s data protection, and not take it for granted, based on “check mark” on a form.
However, I wound up throwing in some other ideas, as you can see. But, as I say, my Bottom Line was meant to be very simple.