|
Amidst the sea of security announcements slated for the next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption. Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security. The new unit uses Hidden Triple Data Encryption Standard (H-TDES) from a company called Semtek Innovation Solutions Corp.. It’s hardware unit is designed to deactivate if anyone succeeds in opening the case, making the planting of physical data-capture devices more challenging. Read more. |
New stats out of India show three things: a sharply growing acceptance of the Internet (27 percent year-to-year increase); embracing of American sites (the top three most popular sites were from Google, Yahoo and Microsoft); and huge growth potential, given that barely 3 percent of its people today use the Internet.
Wal-Mart is certainly a company of few words. But when the world's largest retailer (it's expecting to hit $400 billion in annual sales later this year or early next year) wants to make a technology endorsement, a few words are all that's necessary.
In an eerie snapshot of where some top marketers want to take the next generation of search engines, a Japanese government-backed research project is working on a search that is based on what a user does, not a keyword a user types in.
Staples' Canadian operation has been quietly testing 2-way live video kiosks at 34 locations, but these kiosks do more than talk with customers: They remotely control hardware, including scanners and payment authorization devices.
Guest View Columnist David Taylor points out that PCI compliance has consistently generated larger security budgets, with little or no requirement for justifying them, other than "our bank told us we have to do it."
Despite an almost universal embrace of the idea of merged channel, most retailers aren't getting any closer to making it a reality, with overly restrictive inventory reserve policies, inconsistent data and political resistance getting most of the blame, according to a new Forrester Research report.
This issue's Reach Of The Week goes to IT analyst firm IDC and its report released Wednesday (July 16) that its survey of 250 execs "found that there is a growing level of commitment" to supporting green programs. So far so good, but let's look a little closer at these IDC figures.
A handful of Stop & Shop stores have been using in-store location tracking—coupled with basket content—to narrowly target ads to customers using handheld shopping devices, the chain confirmed in a statement issued Thursday (July 17).
Consumers older than 50 are rapidly growing fond of the Web, with such users checking news, for example, more frequently than those younger than 20 as well as participating in online communities more. But the study found that instant messaging and video downloads were "still tools for young users."
For those e-tailers wondering if video is an effective way to reach American consumers, here's the latest video stat, courtesy of Comscore: In May alone, U.S. Internet users viewed more than 12 billion online videos, representing an increase of 45 percent versus one year ago.
Bill Homa, who just stepped down July 1 as the CIO for the 165-store Hannaford grocery chain, considers Microsoft's OS to be "so full of holes" and describes the fact that current PCI regs do not require end-to-end encryption as "astonishing."
Retail deployment of the 2-D barcode, a technology that allows consumer cellphones to see virtually unlimited amounts of content by taking a picture of a special barcode, has slowed after an initial flurry of activity in January. But several major cellphone carriers are preparing to bundle the 2-D barcode software with phones as they ship. Will that make a difference?
Two recent developments—one involving a New York federal judge and the other involving a group of U.S. senators—are signaling serious difficulties for E-Commerce efforts over the next two years.
The number of reported data breaches has been soaring, with the figure from the first six months of 2008 some 69 percent higher than the number from the identical period last year. Among those were little-known recent breaches of Facebook, H&R Block and BearingPoint.
Fujitsu is hoping retailers in the United States will embrace a checkout system used by some European stores, but untested in the U.S., that splits scanning and payment processes into two different stations in the store. If American retailers decide to switch to this system, it will call for a significant overhaul of their current checkout systems.
Guest View Columnist David Taylor argues that outsourcing is considered the thing to do these days, like a summer barbecue. But it's both easier and more complex than most merchants think.
RFID vendor Impinj on Thursday (July 10) purchased all of Intel's RFID operation--including the R1000 RFID reader chip. A joint Intel/Impinj statement said that the acquisition details are not being released, but The Seattle Times reported that Intel will get an equity stake in Impinj.
No sooner had IT concocted a system to try and automatically detect an under-age shopper than someone has crafted a remarkably low-tech way to fool it. How low-tech? How about a picture ripped out of a magazine?
Will consumers ever deploy counter-top barcode scanners and a Web site to have groceries delivered to them automatically? A company called Ikan.com is hoping they will.
A new E-commerce payment system at UrbanOutfitters.com allows users to complete purchases in one screen, boosting cart conversion rates by 19 percent.
The PCI Security Council is branching out a little, with an attempt to bring unattended payment terminals (UPTs) under its jurisdiction. As kiosks get more sophisticated and start taking cash, credit cards, mobile transactions and other payment methods, the UPT security risk is sharply increasing.
A semiconductor company is suing a Dutch university to keep its researchers from publishing information about security flaws in the RFID chips used in up to 2 billion smart cards.
Amazon.com on Wednesday (July 9) finally deployed Bill Me Later as a payment option, almost eight months to the day after Amazon announced its intent to do so.
For the second time in two weeks, one of the largest grocery chains in the U.K. hit a snag with its Web site, triggering a 24-hour outage and causing the 823-store retailer to use a temporary homepage. Sainsbury's, a $38 billion retailer, is calling these incidents coincidental.
When the $1.3 billion JCrew apparel chain launched its new Web site on June 29, it was the culmination of a 2-year deployment effort. Seems that customers may have to wait a bit longer to fully use those new capabilities, as the site quickly crashed and has suffered significant slowdowns ever since.
J.C. Penney customers are twice as likely to say they are highly satisfied with their in-store shopping experience if they are working with store employees who are accessing the company's Web site while standing next to them.
When an order processing snafu shut down the delivery operations of one of the U.K.'s largest grocery chains, the $38 billion retailer acted starkly different than the typical U.S. retailer. The London-based 823-store Sainsbury's grocery chain immediately issued almost a half-million dollars' worth of vouchers.
A new Retail Systems Research report is challenging the way retail IT looks at application development backlogs. The report is based on a survey showing that some 79 percent of retailers have appdev backlogs of at least a year, with one-fifth of those hitting delays of more than two years.
The conventional wisdom has held that China is not likely to embrace E-Commerce, because of the Chinese aversion to credit payments and fears of piracy and poor quality products. But a Forbes story this week makes a powerful argument that E-Commerce—and a credit-card lifestyle in general—will be coming to China very soon and in a big way.
In one of the first wide-scale studies of SMS' capability to hold up under volume pressure, the technology fared "surprisingly" poorly, according to Keynote Systems. This has particular significance for retailers, who are exploring the technology's use for mobile communications connecting to both online and in-store.
A U.K. company is pushing retailers to use voice-recognition to authenticate purchases over the phone and online. The Voice Commerce Group's Voice Transact package has consumers call the service, quote a pre-arranged product code and then a series of digits dictated by the automated system. 
A federal appellate court backed a group of retailers Monday (June 23)—including Best Buy, Circuit City, Costco and Lowe's—by ruling that their gift card systems do not violate any patents.
Internal audit is not staffed to enforce PCI at the store level, argues GuestView Columnist David Taylor. Except for about a dozen leading retailers, most retailers do not have enough IT-skilled internal auditors to meet the requirement for a "continuous" review of store-level IT security.
Wal-Mart and a handful of others have been trying to do green the right away, with policies that will have a significant environmental impact and that also improve operations.
When Oracle finally introduced its Retail 13 integrated suite this week, after three years of acquisition and integration, the teams working for the world's largest enterprise software vendor might have breathed a sigh of relief.
Are European retailers going to have any better luck than American retailers with consumer-facing biometric payments? The 750-store Albert Heijn supermarket chain, the largest such chain in the Netherlands, is about to find out.
The Moodys Investor Service has upgraded how important a retailer's E-Commerce activity is when assessing that retailer's overall economic health. Although this isn't a radical change for the financial firm—and the thought that E-Commerce is important is hardly surprising—it's one of several recent moves suggesting that the young teen-age Web is starting to be taken a wee bit more seriously.
North American self-service transactions will process $607 billion this year, a figure that is projected to soar to $1.7 trillion by 2012, according to report published Wednesday (June 18) by the IHL Group. When IHL began work on the report, "I did not expect the acceleration that we're seeing in the out years," said IHL President Greg Buzek. "I did not expect how fast it's growing."
One of the repeated arguments made in retail data security circles is that retailers tend to have much weaker security because it's not as much of a cultural priority as, for example, banking. So it's a little bit consoling that the latest ATM databreach is apparently not the result of a retail breach, not the result of social engineering and the trusting bank clerk, but is the first proven incident of a bank server's breach linked to ATM fraud.
A pair of unrelated reports out this week are challenging several fundamental IT security assumptions, including that data breach laws will reduce consumer losses and that insiders account for more thefts than external evil-doers.
Just in time for Friday the 13th, Oracle is finally ready to unveil Oracle Retail V 13, with a formal rollout slated for Tuesday (June 17). Oracle's main retail suite is not expected to undergo any radical changes (even the name change is expected to be slight); it's mostly claims of better integration and interoperability.
E-tailers in continental Europe are just now starting to get hit by slower growth, but they are still shining much more brightly than their U.S. counterparts, according to new figures from eMarketer.
For the second consecutive workday, Amazon.com suffered a major crash on Monday (June 9), with the increasingly unlikely scenarios explaining why the historically robust site is failing.
When Best Buy launched a Spanish version of its site last fall (2007), E-Commerce officials quickly noticed unexpected activity, such as customers spending twice as much time on the Spanish site.
Note to retailers looking to offer free Wi-Fi: It's a good idea to first make sure you can make the offer. Starbucks discovered that an offer of two hours of free Wi-Fi a day simply wasn't working. "Due to overwhelming interest in Card Rewards we are currently experiencing difficulty accessing Starbucks Card accounts. We are working to fix the problem and ask that you please try again later," said a page shown to site visitors.
The Meijer department store chain—with 182 stores in Michigan, Ohio, Indiana, Illinois and Kentucky—is getting creative with its Web site, food recipes and online coupons.
New York State has started pushing to collect sales tax from e-tailers that have no physical presence in the state, prompting Amazon and Overstock to fight back. But all e-tailers are hoping against the odds that other states don't pull the same revenue-generating attempt. If New York gets legal greenlights, several more states will quickly mimic its efforts, leading to a flood of almost every state within two years.
The worst performance grades were given to Foxnews.com, IGN.com, Gamespot.com, CNN.com, Break.com and ESPN.go.com. The best performance grades were given to Google.com, Live.com, Orkut.com and Craigslist.org.
GuestView Columnist David Taylor asks: What would you do if one of your employees decided to leverage your brand and set up a little side business inside your store, including selling products via an E-Commerce Web site, setting up a merchant bank account and taking credit cards? You'd probably fire the person, right? But, what if you couldn't?
Shoppers at Gap.com will now be able to use a single shopping cart and consolidate shipping at any of the chain's four brands, the Gap announced on Tuesday (May 27). But the change for The Gap, Banana Republic, Old Navy and PiperLime is delicate, as the company still wants those brands to maintain their distinct personalities. Those conflicting goals give the new site a bit of a Jekyll-and-Hyde feel.
Borders this week officially stepped out of the shadow of Amazon and re-launched Borders.com, with an effort that scores points for creativity. The physical side of Borders (as in brick-and-mortar as opposed to Olivia Newton-John) has been trying to arrange its bookshelves to display more of the covers.
Germany's METRO Group is experimenting with RFID inserts to track meat and to immediately locate any product that is about to expire or that has expired. METRO is placing the inlays into the foam meat packing trays used in their Future Store.
April 4th, 2008 at 10:50 pm
After reading the Semtek chief’’s statement in your article, especially the statements regarding “Rijndael [AES] or Feistel techniques”, I’m not personally convinced that they haven’t rolled their own algorithm. What he described sounds “more complex than it should be” which is a definitely a flag. If they tried to write their own low-level encryption routine instead of using ordinary 3DES, it’s possible they unwittingly compromised the security of the standard encryption.
One of the modes of operation applicable to any block cipher is called output feedback mode (OFB http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Output_feedback_.28OFB.29 ), which long ago solved the problem of encrypting variable data with a fixed block size algorithm by turning it into a key generator for a stream cipher. (So long ago that its patent has already expired.) Why would he claim they had to use these Feistel or AES techniques when there’s already an industry accepted solution?
There are ways to accomplish the task they describe using nothing more complex than 3DES and some simple transformations that mathematically retain the security of the underlying encryption.
To provide for backward compatibility, using 3DES in OFB mode the output could be masked down to the same size as the current character set size of the track, as long as the decrypting end also masked off the high bits. They theoretically could even leave the ISO-7813 sentinels, format codes, and parity characters unencrypted — even though that seems like a crib for a cryptanalyst, it shouldn’t come as a surprise to anyone that a magnetic card reader head is outputting encrypted track data.
There is even a fairly simple way to retain the PAN as digits, and the cardholder name as alphanumeric characters, while retaining the full security of the 3DES algorithm.
If Semtek is confident of their security, they should publish their algorithms and protocols so that they can be given a proper cryptographic review by qualified experts. (See Kerckhoff’s Principle http://en.wikipedia.org/wiki/Kerckhoffs%27_principle ) Until they do, their algorithm will carry a cloud of doubt.
April 7th, 2008 at 1:31 pm
Your last statement about proper cryptographic review by experts was the point of my quoted comment. Until the algorithms are proven secure and have test cases and numbers backing up how long a brute force attack would take to crack the data, this technology will have a hard time getting traction. On the other hand, if it can be proven secure by the cypher experts, then it will be a great addition to the PCI security toolbox.