|
Guest View Columnist David Taylor points out that PCI compliance has consistently generated larger security budgets, with little or no requirement for justifying them, other than “our bank told us we have to do it.” But with some acquirers being no better off financially than many retailers, it’s time to ask some hard questions: Is the risk of a security breach great enough to risk the financial health of our company? Read more. |
When the PCI Security Council this week detailed a bunch of changes it will include in PCI 1.2, what might be more worthy of note is what they didn't address. There were technical issues—such as segmentation and tokenization—that didn't get referenced, but also policy issues.
The new version of PCI due out in October will let the outdated WEP wireless security standard stick around for almost two more years, while also reducing the required frequency of firewall rule reviews.
It's late on a Friday night and as Jane Smith walks into her local grocery frozen food aisle, she notices a neighbor walking away carrying a frozen pizza, right near a digital advertisement for 20 percent off of a Budweiser six-pack. Jane reaches into the freezer to grab her favorite Hagen-Dazs vanilla ice cream but notices that the digital ad instantly changes to hawk 40 percent off fresh apple pie in the bakery section.
It's generally accepted that any key economic issue—whether it's a housing slump, rising gas prices or tax refund checks—can have a sharp impact on business spending. But the IHL Group is floating an interesting theory that recent gas price hikes are going to have a very specific and direct impact on IT spending next year.
After years of trials with only the rarest evidence of CFO-friendly RFID ROI, shelf stock monitoring is quickly emerging as "the first major application of RFID in retail with a strong business case," according to a new report from London-based RFID analyst firm IDTechEx.
While North American retail execs are planning for trivial—if any—IT investment increases this year, with "more than one-quarter of retailers expecting lower IT spending," more than half of their Asian Pacific counterparts are preparing for significantly higher IT spending, according to new Forrester numbers released this week. A bit of the Tortoise and the Hare perhaps?
A gang of data thieves in Ireland has well learned the lesson that the best place to hide is in plain sight. The group hit a large number of retailers throughout Ireland and grabbed more than 20,000 payment cards by placing skimmers on card-swipes by wearing what appeared to be maintenance uniforms and saying that they were performing bank repairs.
These days, when U.S. government officials want to ask questions about privacy and data security, it's never clear if they want to protect consumers' privacy or learn the best way to violate it themselves. But retail execs who want hints can drop by a Sept. 22 hearing at the U.S. Federal Trade Commission's Washington, D.C., headquarters.
Retailers who are worried about RFID security problems will have more details available to them now that a federal judge has killed a gag order on MIT students who had identified flaws in Boston's contactless RFID subway cards.
Based on the PCI Standards Committee's official hints about what will be in the 1.2 release, it appears that clarifying when and how virtualized servers can be PCI compliant didn't make the cut. But before the server and security geeks start lighting their torches and getting all "vigilante" on the card brands, let GuestView Columnist David Taylor make his case for why it won't matter in the slightest.
As major chains are doubling up their focus on computer-savvy young consumers, some are finding their aversion to avatars giving in to their adoration of avarice.
A "persistent and mysterious technical glitch" has severely disrupted business operations at the massive online film rental site Netflix, "potentially affecting millions of its customers."
For the first time in its more than 100-year history, J.C. Penney on Thursday (Aug. 14) launched a CRM program for all of its customers. Until Thursday, the only CRM program the chain ever had was limited to J.C. Penney credit card customers.
The next time you're about to make a global hardware purchase, it's probably not a bad idea to do a little multinational price comparison. According to one survey released this week, American Mac users would be well served to not buy overseas.
Polo Ralph Lauren has launched a mobile commerce project in the United States that pushes its homegrown version of 2-D barcodes, with its Quick Response (QR) codes appearing initially on print advertisements. Some are questioning, though, whether the chain's lower priced approach might limit the number of consumer phones that can access the content.
Have item-level RFID trials become the industry's Roach Motel? A place where trials check in but they don't check out? On Monday (Aug. 11), the $3.8 billion Jones Apparel Group became the latest retailer to launch an RFID item-level trial, albeit a conservative one, testing it at "a couple" of the 221 stores it operates under the Nine West name, said Norm Veit, executive VP of Management Information Services at Jones.
During a recent speech, J.C. Penney's CIO said that one of the biggest PCI challenges is explaining to businesspeople why it's a priority. This week, GuestView Columnist David Taylor gives his own list of ways to sell PCI to the suits. It usually starts with using the words "security breach" an awful lot.
When JDA Software announced on Monday (Aug. 11) that it was buying supply chain vendor i2 Technologies for $346 million in cash, it wrote a new chapter in one of the most radical stories of stunning success rapidly turning into, well, something a heck of a lot smaller.
At least one RFID vendor is arguing that they are. That vendor, SimplyRFID, is arguing that read distance targets that used to 10 feet are today as far as 40 feet.
It seems Circuit City has concluded that the Web isn't just a fad, after all, with a major E-Commerce revamp coming just a couple of weeks after the chain confirmed a substantial multimedia push for its employee-training extranet.
A Web site performance survey from the U.K.'s Retail Bulletin shows the larger, better known sites—including Staples, Amazon and Laura Ashley—delivering much weaker Web performances than sharply smaller rivals.
Best Buy has launched a cautious kiosk trial, with 12 machines housed at eight airports in the United States. How cautious a trial? It was announced Monday (Aug. 11) and is slated to end Sept. 1. Although it wasn't clear when the trial started, two weeks is not giving it an especially long leash.
Winn-Dixie's impressive financial turnaround is the result of many issues, but some are suggesting that a new embrace of mainframes played a key role. When the venerable 521-store grocery chain declared bankruptcy back in 2005, CIO Charlie Weston's initial thoughts were that such a tact its advantages, namely refocusing the company on fundamentals, including IT.
Before federal authorities cracked a multi-national 11-person cyber-crime ring, the group created its own VPN to, ironically, protect their stolen data as it was transmitted from Florida to Latvia.
Some 3 hours and 19 minutes before the U.S. Justice Department announced to the world that it was charging 11 men with having stolen 41 million payment card numbers from TJX and several other national retailers, a group of Secret Service agents started making phone calls.
The more RFID-tagged items retailers place on Z-bars or shelves, or in boxes, the lower the read rate will be when those items are scanned, according to a study out of the University of Arkansas.
As U.S. retailers struggle to get customers to use self-checkout lanes and to manage the process, overseas merchants are moving well into Self-Checkout Phase Two, with digital cameras used to identify foods by comparing items with an image database and making self-checkout theft much more challenging with multi-chute fully automated tunnels.
In the recent federal probe of retail data breaches, most of the merchants had been unaware of the breaches until informed by government or banking officials. The reason for this is the lack of tools and/or poor procedures for logging network and database access and the general lack of review of this information on a regular basis, argues Guest View Columnist David Taylor.
If it makes U.S. retailers feel any better, their U.K. counterparts aren't faring any better in making cross-channel and especially merged channel efforts work. The percentage of online sales among those merchants has plateaued, holding steady at 4.4 percent for the last two years, according to a Martec report.
Although no E-Commerce companies were initially contacted, if Congress tries to restrict Web sites from customizing their content, it will have a huge retail impact. There's not much of a real distinction between a traditional banner ad on MSN pushing the latest Disney movie and using the same technique on Macys.com to make sure that purses appear on its homepage and—for this particular customer—all are displayed as pink. 
It's the kind of issue that never existed in brick-and-mortars. When a physical store discontinues a physical product, gremlins don't typically sneak into customers' homes and take back the paid-for products. And yet, in effect, that's what Yahoo inadvertently did when it shut down its music download service.
As retailers struggle to figure out the proper role for PDAs and cellphones in their merged channel and marketing strategies, it's good to know that there's strength—well, comfort at least—in numbers. An ABI Research report released Friday (Aug. 1) projected that "location-based mobile social networking revenues will reach $3.3 billion by 2013."
The bizarre back-and-forth claims about the San Francisco network admin who was arrested after refusing to reveal key network passwords raises some troubling issues. Most pointedly, there appears to be some evidence that this admin was fired and arrested partially for having engaged in the precise security procedures that he was paid to deliver.
July 18th, 2008 at 4:16 pm
Couldn’t rationality be achieved more easily if PCI were to mandate a specific encryption protocol at a specific point in the transaction, and equally mandating the acquirers to hold up their end of the protocol?
Place the encryption requirement (and keys) in the PCI PED approved device, and then DSS can be reduced to proper handling of the PEDs. That’s it. The data is encrypted before it gets into the merchant’s systems, and remains encrypted while passing through them. The merchants would then be relieved of the entire burden of securing their networks, and would stop being the target of attacks by hackers.
Verifone already has such a device available that Evan reported on a few months ago here: http://storefrontbacktalk.com/story/040408swipe
Today’s problems are caused because securing systems is left entirely up to the merchants. Few retailers have enough CISSPs on staff to inspect and secure every intermediate system, let alone the authority. And we certainly don’t want to pay for them all. But true securing of systems requires that depth and application of knowledge, and on an ongoing basis — anything less and you get an ad hoc collection of systems protected to varying degrees, any one of which might be subjected to an attack.
Instead, remove all those requirements from the merchants. Make it simple: merchants must buy and use a secure device from an approved vendor in order to use the network’s cards. And a member bank must buy and use an approved decryption appliance in order to participate in the network.
I know I sound like a broken record, but it’s true: if you remove the value of the information that the merchants handle, the merchants stop being the point of weakness.