NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.

Applying Internet-level security to RFID is something that has not gone very far, according to this RFID Update story about the anticipated rollout. NeoCatena Networks is developing RF-Wall, an appliance to be installed between RFID readers or controllers and middleware servers, edge servers or host applications in networked RFID systems. The product acts as a firewall that authenticates RFID tags prior to allowing their data to pass into enterprise systems and also scans input to detect and block malware. RF-Wall works by using the unique tag ID to create a digital signature.

Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle “to explore the growth of contactless payment systems and the implications for consumer protection policy.”

Here are the details of the FTC’s hearing along with a link to submit comments electronically. There are lots of legitimate pros and cons on this issue, but the panel should at least understand the merchant’s perspective.

With the nation’s largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I’d rather take my chances at rolling a 10 the hard way.

Las Vegas was hosting the 2008 Food Marketing Institute and Marketechnics show, which felt like self-checkout central this week. Read more.

London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.

The exec “who has been running the program said to me a year ago, ‘I’d love Nokia to say we have a way for people to walk into this door, wave their phone over a suit and take it home,’” said IDTechEx Chairman Peter Harrop. “But he said, ‘I think I’ve chosen the wrong frequency.’” Read more.

GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments.

Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives, encryption keys that are never changed, privileged users who have permissions left over from prior projects, terminated employees who still have logins and policies that are not enforced. Fixing this stuff is not expensive, but it’s not fun either. Read more.

Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam’s Clubs by 2010, according to this BusinessWeek story.

After checkout, customers would have the option of removing the labels containing the tags, Wal-Mart told the state legislators. “If a manufacturer installed the tag inside a container, workers would be able to deactivate it before a customer leaves the store,” the story said.

A difficult to duplicate RFID chip? That’s the claim of an RFID startup, which is using MEMs resonators to create a unique signal, or “voiceprint,” which can’t be cloned and can be used to authenticate the chip, according to this RFID Update story.

“Each voiceprint is unique but falls within a defined band so separate readers do not have to be developed for each chip,” the story said. “However, MEMflakes can’t be read with RFID readers currently on the market.”

Although contactless payment has tremendous potential to advance payments and set the stage for mobile commerce, it’s suffering from benign neglect from both retailers and the card brands—and banks, too. That according to a new contactless payment report from analyst firm Javelin Strategy & Research.

The key argument of the report is that none of the three groups of companies involved—the card brands, the issuing banks and key retailers—is spending the dollars to create true incentives to make contactless payment work, said lead report author Bruce Cundiff, who is Javelin’s director of payments research. “There is no effective value proposition for merchants and for wireless carriers,” Cundiff said. Read more.

RFID vendor Mojix has rolled out a new RFID system that it says can read passive, Gen2-standard tags from 600 feet away; cover 250,000 square feet of area; and pinpoint tag location in 3D, according to this intriguing RFID Update story.

The move is interesting, because it shows a vendor’s willingness to play with the assumed RFID rules to try and generate a little retail ROI. The story quotes company officials saying that the claims are based on advances in digital signal processing, RF antenna design and computational processing power. Mojix’s STAR 1000 differs from traditional RFID systems by using separate components to power and read tags. “There is no rule of physics or regulation that says the receiver and transmitter have to be in the same housing,” said Kevin Duffy, Mojix senior vice president of sales and marketing.

With reports out this week that Boeing’s much-celebrated upcoming aircraft—the 787 Dreamliner—would be again delayed because of technology problems, some wondered if the delays involved the plane’s extensive RFID experiments.

Boeing spokesperson Nancy Standifer announced Wednesday that the plane’s delays do not involve its experimental RFID capabilities and for a very good reason: the delays have prevented the RFID phase from even starting. The plane is slated to be among the first to truly have RFID tags on thousands of individual parts. And those tags have to work in temperatures that ranged from 40 degrees (Fahrenheit) below zero to 1,200 degrees above zero.

Amidst the sea of security announcements slated for the next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption.

Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security. The new unit uses Hidden Triple Data Encryption Standard (H-TDES) from a company called Semtek Innovation Solutions Corp.. It’s hardware unit is designed to deactivate if anyone succeeds in opening the case, making the planting of physical data-capture devices more challenging. Read more.

With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office last issued a trademark for a cellphone payment that leverages current retail equipment, an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.

The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system. Read more.

Bankrupt Pay By Touch—officially using the name Solidus Networks—has sold off two key units for a total of $4.8 million.

Phoenix Check Cashing dropped $4.2 million to pick up Pay By Touch’s check-cash¬ing division, known as BioPay Paycheck Secure, according to The Nilson Report. Acculink paid $600,000 for ATM Direct, a unit trying to introduce PIN-based debit card payments for E-Commerce sites, the publication reported.

Pushing a convenience/ease-of-use argument, payment processors have spent much of the last two years trying to get consumers to use different payment methods. But 2008 has thus far not been friendly to them.

This week brings the news that American Express is halting its ExpressPay keyfob, some six years after the payment giant started offering it. The program is expected to deactivate the last of its fobs by July. There are many reasons the fob may have died, but at least Amex—with six years of fob effort under its payment belt—can’t be accused of not giving the fob enough time to work. Read more.

The retail move to embrace 2-D barcodes that began with a Sears trial in December and strong interest from BestBuy, the Gap and Target is inching forward, with a 500-store trial starting Thursday in San Francisco.

The trial, involving CitySearch, Antenna Audio and Scanbuy, is a fairly basic mobile integration effort. “More than 500 restaurants, shops and businesses reviewed by Citysearch are placing printed bar codes in their windows, and people who have Scanbuy software loaded on their phones can simply take a picture of the code and their phone’s Internet browser will immediately take them to the restaurant’s corresponding Citysearch page,” said a statement from the group.

Next Tuesday, it’s likely Washington state will have a new RFID law on its books, one that will be the first in the nation to make malicious stealing of data via RFID a crime. But the bill is a far cry from what’s the bill’s assemblyman sponsor had envisioned—and what he says he will still fight to get.

The bill had been pushed by Assemblyman Jeff Morris. The final version of the bill—which Morris said he expects Washington Governor Chris Gregoire to sign into law on Tuesday—makes anyone guilty of a Class C felony if they “intentionally scan another person’s identification device remotely, without that person’s prior knowledge and prior consent, for the purpose of fraud, identity theft or for any other illegal purpose.” Read more.

Just three months after filing for Chapter 11 bankruptcy protection, Pay By Touch officially pulled the plug on its remaining biometric transaction customers Thursday morning.

Pay By Touch (officially Solidus Networks Inc. doing business as Pay By Touch) issued a statement on Thursday that it “regretfully announced today that it will no longer process biometric transactions on behalf of its merchant customers and consumer membership base, as 11:59:59pm March 19, 2008.” Read more.

Guest Columnist Ed Adams argues that PCI has a long way to go and that the PCI Security Council isn’t helping very much.

“The PCI Security Standards Council is made up of seemingly smart folks from the credit card brands and security industry. Unfortunately, this group of misfits is saddled with a myriad of competitive conflicts of interest and, worst of all, a complete misunderstanding of how to best protect card data and consumer identity,” writes Adams. Read more.

Shortly after reports surfaced that the Hannaford grocery chain had been PCI compliant at the time of its data breach attack, the Web has been crawling with those questioning the value of PCI, even as the confusing preliminary details of the breach are being sorted out.

As one who has frequently used this column to point out the many flaws within PCI, please allow me to stand up and say to those PCI critics: What planet are you from that tolerates only perfect security systems? Do they conclude from one successful burglary of a house protected by a top-notch burglar alarm and high-security deadbolts that burglar alarms and deadbolts are worthless? Read more.

As details of the Hannaford data breach trickle out, the familiar data breach pattern of apparent inconsistencies has emerged.

For example, Hannaford’s people have been stressing to reporters that they were PCI compliant and, indeed, that they not only were certified compliant in Spring 2007, but that they were re-certified compliant in February 2008. But that raises more troubling questions than it offers comforting assurances. As a Level 1 retailer, Hannaford is only required to undergo a PCI assessment once a year. If they were compliant in the Spring—regardless of which month it was—it seems eyebrow-raising that they would have sought another assessment so soon. Read more.

One of the non-intuitive truths about marketing is that marketers love to suggest the opposite of what they know to be true. This was illustrated this week when a contactless payment organization leapt to attack the Associated Press for pointing out that contactless technology exists in credit cards as well as building access cards.

You don’t address security concerns by pretending they don’t exist. You acknowledge that everything is relative and that weaknesses are there but there are advantages, too. Read more.

This is one of these “everyone already pretty much knew this but it’s nice someone took the time to prove it” studies. The University of Arkansas was paid by Wal–Mart to find out whether RFID actually improves inventory accuracy. It found that, yes, it does, to the tune of some 13 percent.

But the methodology is a lot more interesting than the as-expected result. The team followed air fresheners at 16 Wal-Marts for 23 weeks where “a national inventory-auditing group determined each day’s on-hand air-freshener inventory by manually counting every item in all 16 stores.” Read this RFID Journal piece for a look into how to prove inventory accuracy and why a retailer can never afford to duplicate this study.

A grocer offering milk cartons that glow when their milk turns sour and a programmable soft drink that will change its flavor to a consumer’s whim. These are two of the more unusual ways nanotechnology may impact retailers in the next few years, according to this fascinating story in Australia’s Sydney Morning Herald.

While the product capabilities can be exciting, the potential health hazards are better described as terrifying. If groceries of any kind are among your SKUs, you should check this piece out.

At long last, this week finally delivered a wireless security report with some good news. Due to airport wireless security holes big enough to fly a Boeing 747 through, the report discovered one airport with an unencrypted wireless baggage handling network that could allow bored travelers to hack into it and reroute other people’s luggage for fun.

“Since Bernie ordered me to accompany him on this stupid trip to Philadelphia and we sit here in a five-hour connecting flight delay in Chicago, it’s the least I can do to thank him by giving his luggage a much-deserved holiday in Hong Kong,” deviously thinks Brad, the junior LAN administrator with far too much time on his hands. Read more.

JCPenney and Krogers are the latest U.S. members of the National Retail Federation’s Association for Retail Technology Standards, joining the newest global members of Tesco, Carrefour and IKEA.

The Association for Retail Technology Standards is an international membership organization that, since 1993, has said that it was dedicated to reducing the costs of technology through standards.

Hello, blog readers! We’ve been approached by a company that wants to create a 3-D environment for StorefrontBacktalk, complete with avatars for all readers. Before we explored this more seriously, we wanted to ask our readers whether we should proceed. Therefore…

Near Field Communication (NFC) is running into the exact same kind of tech hurdles that has slowed down RFID, according to a new report from the Venture Development Corp., which cited a lack of supporting infrastructure, standards problems and a “complex ecoysystem of stakeholders.”

VDC “believes that NFC may take root first in niche vertical applications rather than hypervolume consumer applications like contactless payment,” said this RFID Update story.

The Metro Group’s RFID trial efforts have been well-known, but this is an interesting International Herald-Tribune story discussing some of the privacy debates within Europe on their efforts.

The piece quotes a Metro person as saying that a recent European Union effort to force the tags to be deactivated at POS as the kiss of death for consumer-facing RFID. “If we have to deactivate at the check-out, then the technology is going to stay within the logistics process - to say where is a box or where is the pallet in the distribution center. It won’t come on consumer items. They’re going to kill the technology with that.”

Are we looking at a near future where consumers’ purchase profiles will be used by law enforcement to track down fugitives?

The potential is absolutely there, with retailers collecting molecular mountains of shopping history—sometimes more than a decade’s worth—and law enforcement seeking creative ways to find criminals (or people they think are criminals) who are quite determined about not being found. Read more.

A pair of companies is pushing an approach where hotel guests could use their electronic room key to also open vending machine snacks, which would then be automatically charged to the guest’s room.

The new approach, from Cstar Technologies and Fastcorp, would theoretically make such purchases easy to order repeatedly, offering revenue and margin that could more than compensate for reductions in “honor bar” purchases.

Global RFID revenue is expected to hit $1.2 billion this year and $3.5 billion in the next four years, according to new Gartner projections. This year’s figures represents an almost 31 percent increase from last year.

Gartner reported that the leading segments were discrete manufacturing (21 percent), national and international government (20 percent), transportation (20 percent) and then retail (14 percent).

RFID-tagged products will have to be deactivated at the POS throughout Europe, if draft guidelines proposed this month by the European Commission are approved.

A public consultation is being launched into the “soft law” guidelines that EU Information Society and Media Commissioner Viviane Reding hopes will be adopted by the European Union executive to be applied in all the bloc’s 27 member states, according to this Reuters story. The guidelines are “tentaitively scheduled to be adopted before the summer of 2008,” the Commission said in a statement.

Sometimes, people who spend most of their working hours trying to get technology to do magical things lose sight of the many psychological dynamics. In short, employees and consumers rarely see things the way technologists do, which can cause some wonderful disconnects in the field.

Retailers and telcos and others are watching test markets such as New York City and seeing how many consumers are using contactless payment. Their assumptions are based on the number of contactless cards in the population. But if that population doesn’t realize that they have a contactless card, there’s nothing valid that can be concluded when those people do not use them. Read more.

These days, retail’s data breach du jour is some manager’s laptop getting stolen.

Breach letters are being sent out so frequently that I wonder if it’s going to pique the business interests of Hallmark. A card for every occasion, when you care enough to breach the very best. Perhaps a merger with their Get Well cards? “Sorry to hear that you’re not getting around these days…. [open card] …. but your CVV sure as heck is. Call 1-800-DATA-OOPS for your free year of credit monitoring, courtesy of your neighborhood retail chain.” Read more.

In very early January, residents of New Hampshire couldn’t pull out of their driveways without running into a presidential candidate. That’s how it is today with retail IT executives and vendors selling PCI compliance packages.

But, for better or for worse, that’s not a long-term situation. Like the presidential candidates who had to fly South for the winter (or fly the coop entirely), these compliance salesfolk have a limited lifespan. Within the next year or so, retailers are going to shift from trying to become PCI compliant to having to maintain PCI compliance. Read more.

The major credit card brands—and the banks they work with—do a fine job talking up security when they’re at podiums or writing news releases. But when it’s a choice between consumer security and lower transaction fees? Faggedaboutit. Fees win out every time.

At least that’s one of the core conclusions from a report released Thursday from technology analysis firm Gartner Inc. Read more.

In a move that researchers said might set up low-cost, high-volume RFID tags that could replace barcodes, the European Holst Center said Wednesday that their 64-bit, inductively-coupled, passive RFID tag achieved a record 780-bit/second data readout.

This development “represents a five-fold increase in bit rate performance compared to state-of-the-art plastic RFIDs,” reported Electronic Engineering Times. The story reported that the 64-bit RFID consists of a low-cost inductive antenna, capacitor, plastic rectifier and plastic circuit, all on foil.

Some 230 Oakland, Ca., commuters started a trial this week where they were issued specially-equipped near field communication (NFC) Samsung phones, devices that could be used to directly pay for the subway, Jack In The Box meals and can interact with underground posters to get directions.

The trial with the Bay Area Rapid Transit (BART) commuters started Tuesday and is expected to continue for four months, said Mohammad Khan, the CEO of Vivotech, which is one of the technology vendors involved in the trial. Sprint is also a key partner in the project. Read more.

A Chicago man has an older car that he’s not wildly in love with, but it’s good transportation. He’s not into the car’s appearance, figuring that the painting is for the entertainment of everyone else. He cares about what’s on the inside.

One day he’s in a parking lot and discovers that someone placed a huge scratch along the right side of the car. His insurance company inspects and awards him a large check to have the car completely repainted. Instead, the man uses the check to buy a new state-of-the-art audio system. The way that Chicagoan views his insurance check is how many IT leaders see PCI requirements. Read more.

One of the fastest growing segments of retail technology today is clearly mobile, whether it’s in the hands of consumers accessing the web or using 2-D barcodes on ads or in employees’ hands, changing prices on the shelf or doing inventory or even processing customer purchases while they stand in line.

But there is a huge IT frustration with those mobile devices when it comes to retail employees. It’s not the fact that most new retail tech capabilities are mobile and experimental, which just begs the data breach Gods to punish managers. That’s less frustrating than infuriating. Read more.

The retail 2-D barcode efforts are accelerating, with Sears apparently becoming the first U.S. retailer to begin a public trial, having started in mid-December at a store in Marietta, Georgia.

The biggest current concern—which is also likely to be the most short-lived—is that the service is available on a relatively few number of phones in the U.S.. That concern—a shortage of supported phones—was mentioned by a Sears manager involved in the trial. Read more.

RFID sales around the world hit $5 billion last year, a figure significantly pushed by a $2 billion investment in China’s chipped national ID card, according to a report this week from U.K.-based RFID analysis firm IDTechEx.

“Those newly recorded projects represented 20 percent growth in the size of the database, reflecting the rapid growth of the market way beyond the Chinese ID card,” said IDTechEx CEO Raghu Das. “We could have added more than 500 more consumer goods companies mandated by retailers to tag pallets and cases but that would be living a lie because most of these are doing little or nothing in the face of the huge financial cost and lack of payback if they comply.” Read more.

The Wegmans Food Market chain is going to trial whether RFID-tagged prescriptions could make processing orders more accurate and fast, according to this story in RFID Journal.

But the more controversial aspect of the trial will be looking at “how the usefulness of RFID tags on individual pill bottles or blister packs could be extended beyond the point of purchase. For this application, they’re seeking partners interested in developing in-home RFID tag interrogators that consumers could use to organize their drugs and manage when and how much they should take.”

Wal-Mart is threatening Sam’s Club suppliers with a $2 to $3 fine for each non-tagged pallet as of Jan. 31, according to this intriguing RFID Update story.

The story reported that Wal-Mart has “discussed the possibility of allowing suppliers to raise prices to help offset tagging costs.”

Among the major announcements at the National Retail Federation show in New York City next week will be a major 2-D barcode trial backed by Microsoft. But the fun at a show like NRF is to find the offbeat interesting product rollouts tucked away, buried underneath the tons of not-very-significant. Read more.

Japan’s Fujitsu this week announced a Gen2-standard RFID tag with 64 kilobytes (KB) of memory, which it claims is the highest-capacity Gen2 tag available, according to this story in RFID Update.

Fujitsu’s tag uses ferroelectric random access memory (FRAM) memory technology, which features a film capacitor for data storage. Fujitsu manufactures numerous FRAM memory products, which it claims provide capacity and read/write advantages over EEPROM memory, the story.

In what is surely a retail tech addendum to Murphy’s Law, the more sophisticated and elaborate a retailer’s supply chain strategy is, the more it’s likely to fall apart in the last few feet and, naturally, when it’s needed most.

I was reminded of this when shopping this past holiday season in a major national chain and wanted a particular model product, which the store was out of. “No problem,” I was told by a store associate. “We’ll have a large shipment in just a few hours. It may be in there.” Read more.

Reader reaction to a recent piece we did on a Staples reusable active-tag RFID trial was strong and raised a wonderful question about how costs are determined.

The arguments raised are similar to the total cost of ownership (TCO) strategies that were all the rage a few years ago, but they take it one step further. Read more.

Retail IT leaders today are still struggling with RFID, to find a way to salvage years of effort and to try and eek out some provable profits.

Is the human factor to blame? Managers “are going to have to build dependence on RFID. Instead of routing through styles of slacks, will they trust it? It’s going to take a lot more than technology. People are going to have to change the way they work.” Read more.

A one-store RFID trial that Staples ran this summer with reusable tags has been declared a success by the retailer and will expand to four other stores in mid-February, said the retail chain’s IT executive in charge of the project.

Beyond the cost per-use, Soares said the trial continuously delivered a 100 percent accurate read-rate and delivered a “21 percent reduction in out-of-stocks for the items that were counted.” The chain also saw “zero percent shrink” on the tagged items, which Soares said was especially noteworthy because the tagged items high-theft-targets such as MP3 players, laptops and desktop PCs. Read more.

Peer just a year or two down the retail road and the most exciting source of technological potential comes from the all-but-ignored pillar of digital signage.

This is not merely a multimedia ad-displayer. It has the potential to interact with smartphones, smartcarts and contactless credit cards. So where are the retail IT leaders in all of this? Nowhere near, as IT isn’t seriously involved with—and certainly not in charge of—most of the major retail digital signage deployments today. Right there, in a Unix shell, is what’s wrong with corporate IT departments today. Read more.

Has the Web succeeded in taking away perhaps just a touch of the advantage that comes from being a massive retailer? This well-reasoned CIO Magazine story does a nice job of exploring that question by looking at whether Wal-Mart’s IT department has lost its edge and started to hurt Wal-Mart’s dominance.

The piece looks at the mixture of corporate ideas forced onto the stores and whether RFID efforts distracted the company from more practical objectives. A good read.

As EPCGlobal is still finalizing its High Frequency (HF) Gen2 tag protocol standard, a source working with the group says they are seeing speeds of 600 reads/minute, compared with 100 reads/minute for today’s HF tags and about 250 reads/minute for today’s Ultra High Frequency (UHF) tags.

In other RFID news, a major analyst report is about to show a sharp price in transactional kiosks shipping without magstripe support. Read more.

An extensive on-site detection survey of more than 3,000 retailers in six U.S. cities plus London and Paris established most in retail IT have long believed to be true: wireless security is an oxymoron.

The inspections by wireless security firm AirDefense found mis-configured access points, extensive data leakage as well as poorly named SSIDs and naming fields. Read more.

One of the more aggressive retail RFID backers in the world, Germany’s Metro Group, announced Friday that it is moving its pilot to the second phase and adding 70 more suppliers in China and Vietnam.

The program, which Metro calls “Tag it, Easy,” is intended to better track products through Metro’s global supply chain. The first phase of the program, launched in May, used 30 Chinese suppliers. The second phase was launched at “a kick-off event for suppliers today in Hong Kong” and will start to ship the first tagged products by December, Metro said. Read more.