Evan Schuman's StorefrontBacktalk

Google Wallet’s security problems that surfaced last week—two different ways for a thief who has stolen a phone to get access to payment cards in the digital wallet—prompted Google to block new Google Wallet provisioning for several days until the company pushed out a fix. But the vulnerabilities also highlighted a major pain point: Shifting payments from plastic card to smartphone isn’t just about technology, it’s also about getting partners to cooperate—in this case, card issuer Citi.

The big problem: The most logical and secure technology fix—moving PINs to secure hardware—is something Citi seems unwilling to do.

A Seattle mobile payment firm is pushing for phone purchases to be done with no PIN, arguing that with this young a market, consumer convenience needs to trump security. Given its focus on authenticating the phone instead of the customer, it’s had to get creative and might be pushing the privacy envelope. It examines the five most frequently called friends, for example, along with a list of installed applications.

Whether or not its methods go too far, it’s in good company in the mobile early-stage convenience versus security argument, with both PayPal—and its phone-less and card-less purchases at Home Depot—and Visa, which is pushing PIN-less EMV transactions while MasterCard is taking the more secure and less convenient pro-PIN EMV position.

A new cryptographic hole revealed this week will impact one in 500 encryption keys, will be fairly hard for cyberthieves to find and will almost certainly be patched quickly. Still, it raises fundamental questions about encryption reliance. The group of cryptography researchers described an encryption hole that hits RSA especially hard, and at least one major chain is taking this very seriously.

“The bigger concern is internal keys, ones they couldn’t survey. Without their data of ‘weak keys,’ we can’t be sure we aren’t using any,” the retail exec said. “All owners of certificates do not know today if their keys are weak or not, and have no way of finding out just by examining them.”

In almost all U.S. state and federal data breach disclosure laws, a loophole lets a retailer avoid disclosure if law enforcement says it would help the investigation to keep the breach secret. The U.S. SEC, however, now has no such exemption.

This means that if the Secret Service or FBI tells a chain to keep an incident secret or else risk disrupting an active investigation, a company that complies—and keeps word of the breach out of SEC filings—may be guilty of SEC fraud, pens Legal Columnist Mark Rasch. In this federal agency versus federal/state agency situation, the retailer victim may be victimized again.

Yes, customers really will pay attention to in-store electronic signs—especially if they’re not supposed to. In a Reuters news story this week, Kroger CFO Mike Schlotman said 2,200 of the grocery chain’s 3,600 stores have installed video screens to alert associates when more checkout lanes should be opened up. The screens, which display three numbered balls, are supposed to use a secret code to show how many checkstands should be open. But some shoppers have cracked the code, Schlotman said, and now complain to associates that, for example, there should be 11 lanes open because the screens say so.

But did anyone really think customers wouldn’t catch on? There’s a long tradition of retailers trying to slip secrets-in-plain-sight past customers on coupons, receipts or in-store displays. It never worked before, and with fanatical shoppers now constantly comparing notes on the Internet, a cracked code is practically guaranteed to become widely known very quickly. Then again, maybe treating this stuff like a treasure hunt can actually make customers feel like they have more control over their shopping. In that case, it’s fine for retailers to play the secrets game—so long as no one seriously thinks the “secret” can be kept.

Are you legally liable for what customers do over your store’s free Wi-Fi? A Massachusetts lawsuit is backing into that question with a novel legal theory: If illegal activity uses someone else’s unsecured Wi-Fi, then the Wi-Fi owner can be sued for negligence for allowing it to happen.

To be clear, the Massachusetts plaintiff is not going after any retailers—in fact, the plaintiff’s lawyer says he’d hate to try winning a case like that against a retailer. Unfortunately, that doesn’t mean some other lawyer won’t chase the same theory, with results that could put a chain in court.

Apple’s mobile devices all but own in-store mobile in large retail chains, but they’re the least well supported of mobile devices for enterprise use. That’s creating increasingly serious troubles for retailers using iPods and iPads for in-store transactions. Case in point: $3.5 billion housewares chain Williams-Sonoma, where IT had to work all around Apple’s minimalist ideas of device management just to improve chances that transactions would complete reliably.

The problem? Locking down the devices is impossible. Monitoring how well they can communicate with POS backends requires developer gymnastics. Unexpected updates can wreak havoc. And Apple isn’t helping.

At just about every major chain, employees have agreed to lengthy nondisclosure agreements, whereby they have agreed not to “disclose” any “confidential information.” The problem is that most employees don’t think of updating their LinkedIn profile as a disclosure. Even more significantly, they don’t think of a lot of their day-to-day operations as confidential information.

Nowhere is this more true than with retail IT talent, talent that is marketed by touting the various applications people have worked on and the specifics of problems they have solved, pens Legal Columnist Mark Rasch. In LinkedIn, all of those apps and problems/solutions are located right next to their employer’s name.

MasterCard has clarified its EMV push policies, saying its campaign will be focused solely on direct data breaches (as in a wide-scale attack on servers stealing millions of card numbers). Its second campaign will deal with individual fraud (as in consumers losing their cards and someone finding them and then running up charges).

But the number-two card brand also spoke of a near-term future where E-Commerce will be able to use the EMV chip to authenticate and process E-Commerce and M-Commerce transactions. However, will consumers pay more for laptops that can handle such security? And will tablets and smartphones—which can more easily and more cost-effectively handle such technologies—grow quickly enough to make desktop/laptop enhancements irrelevant?

MasterCard’s Monday (Jan. 30) rollout of its roadmap for EMV in the U.S. set it on the opposite side of payment security from Visa, with MasterCard pushing for EMV with PIN and Visa arguing that PIN isn’t necessary. MasterCard is backing up its preference with some serious fraud-dollar forgiveness. Oddly enough, the much-smaller MasterCard has trumped—or, more precisely, nullified—Visa’s position, at least as far as retailers are concerned.

Given that greater-than-99-percent of Visa retailers in the U.S. also accept MasterCard, chains must go along with whichever brand has the more strict requirements. Typically, that’s been Visa, but not this time. On EMV-related PCI relaxations, however, the two brands opted to adopt identical policies.

For quite a few years now, the contactless payment world has enjoyed an endless-loop of defend-and-repel games when dealing with contactless security. The game starts with bank assurances that the data being transmitted wirelessly couldn’t possibly be enough for a thief to perform a transaction. Next is some public demo of a security researcher wirelessly grabbing data and completing a transaction. This is followed by industry refutations that the system demoed was either out-of-date or some part of the test was unrealistic.

Interestingly enough, there’s truth on both sides. But the dance of demo-and-explanation seems to never slow.

It was just past 10:30 PM on January 15 when police say a shoplifter walked into the Murrieta, Calif., Wal-Mart. But as part of a growing trend, she didn’t try and steal any merchandise. What she did was walk over to an unstaffed counter, pull out what seemed to be wire cutters and cut loose the store’s keys to its safer security devices.

Other thieves have opted for grabbing EAS tag detachers, but the point is the same. Beyond protecting products, retailers need to reinforce protections around the devices that protect their products. How are keys and tag detachers handled when not in use? Is there an explicit policy about ignoring EAS alarms?

As retailers embrace the cloud for its flexibility and convenience, they might want to also consider a very serious potential for loss of control. Legally, we’re talking three different types of control loss: Your loss of access to the data; your customers’ loss of the ability to access your services; and the potential for your confidential data to become public records and to then find its way to your competitors.

Paranoid? Not any more, pens Legal Columnist Mark Rasch. Recently, the U.S. Government took down the copyright pirate site “MegaUpload” and had its founder arrested and detained awaiting extradition.

PayPal’s expansion of its in-store payments trial at Home Depot (up from 400 PayPal employees to all PayPal users) marks a huge jump in the trial’s scope—and risk. On January 19, PayPal opened up the trial to include 51 stores (up from the initial 5) and said all PayPal users could now sign up for the system. That should give both PayPal and Home Depot much more useful information on who will use the system, and how.

But PayPal’s approach—which essentially reverses 50 years of payment-card advances by eliminating any physical authentication device—still presents a big challenge when it comes to security. The ability to check out with just a mobile phone number and PIN—no plastic card, NFC-enabled phone or other authentication hardware required—means anyone who can acquire that phone number plus PIN has a free shot at the legitimate customer’s account.

When a customer walks into a store and gives a payment card to an associate, who charges it on a store-branded mobile device, is that customer interacting with that retailer? If that device is using Square, the answer is “no,” but the customer won’t know that. If an E-mail address is requested, is it for Square or that retailer?

If a marketing opt-in question is posed, who is posing it? And how will customers react when they later learn they weren’t sharing with whom they thought they were sharing? Bad news: This is not hypothetical. There is a broader issue at play here. With any of the third-party mobile payment efforts—Google Wallet, PayPal, ISIS, maybe even Apple—there is the potential for this type of confusion.

Historic British retailer Fortnum & Mason—with roots dating back to 1704—is finding that PCI compliance doesn’t end with IT. The chain had to confess last week that a customer service rep was asking customers to E-mail their full credit-card data—including CVV—to process routine refunds.

Clearly, one errant employee is something every chain has. But this example brings up a too-often overlooked PCI fact: Compliance is an issue for every employee. Mobile payment, being a disruptive factor, will only make things worse, because it creates many more opportunities for payment-card data to be captured/retained against the rules.

In the power struggle between retail marketing and retail IT, IT is getting its server farms kicked. It started with E-Commerce and is now growing with mobile and social. What has to go? If it can go in the cloud, get rid of it. E-Mail? Gone. Web hosting? Out of here. CRM? Exit, stage right. If it can be easily outsourced by specialist firms or even done by people in the business unit, you need to let it go.

It’s time to evict Web and mobile app development, and pretty much any marketing initiative that isn’t core to your business. Heresy? Certainly, pens Retail Columnist Todd Michaud. But it’s necessary.

Given that PCI only applies to payment transactions for the five major card brands, PayPal transactions would not normally be in scope. But recent pilot programs by at least one major retailer and an announcement by a POS device vendor has PCI Columnist Walter Conway questioning the conclusion that PayPal transactions will remain out of PCI scope.

If a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? And if the PayPal account is in scope, is it a big deal?

With Visa’s clarification on January 13 that its U.S. EMV deployments will include Chip-and-no-PIN, retailers are trying to decide if this is a good thing or a bad thing. On the bad side, this forces retailers to immediately trust the chip technology perhaps a bit more than they want to.

“When I think about secondary validation, that gives me more of a warm fuzzy even though we have people saying that I have a more sophisticated chip and that my smart device has got some protection sitting in it,” said Bill Titus, the Loss Prevention VP at Sears.

When Amazon’s Zappos apparel unit announced on Sunday (Jan. 15) that more than 24 million customers had their information potentially stolen from its site, Zappos took the radical—but wise—move of wiping out all of its passwords. That caused massive disruptions to the company, shutting down customer service phone access and access to the site from outside the U.S., in addition to inconveniencing all customers.

But it was the unequivocal declaration that payment systems had not been touched that raised eyebrows. At this early stage of a breach investigation—knowing that cyberthieves tend to be quite good at hiding their tracks and creating misleading tracks—is such a blanket promise to customers reckless?

As retail rapidly moves to integrate mobile into almost every aspect of its customer interactions, many in IT and Loss Prevention are wisely scared about the security holes that will crop up during the rush. One such exec, William Titus, LP VP at Sears, said on Tuesday (Jan. 17) that one of his biggest fears involves mobile electronic receipts.

“The E-receipt problem is that the customer now has a valid receipt. I can’t bring it in. I’m not checking it off and signing off on it. So the ability to use that fraudulently increases unless you have a true returns management system,” Titus said.

If ever there was an argument where security trumped compliance, the debate about tokenization versus encryption is it. Readers have made that point abundantly clear following a recent column describing the PCI scope reduction benefits of tokenization versus encryption.

The shift in emphasis from compliance to being secure is not new, but PCI Columnist Walter Conway was struck by how pronounced a perspective change retailers are experiencing.

No retailer likes being fined by Visa or MasterCard for letting thieves steal payment-card data, and most grumble privately about how that process is arbitrary and rigged against merchants. But a lawsuit now unfolding in Utah has uncovered a remarkable level of detail about how arbitrary card brands can be.

The lawsuit is challenging everything from issuing banks’ contracts to Visa’s claims for counting up card fraud and pinpointing who’s to blame—in addition to $1.3 million in card fraud that Visa says the restaurant enabled via an alleged security breach for which there’s no concrete evidence.

Walk into one of about 25 Guess stores this week and you’ll see customer-accessible iPads in the men’s, women’s and accessories departments and even in the dressing rooms. “For the cost of a kiosk, I can put in four or five of these,” said Guess CIO Michael Relich. “This is the consumerization of IT.”

But the Guess iPad trial is hardly being done to save costs. The flexibility of the tablets and sharp, customer-friendly graphics make the devices a much more effective way to show demos and to locate merchandise, check inventory and do anything else that a kiosk would normally do.

The days of the classic botnet distributed denial-of-service attack may be numbered, and that isn’t necessarily good news for retail chains.On January 6, a cyberthief-friendly programmer made public a one-line attack that could enable a single attacker to bring multiple servers to their knees. That moves DDoS out of the realm of requiring a costly botnet for a high-bandwidth mass attack—and brings it into range for a single irritated teenager.

The vulnerability that attack uses is easily fixed. What’s really worrisome is what makes the attack practical: the new ability to target server weaknesses that have been known for years—but no one worried about.