Evan Schuman's StorefrontBacktalk

Integrators and resellers seem to be resisting a program that would provide stronger enforcement over, well, integrators and resellers. PCI Council General Manager Bob Russo talked with PCI Columnist Walter Conway about the resistance (the program is “sorely needed”), the pricing and the nature of the training. And given the number of industry insiders Russo worked with to create the program, he bristled at the suggestion that the Council worked in a vacuum on this one.

Russo said the training will be an online course so nobody should have to travel, Conway writes.

With more than 3,000 stories, columns and GuestViews in the content database here at StorefrontBacktalk, we thought it was time to do a little upgrading. Starting this week, readers (both free and Premium) can search for stories by limiting the search to just the story’s headline—as opposed to the headline and the full text. (Note: Right below the search bar, readers can choose HED Only or Story And Hed.)

The ability to isolate a search to the headline can be useful in two ways. If you happen to remember that the headline mentioned Target, for example, you need not see every story that mentioned Target (or even used the word “target”). The second way is practical. If you want a story that is primarily about tokens—and not a story that merely mentions the word somewhere—the headline-only search can be helpful.

What Google, PayPal and ISIS are trying to assemble in mobile payments, MasterCard wants to dismember. On Monday (May 7), the number-two payment-card brand unveiled a mobile wallet and an E-Commerce payment system that are designed to cut out any middlemen horning in between customers and retailers and payment networks.

Ironically, while MasterCard’s PayPass Wallet for NFC-equipped phones got most of the attention, that’s still largely a pipe dream—MasterCard hasn’t even talked any mobile operators into giving it access to the NFC chip. But the online payments effort will offer tokenization to reduce PCI scope for E-Commerce. The bad news: You can probably forget about any interchange relief.

Corporate data security policies have always been a challenge. In recent years, thumbdrives, corporate telecommuting and smartphones have made such controls problematic. But the assumption has always been that the data being protected was on the hard-disks or RAM of various systems.

A Best Buy incident this month, however, is a grim reminder that saved passwords or tokens can expose employees to sensitive data—and capabilities—far beyond the bits and bytes of that device.

It’s you versus the sales guy in an epic battle over your IT career. The sales guy has a polished presentation about the features and benefits of his products and services. You have a status report. The sales guy has access to unlimited resources to make your business partners’ wildest dreams come true. You have one really great guy who you’ve overworked to the point that you carry a ton of personal shame.

The sales guy says, “Yes. Yes. Yes.” You say, “No. No. No.” In this surreal world, pens Retail Columnist Todd Michaud, you are watching your hard-fought IT career be dismantled by an onslaught of companies that shake your hand and look you in the eye as they pitch your demise one product and service at a time. And you had better buckle-up, Buttercup; it’s only going to get worse.

The latest PCI compliance stats—out this week—show trivial changes from the prior report, with Level 2 and Level 3 retailers slightly increasing compliance. Level 2 went from 91 percent at the end of December 2011 to 92 percent as of March 31, 2012, and Level 3 also increased by 1 percent, from 58 percent to 59 percent.

With changes as small as 1 percent, it’s hard to determine what, if anything, caused the change. The number of Level 2s dropped slightly (from 1,066 to 1,060), so it’s possible a couple of the chains that left might have had compliance issues.

When the PCI Council released version 1.1 of its Point-to-Point Encryption (P2PE) Testing Procedures late last month (April 27), it forced an interesting question: Will P2PE be the only way to remove encrypted data from a merchant’s PCI scope?

Writes PCI Columnist Walter Conway: Current PCI Council guidance (FAQ 10359) holds that encrypted data can be out of a merchant’s PCI scope “if, and only if, it has been validated that the entity that possesses encrypted cardholder data does not have the means to decrypt it.” The important word here is “entity.” That is, the ability to decrypt the data must rest with some unrelated third party. With the emergence of P2PE, could this scoping guidance be revised to where the only appropriate “entity” is an approved P2PE provider?

Mistakes made by careless or incompetent payment application installers or system integrators have led to far too many data breaches over the years. In each case, even though the reseller or integrator made the mistake, the merchant bore the ultimate responsibility.

Unfortunately, system resellers and integrators formerly fell in a governance gap in PCI, and their actions were outside the PCI Council’s jurisdiction. PCI Columnist Walter Conway says “were,” because that situation is about to change.

When Walmart launched its E-Commerce cash program on April 26, did it open the door to evil-minded rivals by giving them the means to falsely lock up merchandise? That is just one example of the many implications behind Walmart’s move to enable people to use cash to make online purchases.

Beyond new security holes on the risk side, the reward side is equally huge. While everyone seems to have focused on the general unbanked audience, a much more interesting prospect for this program is teenagers. Plus, this is sort of an anti-showrooming move, where online shoppers are being lured into the stores. Revenue sharing between Walmart channels is also a point of nervousness with this program. And a store’s inability to cancel such online orders—even if the customer then finds the item on the shelf—is problematic, too. This is a rare example of the kinds of compromises—between online and in-store operations—chains must make these days.

Sears on Tuesday (April 24) launched a service to provide managed technology services for “brick-and-mortar enterprises across all industry verticals.” It is a move partly aimed at Amazon’s cloud service, with Sears promising much more customization and hand-holding. For many retail observers, this was a baffling step, another non-strategic distraction at a time when the 119-year-old retailer needed to do nothing more than focus on selling more products in its stores.

For Sears, though, the move made fiscal sense. With all of those dollars invested in IT systems—with more capacity than Sears needs—why not, in effect, lease out some of it? Put another way: Turn IT from a pure cost-center to a mostly cost-center that generates at least some revenue.

In Mark Rasch’s legal column this week, he points out that online purchases by minors are a potential legal nightmare and that a federal judge is now deciding the retail issue. But what if the case goes against retailers? Frighteningly, the way many digital purchases are processed makes it all but impossible to comply with the law.

How could iTunes refund an already listened to song or an already played game? That’s not merely a business/profit question. From an IT perspective, there is often no mechanism to do it. What might start out as a legal problem will almost instantly morph into an IT problem.

It’s not just those birds that are angry these days. The process by which Apple allows teens, pre-teens and even toddlers to download free apps, and then purchase game currencies within these free apps, may have landed the computer giant in hot water—with both parents and at least one federal district court in San Jose.

The case revolves around a longtime legal reality: Minors cannot agree to a contract. If they pretend to agree, it’s non-binding and can’t be enforced, writes Legal Columnist Mark Rasch. But what if an adult gives the child their password and permission to make a purchase? It’s still the child doing it and the contract, therefore, probably can’t be enforced.

Why is it that the same people who will easily spend hours playing Angry Birds each week won’t spend an extra hour improving their retail operations? Saving money just isn’t sexy or fun. It’s boring, and that’s the biggest problem.

After many years in retail operations, Retail Columnist Todd Michaud is still surprised how little traction well-developed back-office applications receive. You would think that saving money on inventory, labor or marketing expenses would be all the motivation that a retail owner or general manager would need, but that rarely seems to be the case. That got Michaud thinking about some of the new social applications, like Foursquare, and what makes them successful: Gamification.

What began as a Home Depot effort this month to get installers to boost the chain’s Web traffic has morphed into a strange SEO Google mess, with a Home Depot E-mail encouraging those service providers to use invisible links on their sites.

This is not merely an issue of violating the rules of a major search engine. A lot of these partners—carpet installers, for instance—have minimal E-Commerce teams, which means they rely on partners such as Home Depot for E-Commerce guidance. And when chains give advice that is false and endangers the ranking of the sites of those partners, it is a problem.

As retailers accelerate payment experiments, a recent Wal-Mart experience with a well-established approach offers a cautionary tale. A Buffalo, N.Y., woman this month walked into her local Wal-Mart, gave an associate $1,000 in cash and asked for it to be loaded onto a Walmart MoneyCard, in preparation for a vacation. A couple days later, the customer discovered that the money had been removed by a thief in another country.

The fact that it was a thief who stole the funds is undisputed. However, the immediate next actions of Wal-Mart and Green Dot—which manages MoneyCard for Wal-Mart—is a textbook example not of what should not be done, but how it shouldn’t be done.

7-Eleven on Monday (April 16) started a new age-check system, one that provides digital proof that a specific person’s credentials were checked at a specific date and time. This will provide the nation’s largest convenience-store chain with a new independent way to fight back when police say that an underage customer’s driver’s license had never been checked.

But it won’t address many of today’s age-ID problems, including waiving license checks if the associate thinks the person is old enough, license photos often being bad enough to fool weak authenticators, and under-age consumers using the driver’s license of an older sibling. Still, 7-Eleven has crafted ways to deal with some of those gotchas with the new system.

A pair of accused Wal-Mart thieves in North Carolina learned a valuable lesson last week: If you’re going to shoplift from the world’s largest retailer, it’s not a great idea to drive to the heist in a rental car.

It seems that as they exited the Havelock Wal-Mart with multiple yet-to-be-paid-for HP desktop computers, store officials did not stop them, but they did jot down their license plate number. Police found that it was from a car rental company, which happened to be able to remotely shut down the engine. And GPS was involved, too. Yep, this was a dual-shoplifter takedown, ultra-geek style.

In a major decision limiting corporate use of the federal Computer Fraud and Abuse Act (CFAA), the U.S. Court of Appeals for the Ninth Circuit on Tuesday (April 10) said the law is intended to address true cybertheft and other criminal hacking efforts and nothing else. At issue was whether companies could threaten employees with federal prosecution for violating company policies, such as playing games on a company computer.

Beyond the fact that retailers have to deal with many of these employee issues, the potentially bigger retail impact of this ruling is how it would strengthen prosecutions of actual cyberthieves, who tend to work where they shop.

The great New Jersey giftcard exodus continues. On April 5, Blackhawk Network and InComm announced they’ll pull their giftcards from New Jersey retailers to avoid a new state law requiring them to collect and store the purchaser’s ZIP code. (American Express giftcards are already gone from the state.) Their complaint: It’s an IT project that’s all cost and no business benefit. But in a merged-channel world, that’s not the only problem with the new law.

In fact, what lawmakers probably thought was a simple idea runs into a buzzsaw of complexities—and the IT project is the easiest part of the problem.

When the U.S. Secret Service arrested five men last week on charges that they stole hundreds of items from the self-checkout areas of 74 Home Depots in six states, it certainly didn’t help the security reputation of self-checkout. This comes after Costco detailed its own self-checkout thefts and several chains abandoned self-checkout, citing theft as one key reason.

Some self-checkout advocates concede that these types of self-checkout thefts are very real, but that they are often the result of sloppy self-checkout deployments, with some stores not activating all security functions, using insufficient staff around self-checkout, not bothering with security cameras and ignoring other self-checkout best practices.

The abrupt departure of Best Buy CEO Brian Dunn on Tuesday (April 10), because of his “personal conduct,” overshadowed something much more interesting that surfaced this week: the reason for Best Buy’s recent series of planned outages—one on March 28, another on April 8—is that the now-CEO-less retailer is moving its E-Commerce operations to the cloud.

The cloud move, like last fall’s quadrupling of the number of Best Buy IT project managers, is an effort to control IT costs without rolling back IT initiatives—absolutely critical in the face of Dunn’s inability to stem the chain’s loss of sales to Amazon. Amazon, ironically, is among those that Best Buy is writing checks to for its cloud efforts.

As Apple tries to position itself as the ultimate payment processor, the competition is heating up for which entity, and which technology, will be responsible for ensuring that retailers get paid. Although these choices may ultimately prove useful for both consumers and retailers, they present new privacy challenges to all participants.

As a result, pens Legal Columnist Mark Rasch, Apple, PayPal and a host of other payment processors may find the need to hire new teams of lawyers to help them comply with the inevitable subpoenas and discovery requests that will befall them.

ISIS is scaling back expectations for how much its mobile payment system will be used, even before it launches. Last week, ISIS Chief Marketing Officer Ryan Hughes told GigaOM, “We’re not trying to hit a home run, but get a bunt single.” That’s wise, given the very low levels of customer use for Google Wallet and PayPal’s Home Depot trial. In fact, ISIS’s expectations may still be too high, considering what happened to Chip-and-PIN, contactless in the U.S.

After all, even the hottest things in retail-chain POS today—iPads and iPods outfitted with sleds—still only handle one type of payment device: a magstriped card.

When Visa removed, at least temporarily, Global Payments from its list of PCI-compliant service providers, it reflected a subtly different position than any card brand has taken in the past. And the decision has implications for every merchant and service provider.

The PCI Council states that no breached merchant or processor has been found to be PCI compliant at the time of the breach. PCI Columnist Walter Conway has never liked that statement. It seems to be either tempting fate or challenging the bad guys. Although it stopped short of promising a safe harbor, at least the statement acknowledged the possibility of suffering a data breach while still being PCI compliant. Visa’s suspension of Global Payments has swept aside that distinction.

A two-year-old experiment at Costco to try self-checkout in a handful of stores has not gone well, with at least one Costco in Idaho pulling the systems out after finding—and attributing entirely to self-checkout—a $60,000 inventory loss in six months, said a Costco management source.

One of the problems with the Costco system in various stores was either inadequate or non-existent notification to customers when a purchase was rejected. If an item’s weight was different than expected, the system would void the purchase and not charge the customer. But many customers didn’t notice the item was rejected, so they placed it in their cart, took their payment-card receipt and left the store.