Comments for StorefrontBacktalk

Comment on MasterCard Aims To Take Mobile Wallet Rivals Apart by Adrian Lane

Adrian Lane — Tue, 15 May 2012 17:19:18 +0000

Frank,

Could you please validate the use of tokenization in the wallet’s payment scheme? I’m looking at the wallet API and there is no mention of tokenization, only OAUTH identity tokens.

-Adrian

Comment on P2PE: No Cakewalk for Merchants, But There May Be No Alternative For Reducing Scope by Jaime

Jaime — Mon, 14 May 2012 18:05:43 +0000

Walt, what are your thoughts on the applicability of P2PE to merchants who process using a mobile phone application with a swiper? I’ve asked a few QSA’s this question and feeling seems to vary on whether a compliant POI device connected through the phone to a compliant gateway, etc. would allow the merchant to qualify. The crux of the conflict seems to be whether the phone remains in scope as part of the processing environment, or if it can be considered removed because the data is encrypted while being passed to the gateway through an app or the browser.

Comment on “Careless” Systems Integrators Now Directly Under PCI DSS by Walt Conway

Walt Conway — Sun, 13 May 2012 23:45:29 +0000

@Cory: Thanks for your comment and question about the pricing of the QIR training. I raised that question in a conversation with Bob Russo last week, and I will address it in a follow-up column in a few days. While the pricing is not yet set, hopefully it will not be too great a burden for you or other integrators/resellers. We’ll have to see, though.

@Christine: That is an interesting point about employee poaching. I wonder, though, if it isn’t any worse that we have today with listing QSA and ASV employees, or even all the other online social/professional media sites. Wouldn’t it be great — especially for retailers — if we ended up launching a race to the TOP instead of the other way around!?!

Again, thanks for the thoughtful comments (and the emails, too, from the rest of you).

Walt

Comment on Considering An Operations Person For An Open IT Position? Don’t Do It by Chris

Chris — Sat, 12 May 2012 13:57:06 +0000

This post touched a personal pain point I am going through right now. Very insightful, and worthy of a book.

I have an ops mentality but have worked directly or indirectly in IT for over 30 years. I think, naturally, young people and/or go-getter personality types are, by nature, “operations” types. However, as responsibility, experience, and maturity increases, people who may even be naturally “ops-oriented” can and should make the transition to an “IT” mentality like that you describe above.

My boss is, by background, an “operations” person who never had a strong technical background or interest. Very smart, and capable when focused, but not that turned on by learning the intricacies of “how stuff works.” In other words, despite over 20 years in the “IT” industry, still fixing tractors in the field.

As a person who, by training, natural interest, and experience, has transitioned from “ops” to IT, especially given my responsibilities for preventing the failure of deployed IT systems, I continually butt heads with my “ops” boss. It has negatively impacted my health, my demeanor, my sense of satisfaction with my career field. This insightful post provided a glimpse of understanding into why, in a small org with no “IT” mentalities, I was increasingly ostracized for recommending caution, greater examination of risks, and “go slow” approaches to deploying systems on the Internet that had not been sufficiently tested (i.e., not at all with regard to security).

PCI DSS, although at first seen as an unnecessary burden even by myself, has forced the “ops” people in charge at too many organizations deploying web-based tools and services into the light of day. Sadly, I think far too many decision-makers, both business and “IT”, lean towards “ops” rather than reasonable approaches to risks and rewards. Those that can and have read and recommended fixes to get in compliance with PCI DSS likely find themselves ridiculed, demeaned, and ostracized as the self-congratulatory “ops” people charge forward with “innovation” and highly visible new services.

Thanks for writing this article. Helped put a logical framework for seeing the dynamics that I, and probably many others, are caught in the middle of.

Comment on “Careless” Systems Integrators Now Directly Under PCI DSS by Christine

Christine — Fri, 11 May 2012 17:06:33 +0000

The ETA recently launched the Certified Payment Professional program, which charges $425 for non-members to take the test, assuming they meet the ‘experience’ requirement, to PROVE they are a professional. And they’ll have to take it every 3 years. Worthy program, but high cost. Plus, only a select few were allowed to be in the first class, and there are only 4 test windows per year currently. So being on the registry simply means, you were lucky enough to get picked, nothing to do with skill level. Will this be the same? It’s almost like getting a new tax for each segment in the industry.
I suggest a low cost- say $35- to take an online exam or to get an exemption based on other credentials, and $35 would then cover administrative costs.
One final point- I have strong reservations about the ‘individual’ certification and posting of that information for merchants. Can you imagine the potential employee poaching that might occur? The implications when competitors can look up how many are certified with each of their competitors? This digs into ‘trade secret’ information, don’t you think?

Comment on “Careless” Systems Integrators Now Directly Under PCI DSS by Cory

Cory — Wed, 09 May 2012 12:25:41 +0000

Although this is a great move forward in pushing the issue of highly trained people, it is also a good marketing ploy for the council. It begs the question: How much do they stand to make? The problem for this is that for people (like myself) that are just starting out their own business venture, PCI has typically charged a premium for their training and certifications. This change will likely force those of us with less capital to spin into the abyss. I have more than 15 years in the security and compliance fields with heavy hitter certs like CISSP, CRISC, and Sec+.There should not be a guide but a free test or a pre-requisite of either the PCI cert OR other heavy hitter certs. I just don’t want the good guys in small places to get flushed out.

Comment on Walmart’s Online Cash Creates New Fraud Problem by ed

ed — Tue, 08 May 2012 14:01:59 +0000

Wal-Mart pay-with-cash for online orders is a big benefit for resellers and suppliers versus reselling their products through eBay or Amazon.com.

A startup supplier or product manufacturer no longer need to meet Wal-Mart strict specifications and minimum order requirement to stock products for sale in-store. They can now market throught Wal-Mart.com to a bigger crowd that can also pay with cash and use Wal-Mart expansive logistic system to deliver just-in-time.

Comment on “Careless” Systems Integrators Now Directly Under PCI DSS by Walt Conway

Walt Conway — Sat, 05 May 2012 05:20:49 +0000

Thanks for your comments.

Kat: I guess timing is everything!

Nathan: Actually, the QIR program has a lot to do with the DSS (or PCI). Since merchants rely on their reseller or integrator to implement their PA-DSS validated application, these resellers and system integrators play a critical role in merchants achieving and maintaining PCI compliance. As far as I can tell, the QIR program is designed to help merchants stay compliant by making sure their payment applications are installed according to the PA-DSS Implementation Guide, for example ensuring default passwords are changed (and protected), that the data encryption keys are properly set and secured, that the merchant’s data retention policy is set, that no sensitive cardholder data are stored, and often that a firewall is in place and properly configured.

Right now, a good reseller or integrator will make sure the payment application is installed and maintained securely. However if your reseller or integrator does things like install the wrong version, fail to implement security patches, use the same password for all their customers, or retain sensitive cardholder data, then the merchant is vulnerable to a damaging security breach that could potentially put them out of business. BTW, if you don’t believe this can and has happened, see here: http://storefrontbacktalk.com/securityfraud/retailers-suing-card-processor-questions-raised-as-to-where-pci-duties-stop/ or here: http://storefrontbacktalk.com/securityfraud/when-it-comes-to-pci-compliance-
franchisors-are-screwed/ .

As I said in the column, as a QSA I am a big fan of the QIR program. It is not a panacea for merchants, nor is it a silver bullet. But it can be one step to helping small and medium sized businesses (including franchisees) continue to stay in business and operate in a secure manner. And after all, that is really the purpose behind PCI.

Walt

Comment on “Careless” Systems Integrators Now Directly Under PCI DSS by Nathan

Nathan — Fri, 04 May 2012 14:35:53 +0000

Good article, but how does this have anything to do with the DSS?

Comment on “Careless” Systems Integrators Now Directly Under PCI DSS by Kat Valentine

Kat Valentine — Thu, 03 May 2012 20:08:19 +0000

Walt,

Great article. This exact issue has been bothering me for years, and I was JUST talking about it with someone only yesterday. This may well be my favorite article from you, mostly because I’m biased and have hated this particular problem forever. Keep up the good writing, kind sir, and keep those insights coming.

-KJ Valentine

Comment on Macy’s, Amazon CFOs Say The Darndest Things by Evan Schuman

Evan Schuman — Thu, 03 May 2012 18:17:40 +0000

I understand your concern, Andy, but in this instance, I just don’t see that they were trying to mislead anybody. The point of his comment is that Amazon has a lot more experience dealing with processing tax issues than most think. And, assuming these global numbers are true, that is a fair comment. He didn’t try and portray these numbers as U.S. only. Also, five states is not a trivial figure. The experience of dealing with those five states is quite likely to prepare them for handling all states. Misleading is a very common pastime in retail but in this case, there’s nothing here to suggest that Amazon’s CFO (at that moment) was trying to do that.

Comment on Macy’s, Amazon CFOs Say The Darndest Things by Andy

Andy — Thu, 03 May 2012 17:55:53 +0000

Amazon only collects state sales taxes today in five states. The comment from Amazon CFO Thomas Szkutak is misleading because he is factoring all overseas sales in, and they must collect VAT taxes in Europe. Their collection percentage is miniscule in the United States and they are using this 50 percent number to mislead the public.

Comment on Wacky Legal Idea: Using Class-Action Lawsuits To Gather CRM Data by Marketer in Toronto

Marketer in Toronto — Thu, 03 May 2012 17:26:23 +0000

Mark, I wholly subscribe to your theory.

In fact, many car manufacturers will orchestrate ‘recalls’ as a measure for getting people to attend at their local dealership to complete the recall work, and anything else that can be suggested or done at the time. (We all have minor maintenance matters that need to be done but are not important enough to create a priority)

The recall notice turns everything into a priority. (We don’t want the flux capacitator to blow up and catch fire!)

Of course, prima facie, a recall notice may suggest that the manufacturer’s workman ship was shoddy, or it’s product inferior, however most people actually perceive a recall notice as the company putting customers ahead of profits.

Turning a positive into a negative should be every marketers goal.

Comment on The Privacy Triple Play: Digital Giftcards Using Facebook Data And Geolocation by Thad Peterson

Thad Peterson — Thu, 03 May 2012 13:00:03 +0000

This is a really interesting idea that portends a really powerful trend toward linking publicly available personal information with transaction data to deliver perfectly relevant offers in the right place at the right time.

Privacy will be an issue forever but my guess is that the power of relevance will overwhelm consumer concerns about privacy. After all, that’s what Facebook is all about.

Comment on Wacky Legal Idea: Using Class-Action Lawsuits To Gather CRM Data by danjahRoss

danjahRoss — Thu, 03 May 2012 03:23:51 +0000

the ever true “bad publicity, good publicity – still publicity” right?

Comment on Turning Back Office Into A Game, IT Style by ed

ed — Thu, 26 Apr 2012 15:04:18 +0000

Gamification could replace the generic “employee discount” program and reward store credit to employees based on accomplishing defined objectives.

Comment on With IBM’s POS Sale, History Really Does Make A Difference by Michael Koploy

Michael Koploy — Thu, 19 Apr 2012 15:47:54 +0000

Great stuff, Greg. As the importance of hardware seemingly decreases, I wonder if other providers make similar moves in the near future.

Comment on With IBM’s POS Sale, History Really Does Make A Difference by Jeff Ketner

Jeff Ketner — Thu, 19 Apr 2012 15:34:05 +0000

Great analysis, and I agree that mobile is one of the huge disruptive trends that are hastening the demise of the traditional POS business. Margins were already razor-thin,and with demand declining rapidly, it’s a tough time overall for traditional POS hardware vendors.

Comment on Wal-Mart MoneyCard Break-In Offers Lessons For New Payment Tactics by ed

ed — Thu, 19 Apr 2012 14:24:14 +0000

Whoa, this is major and have widespread implications not only to GreenDot and Wal-Mart but the whole Visa/Master prepaid card industry.

Sounds to me like hackers overseas are calling in these prepaid account phone banks with random prepaid credit card numbers (they likely don’t need to know the number) and can tell once it has been open. Once they can validate a prepaid card number was open, they can start spending in less than 30 minutes. The fast turnaround time indicates this may be an automated dialing script run on multiple computers worldwide.

This has widespread security implications throughout the whole prepaid industry as many low-income people and expats are putting their cash into these prepaid cards for remittance purpose as well as spending.

Comment on KFC Learns The Dangers Of Social Media Empowerment by A reader

A reader — Thu, 19 Apr 2012 12:59:44 +0000

A couple years ago, the U.S. Secret Service had a similar incident where an unfortunate agent tweeted something like “Assigned to monitor Fox News. Can’t. Take. The. Blathering.” The Secret Service moved quickly to limit who was permitted to publish on social media sites. Some companies have gotten ahead of this by publishing social media usage guidelines. But don’t lose heart. We’ll no doubt see more amusing gaffes in the future.

Comment on With IBM’s POS Sale, History Really Does Make A Difference by Rick Legue

Rick Legue — Thu, 19 Apr 2012 11:24:25 +0000

Excellent analysis. It would appear that a huge challenge to IBM POS System users will be, how to maintain the integrity of the IBM POS platform they have installed. How long willl the existing models be available before changes are made? Standardization within the store would appear to potentially be in jeopardy. As stated, one of the biggest changes in the POS landscape in history. The market for used, refurbished IBM POS equipment may have just grown exponentially!

Comment on Best Buy’s Last Hope: A Radical Reversal On Customer Service And Credibility by Todd Michaud

Todd Michaud — Wed, 18 Apr 2012 19:53:50 +0000

I am surprised that the fact that Stephen Gillett being named EVP of Global Business Services hasn’t gotten more attention. As the former CIO and Head of Digital Ventures for Starbucks, Stephen has a great track-record of disruptive innovation and is just what Best Buy needs.

Comment on Visa Yanks Global Payments’ PCI Compliance. Catch-22 In Full Force by Steve Sommers

Steve Sommers — Mon, 16 Apr 2012 16:38:46 +0000

This begs the question, how does this decision by Visa affect Third Party Processors (TPA’s)? Our TPA agreement has wording to the effect that we can only send CHD to PCI compliant processors and banks. Now that Visa has deemed GPS non-compliant, are we breaking our TPA agreement by allowing our customers to continue using GPS?

Comment on New Jersey Giftcard Law Is Much More Complicated For Retailers Than Even Its Critics Believe by Steve Sommers

Steve Sommers — Fri, 13 Apr 2012 16:59:11 +0000

New Jersey is not as unique as this article makes it sound — at least not with the issues. You mention other states have escheatment laws but imply they don’t have these issues, but they do. I guess this article is focusing on the zip code collection issue, but most, if not all the other issues you mention exist in these other states: What if it bought out-of-state via web, bought out-of-state but picked up in-state, etc.

Texas, Florida, California, and many others have escheatment laws. Now if you really want to get confused and have a craving for bureaucratic red tape, analyze California where they have escheatment laws requiring funds to go to the state within a certain timeframe but also require never-expiring gift cards that merchants must honor forever — all with no fees (assuming certain amount thresholds and other stipulations).

Comment on Apple, PayPal Enjoy Unchartered Mobile Payment Legal Issues by Fred

Fred — Fri, 13 Apr 2012 02:46:20 +0000

and if you don’t believe it, you might not know that the English police already regularly access data about a user’s “Oyster Card” which is the stored value card of the London Underground and bus system.

Comment on Appellate Court Limits Computer Fraud And Abuse Act by Chet Uber

Chet Uber — Fri, 13 Apr 2012 01:50:27 +0000

The court is correct, Rash is correct. Employers should do what their Security consultants should have told them to. Banners that clearly state you have NO EXPECTATION TO ANY RIGHT OF PRIVACY and company computers are NEVER TO BE USED FOR ANYTHING OTHER THAN company work. In order to make this easier, we Company X have conveniently places a Wireless Access point in the lunch room the password is available from your Supervisor, and three (3) machines are available for sharing – 10 minutes at a time – please be curtious of those with legitimate emergency reasons; and any illegal activity on the break room network suffers all the same punishments as those machines located at your desk. Be clear, be stern. Be human. Employees will appreciate it, you can with most RBUC software manage the sharing time without thinking about it twice. Blacklist as you would your small children. You will find the bill for .25 hours in your Counsels in box, my rate is $250/hr. Keep it out of the court, don’t change the law. This is solely an employee/employer relationship that should be cordial, fair and use inexpensive monitoring gear and add it to though that monitor for exfiltration of TRADE SECRET and other documents or your firewall manager. It can be done with open source and a geek or money.

Comment on New Jersey Giftcard Law Is Much More Complicated For Retailers Than Even Its Critics Believe by Kevin Thompson

Kevin Thompson — Thu, 12 Apr 2012 12:51:44 +0000

A lot of good questions here. However, as I read through NJ’s law, I didn’t see anything that required the merchant to drain the remaining value of the card after 2 years. The merchant will have to pay that amount to the state, but can opt to leave the balance on the card (and should in the name of customer service). If the customer comes back after 2 years and uses the card, then the onus is on the merchant to fill out the form and recoup from NJ.

Comment on Scanning Fruit At Checkout Looks Clever, But Will It Actually Save Anything? by Aaron

Aaron — Thu, 12 Apr 2012 02:26:05 +0000

I saw similar technology demonstrated at a “store of the future” display at NRF – in 2004.

Comment on Starbucks Reports 26 Million Mobile Transactions, A Good Sign Of Consumer Mobile Comfort by Merchant Account

Merchant Account — Wed, 11 Apr 2012 23:11:34 +0000

Starbucks Mobile Pay is linked to a prepaid card and I, as many others, just don’t want to be using such cards. There is no reason anyone who can get a credit card should use a prepaid one, which has no effect on your credit score and gives you no rewards. Moreover, why should I get any payment card, which can only be use at Starbucks? If I did that, I should probably do the same for Whole Foods, Trader Joe’s and many others? Where would that end? It simply makes no sense to me.

Comment on Costco Self-Checkout Trial Setback After Store Losses by ed

ed — Wed, 11 Apr 2012 13:19:34 +0000

For self checkout, item-level RFID or unique barcodes plus real-time tracking appears to be the missing component. Mail delivery companies use real-time tracking of mail with a barcode and assure delivery at a certain time. The public library embed books with RFID and track them through checkout. Retailers and SCO manufacturers are going to have to accept the fact they cannot rely on UPC and really need an item-level identifier that tract that specific product as a unique item from shelving to checkout.

Comment on Costco Self-Checkout Trial Setback After Store Losses by Ann Grackin

Ann Grackin — Tue, 10 Apr 2012 17:52:26 +0000

Another angle on the challenges with self checkout which may come to the retail scene in the next year is the tap and go/NFC smart phones. Though these are all the rage in Japan, we have yet to adopt them in the U.S.. But that will change as the new phones emerge with the chips embedded this year. And the new demographic want to use this type of technology. A large retailer told us that NFC phone customers are getting their identities stolen, even though the self check-out requires proximity– and they do not want to take responsibility for this occurrence in their stores, on their premises. So although they like the idea self check-out they are still experimenting with various approaches.

Comment on Costco Self-Checkout Trial Setback After Store Losses by Evan Schuman

Evan Schuman — Mon, 09 Apr 2012 15:28:01 +0000

Editor’s Note; The vendor that Mark was referencing is IBM. His point is that other systems make it easier for any weight mismatches to require associate intervention–just like with alcohol or cigarettes or any other age-restricted item–rather than a more passive flag to the customer that the item was excluded.

Comment on Want To Finally Move Beyond Magstripes? Fix The PIN Pad by Joe

Joe — Mon, 09 Apr 2012 14:34:48 +0000

Until there is consistency in how these devices act in a large number of retailers, consumers are going to struggle with changes. There are so many devices out there today that most consumers are not sure how each type works.

Comment on Costco Self-Checkout Trial Setback After Store Losses by Mark Scherer

Mark Scherer — Mon, 09 Apr 2012 13:43:18 +0000

Not all self checkout works this way. One self checkout vendor is designed to work this way and it leaves a gaping security problem that can create this situation. There are 3 predominant providers of self checkout in the U.S. and this represents the lowest installed base provider of the 3 and their market share continues to shrink from reports I have seen.

Comment on Visa Yanks Global Payments’ PCI Compliance. Catch-22 In Full Force by Biff Matthews

Biff Matthews — Fri, 06 Apr 2012 17:56:29 +0000

PCI, TSA, IRS – obviously none of these functions as intended or as promoted. I’ve said it before and I say it again, hackers are free of personnel, budget, expertise, infrastructure and time constrains. Nothing, NOTHING, is ever fully safe. Visa and its attorneys simply choose to hide behind the false sense of security of the PCI veil. Truth be known, Visa has probably been hacked. Anyone see the similarities between VISA and the wizard of OZ?