Evan Schuman's StorefrontBacktalk

PCI DSS compliance is not like the flu. You can’t “catch” it from your service provider, even though that provider might be PCI compliant. Merchants must go beyond reading the marketing materials and taking a quick glance at the service provider’s attestation of compliance (AOC). The path to PCI compliance starts with PCI-compliant service providers, but it then takes the extra step of performing effective due diligence.

This lesson has been reinforced at least three times in the past few weeks in separate PCI Security Standards Council (PCI SSC) guidance documents. One question is whether merchants—particularly small and midsize merchants—will ever hear this advice. As a QSA, PCI Columnist Walter Conway occasionally gets the impression that clients might not spend more time researching their next smartphone, laptop or sailboat than they do reviewing service provider contracts and service-level agreements (SLA). It is particularly important for merchants to realize the source of the advice. It comes not from the PCI SSC staff but from active PCI practitioners with first-hand experience.

Shoppers do the darnedest things, such as taking home packaging with attached EAS labels and then throwing it into the microwave oven. We’re not just talking about reheatable soups but about things like hamburger meat, complete with the styrofoam and ultra-meltable shrinkwrap plastic. Although the molten plastic is poisonous and smells awful, the EAS tag can catch fire. (Note: Fire, plastic chemicals, styrofoam and plenty of radiation is a recipe for a new microwave—and possibly a new kitchen.)

“Typically, people are trying to defrost beef, chicken, etc., in the original package after it is frozen and it’s difficult to remove the plastic,” said George Cohen, a spokesperson for EAS vendor Checkpoint. Checkpoint on Tuesday (Feb. 19) rolled out what it says is a microwave-safe EAS label. That may sound like a great idea, but when you’re faced with an EAS tag or label that refuses to stay deactivated, the idea of frying it in the breakroom’s microwave oven was always a nice failsafe.

On February 15, Best Buy (NYSE:BBY) put out a statement saying it had ended showrooming, and the sword it said will kill this merged-channel dragon is a new price-match program. Despite quite a few reports that Best Buy was making the price-match it launched in 2012′s holiday season permanent, the new program—set to kick in March 3—has very little in common with its holiday price-match effort. First, this program will clearly not eliminate showrooming, and Best Buy knows it. The new program cuts in half how long regular shoppers have to return merchandise for refunds, from 30 days to 15 days. The rest of the changes are making the program much stronger, eliminating many of the non-shopper-friendly elements from last year, such as making the price-matches conditional on associate discretion, limiting price-matches to appliances and electronics hardware, and even exempting all electronics accessories.

Is it a better program (other than the strange halving of the time for a return)? Absolutely. Will it likely reduce Best Buy sales lost to showrooming? Yes. Will it eliminate all showrooming losses? Of course not. And the fact that Best Buy is trying to argue it will is mind-boggling.

The PCI Council officially released its mobile payment guidelines Thursday (Feb. 14), a document that turned out to be anything other than a Valentine to retail IT execs who’d love to know the “all-clear” path to doing mobile payments and staying PCI compliant. Instead, it’s more of a pragmatic acknowledgement of the various mobile hurdles that the council sees as currently insurmountable.

The recommendations, of course, also offer the generic list of best practices for mobile device security (such as strongly encouraging full-disk encryption), which is certainly a handy checklist for chains just starting to seriously explore mobile payments. One key point of the report is to acknowledge the very complex nature of mobile systems, which have far more players than traditional fixed POS systems. For example, the report speaks of the desirability of lab validation for mobile devices and why it’s simply—and regrettably—not practical.

Some retailers sell products. Some retailers sell services. But companies like eBay (NASDAQ:EBAY), Amazon (NASDAQ:AMZN) and Craigslist sell something more—a marketplace. They are not simply a “store” but the entire mall—the downtown retail zone. If you can’t sell on eBay, Amazon or Craigslist, then, to a great extent, you can’t sell online. So what happens if you are banned for life from one of these marketplaces? A recent California Appellate Court decision substantially impaired the rights of consumers to have access to these marketplaces when the merchant/marketplace owner determines that the consumer did not follow the rules, pens Legal Columnist Mark Rasch.

Linda Genesta was a long-time eBay seller. For 18 years, beginning in 1999, she sold what she described as “high-end, high-quality, imported authentic European and American antique and vintage textiles, fabrics, pillows and trims,” Everything was fine until July 2008, when eBay allegedly removed Genesta’s items from the marketplace, alleging “unspecified ‘misrepresentations’” in violation of its Terms of Service. As a result, Genesta says, she is effectively “out of business.”

In another sign that investing in security isn’t enough, three customers of security vendor Bit9 ended up with malware in their systems. This happened after a digital code-signing certificate was stolen from the vendor—and that, in turn, happened because Bit9 failed to use its own product on some of its systems.

Never mind the physician-heal-thyself aspect of this incident (which is a little tough for us because, well, Bit9 did do exactly what it tells its customers not to). More to the point, it’s another sign that retailers need to stop trusting security and start thinking securely.

Electronic shelf tags have gone pretty much nowhere in recent years, but U.K. department store chain John Lewis is doing an interesting trial at one of its newest stores. The Exeter location, which the 39-store chain uses as a testbed for new technologies, has put in hundreds of e-paper shelf tags that will display both prices and QR codes that customers can scan to get offers and product information. John Lewis is calling this an omnichannel test, the idea being that if customers are going to have their phones out in the store, shelf tags are a good thing for them to scan.

True, there’s nothing in that part of the trial that couldn’t be done with paper tags, and that is part of what’s so interesting: Unlike a more traditional electronic shelf tag, customers won’t necessarily notice that these tags are electronic. That makes them less distracting and possibly less likely to be stolen, both of which have been problems with electronic tags in the past. In-store technology that all but hides the fact that it’s new technology sounds strange, but if it finally gets easy-to-update electronic tags on shelves—and maybe eventually into John Lewis’ 290-store Waitrose grocery chain—so much the better.

Security rules are wonderful things, and nowhere are they more needed than in retail and payment-card data. But a common criticism of the organization handling such matters—the PCI Council—is that it delivers security edicts in a vacuum, with minimal regard to how different types of merchants function in the so-called real world. Such critics were given three golden examples this month. The examples, in the areas of cloud guidance, P2PE validations and Windows XP end of life, illustrate the types of collisions that are inevitable when committees seeking ideal security approaches run into chains with razor-thin margins (or losses), workforce reductions and store closings. Put more bluntly, it’s the age-old battle of the ideal versus the pragmatic.

This is explored in StorefrontBacktalk‘s February monthly column in Retail Week, the U.K.’s largest retail publication. The column lives here at Retail Week. For those who don’t have a Retail Week subscription—shame on you!—here’s a copy at StorefrontBacktalk. You can also check out all of our recent Retail Week columns here.

Nordstrom (NYSE:JWN) is six months into a 17-store trial in which shoppers are counted by way of Wi-Fi signals from their smartphones. The 236-store apparel chain is not storing any customer personal information from the trial, and it’s only being given aggregated data on customers by the vendor handling the trial. But that vendor, Euclid, is storing hashed versions of customer Wi-Fi MAC addresses—and is also running trials for some 35 other of the nation’s 100 largest retailers. That presents what could easily become an irresistible cross-retailer mobile tracking temptation.

Two very desirable—and potentially lucrative—sets of shopper data are being captured and saved here. But the retailers and the vendor involved are all pledging to not use it. The first is cross-retailer data, which is where the vendor will recognize a shopper’s phone’s MAC address when the shopper repeatedly walks into a Nordstrom and then detect that same shopper walking into a Nordstrom competitor. How much would that rival pay for such information? The second data set: Once one of those MAC addresses makes a purchase, the chain could connect that MAC address with the payment information. Voila, instant CRM-friendly data on whenever that customer walks into a store and, with enough sensors, every aisle he or she visits and how long the shopper lingers.

Everyone knows the standard advice when someone—especially someone who works in IT—is about to be fired or laid-off, all of their passwords and systems access are shut off right before they’re told. You never know how people are going to react. Perhaps it’s time to expand those HR termination rules to also cut-off access to all company social tools, including Facebook (NASDAQ:FB), Twitter, Google+ (NASDAQ:GOOG) and LinkedIn (NYSE:LNKD). That’s a rule 257-store British entertainment chain HMV probably wished it had.

In late December, the chain was in the process of telling employees about extensive layoffs when one of those employees—someone who had password access to the company’s Twitter feed—began sharing her thoughts, such as: “Sorry we’ve been quiet for a long time. Under contract, we’ve been unable to say a word or, more importantly, the truth.” Then this matter-of-fact tweet: “We’re tweeting live from HR where we’re all being fired. Exciting.” One of her last tweets before all tweets from the company went silent was this delightfully predictive one: “Just overheard our Marketing Director (he’s staying, folks) ask, ‘How do I shut down Twitter?’” The best ideas always seem to come just a little too late.

The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. The guidance document begins with a simple statement: “It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud.” Using the phrase “particularly challenging” communicates that a merchant’s PCI compliance will be easier or harder depending on the chosen cloud deployment model, pens PCI Columnist Walter Conway.

One gem tells retailers they need to “obtain the details of the CPS’s [cloud service provider's] compliance validation.” This is the first official guidance that tells merchants to go beyond asking for the attestation of compliance (AOC). The guidance suggests merchants review “The Executive Summary and Scope of Work sections” of the CSP’s report on compliance (ROC) and the “specific components, facilities, and services that were assessed.” Securing a copy of the current AOC for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP’s assessment, which is not sufficiently detailed in the AOC. The SIG recognized this situation explicitly with its recommendation.

Amazon’s newly issued patent for reselling digital goods raises some interesting concerns. The least interesting: Holy cats, Amazon has patented the idea of selling used e-books! (No, it hasn’t.) Much more intriguing: What happens when many retailers have their own online digital resale shops? To resell or give away that digital copy of Nineteen Eighty-Four I bought from Walmart (or Barnes & Noble or Target), will I have to get the original retailer involved?

Short answer: apparently so. And with digital content a potential CRM goldmine, more chains may soon start selling digital books, movies, music and audio books—which could get very sticky, for both customers and retailers.

When the PCI Council rolled out its cloud computing guidelines on February 7, one element—dealing with introspection—has been heralded as sound practice while being slammed as unrealistic and impractical. The problem speaks to the very nature of clouds.

In private clouds, retailers can demand unlimited data about their environments; shared cloud providers, meanwhile, simply cannot reveal information about other cloud residents. That very well may mean shared cloud vendors will simply not be able to provide enough information for a retailer to become PCI compliant. Does the council then ban shared clouds—as some have expected—or impose requirements on retailers that they may be unable to fulfill? The guidelines—which are not edicts from the council (yet) but, indeed, are solely guidelines—fairly describe the various types of cloud offerings, from the private cloud to the various shared options: community cloud; public cloud; and hybrid cloud. Although acknowledging that retailers may have limited control of the environment and the information in a cloud model, the council still places demands on the information gathered for PCI compliance.

For the past two years, the Payment Card Industry Security Standards Council (PCI SSC) has been taunting merchants with offers of a specialized (and simplified) Self-Assessment Questionnaire (SAQ) for those using “validated P2PE” approaches. At first, the council told merchants to wait while it drew up plans to validate the products. Then—finally—seven months ago, PCI SSC released its standards and told merchants to go right ahead and pick one of these validated options. There’s only one problem: As of Thursday (Feb. 7), the council hadn’t validated any.

That’s right. Seven months after the standards were released and nearly two full years from its initial announcements on the matter, the PCI SSC has yet to validate a single P2PE vendor that can offer the promised scope reductions and a simplified SAQ to merchants. Why? Well, quite frankly, pens GuestView Columnist J. David Oder, because the council designed the wrong standard.

On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say “no,” but the California Supreme Court says “yes.” Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse—for both online and offline retailers, pens Legal Columnist Mark Rasch.

In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information.

Chains are still inching toward making their mobile apps genuinely useful to customers, but at least they’re doing it in more technically useful ways. On Monday (Feb. 4), Walgreens announced a new application programming interface (API) that should make it easier for mobile app developers to deliver all sorts of prescription refill information to users, at least if Walgreens is willing to provide it.

Unfortunately, what this API currently does is pretty primitive: It accepts a prescription number and then reports back to the app that it has (or hasn’t) successfully requested a refill. Just the fact that there’s an API is a big step forward, because it means Walgreens can extend that API without breaking any apps that use it.

The California Supreme Court on Monday (Feb. 4) ruled that online merchants have the right to ask for Zip code and other personal information about shoppers who buy electronically downloadable products, but physical retailers do not. Given the clout of the highest court from the country’s largest state making such a ruling—which, in turn, makes it very likely that other states will follow—this decision could sharply change CRM and POS strategies.

Such changes are especially likely because the court did not impose any restrictions on how retailers can use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting fraud. The ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location. The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court’s Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.

The NRF and the Electronic Payments Coalition (EPC) have launched what is essentially a flame war over the swipe surcharges that are allowed under the interchange settlement as of January 27. NRF launched the first broadside, calling surcharges a “ridiculous concept” and deriding “propaganda” suggesting any retailer would use them. EPC fired back on Tuesday (Feb. 5), calling NRF’s statements “false and misleading.”

This isn’t complicated—the retailers most likely to adopt swipe-fee surcharges are the ones currently offering discounts for using cash, and that group doesn’t include most big chains. But NRF is also fighting the interchange settlement and EPC is supporting it, which goes a long way to explain some otherwise pretty incomprehensible flaming.

Amazon has cut another distribution-center-for-sales-tax deal, this time in Connecticut. On Monday (Feb. 4), the E-Commerce colossus said it will be building a DC in Connecticut and will also start collecting sales tax from Connecticut customers—but not until November. (“Hey, we’re Amazon. We could do it tomorrow. But just to show you who’s running this show, you can wait nine months.”)

That’s all in line with Amazon’s recent delay-and-get-concessions approach to sales taxes. But the point of the exercise was always to give Amazon more flexibility when it comes to delivery—and with 16 states now potential locations for Amazon DCs, it may already have almost everything it needs. Amazon’s deal-cutting days may be almost over.

PCI DSS has two sunsets coming up. The first is the well-documented end of PA-DSS v1.2 this October. The second, and equally significant, sunset is Windows XP’s end-of-life just a few months later, and this event may have an even more direct impact on retailers. The demise of Windows XP will challenge retailers with POS or other payment applications running in that environment. These retailers will fall into one of three scenarios. How they choose to address the situation will affect their PCI compliance and, more importantly, their security. There may even be a little fallout for the PCI Security Standards Council (PCI SSC) itself, pens PCI Columnist Walter Conway.

On April 8, 2014, about 14 short months from now, Windows XP will reach the end of its life as an operating system. That means that starting on April 9, 2014, Microsoft will no longer market, support or provide regular security patches for that operating system. Retailers with POS or other payment systems running on Windows XP after this date will, therefore, no longer be PCI compliant.

Duane Reade, the largest drugstore chain in New York City, announced on Tuesday (Feb. 5) it would be trying an unusual mobile effort: It is participating in an elaborate Google mobile-fueled virtual reality game. At one level, this is just silly fun. But from a retail mobile perspective, a lot more is going on here. The game, called Ingress, is from Google’s Niantic Labs and involves hiding barcodes throughout the stores. From the chain’s perspective, is it about getting shoppers to walk inside its 250 stores? No, although the game certainly does that. Is it about getting shoppers to not merely enter but have to go deep into the store, searching through shelves of products to find the game barcodes? Yes, but that’s not the biggest element.

The real payback for Duane Reade, owned by Walgreens, is about changing customer mobile behaviors. In English, that means getting shoppers comfortable with scanning barcodes and interacting with the resultant data. It will increase participation in more explicit mobile programs. This will mean more price comparisons—which Duane Reade is confident it will usually win—and, soon, it will soften resistance to mobile payments.

A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don’t give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of smartphone users surveyed have used PayPal, six times as many as runner-up Google Wallet) was something we’ve heard often enough: 47 percent say they’re concerned about “security/safety/theft/loss of phone” with digital wallets. To its credit, the ComScore report on the survey does point out that consumers don’t seem to understand the added security that digital wallets provide. (A real surprise: 29 percent say they have no mobile-wallet concerns.)

But we never see surveys that ask consumers “What concerns, if any, do you have about using a plastic credit or debit card to make purchases?” What percentage would say they’re worried about losing the card or having their wallet stolen? Without that, we don’t know if a question about mobile wallets means anything at all. If most consumers do fret about the risk of a stolen magstripe card but use it anyway, that’s clearly not what’s holding back mobile payments. Our theory: Consumers don’t actually care about security at all. Now will somebody please deliver numbers to prove us wrong?

As the online (and mobile) leader by a very wide margin, Amazon certainly generates a generous share of envy and hatred from E-tailers and retailers alike. They all quietly celebrate every Amazon misstep and piece of investor pain—except one. When Amazon has an outage and the E-Commerce king is trying to convince everyone that the site was not the victim of a D-DOS attack, every rival is in its corner.

On Thursday (Jan. 31), Amazon was down for about 49 minutes, which is certainly a notable event. One cyberthief group tweeted responsibility, claiming “we used a 7kbotnet running hoic 100 threads each. 80servers in botnet and a 16gbps booter.” Does it make much of a difference whether the outage was caused by an internal IT screw-up, an unexpectedly huge number of shoppers looking at a specific sale or an outside malicious group? Absolutely.

Restaurant reservations Web site Open Table just paid $10 million to purchase the app developer Foodspotting, which enables people to take pictures of, well, food. The idea behind the synergy is that consumers looking to make reservations can not only read the menu but actually see the food presentation “in the real world” by looking at pictures taken by bona fide customers.

This continues a trend of technology empowering consumers, observes Legal Columnist Mark D. Rasch. It’s also a way for restaurants and other retailers to get themselves into real legal trouble if they’re not very careful about how they identify their use of this type of social technology.

When JCPenney very publicly and very aggressively embraced a chain-wide, all-product item-level RFID strategy—with the promise of a full rollout by February 1 (2013)—executives cited supply-chain savings as a key driver. The chain has now reversed course, killing much of the RFID program to save money. When a chain is under this much financial pressure, a little savings today is a lot more valuable than a lot of savings down the road.

But of much greater significance is the digital domino effect. In this case, JCPenney was building its in-aisle checkout on the premise that it had item-level RFID fully in place. And if remodeled stores have dramatically scaled back the number of cashwraps (because customers would be doing in-aisle checkout), does that mean all those customers will have to line up for the limited number of cashwraps? That’s not going to be pretty—presuming JCPenney can actually get enough returning customers to make it a problem.