|
GuestView Columnist Joel Weise–the chief technologist for Sun Microsystems GSS Security Program Office–argues that although there are many qualified security assessors (QSAs), “a few who simply do not have the background and expertise in systems security manage to distort the original intent of PCI.” “A good QSA would ask not only if an antivirus package existed or if a firewall appliance was installed or if a unique user ID policy was followed, but also how these were designed, architected, implemented, configured and monitored,” Weise wrote. “A good QSA would ask to what security policy must applicable operational procedures adhere and whether anyone looks at the alerts and logs generated by the antivirus or firewall products.” Read more. |
When an order processing snafu shut down the delivery operations of one of the U.K.'s largest grocery chains, the $38 billion retailer acted starkly different than the typical U.S. retailer. The London-based 823-store Sainsbury's grocery chain immediately issued almost a half-million dollars' worth of vouchers.
A new Retail Systems Research report is challenging the way retail IT looks at application development backlogs. The report is based on a survey showing that some 79 percent of retailers have appdev backlogs of at least a year, with one-fifth of those hitting delays of more than two years.
The conventional wisdom has held that China is not likely to embrace E-Commerce, because of the Chinese aversion to credit payments and fears of piracy and poor quality products. But a Forbes story this week makes a powerful argument that E-Commerce—and a credit-card lifestyle in general—will be coming to China very soon and in a big way.
Although the question of RFID safety has been debated extensively over the years, with conflicting study results, a major new medical study released this week points to very specific electromagnetic dangers within nine inches of the transmitter.
In one of the first wide-scale studies of SMS' capability to hold up under volume pressure, the technology fared "surprisingly" poorly, according to Keynote Systems. This has particular significance for retailers, who are exploring the technology's use for mobile communications connecting to both online and in-store.
A U.K. company is pushing retailers to use voice-recognition to authenticate purchases over the phone and online. The Voice Commerce Group's Voice Transact package has consumers call the service, quote a pre-arranged product code and then a series of digits dictated by the automated system. 
A federal appellate court backed a group of retailers Monday (June 23)—including Best Buy, Circuit City, Costco and Lowe's—by ruling that their gift card systems do not violate any patents.
Internal audit is not staffed to enforce PCI at the store level, argues GuestView Columnist David Taylor. Except for about a dozen leading retailers, most retailers do not have enough IT-skilled internal auditors to meet the requirement for a "continuous" review of store-level IT security.
Wal-Mart and a handful of others have been trying to do green the right away, with policies that will have a significant environmental impact and that also improve operations.
When Oracle finally introduced its Retail 13 integrated suite this week, after three years of acquisition and integration, the teams working for the world's largest enterprise software vendor might have breathed a sigh of relief.
After three years of acquisition and integration, Tuesday (June 17) saw the official launch of Oracle's Retail Release 13, consisting of some 33 retail applications, only four of which were new. The rollout was billed by Oracle as the be-all and end-all of end-to-end integrated retail application suites, but some analysts said the integration was lacking.
Are European retailers going to have any better luck than American retailers with consumer-facing biometric payments? The 750-store Albert Heijn supermarket chain, the largest such chain in the Netherlands, is about to find out.
The Moodys Investor Service has upgraded how important a retailer's E-Commerce activity is when assessing that retailer's overall economic health. Although this isn't a radical change for the financial firm—and the thought that E-Commerce is important is hardly surprising—it's one of several recent moves suggesting that the young teen-age Web is starting to be taken a wee bit more seriously.
North American self-service transactions will process $607 billion this year, a figure that is projected to soar to $1.7 trillion by 2012, according to report published Wednesday (June 18) by the IHL Group. When IHL began work on the report, "I did not expect the acceleration that we're seeing in the out years," said IHL President Greg Buzek. "I did not expect how fast it's growing."
One of the repeated arguments made in retail data security circles is that retailers tend to have much weaker security because it's not as much of a cultural priority as, for example, banking. So it's a little bit consoling that the latest ATM databreach is apparently not the result of a retail breach, not the result of social engineering and the trusting bank clerk, but is the first proven incident of a bank server's breach linked to ATM fraud.
A surprisingly large number of major retailers today are using inhouse or outsourced payment gateways to reduce the scope of their compliance effort as well as their costs. At some point in the last decade, nearly every organization involved in electronic commerce did an evaluation of payment gateways. So, what's changed?
One day after lawyers presented a proposed settlement in the Ameritrade 6.2 million-customer data breach, a U.S. federal court judge tentatively rejected the settlement (on June 13), questioning the value of the deal for the consumer victims and the size of the $1.87 million attorneys' fees.
A pair of unrelated reports out this week are challenging several fundamental IT security assumptions, including that data breach laws will reduce consumer losses and that insiders account for more thefts than external evil-doers.
Just in time for Friday the 13th, Oracle is finally ready to unveil Oracle Retail V 13, with a formal rollout slated for Tuesday (June 17). Oracle's main retail suite is not expected to undergo any radical changes (even the name change is expected to be slight); it's mostly claims of better integration and interoperability.
E-tailers in continental Europe are just now starting to get hit by slower growth, but they are still shining much more brightly than their U.S. counterparts, according to new figures from eMarketer.
Two incidents this week show how much less respect is paid to the online consumer than the brick-and-mortar one. Does the inherent anonymity in the Web cut both ways? Like the site visitors emboldened by their namelessness who post comments and get into flame wars that they would never have the nerve to try in person, are E-tailers treating their customers with a disrespect that they would never dare consider in a physical store?
For the second consecutive workday, Amazon.com suffered a major crash on Monday (June 9), with the increasingly unlikely scenarios explaining why the historically robust site is failing.
E-Commerce leader Amazon.com completely crashed for almost three hours on Friday afternoon (June 6), with one Web site performance tracking firm attributing the crash to excessive site complexity.
When Best Buy launched a Spanish version of its site last fall (2007), E-Commerce officials quickly noticed unexpected activity, such as customers spending twice as much time on the Spanish site.
Note to retailers looking to offer free Wi-Fi: It's a good idea to first make sure you can make the offer. Starbucks discovered that an offer of two hours of free Wi-Fi a day simply wasn't working. "Due to overwhelming interest in Card Rewards we are currently experiencing difficulty accessing Starbucks Card accounts. We are working to fix the problem and ask that you please try again later," said a page shown to site visitors.
The Meijer department store chain—with 182 stores in Michigan, Ohio, Indiana, Illinois and Kentucky—is getting creative with its Web site, food recipes and online coupons.
New York State has started pushing to collect sales tax from e-tailers that have no physical presence in the state, prompting Amazon and Overstock to fight back. But all e-tailers are hoping against the odds that other states don't pull the same revenue-generating attempt. If New York gets legal greenlights, several more states will quickly mimic its efforts, leading to a flood of almost every state within two years.
Welcome to E-Commerce Semantics 101. Your philosophical question for the day: When is a site truly mobile-friendly? Mobile commerce today is in that familiar classic battle of Chicken.com versus Egg.com: Retailers know the mobile users are out there, but they also know that few are trying to use the devices for making purchases.
The worst performance grades were given to Foxnews.com, IGN.com, Gamespot.com, CNN.com, Break.com and ESPN.go.com. The best performance grades were given to Google.com, Live.com, Orkut.com and Craigslist.org.
GuestView Columnist David Taylor asks: What would you do if one of your employees decided to leverage your brand and set up a little side business inside your store, including selling products via an E-Commerce Web site, setting up a merchant bank account and taking credit cards? You'd probably fire the person, right? But, what if you couldn't?
Computerworld columnist Frank Hayes has a wonderful column out about why the Wal-Mart RFID effort is still having problems. Hayes makes a great point about how Wal-Mart's $2 per pallet non-RFID penalty reflects a lack of understanding of why suppliers have resisted RFID tagging.
Shoppers at Gap.com will now be able to use a single shopping cart and consolidate shipping at any of the chain's four brands, the Gap announced on Tuesday (May 27). But the change for The Gap, Banana Republic, Old Navy and PiperLime is delicate, as the company still wants those brands to maintain their distinct personalities. Those conflicting goals give the new site a bit of a Jekyll-and-Hyde feel.
Borders this week officially stepped out of the shadow of Amazon and re-launched Borders.com, with an effort that scores points for creativity. The physical side of Borders (as in brick-and-mortar as opposed to Olivia Newton-John) has been trying to arrange its bookshelves to display more of the covers.
Germany's METRO Group is experimenting with RFID inserts to track meat and to immediately locate any product that is about to expire or that has expired. METRO is placing the inlays into the foam meat packing trays used in their Future Store.
Barnes & Noble on Wednesday (May 28) launched its mobile E-Commerce site, which is pretty much a super-slimmed down version of its regular site. B&N Mobile includes search, store-finder, book availability and order tracking. It's not an especially sophisticated site, but it puts the world's largest physical world bookstore on a very short list of major e-tailers who have bothered to design a version of their site for the cellphone.
Like many ex-cons, when Martha Stewart got out of prison, she had a different outlook on life. So she's going to relaunch her E-Commerce site. But this time, she'll try and do it right by doing as little as possible.
New E-Commerce figures from e-Marketer show continued growth over the several years, but the rate of growth will quickly drop. The firm reported, for example, that last year's E-Commerce sales hit $127.7 billion, a figure that they are projecting to steadily rise to hit $218.4 billion in four years.
The Blockbuster movie-download kiosks—slated to start their trial in June—will download movies directly into consumer-owned portable devices in about two minutes, according to a demo at the company's shareholder meeting Wednesday (May 28).
MasterCard Canada this summer will start a 4-month NFC-phone trial, with the backing of some of Canada's largest retailers, including Loblaw, Petro Canada, Tim Hortons', Pioneer Petroleum, Rabba Foods, a major NHL arena and McDonalds.
At $388 billion in annual revenue, handling Wal-Mart's ERP financial application is nothing if not challenging. But when Wal-Mart last year turned to SAP to take over many of the financial functions that the chain had been handling with in-house software, it was a concession that it can't push its homegrown apps as far as it used to.
Guest View Columnist David Taylor believes that Web application vulnerabilities make up more than 60 percent of all software vulnerabilities. "They are so well known that the Open Web Application Security Project (OWASP) has published a list of these vulnerabilities. They are so easy to exploit that even the most junior hackers can find lists of popular Web application hacks and use them to break into your Web store."
Much has been made recently of TJX firing a store employee who posted public comments about weak security procedures that still exist at the retail chain that was the site of the worst data breach in credit-card history.
Amazon is preparing to expand its entertainment offerings, with a planned streaming video launch "in the next few weeks," according to a speech given Wednesday (May 28) by Amazon CEO Jeff Bezos.
A handful of grocery chains—including PriceChopper and Wegmans—have started using CRM data to alert customers to product recalls, an encouraging move to convince consumers that loyalty cards can be used to help them beyond taking 10 cents off a gallon of milk.
What do you get when you merge a kiosk with a vending machine? I'm not sure. But whatever it is, Macy's is putting it into some 392 stores right away, the chain announced May 22. That represents almost half of the chain's 800 stores.
Jane's contactless loyalty card is detected as the Des Moines attorney approaches the self-checkout. The system knows the counselor's shopping history and anticipates that the counselor likely has a dozen kiwis in her cart. So when she places the barcode-less fruit on the scale, the first fruit it displays in its list is kiwi, followed by the four fruits and vegetables that Jane typically buys.
Nordstrom on Tuesday (May 20) said they would support buy-online-pick-up-in-store for the first time. This e-commerce cross-channel classic has been popular for several years, but Nordstrom--with its stronger than average commitment to customer service--has resisted until now.
The grocery challenge with the theft of moist, fresh products—such as cheese—has frustrated retail loss prevention managers because such products tend to react poorly with EAS tags. Checkpoint and Sealed Air Cryovac announced Wednesday (May 21) one possible way around this issue.
More than 75 percent of enterprises are holding off on deploying server virtualization in the cardholder environment until the PCI Security Standards Council clarifies its stance on virtualization, which they hope will come in the October 2008 release of the 1.2 version of the standards. That is a mistake.
As more consumers use search engines to find products filtered by a single attribute—such as price—shopping cart abandonment rates are increasing, according to E-Commerce vendor MarketLive, which tracks such matters.
Using virtual reality, $18 billion consumer goods giant Kimberly-Clark is creating virtual depictions of stores, shelves, products and displays—even sounds and smells people encounter while shopping—to enhance traditional means of research.
A pair of British shopping centers is experimenting with a creative way to leverage consumer cellphones. The consumers are being surreptitiously tracked by the signals emitted by all mobile devices and a database notes when consumers "enter a shopping centre, what stores they visit, how long they remain there and what route they take as they walked around."
Although this doesn't shed any light on this year's recession, American consumers were certainly spending-friendly last year, having spent with retailers $201 billion more last year than the year before.
To use a chess analogy, many e-tailers today see the strength of their multimedia entertainment offerings as akin to controlling the center of the board. On top of recent moves by Sears, Blockbuser and Netflix, Napster on Tuesday (May 20) announced what it dubbed the world's largest music download site, with some 6 million selections.
Facing a much tighter financial picture (the latest quarterly report saw comparable net income almost cut in half), Sears has turned to online operations as its best hope for better margins.
The RFID market has a healthy future, looking at a 15 percent compound annual growth rate over the next five years, hitting $9.7 billion by 2013, according to a report issued Tuesday (May 20) by ABI Research.
Some British convenience stores are trialing a facial biometric program to try and improve the accuracy of guessing the age of customers for age-restricted alcohol purchases. The systems "capture facial measurements that will be checked against a database of profiles of known offenders."
Tesco's experiment with an all-self-checkout store in the U.S. is delivering surprisingly favorable customer satisfaction stats. Internal Tesco customer surveys for its Fresh & Easy stores are finding some 90 percent of its customers saying they were either "satisfied or very satisfied" with the checkout experience while another 27 percent say that "it doesn't matter" what format the checkouts take.
That which keeps consumers satisfied seems to be part of an E-Commerce site's culture, as top (and bottom) players tend to show little movement, year to year. The latest results from measurement firm ForeSee Results seem to reinforce that.
It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster's restaurant chain. But according to a federal indictment and U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.
When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry's worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing. No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent.
Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle "to explore the growth of contactless payment systems and the implications for consumer protection policy."
For e-tailers who still think that Web video may be a fad, consider this stat: In March, U.S. Internet users watched 11.5 billion online videos. That's a 13 percent gain from the prior month and a 64 percent gain from the identical month the prior year, according to Comscore.
Thanks in no small part to soaring traffic on YouTube, Google for the first time took the top slot in American consumer reach in April, besting Yahoo. But it took that top slot just barely, reaching 141 million Americans in April. Yahoo ranked second with 140.6 million visitors.
With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it's not a bad idea to focus on what will truly decide whether these machines do anything to help retailers.
Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy.
The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.
London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.
Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups. The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe's and Wal-Mart.
Like it or not (place this father defiantly in the "not" category), children are using the Internet's social network sites at a younger age, with retail marketers hovering close by. How young? New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll.
This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. A woman walks up to an ATM at a Hannaford's grocery store. She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves.
With an eye on retailers having to juggle payment systems between many varied environments—far beyond merely online and in-store—a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface.
Microsoft is "leaning toward going hostile in its pursuit of Yahoo," with an announcement "likely" on May 2.
GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments. Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives and encryption keys that are never changed. Fixing this stuff is not expensive, but it's not fun either.
Google says it has concocted a better way of searching for Web images, one that involves image-recognition to "see" what the image depicts as opposed to just reading the accompanying text. This technique, called Visual Rank, has tremendous potential to shake up E-Commerce, which heavily relies on product images.
Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."
April 16th, 2008 at 11:01 am
This excellent post should be required reading for every QSA in training and more importantly, every person responsible for their company’s PCI compliance.
PCI is not a checklist; it is a data protection standard. It is evolving as we speak, and we can expect some changes (big or small, no one yet knows) in the fall. A checklist mentality will blind you to the bigger picture.
Joel is also right in pointing out that security is an art. QSAs are people, so some will be better at their “art” than others. You can interview the QSA organization all you want, but the key is to meet and be comfortable with the individuals who will be working on your compliance project. Some questions you might ask are:
– Tell me what you know about my industry and how my customers pay;
– Can you help me move a lot of my systems out of scope (…my personal favorite question)?
– How will we resolve our differences? or
– What other (remediation) products and services are you selling?
The PCI Council is releasing a quality assurance program for QSAs and ASVs, but it needs merchant participation to be successful. Did you complete a QSA satisfaction survey form after your last audit? (BTW, they are required to give this survey to you; if they forgot, it is on the Council’s website.)
As Joel said, there are a lot of great, experienced, informed, and helpful QSAs out there. The idea is to make sure you get one of those.
April 16th, 2008 at 6:27 pm
Excellent piece Joel! You and I have had this very conversation many times, and we see it in the field ALL the time.
April 17th, 2008 at 10:29 pm
I agree with the premise and would hasten to add that there are many examples of assessment process issues in the PCI Knowledge Base.
Another issue that plays a major role in the QSA process is that assessors rely heavily on the vendors and products that they “know” or have experience with on other assessments. Some assessors go so far as to resell products, but most do not.
A result is that if an assessor is not familiar with a particular security product, the merchant (and sometimes the vendor) is placed on the defensive and must go to greater lengths to “prove” that specific functionality matches specific PCI DSS requirements.
This scenario tends to favor market leading security vendors and those vendors who have established “relationships” (formal or informal) with particular assessors. In some cases, assessors also sell their own security products, suggesting to merchants that there is a “Chinese Wall” that separates the different parts of the company.
My personal suspicion is that a notable breach, or merchant outcry, or government intervention will, at some point, serve as a “friendly reminder” that there is a lesson from the Enron case that some companies still need to learn. IMHO.