|
What’s the difference between mandates and PCI best practices? Best practices sounds nicer. It’s an important—and potentially the only—distinction that will be critical in less than two weeks. Just when you thought PCI was solidifying, when perhaps it was safe to swim again in your POS waters, GuestView Columnist David Taylor writes, there’s a major PCI-related deadline coming up on October 1, and most merchants aren’t aware of the details. Read more. |
Questions dominate a Dec. 20 incident where some 8,000 Macy's customers had their debit cards charged as many as three times for the same transaction. One source said it involved a payment processor's slowdown.
A financial report on the troubles found last year with major department stores places the blame for the revenue drop not on the economy, but on chains that are "increasingly out of touch. The problem is that these stores have relied too heavily on the things shoppers care least about, like coupons, loyalty programs, delayed payments and contests."
Some of the latest stats pouring in from the 2008 holiday shopping season are raising some interesting trends, including a sharp (not-before-seen) increase in traffic right after Dec. 25 along with a much deeper cut in site visits from those earning more than $150,000/year.
Amazon.com issued a statement on Thursday (Dec. 30) giving its customers fewer than 12 hours' hours notice that it was cutting off Bill Me Later as a payment option as of Dec. 31. The highly anticipated move was a result of Ebay's purchase of Bill Me Later in October.
E-Commerce holiday purchases this year dropped 3 percent from the corresponding period last year, hitting $25.5 billion, according to ComScore.
Allowing customers of Gap.com to easily jump to other Web sites in the Gap family, and put all their selections in one shopping cart, undermined perception of the brand and eroded user satisfaction, said the president of a company that tracks E-tail site satisfaction.
For years, Google has given its Google Checkout service to retailers for free, as long as they bought ads on Google. Alas, no more. Explained one Google manager: "Why have it as a loss leader if it's doing OK? We saw very healthy results after we decided to charge for the service."
Amidst the avalanche of downright depressing retail economic news this holiday season, there are recurring hints that E-tailers—as a group—fared far better. But because we're starving for any sign of optimism, are we interpreting those signs unrealistically?
As retailers debate how much they truly want to embrace mobile payment efforts, the Mercator Advisory Group is reporting that the tide will soon become unavoidable.
Extensive analysis of a consumer's Web interactions has been used for years to try and target sales pitches more effectively. But new research suggests that such analysis may pale in comparison to the next wave, where every digital comment made by consumers anywhere—in a product comment, an IM, on a social network site, in E-mail and via exchanges with a live chat tech support person, coupled with Web traffic analysis—can be mined for hints as to their emotions and other thoughts.
Tracking global retail from the United States, it's clear that Canada is the country most similar to the United States when it comes to retail procedures. Surprisingly, the next closest region is not the United Kingdom but Australia, and then arguably South Africa. So it's always interesting to see the few technology areas where American and Australian retailers diverge, and EPC is shaping up to be one of them.
Kraft Foods, Nestle and Procter & Gamble are now able to synchronize item data with Metro Group stores in Russia, a collaborative effort being touted by the players as a "landmark" deal that illustrates the rapid expansion of the Global Data Synchronization Network (GDSN). Not all are convinced, though.
The story of the technologist who crafted an elaborate RFID poker table, complete with an HD camera to stream real-time games globally, is interesting mostly in how he attached ultra-thin and extra-flexible RFID tags to each playing card in such a way as to make it not interfere with the way the cards felt. But does it have implications for the future of retail?
'Tis the season to be jolly. Unless you're in charge of uptime at upscale retailer J,Crew's Web site. Having suffered outages during Cyber Monday, J.Crew again became unavailable—to at least some prospective customers—for an extended period Wednesday (Dec. 17).
Despite the putrid economy and the tightening of holiday shopping lists globally, the number of site visits logged in at comparison shopping sites has gone down sharply, some 15 percent lower than was recorded during last year's identical period, according to Hitwise. More logically, Hitwise found an even larger increase—25 percent—in the number of visits to Web coupon sites this year.
In a sharply down economy, retail IT budgets are going to go on a roller coaster ride in the need for greater efficiency. And given how small a percentage of corporate spending is typically represented by the IT capital expenditure budget, IT will probably feel less of the pain than many other divisions. But...
One of every three customers walking into an Office Max store to buy a consumer electronics product left empty-handed (and probably bitter) this year because the product was unavailable, according to new research by IHL Group. But Office Max certainly wasn't alone in the research company's hall of shame, with Office Depot and Circuit City keeping it company.
On the one hand, many clicks on a retailer Web site indicate user engagement. And that's a good thing, unless cumbersome site design is forcing users to click unnecessarily. In its recent audit of Cyber Monday shopper activity, site-monitoring company ClickStream Technologies found that too many clicks during the checkout process prompt frustrated buyers to wriggle from the hook.
Online retailers are relying too little on automation to thwart online fraud, meaning too many employee hours are spent reviewing orders that shouldn't have raised any flags of suspicion.
Gift card exchange site Leverage, which had pushed one of the more creative CRM ideas out there, has laid off its entire workforce and is hoping economic fortunes will improve next year, according to company CEO/Co-Founder Mark Edward Roberts.
Around this time of year, GuestView Columnist David Taylor starts to wax nostalgic about the good old days at Gartner when he used to make grand announcements about his vision for the future of technology.
Amazon.com this week jumped in with a clever gift card strategy that bordered on brilliant, a tactic that could simultaneously boost revenue and steal sales from multiple competitors. So with such a wonderful plan, what would possess Amazon to put a statement that, at the most charitable, could be described as a phrasing so deceptive that even a New Jersey or Illinois politician would find it too over the top?
Amazon is far from alone this holiday season is pushing some new mobile efforts, standing alongside Walmart, Target, Gap and Sears in the popular holiday "let's fling random things at the cellular tower and see what sticks" game.
As the hoopla surrounding Black Friday and Cyber Monday mercifully subsided, some e-tailers were still struggling to keep their sites up, with Office Depot and Sephora suffering repeated outages while Walmart and Office Max—among others—experienced more sporadic mishaps.
The early holiday shopping season found fewer consumers hitting U.K. retail Web sites compared with last year's identical period, with some major sites seeing double-digit declines, according to Comscore.
Payments for taxis, parking and movies may prove less patient in waiting for new technologies than E-Commerce, a move that could be a bad sign for once-promising mobile payment method Near Field Communication (NFC).
Dollar General, the $10 billion discount retail chain, on Wednesday (Dec. 10) agreed to install specially-designed POS units intended to safeguard the privacy of visually-impaired consumers in all of its 8,300 stores in the U.S. "in less than eighteen months." The intent is to give those shoppers an alternative to touchscreen interfaces by offering tactile keys.
The economy sucks so GuestView Columnist David Taylor suggests that this would be an ideal time to shift budget away from regulatory compliance and spend it on something that will actually make money for your company, like direct mail advertising. No, he doesn't actually believe that, but he has the feeling that some executives are on the defensive when it comes to maintaining a focus on their areas during these dark times.
E-Commerce avatars—computer-generated 3-D replicas of consumers with precise measurements to help purchase clothes that fit better—may soon use digital video to incorporate a consumer's posture, facial expressions and smile.
Best Buy Chief Technologist Bob Anderson has been talking lately about the value of lending an ear to young innovators in the company. "You don't need a big, honking server and lots of funding or 50 people to start something innovative."
One columnist writes about the stampede death of a Wal-Mart assoiciate in New York when he was opening the doors for Black Friday shoppers. "No doubt," he wrote, "they were the same shoppers who complained bitterly about the appalling lack of help' in the store." Indeed.
A service level agreement (SLA) is a guarantee from a site that its uptime will be as promised, n'est pas? Actually, quite the opposite. It's more likely a complicated document designed to protect the site (not the retailer) in case of any problem.
Walmart.com is saying that they want to clarify that position, but then E-mailed a statement that, well, doesn't clarify much of anything. But it does do a nice job of hinting at something without actually saying it.
Whether the wing flapping of a bug can eventually cause a tornado is debatable, but Cyber Monday 2008 should serve as a warning to E-tailers to avoid the lesson learned by Staples and Dell on Monday (Dec. 1): Don't ignore the butterfly effect.
At about 6 AM New York time on Black Friday (Nov. 28), Wal-Mart's site went down for about an hour and then came back up. But this time, the company had moved its content pages to an outside service. Wal-Mart said this was a scheduled change, a concept that Gareth Evans, head of client services at Web tracking firm Sitemorse, finds unlikely.
Microsoft's Live Search cashback program—which gives rebates to those who comparison shop online and choose stores that are part of the program—was a bit too popular on Black Friday (Nov. 28) and crashed for several hours, leaving consumers with no cashback and a lot of anger.
Sears.com suffered the worst Web problems on Black Friday (Nov. 28), experiencing a series of complete site crashes for much of the day. Although no other major retailer came close, according to preliminary reports, many of the industry's largest merchants suffered site slowdowns or other Web problems, including Walmart, Kmart, Saks, Overstock, Amazon, Target, Kohl's, Costco and Buy.com.
In a trial initially limited to the United Kingdom, Switzerland, Israel and Italy, Visa Europe is starting a trial this month of a card with an 8-digit alphanumeric display, 12-button keyboard and a long-life battery. The card has the ability to offer reciprocal authentication, which is designed to allow consumers "making transactions via phone or the Web a way to identify the party on the other end before transmitting identifying credentials."
Black Friday (Nov. 28) E-Commerce sales hit $534 million, reflecting a one percent increase from last year's Black Friday, ComScore reported Sunday (Nov. 30).
A group of credit card thieves in Seattle tried to maximize their profits by using their stolen credit card data to open a loyalty card account with Best Buy, where they could get could extra benefits along with their stolen products, according to a federal indictment filed Nov. 19. One had tried a similar rewards scam with a Home Depot reward card and a Sears gift card.
Recently released numbers raise questions as to whether online will be much of a savior at all. New figures from eMarketer project that E-Commerce sales will top last year's numbers by some $5.6 billion, a 4.1 percent increase from $136.8 billion to $142.4 billion.
Eduardo Perez of Visa has called its fines for non-compliance "nuisance" fines. In other words, the fines are not large enough to be a big financial burden to retailers but are large enough to get the CFO pissed off about having to pay them and maybe large enough to get a CEO to at least show up for a meeting to discuss PCI.
The IT struggle with knowing where all payment data is—let alone trying to enforce rules that pretty much try and keep it there—was the topic of a StorefrontBacktalk a podcast this week with our own PCI columnist, David Taylor, and security specialist J.D. Oder, the chief technology officer at Shift4.
Wal-Mart has agreed to pay $1.4 million to settle complaints that it overcharged customers in California. The Nov. 24 deal involved the mispricing of some 1,043 items over four years. Some of the problems happened because associates would make pricing changes to items in the store's register database but not in the aisle.
There's an E-mail campaign that says consumers can identify American products by the first three digits of the barcode. In theory, this would allow people who only want to buy American products an easy way to do that. The only problem is that the trick doesn't always work, which means it could have the opposite effect.
When are related product lists helpful and when are they distracting? Is it an obviously useful upsell or is it doomed to the fate of the salesperson who shows a customer one too many choices? HP thinks it's often the latter and has sharply trimmed the number of related items it shows. And the company is claiming a 30 percent sales increase as a result.
As more retailers try to go where the customers are rather than getting them to come to the retailer, TiVo and Domino's are taking the next logical step with a TV-as-E-Commerce-Device approach.
We make calls on PCs and surf the Web on our phones. The lines of separation are blurring fast. But in the world of retail technology, the difference between a kiosk and digital signage is one of the more difficult distinctions to make. How to describe that difference? To one CFO, the answer was obvious: A poem. In rhyming verse. Rhyming verse that is so bad it's almost good.
The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computer that security managers would rather they didn't. GuestView Columnist David Taylor asks if these people might be doing things (e.g., downloading malware) that could bring down your company?
Podcast panelists debate card replacement problems, including inadvertently printing encryption keys on customer receipts and the refusal of the card brands to shorten how long expiration dates are valid. "We now have to worry about data that's been there as many as 12 years."
A loyalty card that consumers can turn on and off could potentially usher in a consumer revolution of sorts, allowing the majority to punish merchants they see as misusing CRM data that has been entrusted to them. At least that's one scenario painted by the president of the company that is pushing the card.
Amidst an avalanche of hype about the desirability of gift cards this holiday season, the National Retail Federation on Tuesday (Nov. 18) predicted a six perfect drop in gift card sales this season, from $26.3 billion spent during last year's holiday season to a projected $24.9 billion for this season.
Some 30 meters below solid bedrock underneath Stockholm, an abandoned nuclear bunker has been transformed into what could only be described as the world's coolest datacenter.
Several factors are lining up—including rushed technology upgrades, more site handoffs for everything from mobile to social networking widgets and a surge in traffic from bargain hunters—that could easily make this holiday shopping season one of the crashiest in years, if not the crashiest. (Note to copydesk: I don't care if crashiest is not a word. It should be.)
When Sears rolled out its mobile effort (Sears2go) this month, it illustrated the challenges for a retailer trying to craft a clean and stable mobile strategy at a time of extreme flux for the mobile space.
When E-Commerce execs try and understand abandoned shopping carts, they often overlook concrete clues. One of the best is whether shoppers clicked on the store locator link right before leaving. But deciding what to do about abandoned carts, that gets complicated. The innocuous-looking store locator is akin to waving a red cape in front of the face of an E-Commerce manager bull.
September 18th, 2008 at 2:14 pm
Come on David,
Most level 3 and 4 merchants do not have the technical bandwidth or financial resources to own the process or be directly involved with their vendor’s PA DSS assessment. We are talking about mom and pop business here. What is important is that they are not exempt and must deal with the new regulations. We need to help these merchants become secure and compliant. After all, they make up 80% of what drives our economy. The last thing we need to do right now is toss another road block in the way of small business. Let’s think economic recovery!
September 18th, 2008 at 2:50 pm
Good article but I do have to strongly disagree with the solution. The article states: “Merchants simply cannot assume that just because a payment application product is on some long list that there has been a thorough and complete review, comparable to a Level 1 merchant’s PCI DSS assessment. Merchants must review the detailed audit reports and even be directly involved in their vendor’s PA DSS assessment. Merchants must own this process, simply because they own the resulting liability and brand damage.”
There are several problems with this solution. First, most level 3 & 4 merchants don’t know what PCI is other than some costly regulations being force on them by their merchant service provider and scared into them by various vendors. Second, even with the minority of merchants that truly understand PCI, only a very small percentage of these will be able to decipher a “passing” grade on a particular issue of a PA-DSS assessment report versus an excellent or poor grade. Third, with the larger POS providers, there are not enough hours in a day to educate every level 3 and 4 merchant on the intricacies of a particular PA-DSS assessment.
To tackle the level 3 & 4 merchants, merchants need a PA-DSS approved list to reference. Sure, in a perfect world, every merchant fully understands every aspect of PCI and more importantly, data security. But we don’t live in a perfect world. In our world, only level 1 & 2 merchants can afford full time data security officers that can dedicate the time and resources to audit and review every assessment of every application in use – level 3 & 4 merchants will need lists. Lists that not only comply with PCI, but also convey some assurance to the merchant that the software they are using is truly secure. We need to better control the quality of what goes on the list. The list should also provide a level of liability protection as well for the merchant. Otherwise I would argue that a PA-DSS assessment is a waste of money because it is useless to the parties it is labeled to help the most, the merchant and the cardholder.
September 18th, 2008 at 6:41 pm
The fundamental assumption here is that using a PA-DSS compliant application (by any Merchant) provides protection against liability and brand damage. ISSA just posted a report by Verisign (Hizner and Sundaresan, 10 Tips to HACK the PA-DSS Standard) showing how a compliant payment application was able to be compromised. The smaller merchants are at the mercy of the PCI standards council without a strong voice to advocate on their behalf and with even less knowledge about IT systems or code review. Passing the burden to these smaller merchants is not the prescription to this problem.