PCI Efforts Crippled By Inconsistency, Conflicts
Written by Evan Schuman
May 24, 2007
Industry efforts to set precise security standards have left proponents frustrated by a patchwork of contradictory interpretations, auditors selling the services they critique and retailers who say they can't jump through infinite hoops forever.

With growing concerns over major retail data breaches, many have been increasing pressure on retailers to become compliant with the retail industry's security standards—formally called the Payment Card Industry Data Security Standard (PCI DSS). Several states are trying to make such compliance legally required.

But behind PCI is an alarming patchwork of contradictory enforcement, auditors selling the services they're critiquing and frustrated retailers who say they can't jump through infinite hoops forever. It's this combination that is behind some of the low PCI compliance figures released recently.

PCI was designed to formalize what retailers considered to be the best security practices and procedures and to provide a precise, consistent way to get merchants to comply. In practice, however, it has slightly improved security while sharply raising retailer frustration.

In general, the sensitive nature of a company's security procedures causes most retail IT executives to shy away from publicly discussing their operations and their plans. But many of these executives are hesitant to vent their PCI frustrations chiefly because of industry politics and the fact that merchants are constantly negotiating with the companies deciding whether or not they will be PCI compliant.

For this column, several retail IT executives, auditors and others have agreed to speak not-for-attribution—and occasionally on-the-record—about the state of PCI enforcement today. In instances where accusations have been made on background, they have been confirmed by at least three independent sources.

It's been said many times that being PCI compliant does not necessarily translate into being secure. The hoops that retailers have to jump through to achieve compliance have more to do with business purchases and relationships with the overseers than they do with security.

PCI is managed by a group of retailers, banks and credit card associations, but—as a practical matter—it's strongly managed by one company: Visa.

"Visa is definitely leading the charge," said David King, CIO of Regal Cinemas, the nation's largest theater chain with 529 theaters and $2.6 billion in annual revenue. "It's Visa calling people. It's Visa people setting regulations, dictating enforcement."

Said the CIO of another multibillion-dollar retailer: "PCI is nothing but a shell company for Visa."

Below Visa is an army of auditors. But unlike the way publicly held companies must deal with accountants for financial audits in this day of Sarbanes-Oxley, the auditors here work for private companies that invariably sell security software and hardware.

In other words, the auditors who will decide—with remarkable discretion—whether or not a retailer is given the green light for compliance are also selling to that retailer services and products that they can decide will make it compliant. Consider an auditor saying, "Based on what I see here, I can't support your accreditation effort, but if you buy this here list of $9 million of our products and services, that would almost certainly change my mind."

One PCI consultant who asked that his name not be used said it's a very straightforward business deal. "Assessments are low profit activities and rather repetitive. For an assessor to make a higher margin, they need to do other things. Since there is no requirement that prevents this (a la Enron-related rules for accountants), the assessors are going to use the knowledge gained from learning about the problems to 'solve' the problems," the consultant said.

"Some assessors are also selling products for compliance purposes," the PCI consultant said. "I don’t have any evidence that assessors are deliberately manipulating findings to favor the products or services they resell, but the temptation is pretty great. Providing assessment isn’t nearly as high margin as providing compliance. Without clearer rules, it’s logical that some companies will cross the line."

Regal's King said he's seen this before. "This used to be the climate that we all lived with before Enron. (Accounting firms) not only did the audits, they also did taxes and evaluated risks. One division created revenue for another division," King said. "The whole PCI compliance industry is like it used to be before all of that occurred."

Linda Walker is the VP of IT Infrastructure and Security for Dick's Sporting Goods, a chain of more than 300 stores and about $3.1 billion in annual revenue. Walker is also taken aback by how far astray PCI regulation has gone today.

"It amazes me that these auditors are even allowed to sell remediation services," Walker said. "If Visa wants to do the audit, then Visa ought to do the audit."

Gordon Rapkin, the CEO of security services firm Protegrity, agrees that there are striking parallels to what the financial accounting world looked like 10 years ago.

"Didn't we learn anything from Enron? Here we have a bunch of assessors who have a catalogue of products to sell," Rapkin said. "You've got an assessor whose job is to tell you what's broken. This conflict of interest is the real issue. It's the big one. (The auditor will say) 'I can fix this and it will pass.' This is just a total conflict. We need assessors who will assess."

Rapkin described a mid-May meeting he had in Europe with a group of representatives from Visa, MasterCard and American Express, plus a few others. When he complained about the conflict, he described their reaction as, "Yeah, that's true. That's right. And one said, 'We have lots and lots and lots of merchants that need to be assessed and not a lot of people who know how to do it or are willing to do it'" for the low fees that pure assessment can generate.

Rapkin said the credit card executive then said, "I know that it doesn't sound right, but it gets us what we need" if we allow auditors to also sell their security products. "It was quite Machiavellian. The end will justify the means."

That conflict of interest wouldn't be as much of a concern were these auditors not given such broad latitude to interpret the PCI requirements.

The PCI auditing procedure enforcement guide is some 50 pages long and is full of very specific rules that could be interpreted in very different ways, said David Taylor, an auditor who is president of the PCI Security Vendor Alliance. "I could pick 10 items and tell you two or three different ways you can legitimately interpret the testing details."

The fact that many rules are subject to varying interpretation is not what Taylor finds so troubling. It's the attitude that many auditors have that the rules are explicit, when they are often anything but. "There's going to be some variation in interpretation," he said. "That I consider inevitable. What is surprising is how adamant people are about their interpretation of things."

Consider PCI requirement 2.2.4: "Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers." Taylor's take: "When it says 'all,' that's an absolute thing. But a few words later, think about the very concept of 'unnecessary.' Who determines what is necessary? That's a value judgment. Even though the word 'all' is an absolute, the word 'necessary' forces a judgment."

Or consider requirement 3.6: "Fully document and implement all key management processes and procedures for keys used for encryption of cardholder data." Again, that sounds explicit and specific, but what precisely constitutes something being fully documented? Said Taylor: "Guidance could be a couple of lines or 20 pages."

The biggest Pandora's set-top box with PCI today is compensating controls. The original rationale for compensating controls is that retailers have very different environments and that some requirements may not make sense for them. Therefore, the theory continues, PCI will permit a retailer to use some alternative method if that retailer can prove to the auditor that it has come up with a way that is as secure as what the PCI spec dictates.

Protegrity's Rapkin sees compensating controls today being used as a way for some retailers to get out of abiding by the rules because it's too expensive or too difficult. "It's a 'Get Out Of Jail Free' card," he said. "Compensating controls today are at the whim of the assessor."

Rapkin admits that his dislike for compensating controls stems from the fact that they are often used to avoid encryption and his company happens to sell encryption.

Another argument for compensating controls is that they are a compromise and, the theory goes, the only viable alternative to further the goal of improving security. An analogy is the U.S. food pyramid. Nutritionists working on the latest government pyramid wanted to push beef products into the same category as candy—and to move whole grain products into their own category, away from white bread and white rice. But the government argued that many Americans would likely ignore such an extreme pyramid, thereby supporting the position that an adhered-to but compromised pyramid would improve diets more than an ideal but ignored one. (OK, so cattle lobbyists also played a role, but let's not go there. It ruins the analogy.)

The rationale behind compensating controls is that a strict adherence to the rules would cause a lot of retailers to stop trying. So in theory, a compromised—but realistic—security plan would make systems safer than an ideal but less-used plan.

The inconsistency wreaks havoc on the plans of retailers. One CIO said that his PCI auditor just resigned and that the chain is begging the audit firm to force the new auditor to stick with the decisions made by the old auditor, rather than subject the retailer to starting over.

One requirement that was mentioned by two CIOs—which is not explicitly referenced in the rules—is for closed-circuit video cameras to be installed for every Point-of-Sale terminal in the chain. The intent is to make it more difficult for intruders to install devices onto the POS readers to steal credit card data. The only reference in PCI is a vague requirement in 9.1.1 to "use cameras to monitor sensitive areas."

The CIO of one chain calculated that such a move would—on its own—"vaporize north of $10 million, $15 million easily. And then there's an ongoing $2 million to $3 million a year to maintain it. That's $2 million to $3 million for life and it's only going to go up. And then there's inflation."

That CIO continued: "What about storing the images? You have to have someone to monitor those. No one could possibly afford that. This is ridiculous. We can't do business like that. Then they (auditors) ask, 'Do you want to take credit cards or not?' Absolutely asinine."

What was behind that particular demand? A concern about a POS system encryption procedure. "As soon as a credit card is swiped, we immediately encrypt it. But there's a fleeting moment—a micro nanosecond—between when the swipe has occurred and when it's encrypted, between the POS and the magnetic swipe reader." The alternative to the cameras was a higher-end POS system that the auditor's firm happened to sell.

Another common criticism of the PCI program is retailer confusion. Mostly, that confusion involves whether or not they are compliant. There are several reasons for this confusion.

Some larger chains have separate compliance efforts for different groups, so the CIO may not be certain which parts of his chain are compliant.

But a more common issue is timing.

Let's say that a retailer eventually gets a compliance letter on October 1, declaring his chain PCI compliant. That letter doesn't say the chain is PCI compliant for one year, as a driver's license might. Indeed, it doesn't even technically say the chain was compliant as of Oct. 1, but more likely means that the chain was compliant as of the date of the last completed full audit, which was likely several months earlier.

So when that retailer's CIO is asked, "Are you PCI compliant?" it's not as easy as saying yes or no. He knows, for instance, that some auditors looking at systems now have different expectations than the auditors who examined the same systems six months ago. He also knows that some systems have changed.

This is an all too common situation. In fact, several CIOs interviewed for this piece were honestly not sure whether they were truly compliant, which is frustrating.

"We are deep into quite a number of different initiatives in order to become compliant right now," said one Fortune 500 retail CIO. "But it's a changing landscape, a changing process. No matter what happens, we're going to be doing a lot of positioning and then negotiating back and forth with the auditor or whoever will ultimately be certifying it."

Walker, from Dick's Sporting Goods, added that one historical problem with PCI was "finger pointing. Visa did not want to take responsibility to tell the merchant that they're compliant and the acquiring banks did not want to take the responsibility to do it," Walker said. "You don't want vague assurances of compliance or likely compliance. I want the letter for the wall. A letter from somebody saying I'm compliant or not compliant."

One CIO detailed how his chain suffered under the whims of different auditors. This chain had an audit in October 2005 and was given a compliance confirmation in Feb. '06. "Then the rules started changing." For example, the PCI rules required an incident response plan.

"The first year, just having a plan in writing was sufficient. The second year, the plan was scrutinized for content and we were told much more content was required," the CIO said. "For example, they wanted phone numbers for contacts such as the banks and law enforcement agencies. The criteria of how you get graded kind of shifted and things changed from auditor to auditor even in the same company and certainly from auditing company to auditing company."

The same CIO cited encryption as another example. The chain segmented sensitive transaction data using strict network controls. "In 2005, this was accepted. In 2006, it was not. We are now implementing encryption. Despite an official PCI position that compensating controls are permitted, it seems as though our auditors now will no longer accept any compensating controls for encryption."

Another issue with that chain involves something called a Report on Compliance (ROC), which is a form filled out by a retailer that is trying to get a compliance certification. "In 2005, if you were far enough along in a requirement and had a reasonable plan acceptable to the bank, you were considered compliant. They were then going to monitor your progress to the plan. Now you would be considered not in compliance if the plan is not completed."

The retailer also had issues with Web logging, where one auditor found logs acceptable and the next auditor insisted on much more extensive—monthly, weekly and daily—logs.

Some retailers that are not Tier One merchants are filing self-audits, where the retailer's own personnel fill out the forms. Walker, of Dick's Sporting Goods, said she has a real problem with PCI self-audits. "I wouldn't ever be comfortable with a self-audit at Dick's. All companies in all tiers should have an external audit performed," Walker said. "Smaller companies don't even have the in-house expertise to do a self-audit."

Despite these and other problems, PCI has indeed improved retail security. Very few in retail doubt that it has.

One CIO for a large retail chain said the requirements of PCI helped him purchase pieces of equipment—such as high-end routers—that also helped modernize non-security operations.

"To give Visa some credit, they did shake things up and it's definitely improved retail security," the IT exec said. "I can't imagine what would have happened had I asked for $4 million dollars for security two years ago without the hammer of compliance. They would have looked at me like I had two heads."

Evan Schuman is the former retail technology editor for eWEEK.com, PCMagazine, CIOInsight and retail reporter for RISNews and Consumer Goods Technology. Having covered IT issues for 21 years - and other stuff like legal affairs, politics, Wall Street and the environment for about eight years before that - Schuman is in a good position to gripe about technology trends and sometimes accidentally make a good point.
Jane's contactless loyalty card is detected as the Des Moines attorney approaches the self-checkout. The system knows the counselor's shopping history and anticipates that the counselor likely has a dozen kiwis in her cart. So when she places the barcode-less fruit on the scale, the first fruit it displays in its list is kiwi, followed by the four fruits and vegetables that Jane typically buys.
The Battle: Nordstrom Customer Service Vs. Buy-Online-Pick-Up-In-Store
Nordstrom on Tuesday (May 20) said it would support buy-online-pick-up-in-store for the first time. This e-commerce cross-channel classic has been popular for several years, but Nordstrom, with its stronger-than-average commitment to customer service, has resisted until now.
Can Microsoft Make Search-Engine-Specific Pricing Work?
Microsoft's announcement this week that it would offer rebates for purchases made through its search engine is shaking the E-Commerce world. But the very lengthy list of gotchas—including making consumers wait potentially 11 weeks after purchases before seeing the rebate checks—is raising questions about whether this approach will work.
Checkpoint Chooses Cheesy Chore
The grocery challenge with the theft of moist, fresh products—such as cheese—has frustrated retail loss prevention managers because such products tend to react poorly with EAS tags. Checkpoint and Sealed Air Cryovac announced Wednesday (May 21) one possible way around this issue.
GuestView: Most Retailers Are Holding Off Server Virtualization. That's A Bad Idea
More than 75 percent of enterprises are holding off on deploying server virtualization in the cardholder environment until the PCI Security Standards Council clarifies its stance on virtualization, which they hope will come in the October 2008 release of the 1.2 version of the standards. That is a mistake.
Search Engine Shopping Is Causing More Abandoned Shopping Carts
As more consumers use search engines to find products filtered by a single attribute—such as price—shopping cart abandonment rates are increasing, according to E-Commerce vendor MarketLive, which tracks such matters.
Kimberly-Clark Tries To Replicate Retail Trials With Virtual Reality
Using virtual reality, $18 billion consumer goods giant Kimberly-Clark is creating virtual depictions of stores, shelves, products and displays—even sounds and smells people encounter while shopping—to enhance traditional means of research.
Mervyns Decides The Web Might Be More Than A Fad
The 59-year-old Mervyns department store chain, with 177 stores in seven states and about $2.5 billion in annual revenue, certainly can't be accused of rushing into technological fads. On Tuesday (May 20), some 15 years after the World Wide Web launched, Mervyns announced that it would launch an E-Commerce site sometime "in the fourth quarter of 2008."
Some British Retailers Secretly Tracking Customers, Using Their Cellphone's Transmissions
A pair of British shopping centers is experimenting with a creative way to leverage consumer cellphones. The consumers are being surreptitiously tracked by the signals emitted by all mobile devices and a database notes when consumers "enter a shopping centre, what stores they visit, how long they remain there and what route they take as they walked around."
Nilson: Payment Card Retail Purchases Increased More Than $201 Billion Last Year
Although this doesn't shed any light on this year's recession, American consumers were certainly spending-friendly last year, having spent $201 billion more with retailers last year than the year before.
Napster's MP3 Move Part Of Trend: Entertain Them Now, Sell 'Em The Big Stuff Later
To use a chess analogy, many e-tailers today see the strength of their multimedia entertainment offerings as akin to controlling the center of the board. On top of recent moves by Sears, Blockbuster and Netflix, Napster on Tuesday (May 20) announced what it dubbed the world's largest music download site, with some 6 million selections.
Will Sears' More Intensive Online Strategy Be Enough?
Facing a much tighter financial picture (the latest quarterly report saw comparable net income almost cut in half), Sears has turned to online operations as its best hope for better margins.
Report: RFID Market To Hit $9.7 Billion By 2013
The RFID market has a healthy future, looking at a 15 percent compound annual growth rate over the next five years, hitting $9.7 billion by 2013, according to a report issued Tuesday (May 20) by ABI Research.
BestBuy's Site Recommends Windows-Only Software For Linux Laptop
A tech blogger noticed something strange when trying to purchase a Linux laptop on BestBuy.com. The system's automatic recommendations for that Linux-based laptop included Windows versions of Microsoft Office and Norton Antivirus.
Face-Recognition Biometrics To Look For Under-Age Consumers
Some British convenience stores are trialing a facial biometric program to try and improve the accuracy of guessing the age of customers for age-restricted alcohol purchases. The systems "capture facial measurements that will be checked against a database of profiles of known offenders."
Has Tesco Figured Out How To Make All-Self-Checkout Work?
Tesco's experiment with an all-self-checkout store in the U.S. is delivering surprisingly favorable customer satisfaction stats. Internal Tesco customer surveys for its Fresh & Easy stores are finding some 90 percent of its customers saying they were either "satisfied or very satisfied" with the checkout experience while another 27 percent say that "it doesn't matter" what format the checkouts take.
Verichip Puts Itself Up For Sale, Parts Ways With CEO
Controversial RFID vendor Verichip on May 15 announced that it is selling much of the company, wants to sell the rest of it and that the company has parted ways with its CEO, Scott Silverman.
Trick Or Treat? New PCI Version To Be Here By Halloween
By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering "Trick or Treat?"
In E-Commerce Satisfaction: Netflix, QVC On Top; PCMall, Home Depot On Bottom
That which keeps consumers satisfied seems to be part of an E-Commerce site's culture, as top (and bottom) players tend to show little movement, year to year. The latest results from measurement firm ForeSee Results seem to reinforce that.
Delegation Can Be Good, And A Half-Dozen Other Security Tips
From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to "deputize" internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.
Dave & Buster's Data Breach Indictment: Apps Crash For The Bad Guys, Too
It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster's restaurant chain. But according to a federal indictment and U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.
TJX Gets 99.5 Percent Signoff With MasterCard Banks
When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry's worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing. No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent.
Applying Internet Security To RFID
NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.
FTC To Hold Contactless Hearing In Seattle
Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle "to explore the growth of contactless payment systems and the implications for consumer protection policy."
Macys Shutting Down Bloomingdale's Catalogue
Guess this is what the cliche-afflicted would call a "sign of the times." Macys is killing the Bloomingdale's catalog while Amazon.com is selling copies of Bloomingdale's 1886 catalog for $12. (Can you imagine the number of out-of-stocks in that thing?)
U.S. Watched 11.5 Billion Web Videos In March
For e-tailers who still think that Web video may be a fad, consider this stat: In March, U.S. Internet users watched 11.5 billion online videos. That's a 13 percent gain from the prior month and a 64 percent gain from the identical month the prior year, according to Comscore.
Google Pushes Aside Yahoo For #1 Slot
Thanks in no small part to soaring traffic on YouTube, Google for the first time took the top slot in American consumer reach in April, besting Yahoo. But it took that top slot just barely, reaching 141 million Americans in April. Yahoo ranked second with 140.6 million visitors.
Arrests Made In California Debit-Card Skimming Scam
California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain.
Self-Checkout Psychology: Losing The Customer's Trust
With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it's not a bad idea to focus on what will truly decide whether these machines do anything to help retailers.
Self-Checkout: It's Not Just For Lanes Anymore
With the nation's largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I'd rather take my chances at rolling a 10 the hard way.
The Home Depot Self-Checkout Machine That Wouldn't Take "No" For An Answer
Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy.
The Data Breach Librarian Actually Gets Paid
The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.
Twitter Dead Last In Social Network Uptime
With its sites being unavailable for barely one hour over four months, MySpace has the best uptime of any major social networking site and Twitter (more than 37 hours of downtime during the same period) has the worst.
The Dangers Of Choosing The Wrong Wireless Approach
London-based Marks & Spencer is the RFID tag champ. Attaching 350 million tags a year to items of clothing, it even blows past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.
Opposition To Tokenization A Lot More Than Token
GuestView Columnist David Taylor this week discovered that there's a lot more than token opposition to tokenization. One of the concerns is that companies have already spent money on encryption.
Microsoft Gives Up Yahoo Pursuit
Microsoft on Saturday (May 3) gave up its efforts to acquire Yahoo, declaring such an effort too expensive. "Despite our best efforts, including raising our bid by roughly $5 billion, Yahoo! has not moved toward accepting our offer," Microsoft CEO Steve Ballmer said in a letter to Yahoo CEO Jerry Yang.
Rite Aid Cuts Deal For Visually Impaired Web, POS Support
Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups. The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe's and Wal-Mart.
Beware Of Mobile Customers Who Are Not Where You Think They Are
As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let's say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday.
Number Of 10-Year-Olds On Social Sites Soaring
Like it or not (place this father defiantly in the "not" category), children are using the Internet's social network sites at a younger age, with retail marketers hovering close by. How young? New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll.
Do Retailers Really Maintain A Secure Environment?
This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. A woman walks up to an ATM at a Hannaford's grocery store. She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves.
NRF Group Offers Payment Consistency Guidelines
With an eye on retailers having to juggle payment systems between many varied environments—far beyond merely online and in-store—a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface.
Best Buy Using IT To Try And Limit Geek Squad Snooping
With a privacy invasion trial about to begin, Best Buy's IT department will be conducting more frequent remote audits of the chain's Geek Squad tech support department.
Microsoft Leaning Toward Going Hostile To Get Yahoo
Microsoft is "leaning toward going hostile in its pursuit of Yahoo," with an announcement "likely" on May 2.
Which Do You Want, Buddy? Compliance Or Security?
GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments. Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives and encryption keys that are never changed. Fixing this stuff is not expensive, but it's not fun either.
Cash Usage Rising Sharply In Britain
British retailers are seeing a resurgence in cash purchases, mostly due to a weak economy and consumers who are "nervous about borrowing or spending on debit cards," according to a new report from the British Retail Consortium (BRC). But the question remains whether the consumer reactions that are pushing cash usage in the U.K. are likely to be replicated in other parts of the world.
Google's New Technique To See Pictures, Rather Than Merely Read Captions
Google says it has concocted a better way of searching for Web images, one that involves image-recognition to "see" what the image depicts as opposed to just reading the accompanying text. This technique, called Visual Rank, has tremendous potential to shake up E-Commerce, which heavily relies on product images.
Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."