Due to a mobile power supply issue, MasterCard has discovered that retailers using a smartphone as a portable POS may find that customers will need to hold their card right against the antenna, which is hardly the way it's supposed to work. The problem, which was discovered in internal MasterCard prototype phone testing, involves the fact that a traditional POS is AC-powered from a wall outlet, whereas mobile phones are powered by small batteries.
Less power means shorter antenna range, which in turn means the payment card needs to be almost touching the antenna. "The read-rate is not what you need it to be, certainly not the 4 centimeters you expect it to be," said John Verdeschi, Senior Business Leader of Product Development at MasterCard.
Being greedy is the telltale sign of a good professional thief, but there are limits. And a pair of shoplifters this week learned that if you're going to steal $2 million worth of toys from Toys"R"Us—specifically, from 139 stores in 27 states—it's best to not use a loyalty card. Yes, it was that CRM card that led police to our duo.
Granted, these aren't the first thieves to be done in by those not-so-loyal cards—a Sears associate got zapped last year—but they are among the best. Seems that Michael Pollara of Florida was hitting quite a few Toys"R"Us stores using the ever-popular box stuffing trick (take a big box with a cheap item in it and replace the contents with something much more expensive).
The sites for Sears and KMart were down for about three hours on Wednesday (Aug. 15), starting around 9:00 AM New York time, in what the chain said was an intentional outage to prepare for an...
In another sign the FTC is putting some teeth in its enforcement, the commission followed up the announcement of its $22.5 million privacy settlement against Google on August 9 with a list of ways companies may be turning themselves into FTC targets.
Visa recently issued a bulletin with recommendations for implementing chip cards in the U.S. market. Don't ignore this document, writes PCI Columnist Walter Conway. You may not know all you think you do about Visa's plans and what retailers need to do. Most important, merchants must be sure their POS devices accept both EMV contact chip cards and traditional magnetic stripe cards. Make a mistake, and you might have to buy equipment all over again.
Unfortunately, not all acquirers are getting the right message out to merchants. One client recently related that an acquirer told the merchant there was no need to upgrade its devices to read chip cards.
There are two opposite views on the best way to protect sensitive retail data, including payment cards, CRM, inventory, pricing and payroll. The first is the vault approach: You try and throw up as...
One of the things last week's Starbucks-Square deal demonstrates is that Square found out just how hard it is to make a living selling services to small retailers and hotdog carts. For every coffee shop and dry cleaner that signs up to move their credit-card processing and POS to Square, there are likely dozens of other people who get a dongle strictly as a novelty, pens Retail Columnist Todd Michaud.
"People like me, or the Girl Scouts, who use it one month a year selling a few hundred dollars worth of cookies," he wrote. "They are basically a next-generation ISO that is riding the wave of Apple-fandom to bring credit-card processing to the masses."
A recent survey report from the National Retail Federation (NRF) touted how much would be spent on school supplies, sometimes more generically referred to as back-to-school spending. Even with that...
The latest batch of PCI compliance stats from Visa shows slight changes—all of one percent—in all categories with meaningful public numbers.
Level 1s dropped from 98 percent to 97 percent in the figures current as of June 30, 2012, while both Level 2 and Level 3 retailers increased (2s went from 92 percent to 93 percent and 3s went from 59 percent to 60 percent, when compared with Visa's reported March 31 figures).
In the Square deal Starbucks announced on Wednesday (Aug. 8), the coffee company sharply cut its payment processing costs by turning over all of its U.S. credit- and debit-card processing to the Visa-backed Square. Although Starbucks wouldn't comment on how deep the savings would be, some are suggesting that the processing savings—not the interchange fees—could be almost complete. Hey, a $25 million investment should be worth a little discount, no?
Also, despite what various media reports implied, when Starbucks starts accepting Square payments right before the holiday sales rush, it will not be the phone-stays-in-the-pocket approach, with the customer identified by first name and a POS-displayed photograph, that Square has used with a handful of smaller merchants. No, the Starbucks approach will mirror the exact method it's been using for its own mobile payments for years: Customers will display a 2D barcode on their mobile phone, the Starbucks associate will scan that code, and then the store's existing POS system will handle it normally.
eBay this month has joined Amazon in experimenting with same-day delivery. Although both are delivering same-day, they are doing it in almost opposite ways. Amazon's effort is being offered at a premium price, while eBay is offering close to loss-leader pricing. Amazon—rightly or wrongly—is seen as a threat to brick-and-mortars, whereas eBay is emphasizing that it's buying from partner retail chains at full price. Amazon's same-day delivery requires very early morning orders and as long as 13 hours for delivery, whereas eBay is targeting—and, it claims, delivering—everything within one hour.
eBay's trial run seems to be deliberately low-cost and extra-fast delivery to truly see who would use such a service under the best of conditions. It's highly unlikely that a national rollout could continue such specs. eBay's approach isn't all good for retail partners; only the eBay brand is shown, which reduces the chains to unseen suppliers—albeit well-compensated unseen suppliers.
Security wasn't Google's top priority when it came up with its new architecture for Google Wallet—mainly, the Android-maker wants customers to actually start making mobile payments with it. But by replacing actual payment-card numbers on the phone with a Wallet ID that looks exactly like a payment-card number to processors, Google has raised some new security questions that so far don't have clear answers.
For example, what happens if a thief manages to scoop up that Wallet ID? Could that give him access to all a customer's payment cards? There's no current mechanism for shutting down all of a shopper's cards. That's the hole with today's fraud systems: Everything at the processor and card-brand level was designed to protect cards, not wallets.
In late July, a U.K. programmer was at his local Tesco store when he noticed something unusual about a barcode. As programmers are inclined to do, he spent an inordinate amount of time online trying to decipher the barcode. He was joined in that effort by other like-minded techie folk, who eventually deciphered it. If that was the end of the story, it would be unremarkable in the extreme. But it's not, and it's Tesco's reaction that makes things interesting.
Tesco's reaction—overreaction? Ludicrously counterproductive overreaction?—was fueled by the interaction of mobile and self-checkout. That mobile/self-checkout part is where barcodes can be fed into systems manually. But if you think this is no more dangerous than a shopper getting a $3 half-gallon of milk for 3 cents, think again. It goes way beyond fake product barcodes to include fraudulent coupons, forged giftcards and SQL injection attacks.
A very interesting mini-report from Nielsen came out on Wednesday (Aug. 8), one that ranked the top mobile shopping apps used in June. But when it also listed those with the highest time spent, it glaringly failed to say why. And that "why" makes all of the difference.
In that category, Shopkick blew everyone away with an average of 3 hours, 19 minutes and 11 seconds. So why did Shopkick blow everyone else away in average time spent? It has to do with the nature of that app, not that its users were so enraptured by the content.
Is it even worth hardening PIN pads against hacking? After last week's story on Verifone's device-breach problems, one StorefrontBacktalk reader commented: "Hardening PIN pads just kicks the can a few feet down the road, the way PCI kicked magstripes down to Chip-and-PIN. But it's still the same can and the same road, so why do we think the same problems won't keep chasing us?" His conclusion: Make payment cards much smarter and eliminate the PIN pad entirely.
That's a great idea for large chains. But smaller merchants will have to buy in, too—and they're the reason every attempt to improve payment cards so far has failed.
Charlotte Russe, a 500-store youth apparel chain, recently cited almost 100 percent read-rates on its text messages, which pretty much indicates the lack of understanding of text open-rates. In...
Like many QSAs, PCI Columnist Walter Conway frequently gets asked whether pre-authorization cardholder data—that is, card data written on paper or stored electronically before the transaction is authorized—is in scope for PCI. His answer has always been that if you have any cardholder data, you must handle it in a PCI-compliant manner. That advice applies whether the data is pre-, post- or somewhere in the middle of the authorization process.
Unfortunately, some vague wording and a quote from the very first PCI Community Meeting caused some merchants to question this conclusion. They argued that cardholder data only comes into PCI scope after the transaction is authorized. We now can put this question to rest. The PCI Council has come out with an official statement to QSAs declaring that all cardholder data is in scope, whenever and wherever it is.
Vivotech is in trouble. The contactless PIN pad maker, which counts Home Depot and McDonald's among its customers, announced on July 27 that it is trying to sell its hardware business and restructuring. This came amid reports earlier the same day that the company was shutting down. Either way, Vivotech is the latest casualty of the failure of both contactless cards and mobile payments to get traction with consumers.
It's also another blow to the credibility of Google Wallet and ISIS (both signed up Vivotech as a POS partner) as well as PayPal's in-store payment system (Vivotech put a "Pay with PayPal" button on all those Home Depot PIN pads).
Now that Verifone, at last week's Black Hat security conference, has confirmed one of its popular U.K. PIN pads was hacked, is it time to rethink how POS devices can be maintained, managed and upgraded? It's very convenient to do so over a network or using special maintenance cards. But we may be at the point where that's simply not secure.
To be clear, Verifone only acknowledged that one of three hacked PIN pads came from it. In addition, the secure electronic payment technologies vendor said it's already testing a fix. Great—that means other PIN pad vendors have similar security issues. We just don't know which ones.
Should major chain sites use "make an offer" pricing? It sounds heretical, but it's being considered at several major chains. The most interesting argument is that it's a great way for retailers to circumvent minimum advertised price (MAP) restrictions. But could it boost sales of slow-moving SKUs? Even more outlandish, could it move more top-selling items?
This discussion, though, is really about a much more strategic and fundamental issue. With showrooming and reverse showrooming and everything in between, does the very nature of retail Web pricing have to be rethought? Once the price comes off the Web page, everything is up for discussion. Customized pricing? Pricing based on how generous shoppers have been with their last five purchases? Is this another way to ditch the bottom-feeder bargain hunters? Will chains offer deeper discounts to people who shop with a short list of their most direct rivals? Will Target.com charge a lower price to someone coming to its site from an Amazon visit as opposed to a Barnes & Noble visit? And could this flex pricing ever make the transition to in-store, leveraging mobile?