Top Stories



Can Item-Level RFID Pay For Itself By Cutting Theft? Well, Sort Of

October 12th, 2011

According to American Apparel, item-level RFID can pay for itself by cutting employee theft. The 285-store chain’s VP of Technology, Stacey Shulman, told RFID Journal that in stores using RFID for inventory accuracy, internal shrinkage has dropped by an average of 55 percent. (The chain started by putting RFID in 50 of its stores with the highest shrinkage rates.) As a result, the savings cover the deployment cost. Of course, that’s something of an accounting trick. Deploy any surveillance technology in a store with lots of employee theft and some thieves will get nervous and stop stealing—for a while.

Shrinkage drops, and IT can declare that RFID’s ROI is 100 percent. Then, by the time the thieves start stealing again, it’s hard to argue with item-level RFID’s other benefits in better accuracy and faster replenishment, which is why Macy’s is pushing item-level RFID hard. Besides, the theft rate might never return to its original levels, right? It’s also wise to remember that the only retail people who care about ROI are the people who can say “no”: your CFO’s team. And for IT projects, they check ROI once. So if it looks like thefts have been avoided, you get the credit. And given that the team won’t check again in four months, you’ll likely never get dinged if the reductions were short-lived. Short attention spans can be your friends.…


Count On Users To Foil NFC Payment Security

October 12th, 2011
Remember those demonstrations of how the payment-card numbers can be stolen from contactless cards by a thief carrying a card reader who bumps victims' wallets and purses in a crowd? Yes, it's been a staple of local TV news for years, and it's a legitimate potential security risk—a risk that was going to be eliminated by NFC mobile payments. That, it turns out, didn't quite work out the way the proponents of NFC phones were hoping it would.

The key to making phones more secure was supposed to be that a required PIN would prevent the NFC chip from being turned on most of the time, and the chip would be powered down quickly after a transaction when the screen went dark. That's certainly the way Google Wallet was designed for Android phones. But according to most of the reviews of Google Wallet, all that PIN-punching is a pain, and the phone's screen quickly going dark is annoying. Guess how secure that makes the NFC chip?


Why The NFC No-Show For Apple? It’s The Apple Experience

October 5th, 2011
Apple on Tuesday (Oct. 4) made the boldest—and smartest—mobile payment move it possibly could: nothing. Based on almost any metric—customer experience, market share domination, ROI/profit enhancement, pushing the sales of non-payment hardware/software, etc.—the right course now is for Apple to sit back and let Visa, Google, PayPal, Square and ISIS fight it out as they pay for the infrastructure. Then, when the bugs have been worked out so Apple can deliver its legendary "it just works" customer experience—then jump in.

Not unlike IBM in the 80s and 90s, Apple is in the highly enviable position that it can wait until it's time and then still dominate the market when it makes the move. Indeed, it might even be easier and more effective to do it that way. But that strategy will also determine who will define the retail NFC standards that matter—the ones on the checkout counter and in the retailer's datacenter. And that won't be Apple.


Amazon Tops Wal-Mart: Mobile Revenue 15X Greater

October 5th, 2011
Newly released mobile-commerce sales figures from major retail chains show a stunning difference in success, with the largest M-Commerce retailer—Amazon—making more than 15 times as much as the next largest M-Commerce revenue retailer: Wal-Mart. M-Commerce revenue plunged after that, with Amazon, for example, making 156 times the M-Commerce revenue of Home Depot. Part of the explanation is that retailers, in general, are doing quite poorly in M-Commerce sales. A new extensive ranking of the 300 largest M-Commerce companies—sequenced by M-Commerce revenue—shows only two retailers in the top 10 list.

The $2 billion Amazon is projected to make via transactions made by consumer phones is a non-trivial figure, given its $34.2 billion in global revenue of all types, according to the figures published by Internet Retailer. But note how quickly the numbers drop with its rivals. Wal-Mart, the only other retailer to make the overall top 10, appeared at slot 4 with $127.7 million. The third largest retailer—Staples—comes in at a projected $45.3 million this year, followed by Best Buy ($37.9 million), Macy's ($33.2 million), ($32.5 million), Foot Locker ($32 million), Sears ($31.7 million) and Overstock ($31.6 million).


Use Wi-Fi In Retail? Be Ready To Get Sued

October 5th, 2011

A mysterious patent troll that has already quietly sued restaurant chains Au Bon Pain, Panera, Caribou Coffee, Cosi and Corner Bakery Cafe and regional grocery chains Meijer, Dominick’s and U-Save for their Wi-Fi use, last month added hundreds of individual hotels to its list of defendants. That’s despite the fact that the retailers and hotels bought their Wi-Fi equipment from Cisco, Motorola and other vendors that had already paid license fees for the Wi-Fi patents.

What’s particularly clever is that the plaintiff, a company called Innovatio that acquired the patents from Broadcom, is only asking for between $2,300 and $5,000 from each defendant. That’s cheap enough that fighting in court doesn’t make financial sense—but it makes CIOs look bad for buying what turned out to be extremely expensive technology. Cisco and Motorola have filed their own lawsuit asking that a court declare their customers to be non-infringing, but that could take years. In the meantime, be prepared to be served. “This is not a seat-of-the-pants, fly-by-night shakedown,” Innovatio’s lead litigator told patent blog The Patent Examiner—Innovatio plans to go after “anyone who’s wireless networking.”…

Federal Reserve Listens To Security Vendor CEO Rip Into PCI

October 5th, 2011
Before a typically staid Federal Reserve Bank of Chicago symposium last week, the CEO of a security device vendor violated Jim Croce's rule of not tugging on Superman's cape. In a speech, the CEO ripped into the PCI Council, dubbing it a "dangerous false God" and saying that "PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority. It has and will continue to stifle innovation by its often nonsensical rule making." And she then stopped pulling her punches.

To put this into context, PCI has unquestionably improved retail security in the U.S. and few have suggested a concrete alternative approach that wouldn't bring with it even worse problems. Like the criminal courts, a system can be very far from perfection and still be the best of all alternatives. It's also true that when security choices are made, some vendors are not going to be happy with the new rules. Even with all of that said, the directness and intensity of the speech by Magtek CEO Mimi Hart is worthy of note.

Neiman Marcus Social Experiment Doesn’t Go Nearly Far Enough

October 5th, 2011
Neiman Marcus on September 29 announced an unusual-sounding Foursquare marketing campaign. The chain hid cards giving away 15 $1,000 handbags (Nancy Gonzalez clutches, to be precise) in its stores and used Foursquare to reveal a clue to help shoppers find the product. A statement the chain issued said the system would "indicate whether the user is in the vicinity of a hidden clutch." But in actual fact, the system didn't know anything beyond the fact that the consumer had entered a particular store.

It then offered a clue. For a store in Ft. Worth, Texas, for example, the tease said: "It may be a Full House but we are convinced you will go bananas for this bag. Find it and win the bag." The promotion couldn't really indicate how close the customer was to the gift, because Foursquare's GPS signal typically ends the instant the customer enters the building. Neiman Marcus couldn't go any farther, "because of our infrastructure. We'd need to have sensors all over the store," said Jean Scheidnes, the chain's manager of social media. But what if a chain did deploy such a network of in-store sensors? The potential could go way beyond fun and games.

Macy’s Pledging Item-Level RFID Chain-Wide By 2013

September 28th, 2011
Macy's on Wednesday (Sept. 28) pledged an aggressive chain-wide RFID rollout, promising to item-level tag some 700,000 UPCs in every Macy's and Bloomingdale's by the end of 2013. That will represent about a third of all of the $25 billion chain's products and one of the most aggressive retail item-level deployments yet. Macy's won't be tagging any of the replenishment goods directly, leaving that task to its suppliers, who will ship products to Macy's already tagged.

This massive item-level selling-floor-to-the-stockroom project began as a pilot at the Bloomingdale's New York SoHo, which is a pilot-friendly place apparently—the chain is now using Bloomingdale's SoHo to test Google Wallet. As a practical matter, this rollout will give Macy's a wide range of technology options as the potential of full item-level RFID gets closer. But Macy's is officially focused fully on just one RFID function: faster and more accurate inventory.

Traditional POS Purchases To Plummet Due To Mobile, IHL Reports

September 28th, 2011
Over the next four years, retailers will buy an average of 10 percent fewer traditional POS units, opting instead to use mobile checkout, according to an IHL Mobile study slated to be released next week. But that may be a misleadingly small change, because some sectors—such as specialty retailers—will see traditional POS purchases plunge by 20 percent in that same timeframe, which means "roughly 200,000 units going away. That's more than NCR ships for an entire year worldwide," said IHL President Greg Buzek.

Several elements over the next few years—the report projects out to 2015—will make this change even more dramatic. Some 45 percent of new stores will be "mom and pops that are just starting. There you'll see a tremendous impact," because the stores won't even start with a traditional POS, Buzek said. "Why pay $3,000 [for a traditional POS] when I can get an iPad and put Square on it? This is going to fundamentally change the mall in the next three years."

Mobile POS Beta Site Fear Keeps Checkout Right By Exit

September 28th, 2011
When the manager of a Florida hobby store was about to begin testing in-store mobile checkout as part of an NCR beta test in June, she envisioned using the devices throughout the store, to both free up POS space and give shoppers a faster experience. But like so many mobile-payment issues, those plans yielded to the reality of hosts of unanswered loss-prevention questions about the mobile payments. The manager ordered the Apple-based units be restricted to an existing POS area right by the exit.

As mobile payments inch along, retailers are trying to balance two concepts: the ideals of mobile-payment strategies with the mundane, practical logistics issues. And nowhere did those two concepts collide more clearly than in the one-location $3.5 million specialty store in Plantation, FL. How could someone at the door verify that the receipt is legitimate? For that matter, if the associate at the door is shown a digital receipt, how is he/she to know if it's a valid receipt—as opposed to a doctored image—unless the associate scans the receipt's barcode and runs a check to see if that item was indeed purchased in the prior 10 minutes?

The Latest Grocery Chain To Ditch Self-Checkout Adds Theft And Other Issues To The Debate

September 27th, 2011
In the ongoing battle of words over retail self-checkout with Kroger and Albertsons—with each side arguing to its customers that true customer love means rejecting/retaining self-checkout—the latest comes from a 75-year-old $1.5-billion regional grocery chain that was late to the game in beginning self-checkout and right in the middle of the rush to jettison it. But even though the chain certainly argued a customer service reason for the swift chain-wide exit, it also said that it couldn't stomach the high theft rate.

The Big Y chain, with 61 stores in Connecticut and Massachusetts, announced this month that it would kill all of its self-checkout lanes. "In the battle of Service vs. Self Checkouts, service won," the chain said in a short statement. In a conversation with a chain executive, though, the decision sounded a lot more complicated. To be blunt, it didn't seem as if the chain had ever been all that fond of self-checkout, which it first deployed back in 2003. "We were one of the last chains to get into the self-checkout game. We were really dragging our feet," said Claire D'Amour-Daley, the chain's VP for corporate communications.

PCI Strategy: Avoiding The “Anything But SAQ D” Dilemma

September 27th, 2011
The PCI SAQ process needs work, but SAQ C is especially problematic. Retailers who qualify for SAQ C process payments on a payment application connected to the Internet. The target audience for SAQ C is small merchants with a payment application on their personal computer, which connects to the Internet to process card transactions. Other requirements are that the merchants store no electronic cardholder data and that their computer is not "connected to any other systems in your environment."

In the real world, many retailers and franchisors (and franchisees) try to qualify to use SAQ C. PCI Columnist Walter Conway calls this the "anything but SAQ D" approach. In his experience, the biggest challenge of SAQ C is isolating the application server(s) from the rest of the merchant environment. Conway knows merchants who have devoted a lot of effort and changed their network so they can qualify for SAQ C. A recent clarification by the PCI Council, however, limits the ability of many retailers and franchisors to use this SAQ.

Is It Apple Vs. Google In Mobile Payments?

September 22nd, 2011
When Visa announced Monday (Sept. 19) that it had officially sold a license to Google Wallet, it signaled a key next step in the mobile payment maneuvers. Google now appears to have the best position with retailers, while ISIS gets love from banks and card issuers, and PayPal is relying on its own online payment abilities. Then there's the mobile payment candidate waiting in the wings. Will Apple in a month or so make its NFC mobile move?

That's increasingly likely—at least if Apple is ready. This particular fight may be moving to the hearts and phones of consumers, where two players—ISIS and PayPal—have serious handicaps. But consumers see Google as a search engine that does a lot of stuff for them for free. And if any company generates even more warm-and-fuzzy feelings than Google, it's Apple. And Apple also has a host of rarely-discussed huge mobile payment advantages, starting with the fact that it's a retailer and a darn innovative one at that.

PayPal’s In-Store Mobile Pitch Doesn’t Seem To Know Problems Even Exist

September 21st, 2011
PayPal's not-quite-a-mobile-payments-announcement on September 14 was a nearly perfect primer on how not to convince retailers you're a serious player in in-store payments: Trot out a collection of rebranded (but unintegrated) technologies—everything from your own mag-stripe cards to self-checkout by phone to yet another nonstandard use of PIN pads—and then demo them without any hint that you recognize the unsolved problems they carry, never mind having solutions.

The problem isn't just that PayPal has apparently done nothing to pull together its pile of recently acquired technologies into a suite of payment services. It's that each of these services has real problems that have dogged retailers' efforts at mobile payments for years. And astonishingly, PayPal doesn't seem to have solved any of them.

Is KFC Now Finger Scannin’ Good?

September 21st, 2011

Is the KFC chain now going to have to tell employees that it’s Finger Scannin’ Good? That’s a possibility, given a move announced Tuesday (Sept. 20) by two of its franchisees to abandon password access to POS and switch to a fingerprint biometric authentication system.

The advantages are initially compelling, in that it makes it so much harder for associates to impersonate managers for fraud, whether it’s for stealing money directly, manipulating payroll records or letting employees falsely sign in for each other. The problem is that bored, persistent and resourceful KFC employees—armed with almost unlimited access to these biometric devices and potentially lots of free time during slower parts of the day—are quite good at finding security holes. Will it be a piece of Scotch sticky tape that will fool the system? Maybe the system can be fooled into accepting a new—and non-existent—manager? Given that the fingerprints are not being stored (only a numeric representation of the fingerprint’s datapoints), could the number be faked instead? All in all, this biometric approach is probably a very good idea. But few things are secure enough to hold up to under-paid, young, bored QSR employees, especially when management will likely be slow to react, preferring to believe that fingerprint biometrics are foolproof. …

The PCI SAQ Problem: Versions Are Much Too Incomplete

September 20th, 2011
The shortened versions of the Self-Assessment Questionnaire (SAQ) have only one problem: They are incomplete. There are PCI requirements every merchant should meet beyond what is specified in any shortened SAQ. Any retailer that limits its PCI compliance effort to completing one of the shortened SAQs trades off security for compliance. That is, any merchants who think they need only meet the requirements of a shortened SAQ risk a data compromise that can result in ruinous fines and land them in the headlines for reasons they would rather not be there.

The SAQ is an excellent starting point, pens PCI Columnist Walter Conway. But it is not (and does not promise to be) an all-inclusive approach to achieving—not just validating—PCI compliance. In a previous column, Walt noted the PCI Council's point that slavishly (his terminology) completing a SAQ may not be enough to be PCI compliant.

New PCI P2PE Rules Drop Compliance Requirements To 2

September 20th, 2011
Last week's 96-page PCI Point-to-Point Encryption (P2PE) validation requirements document from the PCI Council offered retailers a non-trivial compliance carrot: Implement P2PE according to the Council's specs and see your PCI scope drop from 12 requirements to just two.

The big news is where the Council says in the report that "it is expected that PCI DSS controls that will be applicable to a merchant's validation will include (but will not be limited to): Protection of media and devices; Maintaining information security policies and training for personnel; Processes for management of third-party providers (including P2PE provider); Incident response and escalation procedures." That means a retailer implementing approved P2PE might reduce its PCI compliance to just requirements 9 and 12 (and maybe 11.1). The Council's words "will include (but not be limited to)" are important. We have, effectively, a new PCI standard with the accompanying infrastructure: detailed hardware and software specifications, an independent P2PE validation process and two new flavors of specialized QSAs.

Has Charming Shoppes Really Improved The Accuracy Of Buying Clothes Online?

September 15th, 2011
One of the legendary challenges selling apparel online has been getting clothes to fit. Sometimes, the fault is that customers can't measure correctly—or perhaps they don't want to measure correctly. Either way, if the clothes don't fit, everyone loses. On Monday (Sept. 12), the 1,989 stores in the Charming Shoppes chains (in 48 states branded as Lane Bryant, Cacique, Fashion Bug, Catherines Plus Sizes and Figi's) announced a survey tactic that replaces sizes and measurements with questions about body perceptions.

Company officials say they expect the system to be—please forgive us—measurably more accurate than any E-Commerce apparel tactic being used elsewhere today. The process starts with a database of between 80 and 90 questions and asks between 20 and 22 questions of each shopper, with each answer dictating the next question. If all goes well, the entire process should be completed within three minutes and it's often closer to 1.8 minutes.

BestBuy CIO Discusses Quadrupling The Number Of Her IT Managers

September 15th, 2011
Trying to regain detailed operational control over Best Buy operations, CIO Jody Davids has gotten board permission to do what major retailers are doing today: Hiring new IT managers by the hundreds. Indeed, what had initially looked like a 200-person boost—which alone would have roughly tripled the number of dedicated, salaried Best Buy IT people from about 100 to 300—is now looking like perhaps a 300-person boost, Davids said. Either way, it means a very different IT environment at the $50 billion chain.

Historically, those 100 Best Buy IT folk have managed "several thousand" IT contractors, Davids said, which puts Best Buy—albeit in a rather extreme way—in the same position as many other chains. Outsourced IT certainly has the advantages of scale and instant experts, in that it's a lot easier to bring in a team to create a specialized app for one business group and to then not rehire them when the project is over. That's much easier than having to hire and train employees and to then have to try and lay them all off.

ToysRUs Turns Friends Pick Up Into A CRM Goldmine

September 15th, 2011
When ToysRUs on September 8 added a "Family And Friends Pick Up" feature to its buy-online-pick-up-in-store service, it at first seemed like a nice little enhancement. But behind this seemingly cost-free convenience are layers-upon-layers of rich and highly actionable CRM data and other goodies.

The idea is straightforward enough. If a ToysRUs customer can't easily get to the local store, he/she asks a friend/relative to pick up the item as a favor. The initial customer simply is asked to give the picker-upper's first/last name, E-mail, phone number, address and the relation to purchaser. The picker-upper gets a direct E-mail message indicating the item is ready for pickup. Before going any further, ToysRUs is now picking up a bunch of verified E-mail addresses of people who are near its stores, along with other bits of wonderful data. Not only is the E-mail address verified (they had to receive the confirmation notice), but so are the name and address, courtesy of the driver's license or other ID they had to show when picking up the merchandise.

PCI’s New P2PE Rules Won’t Kick In Until Spring 2012 Or Later

September 15th, 2011
The PCI Council on Thursday (Sept. 15) will detail its initial guidelines for point-to-point encryption (P2PE), but retailers need not—and should not—take any near-term action. Nor should they sign any imminent contracts involving P2PE. Why? The Council will stress that the document—a 96-page detailed description of various P2P approaches and common-sense security processes for each—is only "the first set of validation requirements" and that key parts of the program won't even be in place for six to eight months and might be delayed even further.

Why such delays? First, the Council wants retailers to contract only for P2PE applications that appear on a Council list of applications validated to be PCI compliant. The problem? That list doesn't yet exist, and the list's creation is "targeted for Spring 2012," according to a draft copy of the Council's document. A second reason for the delay is PCI training of assessors. The Council isn't promising to identify the testing procedures until "the end of 2011" and "training opportunities" (which we assume means classes) won't be detailed until "Spring 2012." The report will say that the guidelines—even if perfectly followed—won't offer a path for a retailer to be considered out-of-scope. The best that a chain can hope for, according to the document, will be "reduced scope." But nowhere does the document say what exactly that would and wouldn't include.

Macy’s Statement Argues That IT Really Matters To Wall Street. Now If Only Wall Street Really Believed That

September 14th, 2011
When Macy's on Tuesday (Sept. 13) issued a statement summarizing a wide range of IT investments, including stores borrowing inventory from each other, a cosmetics kiosk, some tablet deployments, digital receipts, Wi-Fi, Google Wallet support and online chats (Really? No touting those newfangled UPC codes?), the fact that many of these IT efforts happened months ago made the compilation news release seem baffling. Baffling, that is, until we figured out the point: IT is now cool. Or at least Wall Street thinks it is.

To be specific, Wall Street doesn't think that all IT investments are cool. It's when IT investments come from companies where it's not expected. When eBay or, heaven forbid, Amazon invest in IT, Wall Street lets them have it with both spreadsheets, in a way that it would have never criticized Wal-Mart for opening new stores. But when the Sears and Macy's of the world start talking about these space-age computer thingies, stock analysts get all starry-eyed.

Now For All StorefrontBacktalk Readers: Five Monthlies Covering E-Commerce, Mobile, Security, In-Store And CRM

September 14th, 2011
Starting today (Sept. 14), we are making our monthly topic-specific newsletters available for all of our readers, for free. These five newsletters—each one covering solely E-Commerce, Mobile, PCI/Security, In-Store or CRM issues—have until now only been available to Premium subscribers.

For readers focused on any of those areas, the Monthlies provide an easy way to keep up-to-date and to make sure you don't miss any story important to your operation. The Monthlies also have two other helpful features.

When Wi-Fi Gets Too Fast, In-Store Customer Wi-Fi May Be Doomed

September 14th, 2011
What happens when Wi-Fi gets too fast to be useful to retailers? We should know in about three years. On Monday (Sept. 12), analyst firm ABI Research predicted that the next generation of Wi-Fi (officially known as IEEE 802.11ac) will become the dominant wireless protocol by 2014. The new Wi-Fi will be fast enough to pump out multiple streams of high-definition video—which will be a nightmare for stores offering customers Wi-Fi, because letting customers slurp up that much data would require each store to have an Internet connection roughly the same size as a large ISP.

Of course, that's only a problem if that high-bandwidth content comes from the Internet. If it's served from within the store, customers could receive a constant stream of commercials, product pitches and other videos on their smartphones and tablets. There's just one difficulty: If customers are accustomed to having a huge pipe to the Internet on their personal devices, they won't react well to retailers that have cut back their bandwidth ration to just enough for the Web, E-mail and Twitter—unless there's someone else available to blame.

Point-To-Point Encryption Guidance Arrives: Device Testing and Possible Surprises For Early Adopters

September 14th, 2011
The PCI Council on Thursday (Sept. 15) is releasing a guidance document on point-to-point encryption (P2PE). This technology—properly implemented—has the potential to reduce PCI scope greatly, and several retailers have already implemented it. But one issue may have early adopters digging up their vendor agreements: Are they sure their implementations—particularly the encrypting POS devices—will pass the Council's new Secure Card Reader testing program? Will their vendors replace the POS devices with compliant ones, assuming they can, and what will that cost?

The idea behind P2PE, pens PCI Columnist Walter Conway, is that an encrypting POS terminal encrypts the cardholder data (the first "point") immediately as the customer's card is swiped. A third-party service provider (the second "point," and often the merchant's card processor) manages both encryption and key management. The third party is the only one that can access the actual cardholder data. The result is that when P2PE is properly implemented, almost all the merchant's systems are out of PCI scope because the merchant has no way to decrypt the data or ever to get access to the clear-text cardholder data.

