Top Stories



CRM Isn’t Everything: Amidst An Outage, American Eagle Tries To Build Customer Trust

August 10th, 2011
American Eagle Outfitters suffered a Web site outage for more than 24 hours on Monday (Aug. 8), but the retailer came up with a clever way to keep customers from feeling completely in the dark. From about 6 a.m. Monday until 7 a.m. Tuesday, the site was unusable for E-Commerce and intermittently unavailable at all. But through most of the outage, customers saw a page headlined "Be Right Back!" that continued: "Leave your E-mail address and we'll give you a heads up when we're up and running. No worries, we won't add you to any lists or bother you in the future."

The retailer wouldn't say how many customers signed up for the notification or whether they received any special offers as an apology for the site being down. But the "leave your E-mail address" tactic is especially interesting because it specifically promised that the E-mail addresses would not be used for anything except notifying customers when the site was back up. That was probably a lost CRM opportunity, but it may have been much more valuable in rebuilding customer trust.


Borders Bankruptcy: Forget The Books. How Much Do You Want For Those IPv4 Addresses?

August 10th, 2011

As federal bankruptcy courts dismantle every last remaining piece of the once-mighty Borders book chain, including a CRM database of some 43 million loyalty-program customers, one asset caught the eye Wednesday (Aug. 10) of liquidators: IPv4 addresses.

In light of the severe global shortage of IPv4 addresses, this asset—far removed from the books and online files—may be the most valuable of all. “In addition to its trademarks and E-Commerce assets, Borders is the holder of a contiguous block of IPv4 addresses, which it seeks to transfer to a qualified buyer,” said Wednesday’s statement from Streambank, the company retained by the Bankruptcy Court for the Southern District of New York to market and sell the chain’s intellectual property assets. “Borders has established a worldwide reputation as a leading destination for buyers of physical and digital media including books, eBooks, eReaders and related accessories. Borders remains engaged with its customers through the E-Commerce site, which it expects to continue in business until transitioned to a new operator.” How sad is it that one of the nation’s largest bookstore chains is ripped apart and the most exciting asset is IP addresses? Talk about ego-deflation.…


Defining E-Commerce Is A Thorny Issue

August 10th, 2011
If a rose, by any other name, was purchased online but picked up in-store, would it still be E-Commerce? What if it was examined in-store but then purchased online—the showroom approach? That may sound like sophistry, but when retailers announce E-Commerce figures, are the numbers comparable?

Consider the latest E-Commerce stats released Monday (Aug. 8) by E-Commerce tracking firm ComScore. It reported some $37.5 billion worth of E-Commerce spending in Q2 2011, a 14 percent increase from a year ago. Even setting aside for the moment what the best definition for E-Commerce should be today, does merely thinking of rigid E-Commerce figures separately from in-store, isolated from mobile and apart from call center undermine retail merged-channel thinking? Anything purchased on Wal-Mart's mobile site is certainly M-Commerce, but what if a customer is accessing Wal-Mart's full Web site through a BlackBerry, iPhone or Android? And what if it's happening in-store and the search in question was activated by a barcode scan? The bard himself could barely have written the bonus plan that adequately covers that situation.


Will Visa’s Support For EMV Mean Fewer QSAs?

August 10th, 2011
Visa is now promising to waive PCI DSS compliance validation requirements if merchants have the right POS devices. Did we just hear Visa announce the end of the QSA Full Employment Act, a.k.a. PCI compliance validation, asks PCI Columnist Walter Conway? Will MasterCard, American Express and Discover likely follow suit? The program says that, after next October, a merchant meeting the program requirements does not need to re-validate its compliance. In other words, participating merchants are on the honor system for PCI. They neither need a QSA to assess their compliance, nor do they even need to file a self-assessment questionnaire (SAQ).

In the past, when the card brands wanted merchants to introduce new technology, they offered incentive (i.e., lower) interchange rates. This time, Visa is offering no interchange fee discount. Instead, the incentive is the opportunity for Level 1 and some Level 2 merchants (those with more than one million Visa transactions a year) to reduce the cost of their outside assessments. Bottom line: the Technology Innovation Program (TIP) doesn't cost Visa or its issuers a penny. Before, issuers paid for merchants to implement new technology (e.g., TIIF and TIIF2 incentive interchange rates). Now they are saying, "Hey, we'll keep the interchange but save you having to pay QSAs. But if you get breached, the same fines apply." Neat. They're transferring who pays.


Heartland Jumps Into Mobile Payments—And New Security Problems

August 10th, 2011

If you thought only phone makers, payment-card brands, mobile carriers or startups believe they can do mobile payments—well, add card processors to that list. On Tuesday (Aug. 9), Heartland Payment Systems announced Mobuyle, its own app and $75 hardware plug-in for Android phones to let its merchant customers take card payments via mobile. Like Square, the plug-in card swiper attaches to the phone’s audio port; unlike Square, the Heartland hardware encrypts the card data before it’s sent to the phone. (Heartland has been big on end-to-end encryption ever since its headline-making $129 million data breach in 2008.)

Heartland is pitching Mobuyle only to its own customers, so it dodges some complications—Mobuyle just has to mimic a Heartland PIN pad. But plenty of so-far-unresolved mobile-payment issues still come into play. If a retailer enters a card number manually, could it be captured by malware before it’s encrypted? What if an OS update breaks the security? Will retailers even have the legal right to send that type of data from their phones? How well Heartland deals with such questions could determine whether it will end up in the headlines all over again.…

eBay Could Be The New Amazon Under Internet Sales-Tax Law

August 4th, 2011
Online auctioneer eBay is leading the fight against a proposed federal law allowing Internet sales taxes, and for very good reason: eBay, which currently collects no sales taxes, could find itself in the position of having to not only collect sales taxes for thousands of jurisdictions but spend a huge amount of effort closely tracking every auction to determine where buyers are located and whether sales tax is required on each item.

The "Main Street Fairness Act" introduced on July 29 would require conventional online retailers—including Amazon, which supports the bill—to collect sales taxes for states that meet the law's requirements (24 states currently do). But exactly how the law would apply to non-traditional retailers like eBay isn't so clear. That means Amazon could find itself no longer appealing a lawsuit in New York, launching a ballot measure in California and fighting "Amazon law" brushfires in other states—while eBay could face an IT nightmare.

Instant Face ID: CRM Will Never Be The Same

August 4th, 2011
In a development that will have a huge impact on retail CRM and IT security operations, a series of Carnegie-Mellon University experiments has established startling recent improvements in facial recognition. The biometric technology improvements would be meaningless, though, were it not for a social-media-fueled avalanche of tagged images and personal information.

The combination makes absolutely practical a science-fiction-like scenario of customers being identified as they walk into a store by virtue of their face alone. Cameras at POS could match faces with names from a payment card, thereby enabling the customer to be subsequently identified and tracked without a loyalty card. The CMU experiments suggest an even more powerful privacy-smashing scenario, with consumers walking into a store identified by any site that has ever posted their pictures. Imagine a loyalty program with 90 percent participation, requiring no effort—nor, for that matter, intent or consent—from any customers. An absence of laws will make the ethics of retail senior executives the only boundary. (Uh-oh.)

More Bad News For EMV Security

August 3rd, 2011
For years, EMV has been touted as a more secure payment card approach. But a presentation being made at this week's Black Hat conference is the latest to say that the technology has fatal security flaws and, indeed, that its sophistication is its Achilles' heel.

For the U.S. retailer, this news may further erode any movement toward Chip-and-PIN, an effort that had already effectively been stalled by retailer apathy. Despite a push last year by Wal-Mart, retailers have shown almost no interest in making the change. The move in the U.S. toward mobile payment, which is unlikely to be easily compatible with current-day EMV efforts, is the latest Chip-and-PIN roadblock.

Does Card Present Make Sense Any More? What Should It Look Like In A Year?

August 3rd, 2011
When a payments vendor last week touted a Webcam-based E-Commerce method that would be considered card present, it raised questions over whether the very concept of card present in a late-2011 retail world needs to be updated.

With mobile-payment trials in the wings from Google, PayPal, ISIS and Visa, among others, what should card present mean? Does it have to mean the actual card? Can it mean all of the data—including Track 1 and 2—from such a card? As payment form factors evolve, does the interchange definition need to grow with it?

What Would PCI Say About Filming Payment Cards? We Shouldn’t Use That Type Of Language

August 3rd, 2011
Words matter. When one uses terms like "two-factor authentication," "sensitive authentication data" or "high vulnerability" in the context of PCI DSS, the words convey a very specific meaning. Each term conveys specific information, and misuse leads to confusion and errors, pens PCI Columnist Walt Conway. A recent payment vendor move—using Webcam footage of payment cards supposedly to deliver some card-present-like advantages—misused some important payment-card terminology. The product also raises new security problems. Confusion is bad, but increased risk is far worse.

If increased risk is not enough, using video to capture payment-card information means that retailers would have to absorb all the cost of complying with every PCI requirement without the benefit of lower interchange fees. One also has to wonder if using video cameras to validate cards means retailers will need to search for rogue video devices the same way they must test for the presence of rogue wireless access points today. Speaking of videos, another bad-guy trick could be harvesting legitimate cardholders' videos and selling them like stolen PANs. This technology could result in an entirely new secondary carders market.

Visa: Sorry, We Can’t Help Australia Collect Sales Tax

August 3rd, 2011
E-tailers aren't the only ones facing demands that they charge customers sales taxes that are hard for anyone else to collect. Visa has sent a letter to Australia's Productivity Commission explaining why the card brand can't collect the country's goods and services tax (GST) on overseas transactions done with Visa cards. This response comes after the commission asked for technical details about whether that tax collection would be possible. Visa's pointedly polite explanation: It can't be done, at least not by Visa.

Visa's response comes in the context of increasing efforts on the part of taxing authorities trying to deal with E-Commerce that stretches beyond their borders. In the case of Australia, any overseas transaction less than $1,000 has been exempt from the GST. Although local brick-and-mortar retail chains are pushing to end that exemption, Australian tax bureaucrats have already concluded it's impractical to collect the GST on small purchases—it would cost more to collect than the tax would bring in.

M-Commerce Speed Differences Can Hit 13-Fold

August 3rd, 2011
Nowhere in the electronic commerce world is speed more critical than with mobile commerce, where an extra few seconds on an Android can feel to a consumer a lot longer than those same few seconds on a desktop. And just to prove that the solar system has a sense of humor—or perhaps a sense of sadism—nowhere are performance differences more sharp than in retail M-Commerce.

The latest stats from Web performance tracker Gomez show some of the faster sites (including QVC and Amazon) sometimes delivering speeds 13 times faster than what their slower counterparts (including Target, HSN and Netflix) are delivering. In April, for example, QVC had an average response time of 2.2 seconds, while Netflix delivered 28.6 seconds. In May, QVC scored 1.5 seconds to Netflix's 11.3 seconds and Office Depot's 8.5 seconds. In June, QVC was clocked at 2.3 seconds and Amazon at 4.6 seconds, compared with Wal-Mart at 9.7 seconds, Target at 9.6 seconds and HSN at 10.8 seconds.

Buy Online-Pick-Up-In-Store, Grocery Style. Hannaford’s Efficiency Experiment

August 3rd, 2011
The 178-store Hannaford grocery chain is trialing a grocery tweak on buy-online-pick-up-in-store, where shoppers select almost anything from the test store's 40,000 SKUs and then drive to the store, where the order is loaded into the customer's trunk. The effort, which involves three isolated temperature-controlled holding areas, pits employee efficiency against thin grocery profit margins. The Hannaford-to-go program is also likely to cost the chain some impulse purchases, but that's the downside of any E-Commerce effort. The question is whether this program will lure in more customers and/or build more loyalty from existing shoppers.

The trial, which was launched in mid-March at one New Hampshire store and is slated to expand to a second store "in the fall," has "gotten off to a better start than we expected. We found that [customers] shopped the whole store. That surprised us a bit," said Mike Norton, a spokesman for the five-state regional chain, with stores in Maine, New Hampshire, Vermont, Massachusetts and New York.

Level 3 Merchants Hit PCI Compliance At 60 Percent, Visa Confirms Numbers For The First Time

August 3rd, 2011

Visa’s latest PCI compliance stats report Level 3 compliance for the first time, and it opened at a discomforting 60 percent. The 3,024 retailers in Level 3—which reflects those processing 20,000 to 1 million Visa E-Commerce transactions annually—had previously had their compliance level marked only as “moderate.” The 377 Level 1 merchants (processing more than 6 million Visa transactions annually) saw their compliance inch up from 96 percent six months earlier to 97 percent as of June 30.

The 881 Level 2 merchants (1 million to 6 million Visa transactions annually) maintained their exact compliance level from the end of 2010, holding at 96 percent. The compliance level of the more than 5 million Level 4 merchants—those retailers processing fewer than 20,000 Visa E-Commerce transactions annually, along with retailers processing as many as 1 million Visa transactions of any type annually—is still secret, with Visa continuing to identify it as “moderate.” It’s hard to read too much into that moderate designation, but it’s not too far-fetched to assume that Visa wanted to wait until Level 3 compliance was high enough to announce. If so, that would suggest that Level 4s are now well south of 60 percent, a suggestion that should surprise absolutely no one. …

Instant Insider: Harvard Hacker Breaches Network Security By Walking Right In

July 27th, 2011
This month brought another reminder that retailers have to defend their networks not just against thieves hacking in—but also against thieves walking in. A Harvard University activist (and fellow at Harvard's Center for Ethics, for what that's worth) named Aaron Swartz was indicted this month after he walked into an unguarded basement on the MIT campus, connected a laptop to a switch in a network wiring closet and spent the next two months illegally downloading millions of documents from a university archive.

If that doesn't sound like a template for your worst security nightmares, just substitute "shopping mall" for campus and "payment-card transactions" for documents. True insiders may be the source of most security problems—such as a fired Gucci network administrator—but when network wiring is unprotected, any thief can become an instant insider. What makes Swartz's success even more chilling is that MIT's network security team had spotted and blocked his access a month before. But once Swartz connected directly to the switch, because he was attacking from an unexpected direction, network security didn't notice for months.

“Card-Present” Transactions From Across The Web? Not Exactly

July 27th, 2011
New ideas for keeping E-Commerce payments secure are coming thick and fast—and some of their purveyors are playing just a little fast and loose with the benefit buzzwords. Case in point: On Tuesday (July 26), Jumio announced a service called Netswipe, which lets E-Commerce customers hold payment cards up to their PC's webcam for processing. The Netswipe software takes over the webcam to scan the card using secure streaming video, decide if the card is real or fake and then extract the card number. The idea is clever. Not so clever is Jumio's boast that this approach lets E-tailers do "card-present" transactions remotely.

Card present? That's certainly the right buzzword to get the attention of big retailers, who know it means lower interchange fees. But what exactly does it mean to have a card-present transaction where the card is only present at the far end of an Internet connection? Answer: Not much.

California Book Legislation Doesn’t Understand How Retailers Work

July 27th, 2011
If you're selling books in California, you may soon have to handle all customer data very differently. If a piece of legislation now winding its way through the California legislature becomes a law, new restrictions on your record-keeping and file maintenance will extend far beyond the sales of actual books.

The legislation, which has more holes than a chunk of Swiss cheese, would place these burdens on retailers while ignoring a lengthy list of other people in the retail environment who have access to the identical data. The key problem, pens Legal Columnist Mark Rasch: The writers of the legislation didn't think much about how retailers do their magic.

Sears Canada Gambles On An Online Group-Coupon Deal That Excludes Online Customers

July 27th, 2011

Cross-channel retailing doesn’t display its weird moments any more clearly than this: Last week, Sears Canada offered a group-coupon deal ($25 for a coupon good for any merchandise worth $50) through Canadian Groupon competitor All 5,000 vouchers sold by the first afternoon of the three-day deal, so the promotion was clearly a success. But Sears wants the coupons to pull customers into its stores now, during the lull before back-to-school shopping starts. As such, the coupons specifically exclude online sales—they’re good in-store only. Unfortunately for Sears, and as usual with such deals, the coupons are good for 90 days—long past Sears’ target shopping window.

That means the promotion could be a sell-out success and a complete failure if coupon buyers decide to just wait a month until they would have hit the stores anyway. The in-store-only requirement could also irritate the online-oriented customers Sears was targeting. And even if a group-coupon promotion works for the first time with a big retailer that is not a discount apparel chain, sorting out why it worked may be impossible. There may just be too many built-in contradictions for Sears to be able to work out whether this is a case of highly tuned cross-channel retailing—or just dumb luck.…

Macy’s Won’t Make Its RFID Move Until Everyone Else Does

July 27th, 2011
Macy's is quickly moving ahead with its RFID item-level tagging efforts, with one report saying the testing has expanded to six distribution centers. But the retailer is saying that significant additional moves will only happen when key competing retailers make their item-level RFID moves. It seems that the $25 billion chain has figured out the difference between being an industry leader and leading an army of one.

Nowhere is that distinction more critical than with item-level RFID. Suppliers will resist—if they resisted the early Wal-Mart edicts and risked the wrath of Bentonville, they'll resist Macy's—and they'll only sign on either when they see concrete benefits or when the percentage of retailers making the move is so high that they have no option but to comply.

Despite—And Actually Because Of—The Numbers, Hispanic Retail Sites Are A Bad Idea

July 27th, 2011
With more than 30 million Hispanic consumers in the U.S. spending tens of billions of dollars a year, it would seem to be a no-brainer that major retail chains should have Spanish-language versions of their sites. In reality, not only is it not a no-brainer to create such a site, it turns out to be an impressively bad idea to try.

It's not that the Hispanic segment is not a critically important one for retail. It absolutely is. But the reality is that there are far better ways to reach that audience than a Spanish Web site—and that such site creations come with massive downsides. It's not a trivial investment to create a full version of a chain's site in another language, which means that the benefits have to overcome that. And that's where the math comes in.

More Relief For Retailers: Giftcard Patent Case Unlikely To Be Appealed As Plaintiff Is Running Out Of Money

July 27th, 2011
The dozens of major retail chains that have been sued for giftcard patent violations have received more good news. As the rapidly dissolving cases against them dissolved yet further, the suing vendor released a statement saying that an appeal of an unfavorable key ruling is becoming less likely as its dollars run short.

The vendor, Card Activation Technologies (CAT), has sued quite a few major chains over the last years, including RadioShack, 7-Eleven, Nordstrom, Macy's, Starbucks, JCPenney, Sears, OfficeMax, TJX, McDonald's, Walgreens, Barnes & Noble, Aeropostale, Lane Bryant, Blockbuster, Fashion Bug, Cabela's, Guess, Panera Bread, Giorgio Armani, Caché, Denny's, Sunglass Hut Trading and the Brown Group Retail (doing business as Famous Footwear). But CAT's position began to implode earlier this month when a federal judge invalidated all but three of its claims against the retailers. That move followed a preliminary report from the U.S. Patent Office that it was also about to invalidate all of CAT's claims. CAT then surrendered its last claims, pending an appeal.

With Mobile Money, Does Scale Beat Speed? ISIS Hopes So

July 21st, 2011
ISIS is all about scale. That seems to be the message from the mobile-payments consortium backed by AT&T, Verizon and T-Mobile, which on Tuesday (July 19) announced that it has cut deals with Visa, MasterCard and American Express for its mobile wallet trials next summer in Salt Lake City and Austin. Unfortunately for ISIS, it's up against Google, which starts testing its own mobile wallet this September with a dozen big retailers in five major cities. That's a whole different type of scale. True, having the four biggest U.S. payment-card brands on board (Discover has been with ISIS from the start) should indeed give ISIS all the scale it needs to set up a very large mobile-payments system. Adding lots of card-issuing banks is next on the to-do list, according to an ISIS spokesman. But all that scaled-up payment infrastructure won't do ISIS much good until it can scale up its appeal to retailers and customers—and then convince them that ISIS' coupons-and-loyalty-cards mobile wallet is worth waiting for, especially when Google will have almost a year's head start for something that sounds remarkably similar.

Sears Price Glitch: Is It Time To Slow Down Third-Party Site Access?

July 21st, 2011
Allowing third parties to directly control parts of your site is a great way to improve efficiency: They can generate online disasters at a fraction of the cost of doing it yourself. Such is the lesson that Sears learned—or should we say re-learned—last week when the retailer found itself selling $500 iPads for $69.

Sears has at least learned to share the pain, as the Sears third party that glitched the pricing—GSM Onsale—found its site down within hours. GSM said the pricing error was "due to a software maintenance error." What happened to its site is more of a mystery. went down shortly after the Sears glitch, with a note that said "our online site is currently closed for maintenance. Please visit us again soon." Six days later, the site is still down. Also, the message had something that we've never seen before with a site that expects to be back up anytime soon: a large red "Closed" icon in the middle of the page.

California Law Will Mean More Privacy For Book Buyers—And Much More Paperwork For Booksellers

July 21st, 2011
California is about to ban booksellers from sharing information about what their customers buy. The Reader Privacy Act, which has already passed the state Senate and is well on its way to becoming law, would prohibit bookstores—including almost any retailer that sells books—from disclosing what a customer reads unless the customer agrees or a judge orders it.

The legislation reaches well beyond bookstores and physical books, covering audio books and E-readers as well as almost any retail chain that includes a books section. (Barnes & Noble? Definitely. Wal-Mart? Certainly. Safeway? Maybe.) The bad news: Retailers covered by the law will be required to create a detailed, publicly available annual report covering how much customer information was disclosed the previous year—whether it was disclosed with customer approval or not.

Macy’s LP Approach Of Monitoring Dressing Rooms From The Inside Is In Major Need Of An IT Fix

July 21st, 2011
A Macy's loss-prevention program, which involved security employees surreptitiously having a complete view of customers getting changed in its dressing rooms, is embarrassing primarily because it could have been avoided with some help from the retailer's IT group.

The program was reported on by a Florida TV station, when an apparent Macy's LP employee revealed that the slots on some dressing room doors were turned upside down, thereby providing an unobstructed view of sometimes naked customers. The station said it confirmed the program in Macy's stores in Florida and Washington, D.C.

