Top Stories


Payment Systems

Russian Mall Trying Unorthodox Bluetooth Tactic

January 23rd, 2013

An unorthodox use of Bluetooth is being tested at a huge Russian shopping mall for both in-store customer location and payment transactions. The catch: It’s extremely nonstandard. Instead of pairing with customer smartphones the way Bluetooth devices usually would, individual devices throughout the store broadcast amped-up signals (range: 100 meters, rather than Bluetooth’s usual 30 to 50 meters) that tell a smartphone app about discounts and specials. If the signal from, say, the display of Bartlett pears is strongest (because it’s the nearest broadcaster) and if it meets various demographic criteria (send this one to only males, this one to shoppers older than 70, etc.), that’s the signal the app displays. Meanwhile, other Bluetooth signals with very low range (a few millimeters) are used for payments—no NFC required.

We saw this demonstrated at last week’s NRF show by vendor WiseSec, and it’s clever. But WiseSec says some retailers with especially large footprints may need as many as 50 or 60 Bluetooth beacons per store. With a 100-meter range, multiple stores in a mall will overlap, which is why the differentiation of signal makes sense. A potentially bigger problem: If you’re using high-powered, nonstandard Bluetooth signals, could they interfere with other Bluetooth devices (in-store that means everything from customer phone headsets to POS keyboards)? Not that we don’t trust the Muscovites, but we’ll like this a lot better once we see it not interfering with American or Western European customers and their toys.…


Retail Facial Recognition Comes Of Age

January 23rd, 2013
Some years ago, Legal Columnist Mark Rasch demoed an ATM that had no card, no chip, no PIN and only a limited keyboard. The ATM used facial recognition software to identify him, so he only had to walk up to the machine, type in $20 from checking and, voila! Money dispensed. Assuming that everything works as promised and that facial recognition software is close to 100 percent accurate and reliable, retailers should consider the legal, privacy and compliance issues related to biometrics before rushing in.

Like all innovative technologies (from credit cards to loss prevention devices), it's not clear yet whether consumers will embrace or reject the new technology, or how regulators will ultimately react.


Are Franchisees The New Sweet Spot For Card Data Thieves?

January 17th, 2013
The payment-card breach revealed on January 11 by 560-store restaurant chain Zaxby's throws a light on what may be the near-future of major breaches. The chain said it found malware on systems at 108 stores across the southeastern U.S. after card processors identified the stores as common points of purchase for fraudulent card activity.

But Zaxby's doesn't operate any of the stores—they're all franchisees, putting both the company and the franchisees in a worst-of-both-worlds situation.


MCX Embracing QR Codes, The Cloud And Unparalleled Vagueness

January 17th, 2013
Merchant Customer Exchange, the retail group trying to offer its own mobile wallet, plans on using QR codes as the heart of its cloud-based payment app, the group announced Monday (Jan. 14). But beyond the QR code detail and the names of a few new retail members—including Meijer and Wawa—little was discussed during an hour-long panel that meaningfully addressed how the group plans on making a difference, beyond the general platitudes MCX has stressed since its March 2012 launch.

What was different this time, though, is that members were more candid in explaining why they have the goals they do, even if they were not especially forthcoming in how they plan on achieving those goals. The group, for example, re-stressed its intent that data from one chain will not be shared with another chain. Jay Culotta, the treasurer at regional convenience chain Wawa, said many of the mobile vendors say they are not—today—planning on sharing data, but they refuse to say what will happen down the road. "It's not a forever situation," Culotta said, adding that the temptations for leveraging such data will likely be overwhelming. "It's unclear what their business case would be without monetizing that data."


Reassembling Albertsons: It Won’t Be Easy, But It Has To Be Fast

January 16th, 2013
Putting Albertsons back together again won't be as easy as it looks. The grocery chain was split in 2006 between Supervalu and private equity firm Cerberus Capital Management, with both chains using the same logo in different geographic regions. But on January 10 the two owners decided to reunite what will now be a 650-store chain in a complicated deal that leaves only one thing very clear: These money managers aren't thinking about IT when it comes to reassembling the chain.

Yes, the Albertsons logo is the same on both sides. But seven years later, everything from self-checkout to loyalty to POS to prescription systems is now different across the soon-to-be-unsplit chain. And everything will have to be merged—and fast.

Home Depot Privacy Pratfall: Spotting Web Shoppers In-Store

January 16th, 2013
Home Depot has been using a CRM practice that uses payment-card numbers to match in-store customers with their online purchases. It's a move that, although likely passable for PCI, is rather unnerving to privacy advocates. Home Depot officials stress that they only use the technique with shoppers who opt in, an argument that is somewhat tempered by how often consumers don't even notice privacy opt-in and opt-out Web site declarations. The chain has been using this technique for various purposes, including E-mailing in-store customers to ask them to review their recent purchases.

Home Depot's use of the card-matching procedure is not that unusual among major chains, but the norm is for the effort to be kept internal, to help improve general marketing. It was Home Depot's reaching out to customers that made some of them realize what was going on. And therein lies the problem.

PayPal Is Touting Everything Mobile It Can, Except Shoppers Using It

January 16th, 2013
Sometimes, it's what is not talked about in a news release that is much more informative than what is. Consider PayPal. On Monday (Jan. 14), the eBay subsidiary named 21 chains signed up to offer brick-and-mortar PayPal (along with two more chains too shy to be identified) and said its system is now available in 18,000 store locations. That's the good news: PayPal is now the most widely available U.S. mobile-payments provider, with more stores using it at POS than even the very successful Starbucks approach.

The bad news: PayPal has said nothing whatsoever about how many shoppers in all of these stores, plus Home Depot, JCPenney, Abercrombie & Fitch, Toys”R”Us, Foot Locker and Barnes & Noble, have actually used the service. And of those who did, how many came back to use it again? How many dollars are shoppers pushing through the retail PayPal system? You know that if those figures were anything less than humiliating, they'd have been released by now.

The Legal Quicksand Of Giving Online Stuff Away For Free

January 16th, 2013
We all love to get stuff for free. Whether it is a coupon, a sample or a trial, if it's free, it's good. For retailers, offering a freebie can get customers used to using their products or services, may engender goodwill and may be a smart business decision. But if those retailers fail to adequately define the terms of the free trial, pens Legal Columnist Mark Rasch, they may be setting themselves up for a disaster.

This holiday season, Rasch was walking through the mall seeking out the See's Candies ladies with their free samples. "I would gladly take a chocolate lollipop or a toffee square, circle the mall and come back for another. The free sample came with no terms or conditions and no obvious limitations on access or use. Could I then argue that, because See's was giving away chocolate lollipops, these items were 'free' and that I was, therefore, lawfully entitled to take six or seven boxes from behind the counter without paying for them? Absurd. But why? Because in the real world, we have loosely formed social conventions and a system of shaming to enforce them."

How Many Will Join The Lone Systems Integrator On PCI’s New List?

January 9th, 2013
The PCI Council's Qualified Integrator and Reseller (QIR) program is officially up and running. Reliant Security is the first systems integrator to qualify under the QIR program and be listed on the PCI Council's Web site. Qualifying the first systems integrator is a significant milestone, one that follows last May's announcement of the QIR program and the beginning of formalized training this past autumn.

What everyone involved in retail payments will now want to see, pens PCI Columnist Walter Conway, is how many other resellers and systems integrators will join Reliant. The ultimate success of the QIR program depends on the decisions made by retailers, payment application vendors and, quite possibly, the PCI Council and even the card brands, too.

Interchange Settlement Not Done, But Clock Is Ticking Anyway For Retailer Surcharges

January 9th, 2013

The legal fight over the interchange settlement is still going on, but the deal’s first effects will still show up this month. Beginning January 27, retailers will have the option of tacking on a surcharge for payment-card transactions. No, the class-action settlement still hasn’t gotten final approval, but the terms take effect 60 days after U.S. District Court Judge John Gleeson gave it preliminary approval in November 2012. (It’ll be rolled back if the settlement is ultimately rejected.)

Let’s be clear: Add-on swipe fees are still illegal in New York, California, Florida, Texas, Connecticut, Massachusetts, Maine, Colorado, Oklahoma and Kansas, which together represent about 40 percent of U.S. retail sales. And many big chains have already said they think a surcharge will encourage customers to walk away at the POS, so they’re not doing it. That means retailers who do implement a surcharge will make a nice lab test for the rest of retail to see how much customers are willing to accept. The answer is probably “not much”—U.S. customers love their plastic—but we may yet be surprised. There was a time when banks and airlines thought they couldn’t get away with nickel-and-diming their customers to death, either.…

StorefrontBacktalk’s Next Chapter

January 8th, 2013
As the founder of StorefrontBacktalk, I am thrilled to announce today that StorefrontBacktalk is now a member of the FierceMarkets family of B2B publications. FierceMarkets is a wholly owned subsidiary of the Questex Media Group.

Our voice and approach—for good or for bad—will not change, and we have been told to continue delivering the same mix of breaking retail IT stories, analysis and opinion columns. (Yes, and some truly awful jokes. It's in the contract that those stay.) The bylines here will stay, as Frank Hayes, PCI Columnist Walt Conway, Legal Columnist Mark Rasch and the rest of the team will continue to do that which we do. Me, too.

New Child Protection Rules Create A Retail Catch-22

January 2nd, 2013
A few days before Christmas, the U.S. Federal Trade Commission (FTC) approved major changes to its online child protection rules, including adding geolocation data, IP address and mobile device ID to the information that can't be recorded from a site visitor who is younger than 13 years old.

The problem for retail chains is the vagueness of definitions for sites aimed at children. Is the toy section of such a site? What about games at Then there's the Catch-22 of asking ages online. If you ask, you'll be required to segregate the data from anyone in that age group and handle it—no pun intended—with kid gloves. (No pun intended. That was a play on words, not a pun.) And if you don't ask, you have the perfect defense that you didn't knowingly collect data from under-age shoppers without parental consent. Did the FTC really intend to encourage what Legal Columnist Mark Rasch calls the Sgt. Schultz Defense?

Shoppers Want Mobile To Replace Cards And Cash, Just Not Their Cards And Cash

December 12th, 2012
If you're looking for more evidence of the bipolar nature of mobile shoppers, look no further. The Harris Poll people have what you need. In what should be called the NIMBY (Not In My Backyard) effect, some 66 percent of Americans polled said they expect mobile payments to eventually replace payment cards and even cash—but not their cards and cash.

When asked if they personally want to use mobile as a payment device, the overwhelmingly strongest answer—across literally every demographic group sampled—was the single answer of "not very or not at all interested." That's a wonderful statistical illustration of today's challenge for mobile payment: A lot of people think it's a great idea, but they personally have no interest in doing it. It's great, though, they believe, for everybody else.

Appeals Court Deals Another Blow To Card Activation Giftcard Patent Lawsuits

December 12th, 2012

The ongoing saga of Card Activation Technologies (CAT)—the gift card patent owner that has been suing many of the nation’s largest retailers including RadioShack, 7-Eleven, Nordstrom, Macy’s, Starbucks, JCPenney, Sears, OfficeMax, TJX, McDonald’s and Walgreens—took another bad turn for CAT as a federal appeals panel upheld on Monday (Dec. 10) a federal court that had ruled against CAT. CAT has previously said that all of its survival hopes are based on a successful appeal. The financially strapped CAT’s only choice now is to try an appeal to the full circuit or even to appeal to the U.S. Supreme Court directly, both of which would be considered long shots.

Still, CAT attorney Mark Peterson said his client has about 30 days to decide its next move. The case that the Third Circuit sustained included a memorable line from Kent A. Jordan, who was serving as trial judge but who is primarily a member of the appellate panel. Jordan referred to one CAT claim, involving granting another party more time to amend a complaint, with the comment that “it takes some chutzpah to mount those objections.” It’s likely to take more than chutzpah for CAT to mount another appeal.…

Microsoft Pop-Up Stores: Apple (And Walmart) Shouldn’t Sweat

December 5th, 2012
Microsoft has retail dreams to rival Apple's chain of stores, but we're pretty sure this isn't going to help: A blogger on November 29 reported buying a Surface tablet at a Microsoft pop-up store in a New York City mall and then watching the PC-based POS system crash twice, requiring two separate reboots to complete the transaction.

This would be a little less embarrassing for Microsoft if not for the fact that the repeatedly crashing operating system was either Windows or Microsoft's own customized version that it sells as a POS system. This is not the way you demonstrate your retail expertise—or compete with Apple.

Is Bluetooth, *Gasp,* A Viable Mobile Checkout Alternative?

December 4th, 2012
In the world of in-aisle mobile checkout, device size and convenience are critical, given that today's typical associate ships with only two arms. That would certainly argue against associates having to carry two devices, synched via Bluetooth, to perform a checkout. But the almost-having-cornered-the-market nature of iPads and iPhones in in-store mobile checkout, coupled with Apple's new and incompatible Lightning connection port, may force some inconvenient near-term options.

On Monday (Dec. 3), a European mobile and E-Commerce payments and POS card reader vendor (Adyen) introduced a device that can handle both magstripe and EMV, which certainly makes sense for Europe. The interesting part, though, is that the Adyen approach uses two units (a reader/scanner and the Apple or Android smartphone or tablet) connected by Bluetooth. That's a lot of hardware for an associate to lug around in the aisles, but it's apparently necessary (at least now) for the EMV functionality. It also nicely—if unintentionally—sidesteps the Apple Lightning problem. Indeed, Bluetooth would theoretically avoid other interface upgrade issues, too. Is the trade-off worth it?

Retail Lessons From South Carolina’s Data Breach

December 3rd, 2012
PCI Columnist Walter Conway has been thinking about South Carolina, which is living through a major data breach involving millions of personal and corporate records, and a few hundred thousand payment-card numbers. The State is doing some things well. Governor Nikki Haley has been a visible public face of the State's response, and Walt's guess is that she is finding out more about data security than she ever thought she needed—or wanted—to learn. The State also is making it clear there are consequences from the breach. Published reports indicate the head of the Department of Revenue will be resigning as a result.

The question for every retailer is: "What can my company learn from South Carolina's experience?" Lesson #1: Don't skimp on training. PCI DSS Requirement 12.6 requires all merchants to "implement a formal security awareness program to make all personnel aware of the importance of cardholder data security." In South Carolina's case, published reports indicate the hackers broke into the State's systems by sending an E-mail with the malware attached. Once an employee clicked on the attachment, the malware was downloaded and started grabbing user IDs and passwords.

Visa To Pull Back On Mobile/Online Verification For Low-Risk Transactions

November 28th, 2012
With a goal of trying to get mobile transactions moving, Visa on Monday (Nov. 26) floated a way to let shoppers not be bothered by password or other authentication for transactions the brand considers low-risk. The approach, dubbed the Visa Consumer Authentication Service, is designed for traditional E-Commerce transactions but will also work for any in-store mobile transactions that use the Internet (meaning it won't work for direct mobile-to-POS transactions, such as those fueled by NFC).

One new element here is Visa's use of various phone and tablet attributes to try and authenticate the device being used. (Sign of the times: In Visa parlance, laptops are no longer considered mobile.) "There are more than 100 different fields that we can get back from a particular device," including frequency, operating system version, the existence of antivirus software and physical location, said Mark Nelsen, Visa's head of risk and authentication product development.

Must PCI Compliance Conflict With Customer Service?

November 27th, 2012
PCI Columnist Walter Conway recently had a client ask: "Why is PCI making me stupid?" By that the client meant she was considering reversing a number of technology innovations her company had implemented over the last couple of years. Basically, those innovations had the unintended consequence of expanding her company's PCI scope, and the resulting cost of compliance was too much.

The issue is not unique to PCI. Innovations in retail technology happen every day, but standards adapt to these changes much more slowly. Every retailer lives in this situation. A mobile app works great, but it is not PCI compliant. Web orders get outsourced nicely, but processing mail order and telephone order (MOTO) transactions on a workstation either means lots of network reengineering, separate devices or lots of increased PCI scope (or all of the above). Sometimes, PCI compliance and security even seem to be at odds with each other. What is a merchant to do?

Are JCPenney’s Latest Moves Bold Or Foolish?

November 27th, 2012

When a CEO takes over a troubled chain, bold moves are generally encouraged. But when the chain is a much-beloved 110-year-old, 1,100-store, $17 billion household name, bold can be very bad. Enter Ron Johnson—fresh from Apple and formerly from Target—and his taking over JCPenney. The chain is melting impressively quickly, and Johnson’s boldness is a textbook example of taking the wrong lessons from retail history.

This is explored in StorefrontBacktalk’s November monthly column in Retail Week, the U.K.’s largest retail publication. The column lives here at Retail Week. For those who don’t have a Retail Week subscription—shame on you!—here’s a copy at StorefrontBacktalk. You can also check out all of our recent Retail Week columns here.…

Really, Visa? You’re Counting On Banks For

November 15th, 2012

Visa officially went live with its online payment service on Tuesday (Nov. 13), and there’s a lot to be underwhelmed about. After a year of testing the service—in which customers type in a login and password at an E-Commerce site and have all their payment and delivery information automatically filled in—’s marquee E-tailers are and, along with about two dozen more. Visa has also lined up 50 banks (the best known is U.S. Bank) with a total of about 55 million card customers.

But none of that may matter, because Visa is counting on the banks to promote to their customers. Yes, the same banks who have sent millions of contactless cards to their customers without telling them they were contactless cards—that’s who Visa believes can convince cardholders to use a service they’ve never heard of instead of PayPal and Amazon. The likelihood they’ll ever hear about it in a meaningful way from their card-issuing bank? Just slightly less than’s infinitesimal chances.…

Forget Fancy Hacking, Card-Data Theft Is Now All About PIN Pads

November 15th, 2012
A ring of Canadian thieves who were caught with 30,700 stolen payment-card numbers is providing a view inside the process of tampering with PIN pads—and it's not pretty. On November 9, Toronto police said a five-man gang arrested in September had tens of thousands of stolen card numbers on PCs and USB thumb-drives, along with at least a dozen stolen POS devices.

It's the PIN pads that are disturbing. They make it clear this gang was regularly swapping compromised PIN pads for the legitimate versions on retailers' counters. Even more disturbing: It wasn't the PIN pads that got these thieves caught.

Guitar Center Gets Behind PayPal In A Big Way, And For A Good Reason

November 15th, 2012
When 235-store Guitar Center agreed to a PayPal proposal to offer the alternative payment method inside its stores, the music chain had very good reason to believe its shoppers would embrace PayPal in a way that the customers of other in-store PayPal retailers—including Home Depot, JCPenney, Abercrombie & Fitch, Toys"R"Us, Foot Locker and Barnes & Noble—might not. Musicians spend a lot of time buying and selling used instruments and audio gear on eBay, which means most have a healthy amount of PayPal dollars in their accounts.

Giving those shoppers an in-store option to use that PayPal currency, a place that has used (along with new) instruments and audio equipment and where said equipment can be touched and listened to before being purchased, made a lot of sense to Wes Muddle, Guitar Center's VP for Finance. So it's not surprising that the chain made it a priority to let every customer know about the PayPal option, through lots of store signage and associate training. And, gasp, Guitar Center is even considering offering cash incentives—though it would much rather PayPal do that instead.

The Digital Way To Kill EAS Tags And Keep ‘Em Dead

November 15th, 2012
EAS tags have an annoying tendency to come back to life after being deactivated. That's embarrassing for the shopper who sets off the alarm, but it's far more embarrassing for the LP executive whose people grow tired of the false alarms and start ignoring them—especially at peak times. One EAS vendor on Tuesday (Nov. 13) tried to end the LP Frankenstein monsters by switching to a digital—rather than a mechanical—tag mechanism, one that can be fully fried by the typical 10-volt deactivation pad jolt. "We make this happen at the nano level, leveraging very very small geometries," said Amir Mashkoori, CEO of EAS vendor Kovio.

The tags are soft tags and Kovio's approach is to try and get manufacturers to embed them deep within shoes and other clothing so they are not visible to the shopper, which makes the removal of the devices almost impossible without severely damaging the product. Mashkoori argues that this could change many standard retail tactics, such as having only one shoe on the floor and forcing the associate to go to the backroom to get the mate.

Papa John’s Texting Lawsuit Raises Troubling Mobile Marketing Issues For All Retail

November 14th, 2012
When a federal judge certified class-action status against Papa John's on November 9, the pizza chain became the poster child for mobile text-messaging abuse. But this case raises some key questions retailers need to wrestle with—and which the court will decide—including the use of POS data for non-payment functions, the chain's reasonable responsibilities for the decisions of very independent franchisee owners and what constitutes a business relationship sufficient to establish marketing permission (and in any definition, does buying one slice of pizza reasonably trigger it?).

The specifics of this Papa John's case involve a vendor that never worked for Papa John's but was retained by quite a few franchisees. That vendor, OnTime4U, sent a huge number of texts to customers of Papa John's franchisees and never received explicit permission from any of those customers. If this had been a case of whether OnTime4U had violated the Telephone Consumer Protection Act (TCPA), it would be a very easy case. But because the case is focused on the retailer that never retained the vendor, things get much trickier.

