Security / Fraud

Google’s NFC Move Thursday—with Walgreens, Macy’s, Subway, American Eagle—Goes Beyond Plastic

May 25th, 2011
Several major retail chains—including Walgreens, Macy’s, American Eagle Outfitters, Toys R Us, RadioShack and Subway—have agreed to be guinea pigs for a Google Android near field communication (NFC) mobile-payment system, and the four will announce their effort Thursday (May 26). But the five-city trial will really be riding atop existing contactless-payment systems, specifically MasterCard’s PayPass terminals, so it's not clear how much new ground this effort will break.

The key question: Why will consumers be more open to this Google NFC effort than they have been with contactless payment? Presumably, Google and the retailers will be smart enough to flood consumers in the selected cities—New York, San Francisco, Los Angeles, Chicago and Washington, D.C., according to Bloomberg—with seriously generous discount coupons to give them a compelling reason to change their buying behavior and try NFC. Some have argued that the trick of making NFC work will not be in a strengths/weaknesses battle with rectangular pieces of plastic, but in the power of the mobile phone to be comprehensive.


PCI-Less Card Payments: Square’s Mobile Scheme

May 25th, 2011
A new Square mobile POS offering introduced on Monday (May 23) quietly delivers something that many vendors have falsely promised but never delivered: Absolute escape from PCI rules. Yes, the much-promised-but-never-realized claim of PCI out-of-scope actually does exist within the Square offering. It enables a retailer's customers to pay with Visa (a key backer of Square), MasterCard or American Express without having to abide by any PCI restrictions. And, yes, there are a few (admittedly major) limitations, but the exclusion appears quite real.

When you push all rhetoric aside, PCI in-scope simply comes down to this: If a customer hands a payment card to any of a retailer's employees/contractors—or swipes or waves the card into a device inside or controlled by a retailer or types the information on that card into a Web site branded and controlled by a retailer—that retailer is subject to PCI. If the customer doesn't, the retailer isn't. What Square's new approach, dubbed Card Case, does is fully take the retailer out of the line of fire of the card information.


Starbucks And Consumer-To-Consumer: A Way To Save Stores?

May 25th, 2011
Last week, a Starbucks mobile director made a casual comment during a Seattle panel discussion: "There's us to you and you to us and the third generation will be how do consumers interact with each other around our brand. That's where the power will be," said K.C. MacLaren. It goes beyond mere limitless discussions in a brand environment.

Envision an approach that merges geolocation, mobile communication, social sites and—critically—a trusted retail brand and in-store interactions. Put it all together and the future may not look so dim for in-store, after all. Starbucks, which did not want MacLaren elaborating on the concept, said he gave one example as Starbucks’ existing For the sake of humanity, let’s hope his vision is light years beyond that site, which has a strangely narcissistic quality to it.


With Social Data Mining, Start Searching Where You Know The Gold Is

May 24th, 2011

As companies start to make inroads into mining the vast social data fields, early strategies are emerging. For example, one company—Attensity—says the best course is not to take a customer database and try and match it with social profiles floating around. It’s better to do the reverse—find the data in Social Land, look for helpful datapoints and then try and match it with the customer list. Why is that approach better? It’s more efficient. The discovered useful datapoints are valuable on their own, even without a customer match.

Attensity hasn’t done this for a retailer directly, but it is working with two chains through Teradata. When Catherine van Zuylen, Attensity’s VP of global product management, was asked how she feels about the privacy ethics of doing these searches and associations, she paused and said wisely: “We just make the tools. It’s really up to the individual retailers to use those tools for good or evil.” Didn’t Maxwell Smart say that?…


Justice Department Stomps On VeriFone-Hypercom-Ingenico Three-Way

May 24th, 2011

It’s not often that the U.S. Justice Department gets an antitrust win this fast. But on May 20 the DOJ announced that POS terminal makers VeriFone and Hypercom had given up on the idea of selling Hypercom’s U.S. POS business to Ingenico, to clear the way for VeriFone to swallow Hypercom. That decision came just a week after the DOJ filed a lawsuit to block the merger. “We are gratified that the parties recognized the anticompetitive nature of the agreement and abandoned its divestiture plan promptly,” said Christine Varney, the Assistant Attorney General in charge of the case.

But VeriFone and Hypercom are still trying to do a deal—just one that won’t leave two companies controlling 90 percent of the card-swiper market. The most likely candidate to buy Hypercom’s U.S. business is now Vivotech, which is already big in contactless POS terminals, with 70 percent market share—and would become a lot bigger if it gets Hypercom.…

The New SAQ C Complicates PCI For Some Retailers, Franchises

May 23rd, 2011
PCI version 2.0 brought several changes, most of which are evolutionary and not particularly dramatic. There was, however, one subtle but important change that will significantly complicate how some Level 2 (and smaller) retailers and franchises validate their PCI compliance. Interestingly, this change seems to have sailed under most retailers' (and most QSAs') radar so far.

The change is in the new version of self-assessment questionnaire (SAQ) C. It now stipulates that retailers can use this SAQ only if their payment application serves a single store location, pens PCI Columnist Walter Conway. In other words, any retailer that connects a branch or an additional location to their POS system, or any franchisee (or franchisor) that processes payments for more than a single location, can no longer use a simplified SAQ. In practical terms, this change means that instead of using the old SAQ C, which had about 50 items, these retailers and franchise operators will need to complete SAQ D, which includes all 280-ish requirements of the PCI DSS. For these retailers, validating PCI compliance will take more time and likely cost a lot more money, too.

In-Store Cigarette Tweak: Reducing Theft By Not Having Associates Turn Around

May 23rd, 2011

Given age restrictions, cigarette sales often have to be manually handled. Store designs generally place the cough cartons on the wall behind associates, forcing them to turn their backs to customers while searching for the requested brand. A Montreal vendor last week proposed an automated cigarette package dispenser designed to cut down on thefts that occur during this process. This is not IT in the traditional sense, but it’s still a clever in-store tech approach to deal with shrink.

The product, from the Artitalia Group, claims that the Audimac “not only has all the cigarette packages separated by brand and size, but also dispenses them at a push of a button.” The anti-theft element here is not necessarily designed to thwart people stealing cigarettes as much as it is trying to block the theft of everything else while the associate searches for the cigarettes. Maybe they should have a new cigarette warning for store associates? “Your chain’s IT General warns that the cigarette sales process could be hazardous to Loss Prevention.” Or maybe, “If you can see these cigarette SKUs, you can’t see the customer stealing from you right now.”…

Kiosk Privacy? A New Porn Kiosk Makes The Case For Why It’s Not Private, While Arguing That It Is

May 23rd, 2011
We don't typically do stories about pornography—marketing claims within retail IT are usually obscene enough for anybody—but the inherent retail privacy contradictions in this porn kiosk announcement were too much to resist. There is already an imminent consumer privacy collision with kiosks, given their data-sharing and network connections nature.

While this porn kiosk touts privacy, which would seem to make sense, it also requires a driver's license and a payment card. Those two documents certainly are good ideas, especially when arguing to retailers that the machines will not be usable by minors, but both also obliterate the claims of privacy. The issue speaks to all kiosks, but this case is a wonderfully extreme example.

Canada Now On Cyber-Threat List

May 18th, 2011

A time-honored fraud detection technique is flagging transactions from high-risk countries and triple-checking them. The counter-move from cyberthieves has been to push operations to countries seen—for the moment, at least—as low-risk. That’s how Canada is suddenly becoming the home-away-from-home for a cyberthief’s stolen data. Canada has now locked in the number-two global slot for hosting phishing sites in 2011, a 319 percent increase from the prior year, according to stats released Wednesday (May 18) from security firm Websense.

When it comes to more aggressive cybercrime, Canada moves up on the list from 13th place to sixth place, reflecting a 53 percent increase. (Naturally, when it comes to criminal activity, the U.S. holds the number-one slot on both lists.) Rounding out the top phishing countries: Egypt in third; Germany in fourth; UK in fifth; The Netherlands in sixth; Russia in seventh; South Korea in eighth; France in ninth; and Brazil in 10th. For cybercrime hosting: France has the second slot; Russia the third; Germany the fourth; China the fifth; The Netherlands the seventh; South Korea the eighth; Romania the ninth; and UK the 10th.…

No Valid Address Required. Oops!

May 18th, 2011
L.L.Bean will let online customers complete a purchase with only a payment-card number and expiration date—no name, billing address match or other authentication required. A number-and-expiration-date-only policy for card-not-present transactions could be a huge problem today: With huge numbers of consumers walking around with contactless payment cards in their wallets, thieves can brush up against purses and backsides in any crowd and collect card data automatically.

Contactless backers have always pooh-poohed this as a security threat, pointing out that customer names, security codes and other authentication information isn't transmitted by the cards. But if retailers are only relying on numbers and expiration dates, with one contactless grab—or one well aimed digital picture snap from a mobile—thieves get all they need. And although the E-tailer's customer-service department insists that card numbers with the wrong name attached should be rejected, a simple experiment made it clear that at least some transactions are approved that way. (Two out of two media tests had transactions approved and shipped.) If it had been fraudulent, it would have been up to the payment-card holder to notice, complain and get the charge reversed.

Bing And Facebook Start Down A Very Frightening Social Media Analytics Path

May 18th, 2011
Finding and analyzing the collective thoughts in all the conversations happening in social media today has been a retail goal for several years now. Not coincidentally, that's exactly how long retail has failed in doing anything meaningful with that data. This week, though, an ISV and Microsoft's Bing search engine are at least making noises as though they are making a little progress. Bing on Monday (May 16) said it is working with Facebook to use a small portion of those social site discussions—limited to the ones on Facebook and further limited to the people in the friends list of that Web searcher—to help provide more valuable results to consumers.

The idea of aggregating the shopping and other experiences of a closed community is a good one, with lots of potential to boost the meaningfulness of such results. There's also a downside with this aggregation approach, namely that most consumers trust different friends to very different degrees.

Nordstrom’s Mobile Checkout Difference

May 18th, 2011
In what is likely the most complex mobile POS rollout yet in retail, Nordstrom this summer will deploy thousands of iPod Touches and other mobile mechanisms. The IT twist, though, is that the rollout is not tied to a single type of device. That means the chain's software developers have already nailed down an architecture where the heavy POS lifting is done on the back end, not on the mobile device itself.

As a result, it should be easier for Nordstrom to quickly add new devices and new functions to the mobile POS system. Features that the iPod doesn't support, such as contactless payment, might be available on other devices. In theory, with a well-structured architecture, new devices could be swapped in on an as-needed basis. Unlike mobile POS pioneers Home Depot (which uses a highly customized handheld for its mobile POS) and Apple (which can only use Apple, naturally), Nordstrom can exercise its option to do small-scale experiments with devices from multiple vendors in the midst of its big rollout. That will also discourage developers from tying code too tightly to one device—giving Nordstrom the chance to do even more quick-hit experiments in the future.

Under The Law, Location May Not Be Private—But Your Customers May Have Their Own Ideas

May 18th, 2011
In a brief filed with the U.S. Supreme Court last month, the Department of Justice suggests that there is no expectation of privacy in location data and that the only limitations relate to the manner in which such data is collected—specifically, if it is collected from a phone company or by other means. "Look," the DOJ essentially argues, "you are on a public street/sidewalk/office building. Anyone can see you. How can you expect that to be private?"

Even if the Supreme Court rules that customers don't have a right to privacy in their location, retailers still face a dilemma, writes Legal Columnist Mark D. Rasch. For example, smartphone apps can leverage GPS or other location data and enable new sales and marketing opportunities. But consumer backlash may result in new regulation to restrict the collection and use of this information. If you fail to have clear and unambiguous privacy policies that state what you are collecting and why and then follow these policies, either the consuming public or the government will make you do it.

As Europe Tightens Up On Location Data, Retailers Need To Get Customers’ Buy-In

May 18th, 2011
Europe is coming down on the mishandling of mobile-phone location data—even if it's not coming down very hard. On Friday (May 20), a European Commission group is expected to recommend that mobile location data be treated as personal data, The New York Times reported. That would theoretically give location data much better legal protection. But the recommendation is nonbinding, and Apple and Google are likely to be much more concerned about individual EU countries investigating their practices than this toothless advisory opinion.

Beefing up security for more than payment-card data isn't a new idea, but it's unfortunate for retailers that Apple got so sloppy with its users' location data. Spotting customers as they're headed for a store is the holy grail of retail mobile-location technology, whether via GPS, Wi-Fi, cell-tower triangulation or POS tracking, and right now that's all getting a slightly creepy reputation. But in practice, it's going to become the norm—retailers will just need to get their best customers to opt in.

Bank Lobbyist: High Debit Interchange Needed To Pay For Retail Security Breaches

May 16th, 2011

What’s the real price of a security breach? Customers aren’t usually driven away when a retailer loses payment card data, and the financial costs are usually painful but not crippling. But if one Beltway lobbyist gets its way, the price of security failure will be higher interchange fees for debit cards—not just for breach victims, but all retailers. The Center for Regulatory Effectiveness asked the Federal Reserve Board last Friday (May 13) to raise interchange rates, which were pushed down by last year’s Dodd-Frank Act. The argument: Retail security breaches cause unreimbursed costs for card-issuing banks, and banks need high interchange rates to pay those costs.

If the Fed buys the argument, that would certainly put a real price tag on security failures. Of course, that price would have no relationship at all to whether a retailer had lousy security—everyone would see higher debit interchange fees, whether you’re locked down tight or leaking data everywhere. And the lobbying outfit used one other nice touch: Instead of asking the Fed directly to raise interchange rates, it sent a letter to the Fed’s CIO, asking her to make the pitch. Hey, they had to try somebody.…

Burlington Coat Factory’s Site Shut Down By DDOS Attack, 45-Hour Incident Complicated By Comments

May 12th, 2011
Cyberthieves attacked and shut down the Burlington Coat Factory chain's site late Sunday (May 8) with a distributed denial of service attack, one that kept the site and its mobile counterpart shuttered until mid-afternoon Tuesday (May 10). The 45-hour incident was complicated by a CIO statement that "there was no breach of security systems"—proving a negative is never easy—and by some customer service representatives who told customers a very different story.

Problems were first detected with Burlington's main site—called—about 4 PM (New York time) on Sunday (May 8), when Web uptime tracking site AlertBot noticed "intermittent outages." The site then went completely dark at about 5:20 AM Monday (May 9), said AlertBot's Justin Noll. Burlington's official version is slightly different, with a statement issued by CIO Dennis Hodgson saying that the chain "was subjected to a denial of service attack early" Monday.

Michaels Replaces All Of Its PIN Pads, Following 20-State Coordinated Attack

May 12th, 2011
The 1,045-store Michaels chain confirmed Wednesday (May 11) that it had been hit with an unusually geographically widespread physical attack on its PIN pads. As a result, the chain replaced all of its PIN pads—some 7,200 units—after having confirmed breaches in 80 stores spread across 20 states. The fact that it impacted stores in 20 states is frightening. But of even greater concern is that the impacted stores crisscrossed the nation, from Delaware and Georgia to Colorado and Oregon.

Typically, such a PIN pad attack is done physically. However, with this many stores, a network attack from pad to pad is also possible. In a Q&A issued by Michaels, it was the chain itself that first raised the question of whether employees could have engaged in the fraud.

Are Intrusive Questions From Kiosks Still A Customer’s Preference?

May 12th, 2011
As kiosks have been getting more sophisticated, retailers have been relying on them to handle more functions. When it comes to sensitive issues, such as body type for an apparel chain or paying for groceries with food stamps, chains have discovered that consumers are often more comfortable interacting with a machine.

One convenience chain found that level of anonymity sharply boosted profits when selling triple-sized sandwiches, and Pennsylvania is hoping that having a machine tell customers they're too drunk to buy wine will be less humiliating. But with data breaches an almost daily news story and data-sharing presumed to be everywhere, will customers continue to stay comfortable with sharing intimacies with kiosks? That question is being raised now with the latest push on clothing kiosks that use radio waves to take hundreds of thousands of measurements to deliver what the machine promises will be the perfect clothing fit.

Visa’s Mobile Magic: Using POS As A Beacon

May 11th, 2011
When Visa rolled out its location-based mobile coupons service—with apparel chain Gap as its first client—it did so with a twist. Visa uses POS transactions to track a customer's location, so it doesn't have to cooperate with mobile operators or merchants. It doesn't have to deal with geolocation challenges like the inaccuracy of triangulating cell towers. It can even collect location information from stores that have nothing to do with its coupon program—including competitors of the retailers that do. It doesn't need customers to have smartphones, Wi-Fi or GPS, nor do those capabilities have to be turned on.

Most current mobile-payment approaches—including the mobile wallet Visa announced this week—are still based on the payment-card accounts Visa currently makes its money from. But eventually someone will come up with a better way and leapfrog over the card companies. Then Visa will be stuck with a large, expensive network for real-time transaction processing. That could explain why Visa wants to use its new service to follow cardholders around from one retailer to another.

Wal-Mart Makes Sure Customers Find Its Web Survey, But Prints Different URLs

May 11th, 2011

There’s a reason Shakespeare didn’t pen “That which we call a URL, by any other name would smell as sweet.” He didn’t write that, because the Bard knew darn well the precise phrasing of a URL makes a difference. It’s a lesson Wal-Mart apparently still needs to learn. Wal-Mart was running an in-store survey. To make sure consumers found the survey, it did three things: printed the survey URL on the POS receipt; printed it again on a pea-green piece of paper that associates were supposed to staple to the receipt; and, just in case its customers don’t know what a URL is, it provided instructions on how to use a browser.

Problem One: the URLs on the two pieces of paper didn’t match. (There’s a nice photo of the mismatch on the Dotweekly blog.) Problem Two: The stapled piece of paper instructs customers “do not use a search engine,” even though Bing, Google and Yahoo’s engines all immediately sent visitors to the right place. Lastly, does Wal-Mart really need to use a triple sub-domain ( …

Handcuffed Man Breaks Away From Police, Goes To Home Depot For Bolt Cutters

May 11th, 2011

A man arrested by police on Sunday (May 7) for assault and burglary in Pensacola, Fla., escaped from custody, while still wearing his handcuffs. His destination? The nearest Home Depot, where he went to get a bolt-cutter to de-handcuff himself. We’re guessing he heard that Home Depot was a do-it-yourself store. If he was more brazen, he should have stormed over to customer service, complained that the handcuffs he purchased from don’t work—as they won’t unfasten—and insisted they remove the cuffs right away. By the way, might want to check its search engine specs. Although the site does not sell handcuffs, a site search for handcuffs does return something. (Well, it has hands and cuffs, so maybe the search engine has a point.)

Speaking of strange retail stories, this one from satire site The Onion is really worth watching. It’s about a crime scene at Wal-Mart, with everyone—including Wal-Mart PR people—stressing that they don’t ever shop there.…

U.S. Senator Introduces Do-Not-Track E-Commerce Bill, With Exemption That Makes It Irrelevant For All

May 11th, 2011
On Monday (May 9), a U.S. Senator introduced a bill to limit or prevent E-tailers from capturing information about their customers without asking. Like prior Senate technology efforts, the exemptions to the bill make it unable to execute its core purpose. Even if the bill—called the Do Not Track Online Act Of 2011 and introduced by Sen. Jay Rockefeller—didn't suffer from those rather generous exemptions, it's unclear how much of an impact it would have. Its telephone solicitation predecessor is the Do Not Call list. Quick show of hands: How many reading this article have signed up for that list? Of those who did, how many have continued to get lots of phone solicitations, with no practical way to make them stop? 'Nuff said.

To further minimize worries, as of Wednesday (May 11), the bill had zero cosponsors. As such, it certainly doesn't look like the Senate will pass the bill anytime soon. Is it possibly a news release bill, one designed to justify a news release but never be actively pursued? Just in case it does go anywhere, here's what the bill actually mandates.

Is Sony Making The Business Case For PCI?

May 11th, 2011
The PCI Council has stated that compliance is cheaper than noncompliance. The idea is that security is a good investment and that, although meeting all the PCI requirements may be expensive in terms of time, technology, management attention and money, the alternative costs more. The problem with such a statement is that, although it sounds good, we do not have much evidence to support it.

That situation may be changing with the recently announced data breaches at Sony, says PCI Columnist Walter Conway. Sony's experience could provide the business case for why every retailer should want to be PCI compliant. Some large retailers have been breached in the past, but their customers eventually came back. Many of these customers may even have felt they were more secure after the remediation efforts undertaken by the merchant. We've even seen a major processor suffer a data breach, but it's still going strong.

Think You Can Use Smartphones In-Store? Read The Contract First

May 11th, 2011
With many retailers contemplating the use of iPhones or other smartphones for mobile payments or as in-store selling aids, overly restrictive contract terms aren't going to fly. But that is exactly what a typical smartphone wireless contract is full of, writes Legal Columnist Mark D. Rasch. For example, apps that use data or stream video so an iPhone can work as an in-store sales aid may be a contract violation. And on the customer side, mobile-payment apps violate contract terms, too.

It's bad enough for retailers that smartphones can't be locked down against software changes. But terms like these (which are becoming the norm) mean payment-card transactions and many types of data that retailers may want to use would violate a mobile operator's contract—and could make smartphones practically unusable for in-store purposes. This assumes, of course, that the telcos opt to enforce these clauses, which were probably crafted with little thought about the likely mobile-payment world of 2012.

Amazon’s Details Expose Cloud’s Ugly Side

May 4th, 2011
In a detailed postmortem of its days-long cloud-storage outage, Amazon on April 29 delivered a blow-by-blow explanation of what went wrong: One networking mistake generated a cloud full of "stuck" storage, which in turn filled up all available space with junk data in an attempt to automatically recover and finally required Amazon to bring in lots of new storage hardware to unjam the system.

The cascading problems were the result of Amazon's efforts to promise continuous availability of its cloud storage. That meant no downtime for maintenance windows—Amazon's network techs had to work without a net, and this time they were unlucky. But a dive into the details of the outage suggests that a cloud like Amazon's may not be worth the risk, or even offer an advantage, for big retailers—even though Amazon itself is one of the biggest.
