Top Stories



Rivals Hate Amazon, Except During A D-DOS Attack. Retailers Then Are A Band Of HTML Brothers

February 1st, 2013
As the online (and mobile) leader by a very wide margin, Amazon certainly generates a generous share of envy and hatred from E-tailers and retailers alike. They all quietly celebrate every Amazon misstep and piece of investor pain—except one. When Amazon has an outage and the E-Commerce king is trying to convince everyone that the site was not the victim of a D-DOS attack, every rival is in its corner.

On Thursday (Jan. 31), Amazon was down for about 49 minutes, which is certainly a notable event. One cyberthief group tweeted responsibility, claiming "we used a 7kbotnet running hoic 100 threads each. 80servers in botnet and a 16gbps booter." Does it make much of a difference whether the outage was caused by an internal IT screw-up, an unexpectedly huge number of shoppers looking at a specific sale or an outside malicious group? Absolutely.


Social Media Makes It Easy To Blog Or Tweet Your Way Into FTC Fines

January 31st, 2013
Restaurant reservations Web site Open Table just paid $10 million to purchase the app developer Foodspotting, which enables people to take pictures of, well, food. The idea behind the synergy is that consumers looking to make reservations can not only read the menu but actually see the food presentation "in the real world" by looking at pictures taken by bona fide customers.

This continues a trend of technology empowering consumers, observes Legal Columnist Mark D. Rasch. It's also a way for restaurants and other retailers to get themselves into real legal trouble if they're not very careful about how they identify their use of this type of social technology.


JCPenney’s RFID Reversal Guts In-Aisle Checkout

January 30th, 2013
When JCPenney very publicly and very aggressively embraced a chain-wide, all-product item-level RFID strategy—with the promise of a full rollout by February 1 (2013)—executives cited supply-chain savings as a key driver. The chain has now reversed course, killing much of the RFID program to save money. When a chain is under this much financial pressure, a little savings today is a lot more valuable than a lot of savings down the road.

But of much greater significance is the digital domino effect. In this case, JCPenney was building its in-aisle checkout on the premise that it had item-level RFID fully in place. And if remodeled stores have dramatically scaled back the number of cashwraps (because customers would be doing in-aisle checkout), does that mean all those customers will have to line up for the limited number of cashwraps? That's not going to be pretty—presuming JCPenney can actually get enough returning customers to make it a problem.


PCI’s Potential Black Friday Nightmare

January 30th, 2013
October promises to be a big month for everyone involved with PCI, but maybe not for the expected reason. On Oct. 28, 2013, every payment application validated under Payment Application Data Security Standard (PA-DSS) version 1.2—and there are a lot of them—will see its validation expire. The applications will no longer be acceptable for new deployments, a potential nightmare for every retailer using a validated payment application. If a retailer has any payment app that glitches in early November, it could have far fewer—if any—choices as a replacement. The problem: A large number of applications still haven't been revalidated under PA-DSS 2.0. Given the time that has already elapsed, coupled with the human tendency to delay the unpleasant, we're looking at a likely crush of last-minute validation renewal requests that could strain both PA-QSA and PCI SSC resources.

For retailers, says PCI Columnist Walter Conway, this means applications that may still be secure won't necessarily be supported by vendors. Much worse, this situation could create a huge backlog of applications to be evaluated by PA-QSAs and then approved by the PCI Council. That process will take weeks, and quite possibly months, to work through. Retailers should note that this will be happening barely one month before Black Friday. Fear not, though. All of these problems can be averted if software vendors all act quickly, well ahead of deadline. (Editor's Note: In other words, we're all doomed.)


MCX Sees ACH As Interchange Salvation. Many Chains Not So Sure

January 23rd, 2013
The secret sauce for beating interchange is ACH. That, at least, is the plan of the Walmart-led Merchant Customer Exchange (MCX), according to sources familiar with the payment system being developed by the retailer consortium. By using ACH transactions to debit bank accounts or credit lines instead of going through payment-card brands' networks, MCX expects to reduce transaction cost to as little as four cents—and cut Visa and card-issuing banks out of the loop.

MCX still hasn't revealed most of the details of the system, but some things are becoming clear. Others are still up in the air—like whether banks will accept a few pennies per transaction when an ACH withdrawal typically costs them more than that. Also, will banks want to get into such an effort, knowing the toxic politics surrounding any effort to knock out Visa and MasterCard? The much more fundamental issue for MCX is whether it can come up with—and agree to fund—a compelling reason for shoppers to participate. That, coupled with what some retailers—namely, those who have been pitched—see as an overly aggressive approach, has prompted some to question whether MCX can deliver the interchange relief it promises. One example of the pitch approach some have cited: MCX demanding $30,000 from retailers just to see the official PowerPoint. Chains are also being asked to commit to three-year mobile payment app exclusivity, meaning they won't support any non-MCX mobile payment other than any mobile payment app they have already deployed.

Did Best Buy Coupon Take Merged Channel Too Far, Or Not Far Enough?

January 23rd, 2013
Best Buy's $50-off fiasco this week is a reminder of a simple fact of merged-channel retail: A little technology usually isn't enough. Early on Monday (Jan. 21), Best Buy E-mailed a coupon to some customers, offering $50 off most purchases of $100 or more if the customer paid by MasterCard, with the discount good for a week. Word quickly spread on bargain-hunter Web sites, and soon customers were online, reporting their successes ($2,500 in Amazon giftcards for $1,250) and failures (one store manager insisted it must be a hoax). By Monday afternoon, Best Buy had pulled the plug on the offer.

Automating coupon-based offers is fine. But if you're going to Internet-up paper-style coupons, you really have to go all the way. And these pretty clearly were conceived as paper coupons. One clue comes in the boilerplate on the coupon, which had relatively few restrictions on products that could be bought (no Apple, Sony or Nikon) but also specified the coupon was good in-store only. It also sported classic paper-coupon language, including "No copies."

Alipay’s Retro Pay-By-Noise System May Be More Useful Than It Sounds

January 23rd, 2013

In-store mobile payments are still looking for the right technology, with NFC struggling for a foothold and QR codes only successful in pockets (or, more accurately, in Starbucks). But a new smartphone mobile wallet announced on January 18 by China’s Alipay takes a new tack: It communicates via what Alipay describes as “white noise.” (We’re pretty sure what that really means is “it sounds like the hiss of a dial-up modem, just without all the screeching.”) The Alipay wallet isn’t currently supporting POS payments, just data transfers between phones. But there’s no special reason it couldn’t be used for transactions, especially because that’s the business Alipay is in.

True, a hissing phone would be really easy to eavesdrop on, but you’d want that transaction data encrypted anyway. And as retro (and annoying) as it would sound at a POS, a pay-by-hiss system would work even for smartphones without a camera and high-resolution screen—all the phone needs is a speaker and microphone. Still, there’s that hiss, which certainly would be out of place in a tony store and might be inaudible on Black Friday. But maybe there’s a retro solution for both those problems. Acoustic couplers, anyone?

Retail Facial Recognition Comes Of Age

January 23rd, 2013
Some years ago, Legal Columnist Mark Rasch demoed an ATM that had no card, no chip, no PIN and only a limited keyboard. The ATM used facial recognition software to identify him, so he only had to walk up to the machine, type in $20 from checking and, voila! Money dispensed. Assuming that everything works as promised and that facial recognition software is close to 100 percent accurate and reliable, retailers should consider the legal, privacy and compliance issues related to biometrics before rushing in.

Like all innovative technologies (from credit cards to loss prevention devices), it's not clear yet whether consumers will embrace or reject the new technology, or how regulators will ultimately react.

Are Franchisees The New Sweet Spot For Card Data Thieves?

January 17th, 2013
The payment-card breach revealed on January 11 by 560-store restaurant chain Zaxby's throws a light on what may be the near-future of major breaches. The chain said it found malware on systems at 108 stores across the southeastern U.S. after card processors identified the stores as common points of purchase for fraudulent card activity.

But Zaxby's doesn't operate any of the stores—they're all franchisees, putting both the company and the franchisees in a worst-of-both-worlds situation.

MCX Embracing QR Codes, The Cloud And Unparalleled Vagueness

January 17th, 2013
Merchant Customer Exchange, the retail group trying to offer its own mobile wallet, plans on using QR codes as the heart of its cloud-based payment app, the group announced Monday (Jan. 14). But beyond the QR code detail and the names of a few new retail members—including Meijer and Wawa—little was discussed during an hour-long panel that meaningfully addressed how the group plans on making a difference, beyond the general platitudes MCX has stressed since its March 2012 launch.

What was different this time, though, is that members were more candid in explaining why they have the goals they do, even if they were not especially forthcoming in how they plan on achieving those goals. The group, for example, re-stressed its intent that data from one chain will not be shared with another chain. Jay Culotta, the treasurer at regional convenience chain Wawa, said many of the mobile vendors say they are not—today—planning on sharing data, but they refuse to say what will happen down the road. "It's not a forever situation," Culotta said, adding that the temptations for leveraging such data will likely be overwhelming. "It's unclear what their business case would be without monetizing that data."

The Legal Quicksand Of Giving Online Stuff Away For Free

January 16th, 2013
We all love to get stuff for free. Whether it is a coupon, a sample or a trial, if it's free, it's good. For retailers, offering a freebie can get customers used to using their products or services, may engender goodwill and may be a smart business decision. But if those retailers fail to adequately define the terms of the free trial, pens Legal Columnist Mark Rasch, they may be setting themselves up for a disaster.

This holiday season, Rasch was walking through the mall seeking out the See's Candies ladies with their free samples. "I would gladly take a chocolate lollipop or a toffee square, circle the mall and come back for another. The free sample came with no terms or conditions and no obvious limitations on access or use. Could I then argue that, because See's was giving away chocolate lollipops, these items were 'free' and that I was, therefore, lawfully entitled to take six or seven boxes from behind the counter without paying for them? Absurd. But why? Because in the real world, we have loosely formed social conventions and a system of shaming to enforce them."

How Many Will Join The Lone Systems Integrator On PCI’s New List?

January 9th, 2013
The PCI Council's Qualified Integrator and Reseller (QIR) program is officially up and running. Reliant Security is the first systems integrator to qualify under the QIR program and be listed on the PCI Council's Web site. Qualifying the first systems integrator is a significant milestone, one that follows last May's announcement of the QIR program and the beginning of formalized training this past autumn.

What everyone involved in retail payments will now want to see, pens PCI Columnist Walter Conway, is how many other resellers and systems integrators will join Reliant. The ultimate success of the QIR program depends on the decisions made by retailers, payment application vendors and, quite possibly, the PCI Council and even the card brands, too.

StorefrontBacktalk‘s Next Chapter

January 8th, 2013
As the founder of StorefrontBacktalk, I am thrilled to announce today that StorefrontBacktalk is now a member of the FierceMarkets family of B2B publications. FierceMarkets is a wholly owned subsidiary of the Questex Media Group.

Our voice and approach—for good or for bad—will not change, and we have been told to continue delivering the same mix of breaking retail IT stories, analysis and opinion columns. (Yes, and some truly awful jokes. It's in the contract that those stay.) The bylines here will stay, as Frank Hayes, PCI Columnist Walt Conway, Legal Columnist Mark Rasch and the rest of the team will continue to do that which we do. Me, too.

Amazon Got Had By A Chat/Phone Fraudster. Would Your CS Team Fare Any Better?

January 2nd, 2013
When was the last time you ran anonymous security testing on your call center customer service reps—both on the phone and via chat—trying various social engineering tricks on them to see if they'll divulge security info while trying to be customer-friendly? An Amazon security glitch was delightfully well documented this holiday season, but the frightening part is that none of it would have worked on the site directly.

The attack sought order numbers—which in turn enabled a shipping address to be changed and free replacement merchandise to be dispatched—and it highlighted various problems that retailers could easily fix but don't. For example, do CS reps take the time to review chat transcripts and activity history in an effort to spot repeated fraud attempts? Shouldn't a change of address set off all types of alarm bells? In this instance, it was to a maildrop that reshipped packages overseas, and that specific address had been noted in Amazon's own records. The system hadn't been told to flag anything going there, even after it had been discovered?

Human Error Is Still Amazon Cloud’s Achilles Heel

January 2nd, 2013
The Amazon Cloud outage on December 24—the one that knocked Netflix offline for much of Christmas Eve—was due purely to human error. And it was the dumbest sort of human error: an Amazon developer with special privileges mistakenly ran a maintenance process against the production system, wiping out critical state data—and then didn't realize he had crippled the system until hours after it began causing problems for customers, according to the version of events Amazon released on Monday (Dec. 31).

It then took more than 12 hours (including a false start or two) for Amazon's team to re-create the data, and several more hours to slowly get the system working again. Total outage time: 23 hours and 41 minutes. In short, Amazon's cloud forgot everything it knew about how to let customers do load balancing.

Holiday Recap 2012: Hardly Any Downtime, Surprising Traffic Stats

January 2nd, 2013
Either retailers are getting better at handling the online holiday crunch or they're getting luckier. The biggest single outage of the 2012 holiday season was at, which was down for more than three hours on December 26, according to Web monitoring company Panopta. That was after the biggest Christmas crunch—but still in time to irritate Walmart shoppers trying to do returns and use giftcards.

Runner-up was Victoria's Secret, which had 18 hours of total downtime but spread it over more than 30 short outages, mostly between 3:00 AM and 5:00 AM. That smacks of maintenance outages that were actually planned, even if they weren't planned very far in advance.

What Year Is This Again? Online Grocer Ready To Miss Domain Name Registration Again In 2022

January 2nd, 2013

It’s no secret that NYC-area online grocer FreshDirect had an outage on Christmas Day. And it’s no secret why: The company apparently lost track of the fact that its domain name registration expired on December 23. That’s bad enough. What’s worse is that the grocer still doesn’t seem to be on top of its domain name problem.

After the site was back online, FreshDirect told The Wall Street Journal and Bloomberg News that its registration has now been renewed until 2024. Except, well, it hasn’t: The Whois record for says the domain name now expires in 2022—and once again, right before Christmas. Any bets as to whether next time FreshDirect will remember to pay its domain bill a year earlier than it thinks it needs to?

New Child Protection Rules Create A Retail Catch-22

January 2nd, 2013
A few days before Christmas, the U.S. Federal Trade Commission (FTC) approved major changes to its online child protection rules, including adding geolocation data, IP address and mobile device ID to the information that can't be recorded from a site visitor who is younger than 13 years old.

The problem for retail chains is the vagueness of definitions for sites aimed at children. Is the toy section of such a site? What about games at Then there's the Catch-22 of asking ages online. If you ask, you'll be required to segregate the data from anyone in that age group and handle it—no pun intended—with kid gloves. (No pun intended. That was a play on words, not a pun.) And if you don't ask, you have the perfect defense that you didn't knowingly collect data from under-age shoppers without parental consent. Did the FTC really intend to encourage what Legal Columnist Mark Rasch calls the Sgt. Schultz Defense?

Shoppers Want Mobile To Replace Cards And Cash, Just Not Their Cards And Cash

December 12th, 2012
If you're looking for more evidence of the bipolar nature of mobile shoppers, look no further. The Harris Poll people have what you need. In what should be called the NIMBY (Not In My Backyard) effect, some 66 percent of Americans polled said they expect mobile payments to eventually replace payment cards and even cash—but not their cards and cash.

When asked if they personally want to use mobile as a payment device, the overwhelmingly strongest answer—across literally every demographic group sampled—was the single answer of "not very or not at all interested." That's a wonderful statistical illustration of today's challenge for mobile payment: A lot of people think it's a great idea, but they personally have no interest in doing it. It's great, though, they believe, for everybody else.

Best Buy’s iPad Dilemma: The Tricky World Of Shipping Errors

December 8th, 2012
Best Buy this month was in the news for apparently shipping five iPads to at least two customers, each of whom had only ordered one. The chain decided to get some good press for a change and encouraged the customer to "keep the additional iPads and give them to people in need."

Some news stories, having picked up on a published U.S. Federal Trade Commission (FTC) Q&A, said that Best Buy wasn't being generous, that federal law required that the consumer could keep the extra iPads and not pay for them. Like almost all matters legal, pens Legal Columnist Mark Rasch, the truth is not quite that clean. The laws referenced are intended to punish retailers for shipping items to people who bought nothing and then trying to force them to pay. A shipment in error—especially one to a legitimate customer—was never envisioned, nor was accidentally sending a larger quantity of that which was legitimately being purchased.

Sears Black Friday Confirmation Snafu: Just Check Inventory, OK?

December 6th, 2012

Didn’t we learn this lesson last year with Best Buy? On Black Friday morning, a Houston-area couple got up at 2:00 AM to order thousands of dollars’ worth of appliances from Sears. They got their order confirmation E-mail, went back to bed—and woke up to find another E-mail telling them their order had been canceled. Then the appliances were delivered, but charged at the regular prices thousands of dollars higher. It took a local TV station’s cage-rattling to get Sears to honor the Black Friday prices.

Sears’ explanation—the system sent confirmations before checking inventory but sent the cancellation E-mail almost immediately—misses the point. It’s 2012, not the dawn of E-Commerce. Inventory is online. Customers don’t need to be reminded that they just placed an order, only notified that their order will be honored. There’s no reason for two E-mails, nor is there any excuse for confirming an order by E-mail before checking inventory. That will take an extra 30 seconds? Five minutes? It’s E-mail. Nobody expects sub-second response times, not even customers. They do expect a “confirmation E-mail” to confirm they’ve made a purchase—and it’s long past time for retailers to get that message.

Is Nordstrom’s Data-Retentiveness A Sign Of Trouble For CRM?

December 5th, 2012
The fight over customer data just keeps getting nastier. Nordstrom has now joined Gap and as retailers who no longer cooperate with an Intuit service that lets customers aggregate all their bank and payment-card balances so they can manage their money better.

This data-retentiveness puts these chains in a tricky position. Every retailer wants large quantities of CRM information from customers. Telling those same customers they don't have control over information about their store-branded credit-card accounts (as in, customers can access it themselves but can't have an aggregator collect it for them) risks turning the image of chains from a friendly retailer to that of a paranoid Big Brother—especially as chains start behaving more like banks.

Is Bluetooth, *Gasp,* A Viable Mobile Checkout Alternative?

December 4th, 2012
In the world of in-aisle mobile checkout, device size and convenience are critical, given that today's typical associate ships with only two arms. That would certainly argue against associates having to carry two devices, synched via Bluetooth, to perform a checkout. But the almost-having-cornered-the-market nature of iPads and iPhones in in-store mobile checkout, coupled with Apple's new and incompatible Lightning connection port, may force some inconvenient near-term options.

On Monday (Dec. 3), a European mobile and E-Commerce payments and POS card reader vendor (Adyen) introduced a device that can handle both magstripe and EMV, which certainly makes sense for Europe. The interesting part, though, is that the Adyen approach uses two units (a reader/scanner and the Apple or Android smartphone or tablet) connected by Bluetooth. That's a lot of hardware for an associate to lug around in the aisles, but it's apparently necessary (at least now) for the EMV functionality. It also nicely—if unintentionally—sidesteps the Apple Lightning problem. Indeed, Bluetooth would theoretically avoid other interface upgrade issues, too. Is the trade-off worth it?

Retail Lessons From South Carolina’s Data Breach

December 3rd, 2012
PCI Columnist Walter Conway has been thinking about South Carolina, which is living through a major data breach involving millions of personal and corporate records, and a few hundred thousand payment-card numbers. The State is doing some things well. Governor Nikki Haley has been a visible public face of the State's response, and Walt's guess is that she is finding out more about data security than she ever thought she needed—or wanted—to learn. The State also is making it clear there are consequences from the breach. Published reports indicate the head of the Department of Revenue will be resigning as a result.

The question for every retailer is: "What can my company learn from South Carolina's experience?" Lesson #1: Don't skimp on training. PCI DSS Requirement 12.6 requires all merchants to "implement a formal security awareness program to make all personnel aware of the importance of cardholder data security." In South Carolina's case, published reports indicate the hackers broke into the State's systems by sending an E-mail with the malware attached. Once an employee clicked on the attachment, the malware was downloaded and started grabbing user IDs and passwords.

Amazon Looks At Doing Its Tax Dance All Over Again

November 28th, 2012
Amazon's "level playing field" is back. On Tuesday (Nov. 27), a U.K. Parliamentary committee published Amazon's sales, profit and tax payment figures for the U.K., while executives at big U.K. chains called for Amazon to pay more taxes—and for a level playing field. (Gee, where have we heard that before?)

The Amazon financials (which were supposed to be confidential) showed 2011 U.K. sales of $5.36 billion, which is just a tad higher than the $331 million in revenue that Amazon UK officially reported and paid corporate taxes on. But that playing-field line—and the obvious irritation of MPs on the Public Accounts Committee—makes it pretty clear Amazon has more trouble ahead.
