Will Warranty Enforcement Be Amazon Marketplace's Achilles' Heel?

When it comes to competing against Amazon, eBay or even Japan's Rakuten, one of the more challenging aspects is their third-party marketplaces, which give each a seemingly endless inventory at minimal risk. But the odds may be getting more even, as shoppers are starting to notice that some manufacturers are strictly enforcing their authorized reseller rules.

The immediate impact on shoppers is they may find that the expensive flat-screen TV, surround-sound speakers or refrigerator that looked like such a bargain on Amazon voids the warranty. The arguably-unrealistic expectation from consumer goods manufacturers—which sharply strengthens the hands of traditional e-tailers trying to fight against these third-party marketplaces—is that shoppers would not only notice the actual name of the merchant shipping the item, but would take the time to run that name on the manufacturer's site to see if they are truly an authorized reseller. Or they could just make the purchase from or and know for certain.

Top Stories


FTC Says It’s Now Going After A Lot More Than Just Violated Privacy Policies

August 15th, 2012
In another sign the FTC is putting some teeth in its enforcement, the commission followed up the announcement of its $22.5 million privacy settlement against Google on August 9 with a list of ways companies may be turning themselves into FTC targets.

In a blog post on Monday (Aug. 13), FTC Senior Attorney Lesley Fair said that following a published privacy policy isn't enough. The FTC could go after businesses that misrepresent privacy protections in their opt-out and customization instructions—or even just those that join an industry self-regulation group but then don't follow its code of conduct.


Chip Card Confusion Could Challenge Chains’ POS Plans

August 15th, 2012
Visa recently issued a bulletin with recommendations for implementing chip cards in the U.S. market. Don't ignore this document, writes PCI Columnist Walter Conway. You may not know all you think you do about Visa's plans and what retailers need to do. Most important, merchants must be sure their POS devices accept both EMV contact chip cards and traditional magnetic stripe cards. Make a mistake, and you might have to buy equipment all over again.

Unfortunately, not all acquirers are getting the right message out to merchants. One client recently related that an acquirer told the merchant there was no need to upgrade its devices to read chip cards.


Security Personnel Need To Assume That Cyberthieves Are Smarter Than They Are

August 15th, 2012

There are two opposite views on the best way to protect sensitive retail data, including payment cards, CRM, inventory, pricing and payroll. The first is the vault approach: You try and throw up as many high-quality firewall locks as you can, and then place all of your goodies in that protected space. The second approach is minimization: You store the data in as many different secure places as you can, so if anyone breaks in they can only access a tiny portion of your data from that single attack.

Retailers very much want to believe in the first approach—and to find legitimacy in the vendor hype pushing it—because it’s so much easier and cheaper. But, as we detail in our August column for Retail Week, the U.K.’s largest retail publication, the only sound security approach has always been: Assume the bad guys will break in, and then make all of your decisions based on that assumption. Please check out the column in Retail Week or, for those of you who are not Retail Week subscribers, you can read it right here at StorefrontBacktalk. …


Starbucks-Square Deal Says More About Square Than Starbucks

August 15th, 2012
One of the things last week's Starbucks-Square deal demonstrates is that Square found out just how hard it is to make a living selling services to small retailers and hotdog carts. For every coffee shop and dry cleaner that signs up to move their credit-card processing and POS to Square, there are likely dozens of other people who get a dongle strictly as a novelty, pens Retail Columnist Todd Michaud.

"People like me, or the Girl Scouts, who use it one month a year selling a few hundred dollars worth of cookies," he wrote. "They are basically a next-generation ISO that is riding the wave of Apple-fandom to bring credit-card processing to the masses."


At $83.8 Billion A Year For School Supplies, The Definition Is Broader Than Most Assume

August 13th, 2012

A recent survey report from the National Retail Federation (NRF) touted how much would be spent on school supplies, sometimes more generically referred to as back-to-school spending. Even with that encompassing umbrella term, the figures seemed to be quite a reach. We noticed this when American Express—citing the NRF data—talked about parents spending $83.8 billion in school supplies this year.

It seems the NRF has a return to classes for K–12 families costing $688.62, with estimates of $95.44 on actual school supplies, $129.20 on shoes, $246.10 on clothes and $217.88 on electronics. Families with college students will average $929.35, but that includes things like dorm furniture and college-branded apparel items. Also food, which was never something I thought of as a back-to-school item. Wouldn’t parents have to buy clothes, shoes and electronics for their K–12 kids even if they weren’t in school? And don’t college students eat pretty much continuously throughout the year? (About every hour, according to my recollection.) That said, food is being sent to school with students and many of these categories have some relevance. It’s a huge number, but retailers might want to rethink what they consider school supplies.…

PCI Compliance Update: Level 1 Down Slightly, Levels 2 and 3 Up Just As Slightly

August 13th, 2012
The latest batch of PCI compliance stats from Visa shows slight changes—all of one percent—in all categories with meaningful public numbers.

Level 1s dropped from 98 percent to 97 percent in the figures current as of June 30, 2012, while both Level 2 and Level 3 retailers increased (2s went from 92 percent to 93 percent and 3s went from 59 percent to 60 percent, when compared with Visa's reported March 31 figures).

Starbucks Mobile Deal Chops Its Card Costs

August 9th, 2012
In the Square deal Starbucks announced on Wednesday (Aug. 8), the coffee company sharply cut its payment processing costs by turning over all of its U.S. credit- and debit-card processing to the Visa-backed Square. Although Starbucks wouldn't comment on how deep the savings would be, some are suggesting that the processing savings—not the interchange fees—could be almost complete. Hey, a $25 million investment should be worth a little discount, no?

Also, despite what various media reports implied, when Starbucks starts accepting Square payments right before the holiday sales rush, it will not be the approach Square has used with a handful of smaller merchants, in which the mobile phone stays in the pocket and the customer is identified by first name and a POS-displayed photograph. No, the Starbucks approach will mirror the exact method it's been using for its own mobile payments for years: Customers will display a 2D barcode on their mobile phone, the Starbucks associate will scan that code, and then the store's existing POS system will handle it normally.

eBay’s Same-Day Delivery Contrasts With Amazon’s Same-Day In Just About Every Way

August 9th, 2012
eBay this month has joined Amazon in experimenting with same-day delivery. Although both are delivering same-day, they are doing it in almost the opposite way. Amazon's effort is being offered at a premium price, while eBay is offering close to loss-leader pricing. Amazon—rightly or wrongly—is seen as a threat to brick-and-mortars, whereas eBay is emphasizing that it's buying from partner retail chains at full price. Amazon's same-day delivery requires very early morning orders and as long as 13 hours for delivery, whereas eBay is targeting—and, it claims, delivering—everything within one hour.

eBay's trial run seems to be deliberately low-cost and extra-fast delivery to truly see who would use such a service under the best of conditions. It's highly unlikely that a national rollout could continue such specs. eBay's approach isn't all good for retail partners; only the eBay brand is shown, which reduces the chains to unseen suppliers—albeit well-compensated unseen suppliers.

Will Google Wallet ID Give Thieves Access To More Cards?

August 9th, 2012
Security wasn't Google's top priority when it came up with its new architecture for Google Wallet—mainly, the Android-maker wants customers to actually start making mobile payments with it. But by replacing actual payment-card numbers on the phone with a Wallet ID that looks exactly like a payment-card number to processors, Google has raised some new security questions that so far don't have clear answers.

For example, what happens if a thief manages to scoop up that Wallet ID? Could that give him access to all a customer's payment cards? There's no current mechanism for shutting down all of a shopper's cards. That's the hole with today's fraud systems: Everything at the processor and card-brand level was designed to protect cards, not wallets.

Tesco’s Barcode Scan Security Dilemma

August 8th, 2012
In late July, a U.K. programmer was at his local Tesco store when he noticed something unusual about a barcode. As programmers are inclined to do, he spent an inordinate amount of time online trying to decipher the barcode. He was joined in that effort by other like-minded techie folk, who eventually deciphered it. If that was the end of the story, it would be unremarkable in the extreme. But it's not, and it's Tesco's reaction that makes things interesting.

Tesco's reaction—overreaction? Ludicrously counterproductive overreaction?—was fueled by the interaction of mobile and self-checkout. That mobile/self-checkout part is where barcodes can be fed into systems manually. But if you think this is no more dangerous than a shopper getting a $3 half-gallon of milk for 3 cents, think again. It goes way beyond fake product barcodes to include fraudulent coupons, forged giftcards and SQL injection attacks.

What Does Time Spent Mean For A Mobile App? Not What You Might Think

August 8th, 2012
A very interesting mini-report from Nielsen came out on Wednesday (Aug. 8), one that ranked the top mobile shopping apps used in June. But when it also listed those with the highest time spent, it glaringly failed to say why. And that "why" makes all of the difference.

In that category, Shopkick blew everyone away with an average of 3 hours, 19 minutes and 11 seconds. So why did Shopkick blow everyone else away, average time spent wise? It has to do with the nature of that app, not that its users were so enraptured by the content.

Should PIN Pads Be Hardened? This Reader Says They Should Be Dumped

August 8th, 2012
Is it even worth hardening PIN pads against hacking? After last week's story on Verifone's device-breach problems, one StorefrontBacktalk reader commented: "Hardening PIN pads just kicks the can a few feet down the road, the way PCI kicked magstripes down to Chip-and-PIN. But it's still the same can and the same road, so why do we think the same problems won't keep chasing us?" His conclusion: Make payment cards much smarter and eliminate the PIN pad entirely.

That's a great idea for large chains. But smaller merchants will have to buy in, too—and they're the reason every attempt to improve payment cards so far has failed.

Can Timing Text Ads Make A Difference?

August 8th, 2012

Charlotte Russe, a 500-store youth apparel chain, recently cited almost 100 percent read-rates on its text messages, which pretty much indicates the lack of understanding of text open-rates. In E-mail, an open-rate means someone has read the subject line and the from line, and then decided the message is worth exploring. In text, “opening” means far less, if anything at all. But that doesn’t mean there are no good ways to gauge message effectiveness—redemption rates do a wonderful job—and it also doesn’t mean there are not good ways to make those messages get read more often. Consider, for example, a customized honeypot approach—sort of CRM for texting.

Few retailers are using text timing as a means to send such messages more effectively. Most consumers tend to open and respond to texts during certain hours, based on their schedules. To determine those optimal times requires little more than sending some very deep discount offers—offers too good to resist—to get targeted shoppers to respond quickly. By sending two or three such honeypot messages over the same number of weeks (use different days to gather more data), you can map the best times to send messages to those shoppers. This approach goes beyond tailoring the message to the individual shoppers. It also tailors when to send that text.…

It’s Official: Pre-Authorization Data Is In Your PCI Scope

August 6th, 2012
Like many QSAs, PCI Columnist Walter Conway frequently gets asked whether pre-authorization cardholder data—that is, card data written on paper or stored electronically before the transaction is authorized—is in scope for PCI. His answer has always been that if you have any cardholder data, you must handle it in a PCI-compliant manner. That advice applies whether the data is pre-, post- or somewhere in the middle of the authorization process.

Unfortunately, some vague wording and a quote from the very first PCI Community Meeting caused some merchants to question this conclusion. They argued that cardholder data only comes into PCI scope after the transaction is authorized. We now can put this question to rest. The PCI Council has come out with an official statement to QSAs declaring that all cardholder data is in scope, whenever and wherever it is.

As The POS Turns: Vivotech Is On Life Support

August 1st, 2012
Vivotech is in trouble. The contactless PIN pad maker, which counts Home Depot and McDonald's among its customers, announced on July 27 that it is trying to sell its hardware business and restructuring. This came amid reports earlier the same day that the company was shutting down. Either way, Vivotech is the latest casualty of the failure of both contactless cards and mobile payments to get traction with consumers.

It's also another blow to the credibility of Google Wallet and ISIS (both signed up Vivotech as a POS partner) as well as PayPal's in-store payment system (Vivotech put a "Pay with PayPal" button on all those Home Depot PIN pads).

Are PIN Pads Insecure By Design?

August 1st, 2012
Now that Verifone, at last week's Black Hat security conference, has confirmed one of its popular U.K. PIN pads was hacked, is it time to rethink how POS devices can be maintained, managed and upgraded? It's very convenient to do so over a network or using special maintenance cards. But we may be at the point where that's simply not secure.

To be clear, Verifone only acknowledged that one of three hacked PIN pads came from it. In addition, the secure electronic payment technologies vendor said it's already testing a fix. Great—that means other PIN pad vendors have similar security issues. We just don't know which ones.

Could “Make An Offer” Pricing Ever Work In-Store?

August 1st, 2012
Should major chain sites use "make an offer" pricing? It sounds heretical, but it's being considered at several major chains. The most interesting argument is that it's a great way for retailers to circumvent minimum advertised price (MAP) restrictions. But could it boost sales of slow-moving SKUs? Even more outlandish, could it move more top-selling items?

This discussion, though, is really about a much more strategic and fundamental issue. With showrooming and reverse showrooming and everything in between, does the very nature of retail Web pricing have to be rethought? Once the price comes off the Web page, everything is up for discussion. Customized pricing? Pricing based on how generous shoppers have been with their last five purchases? Is this another way to ditch the bottom-feeder bargain hunters? Will chains offer deeper discounts to people who shop with a short list of their most direct rivals? Will charge a lower price to someone coming to its site from an Amazon visit as opposed to a Barnes & Noble visit? And could this flex pricing ever make the transition to in-store, leveraging mobile?

Michaels Breach Convictions Point To The Most Sophisticated PIN Pad Attack Yet

August 1st, 2012
More than a year after the 1,100-store Michaels chain was breached after PIN pad tampering, the feds have their first convictions: two Los Angeles street gang members, who were apparently recruited just to collect money from debit-card victims' bank accounts. But the crooks who actually executed the attack are still on the loose—and, apparently, still completely unknown.

But we now know more about the breach, which involved physically replacing PIN pads in 84 stores across the country to capture at least 94,000 card numbers. And with those new details, chains have more reason than ever to be worried.

Walmart Confirms Chain-Wide Self-Checkout Glitch

August 1st, 2012
When a picture of a Walmart self-checkout screen showing the wrong total for a purchase made its way around the Web this week, many assumed it had been altered or perhaps the screen had been captured the instant before an update. But Walmart has now confirmed that a software update impacted almost all the chain's self-checkout units for about two weeks, causing incorrect and confusing displays. The receipts and the amounts charged, however, were reportedly correct.

Sometime in mid-July, the machines were given a "routine update" via a blast from a Walmart server, said Walmart spokesperson Ashley Hardie.

The Message Recall: Diabolical or E-Mail Ignorant?

August 1st, 2012

Despite the efforts of helpdesks everywhere, the belief persists among retail users that E-mails sent externally can be recalled. Even though they can’t be recalled, people still try. But we’re now seeing folk using the misunderstood recall E-mail function to do the opposite—to get people to pay attention to their E-mails. The tactic should be applauded for its diabolical, Machiavellian nature. A message is sent, and then—about a minute later—recalled. Nothing in the world is more irresistible than an E-mail that is supposed to be deleted unopened.

Interestingly, a recall when there’s really an issue (“Dear boss: You’re an idiot and everyone knows it. Drop dead!”) will never work. But a fake recall, one that prompts people to not only read your message but study it for whatever salacious bit of dirt you’re now trying to hide, will work. So if you want people to really focus on your E-mail, a little recall never hurt.…

Integrating Mobile Into In-Store, U.K. Style

August 1st, 2012
Mobile integration into in-store is fraught with very mundane and pragmatic issues, such as "how should an associate carry around a tablet? It's too big for a pocket." One chain, Aurora, has gone so far as to design customized associate satchels just for its iPads. Our media partner, Retail Week, has explored how U.K. retailers have been dealing with these issues.

When retailers bank so significantly on in-store connectivity to boost their customers' experience, considering both usability and the store's design is vital. Lee Broom, the interior designer responsible for the look of the recently launched Coast, said the integration of iPads as payment devices was integral to the new store's look.

Petco Is Latest Victim Of The All-Too-Common Data Breach Via Stolen Laptop

August 1st, 2012
Petco this week became the latest retailer to suffer a data breach by way of auditors and stolen laptops. The breach in this instance involved sensitive employee data—names and Social Security numbers—but neither customer data nor payment-card information. Still, this situation raises the questions: What data-handling requirements for contractors are reasonable, and when do they become absurd?

In the case of Petco's auditors, quite a few good precautions had been used. The "laptop computers were protected with a strong password and the Plan information was contained in a software program that is protected with an encrypted password," according to an employee memo.

Kentucky Cyberthief Uses Cloned Credit Card To Buy Pizza, Has 50 More On Her When Police Make The Delivery

August 1st, 2012

Lesson #1 for all cyberthieves: If you’re going to use a stolen or fake credit card to get a pizza, do not have it delivered. As one Kentucky woman discovered, the police might make the delivery. But this gets better.

As police approached the 23-year-old who had phoned the order into Papa John’s, they asked to search her purse. She complied, and inside police discovered more than 50 credit-card numbers, some including names, addresses and telephone numbers. Lesson #2: Use one fake payment mechanism at a time. Going to get the pizza purchased with one bogus payment device while carrying the information to create more than four dozen more? That’s like ordering the Papa John’s everything pizza, and then eating it right before bed. It’s a move you’ll very likely regret. The new tagline for Papa John’s: Better Ingredients, Better Pizza, Better LP.…

JCPenney: A Sign Of Bad Judgment

August 1st, 2012

Sometimes, even when people are doing something absolutely proper, the way they do it can send the opposite message. Case in point: How JCPenney tried to take down the sign from a California store it was closing. Specifically, a blowtorch crew was sent at 10:30 PM to remove the store’s famous neon sign—and the crew covered up their vendor name with a rag, in addition to covering their truck’s license plate. Yeah, that just screams “I’m not doing anything wrong, and you can’t prove I did it.”

The chain had reason to be cautious when removing the sign, because of some intense neighborhood protests against the store’s closing. Why provoke the crowd? But getting caught trying to take the sign down secretly? Hardly a crowd-pleaser. …

Even Cutting-Edge IT Couldn’t Save Burlington Coat Factory From $1.5 Million Penalty

August 1st, 2012
For decades, Burlington Coat Factory has been one of the most cutting-edge retail IT shops anywhere by being first—or close to first—in its deployments of Unix, Oracle, the Web, E-mail, TCP/IP, symmetrical multiprocessing and Linux, among many others. But even that type of IT pedigree couldn't help the discount clothier do what hundreds of associates could do manually. Last week, that cost the chain a $1.5 million penalty for selling recalled children's clothing.

The penalty, from the U.S. Consumer Product Safety Commission (CPSC), was issued because the government said Burlington had deliberately and knowingly sold recalled children's clothing.

