Evan Schuman's StorefrontBacktalk

According to American Apparel, item-level RFID can pay for itself by cutting employee theft. The 285-store chain’s VP of Technology, Stacey Shulman, told RFID Journal that in stores using RFID for inventory accuracy, internal shrinkage has dropped by an average of 55 percent. (The chain started by putting RFID in 50 of its stores with the highest shrinkage rates.) As a result, the savings covers the deployment cost. Of course, that’s something of an accounting trick. Deploy any surveillance technology in a store with lots of employee theft and some thieves will get nervous and stop stealing—for a while.

Shrinkage drops, and IT can declare that RFID’s ROI is 100 percent. Then, by the time the thieves start stealing again, it’s hard to argue with item-level RFID’s other benefits in better accuracy and faster replenishment, which is why Macy’s is pushing item-level RFID hard. Besides, the theft rate might never return to its original levels, right? It’s also wise to remember that the only retail people who care about ROI are the people can say “no”: your CFO’s team. And for IT projects, they check ROI once. So if it looks like thefts have been avoided, you get the credit. And given that the team won’t check again in four months, you’ll likely never get dinged if the reductions were short-lived. Short attention spans can be your friends.…

The key to making phones more secure was supposed to be that a required PIN would prevent the NFC chip from being turned on most of the time, and the chip would be powered down quickly after a transaction when the screen went dark. That's certainly the way Google Wallet was designed for Android phones. But according to most of the reviews of Google Wallet, all that PIN-punching is a pain, and the phone's screen quickly going dark is annoying. Guess how secure that makes the NFC chip?Read more...

Not unlike IBM in the 80s and 90s, Apple is in the highly enviable position that it can wait until it's time and then still dominate the market when it makes the move. Indeed, it might even be easier and more effective to do it that way. But that strategy will also determine who will define the retail NFC standards that matter—the ones on the checkout counter and in the retailer's datacenter. And that won't be Apple.Read more...

The $2 billion Amazon is projected to make via transactions made by consumer phones is a non-trivial figure, given its $34.2 billion in global revenue of all types, according to the figures published by Internet Retailer. But note how quickly the numbers drop with its rivals. Wal-Mart, the only other retailer to make the overall top 10, appeared at slot 4 with $127.7 million. The third largest retailer—Staples—comes in at a projected $45.3 million this year, followed by Best Buy ($37.9 million), Macy's ($33.2 million), Buy.com ($32.5 million), Foot Locker ($32 million), Sears ($31.7 million) and Overstock ($31.6 million).Read more...

A mysterious patent troll that has already quietly sued restaurant chains Au Bon Pain, Panera, Caribou Coffee, Cosi and Corner Bakery Cafe and regional grocery chains Meijer, Dominick’s and U-Save for their Wi-Fi use, last month added hundreds of individual hotels to its list of defendants. That’s despite the fact that the retailers and hotels bought their Wi-Fi equipment from Cisco, Motorola and other vendors that had already paid license fees for the Wi-Fi patents.

What’s particularly clever is that the plaintiff, a company called Innovatio that acquired the patents from Broadcom, is only asking for between $2,300 and $5,000 from each defendant. That’s cheap enough that fighting in court doesn’t make financial sense—but it makes CIOs look bad for buying what turned out to be extremely expensive technology. Cisco and Motorola have filed their own lawsuit asking that a court declare their customers to be non-infringing, but that could take years. In the meantime, be prepared to be served. “This is not a seat-of-the-pants, fly-by-night shakedown,” Innovatio’s lead litigator told patent blog The Patent Examiner—Innovatio plans to go after “anyone who’s wireless networking.”…

To put this into context, PCI has unquestionably improved retail security in the U.S. and few have suggested a concrete alternative approach that wouldn't bring with it even worse problems. Like the criminal courts, a system can be very far from perfection and still be the best of all alternatives. It's also true that when security choices are made, some vendors are not going to be happy with the new rules. Even with all of that said, the directness and intensity of the speech by Magtek CEO Mimi Hart is worthy of note.Read more...

It then offered a clue. For a store in Ft. Worth, Texas, for example, the tease said: "It may be a Full House but we are convinced you will go bananas for this bag. Find it and win the bag." The promotion couldn't really indicate how close the customer was to the gift, because Foursquare's GPS signal typically ends the instant the customer enters the building. Neiman Marcus couldn't go any farther, "because of our infrastructure. We'd need to have sensors all over the store," said Jean Scheidnes, the chain's manager of social media. But what if a chain did deploy such a network of in-store sensors? The potential could go way beyond fun and games.Read more...

This massive item-level selling-floor-to-the-stockroom project began as a pilot at the Bloomingdale's New York SoHo, which is a pilot-friendly place apparently—the chain is now using Bloomingdale's SoHo to test Google Wallet. As a practical matter, this rollout will give Macy's a wide range of technology options as the potential of full item-level RFID gets closer. But Macy's is officially focused fully on just one RFID function: faster and more accurate inventory.Read more...

Several elements over the next few years—the report projects out to 2015—will make this change even more dramatic. Some 45 percent of new stores will be "mom and pops that are just starting. There you'll see a tremendous impact," because the stores won't even start with a traditional POS, Buzek said. "Why pay $3,000 [for a traditional POS] when I can get an iPad and put Square on it? This is going to fundamentally change the mall in the next three years."Read more...

As mobile payments inch along, retailers are trying to balance two concepts: the ideals of mobile-payment strategies with the mundane, practical logistics issues. And nowhere did those two concepts collide more clearly than in the one-location $3.5 million specialty store in Plantation, FL. How could someone at the door verify that the receipt is legitimate? For that matter, if the associate at the door is shown a digital receipt, how is he/she to know if it's a valid receipt—as opposed to a doctored image—unless the associate scans the receipt's barcode and runs a check to see if that item was indeed purchased in the prior 10 minutes?Read more...

The Big Y chain, with 61 stores in Connecticut and Massachusetts, announced this month that it would kill all of its self-checkout lanes. "In the battle of Service vs. Self Checkouts, service won," the chain said in a short statement. In a conversation with a chain executive, though, the decision sounded a lot more complicated. To be blunt, it didn't seem as if the chain had ever been all that fond of self-checkout, which it first deployed back in 2003. "We were one of the last chains to get into the self-checkout game. We were really dragging our feet," said Claire D'Amour-Daley, the chain's VP for corporate communications.Read more...

In the real world, many retailers and franchisors (and franchisees) try to qualify to use SAQ C. PCI Columnist Walter Conway calls this the "anything but SAQ D" approach. In his experience, the biggest challenge of SAQ C is isolating the application server(s) from the rest of the merchant environment. Conway knows merchants who have devoted a lot of effort and changed their network so they can qualify for SAQ C. A recent clarification by the PCI Council, however, limits the ability of many retailers and franchisors to use this SAQ.Read more...

That's increasingly likely—at least if Apple is ready. This particular fight may be moving to the hearts and phones of consumers, where two players—ISIS and PayPal—have serious handicaps. But consumers see Google as a search engine that does a lot of stuff for them for free. And if any company generates even more warm-and-fuzzy feelings than Google, it's Apple. And Apple also has a host of rarely-discussed huge mobile payment advantages, starting with the fact that it's a retailer and a darn innovative one at that.Read more...

The problem isn't just that PayPal has apparently done nothing to pull together its pile of recently acquired technologies into a suite of payment services. It's that each of these services has real problems that have dogged retailers' efforts at mobile payments for years. And astonishingly, PayPal doesn't seem to have solved any of them.Read more...

Is the KFC chain now going to have to tell employees that it’s Finger Scannin’ Good? That’s a possibility, given a move announced Tuesday (Sept. 20) by two of its franchisees to abandon password access to POS and switch to a fingerprint biometric authentication system.

The advantages are initially compelling, in that it makes it so much harder for associates to impersonate managers for fraud, whether it’s for stealing money directly, manipulating payroll records or letting employees falsely sign in for each other. The problem is that bored, persistent and resourceful KFC employees—armed with almost unlimited access to these biometric devices and potentially lots of free time during slower parts of the day—are quite good at finding security holes. Will it be a piece of Scotch sticky tape that will fool the system? Maybe the system can be fooled into accepting a new—and non-existent—manager? Given that the fingerprints are not being stored (only a numeric representation of the fingerprint’s datapoints), could the number be faked instead? All in all, this biometric approach is probably a very good idea. But few things are secure enough to hold up to under-paid, young, bored QSR employees, especially when management will likely be slow to react, preferring to believe that fingerprint biometrics are foolproof. …

The SAQ is an excellent starting point, pens PCI Columnist Walter Conway. But it is not (and does not promise to be) an all-inclusive approach to achieving—not just validating—PCI compliance. In a previous column, Walt noted the PCI Council's point that slavishly (his terminology) completing a SAQ may not be enough to be PCI compliant.Read more...

The big news is where the Council says in the report that "it is expected that PCI DSS controls that will be applicable to a merchant's validation will include (but will not be limited to): Protection of media and devices; Maintaining information security policies and training for personnel; Processes for management of third-party providers (including P2PE provider); Incident response and escalation procedures." That means a retailer implementing approved P2PE might reduce its PCI compliance to just requirements 9 and 12 (and maybe 11.1). The Council's words "will include (but not be limited to)" are important. We have, effectively, a new PCI standard with the accompanying infrastructure: detailed hardware and software specifications, an independent P2PE validation process and two new flavors of specialized QSAs.Read more...

Company officials say they expect the system to be—please forgive us—measurably more accurate than any E-Commerce apparel tactic being used elsewhere today. The process starts with a database of between 80 and 90 questions and asks between 20 and 22 questions of each shopper, with each answer dictating the next question. If all goes well, the entire process should be completed within three minutes and it's often closer to 1.8 minutes.Read more...

Historically, those 100 Best Buy IT folk have managed "several thousand" IT contractors, Davids said, which puts Best Buy—albeit in a rather extreme way—in the same position as many other chains. Outsourced IT certainly has the advantages of scale and instant experts, in that it's a lot easier to bring in a team to create a specialized app for one business group and to then not rehire them when the project is over. That's much easier than having to hire and train employees and to then have to try and lay them all off.Read more...

The idea is straight-forward enough. If a ToysRUs customer can't easily get to the local store, he/she asks a friend/relative to pick up the item as a favor. The initial customer simply is asked to give the picker-upper's first/last name, E-mail, phone number, address and the relation to purchaser. The picker-upper gets a direct E-mail message indicating the item is ready for pickup. Before going any further, ToysRUs is now picking up a bunch of verified E-mail addresses of people who are near its stores, along with other bits of wonderful data. Not only is the E-mail address verified (they had to receive the confirmation notice), but so is the name and address, courtesy of the driver's license or other ID they had to show when picking up the merchandise.Read more...

Why such delays? First, the Council wants retailers to contract only for P2PE applications that appear on a Council list of applications validated to be PCI compliant. The problem? That list doesn't yet exist, and the list's creation is "targeted for Spring 2012," according to a draft copy of the Council's document. A second reason for the delay is PCI training of assessors. The Council isn't promising to identify the testing procedures until "the end of 2011" and "training opportunities" (which we assume means classes) won't be detailed until "Spring 2012." The report will say that the guidelines—even if perfectly followed—won't offer a path for a retailer to be considered out-of-scope. The best that a chain can hope for, according to the document, will be "reduced scope." But nowhere does the document say what exactly that would and wouldn't include.Read more...

To be specific, Wall Street doesn't think that all IT investments are cool. It's when IT investments come from companies where it's not expected. When eBay or, heaven forbid, Amazon invest in IT, Wall Street lets them have it with both spreadsheets, in a way that it would have never criticized Wal-Mart for opening new stores. But when the Sears and Macy's of the world start talking about these space-age computer thingies, stock analysts get all starry-eyed.Read more...

For readers focused on any of those areas, the Monthlies provide an easy way to keep up-to-date and to make sure you don't miss any story important to your operation. The Monthlies also have two other helpful features.Read more...

Of course, that's only a problem if that high-bandwidth content comes from the Internet. If it's served from within the store, customers could receive a constant stream of commercials, product pitches and other videos on their smartphones and tablets. There's just one difficulty: If customers are accustomed to having a huge pipe to the Internet on their personal devices, they won't react well to retailers that have cut back their bandwidth ration to just enough for the Web, E-mail and Twitter—unless there's someone else available to blame.Read more...

The idea behind P2PE, pens PCI Columnist Walter Conway, is that an encrypting POS terminal encrypts the cardholder data (the first "point") immediately as the customer's card is swiped. A third-party service provider (the second "point," and often the merchant's card processor) manages both encryption and key management. The third party is the only one that can access the actual cardholder data. The result is that when P2PE is properly implemented, almost all the merchant's systems are out of PCI scope because the merchant has no way to decrypt the data or ever to get access to the clear-text cardholder data. Read more...