Evan Schuman's StorefrontBacktalk

The answer to all these questions is simple, pens PCI Columnist Walter Conway: Things change. And those changes are typically caused by one of three things: PCI DSS itself changes; the threat environment changes as the bad guys adopt new tactics; or, most often, the retailer's own payment environment and, therefore, its PCI scope, changes. Think about it. How many times does a year go by in which reailers don't expand their network, add new servers and expand the number of end users?Read more...

But in a perverse twist, that was also what finally blew the cover off the theft. A local Chicago-area bank spotted the connection between ATM fraud that victimized its depositors and the fact that they were Michaels customers. If that's the new pattern thieves are likely to use, it may be time for card companies to take a lot more interest in smaller banks—especially if those banks are stuck doing Visa and MasterCard's job.Read more...

The ruling elevates language over substance, and it may leave consumer information at unnecessary risk if retailers take it as a green light to print full credit-card numbers on electronically mailed receipts, writes Legal Columnist Mark Rasch. After all, which is more risky: having a printed receipt with your credit-card number in your wallet or having an electronic version of that same document floating around the Internet?Read more...

The most glaring difference was for projected hiring. When compared with the national numbers and against seven other verticals (manufacturing; finance, insurance and real estate; professional services; construction; wholesale; transportation; and business services), retail CIOs were the most optimistic about hiring IT people, tying manufacturing, with 9 percent of both segments' CIOs saying they plan to add staff and one percent saying they plan to reduce staff. The national average is 7 percent to hire and 3 percent to reduce. Three percent of wholesale CIOs say they plan to hire, with zero planning to reduce. Finance CIOs also have 3 percent planning to hire, although 8 percent plan to reduce.Read more...

Big retailers that handle groceries are theoretically ready to handle DataBar coupons at POS, but the reality is that there has never been a large-scale, full-on test of these coupons with no UPC-A codes to fall back on. And no one from the barcode's sponsoring organization seems to be offering practical advice on cutting the risks—which could lead to unhappy customers and a backlash among grocers.Read more...

The more chains try to dictate merged channel strategies—where online, mobile, in-store and call center are all part of one big happy homogeneous family—the more day-to-day realities interfere. Today’s object lesson is from Best Buy. (Yes, again.) The merged channel issue here is compensation and credit; specifically, price-matching products from BestBuy.com in-store. The problem: Price-matching the E-Commerce site erodes margins and makes the store look bad, while sending the customer to a kiosk or their phone to order online makes the problem go away. The corporate problem: That’s against policy. The corporate solution: Make the problem go away by ordering it to go away.

The issue started with one store (that we know of) posting a homemade sign telling customers, in effect, “Hey! You want online prices? Go buy online. You want to buy in our store? Pay what’s on the &^@&! pricetag.” Best Buy corporate heard about the sign and ordered all stores to indeed play by the rules and price-match. That’s fine, except the chain didn’t address the underlying issue. If that memo said brick-and-mortar managers will no longer have to take the hit for the lower margins of a dot-com price-match, then the problem would go away. Given Best Buy’s history on this issue, it is certainly likely.…

If Apple, PayPal and others opt for their own approaches, which seems inevitable, the fragmentation will make it even harder for consumers to embrace mobile payments and for any retailer to get enough traction for mobile to be profitable. Indeed, the Google exec who handled much of the rollout—Google Payments VP Osama Bedier—used that event to lay out the case for why multi-platform support is so crucial. At the time, though, he was making the case for openness everywhere other than mobile platforms. Still, his argument works.Read more...

The security issue cropped up because the chain wanted to do extensive beta testing with customers before offering the final version of the application to the world. Security policies with Apple's iPhone and Research in Motion's BlackBerry, among others, require that only tested and approved apps can be installed on their phones. Android's more lax application security process made it the more desirable platform. "The service is only available publicly to Android phone owners at this time, because we don't want the app in its current state going into the public app stores. Only Android easily offers the ability to install apps from 'Unknown Sources,'" wrote Nick Lansley, who manages IT R&D projects at Tesco.Read more...

Gigabit Wi-Fi is coming to customers’ mobile devices, chipmakers say, and the new 802.11ac and 802.11ad standards (yes, they’ve used up a whole alphabet and started over) will run at about 7 gigabits per second—around 20 times the speed of current Wi-Fi. That’s fast enough to watch high-definition video on a phone or tablet, which is great for stores that want to pitch glossy commercials at customers but not so great for retailers that offer Wi-Fi as a customer convenience.

It’s one thing for customers to surf the Web or make Skype calls using your store’s Wi-Fi connection—your current in-store Internet connection can handle that. But it won’t take many customers watching multi-gigabit videos from the Internet before you’ll either see lots of unhappy customers or need a much bigger pipe to keep them satisfied. Fortunately, the new standards aren’t expected to be finalized until the end of 2012. What impact would high-resolution real-time video calls with consumers and customer service have? What if during an answer, the rep could play demo videos? What if the customer could stream video of the product he/she is asking about?…

Actually, the news reports were based on local-news stings in only two cities, Sacramento and Philadelphia, where reporters specifically bought holiday items at full price and then waited until the items went on sale before returning them with gift receipts. And because Wal-Mart's gift receipts include a barcode containing the price, it seems likely that the training of customer-service associates could be to blame. Besides, why would Wal-Mart sabotage its own CRM and inventory-management efforts by intentionally mishandling returns?Read more...

The key question: Why will consumers be more open to this Google NFC effort than they have been with contactless payment? Presumably, Google and the retailers will be smart enough to flood consumers in the selected cities—New York, San Francisco, Los Angeles, Chicago and Washington, D.C., according to Bloomberg—with seriously generous discount coupons to give them a compelling reason to change their buying behavior and try NFC. Some have argued that the trick of making NFC work will not be in a strengths/weaknesses battle with rectangular pieces of plastic, but in the power of the mobile phone to be comprehensive.Read more...

When you push all rhetoric aside, PCI in-scope simply comes down to this: If a customer hands a payment card to any of a retailer's employees/contractors—or swipes or waves the card into a device inside or controlled by a retailer or types the information on that card into a Web site branded and controlled by a retailer—that retailer is subject to PCI. If customer doesn't, the retailer isn't. What Square's new approach, dubbed Card Case, does is fully take the retailer out of the line of fire of the card information.Read more...

Envision an approach that merges geolocation, mobile communication, social sites and—critically—a trusted retail brand and in-store interactions. Put it all together and the future may not look so dim for in-store, after all. Starbucks, which did not want MacLaren elaborating on the concept, said he gave one example as Starbucks’ existing MyStarbucksIdea.com. For the sake of humanity, let’s hope his vision is light years beyond that site, which has a strangely narcissistic quality to it.Read more...

It’s not often that the U.S. Justice Department gets an antitrust win this fast. But on May 20 the DOJ announced that POS terminal makers VeriFone and Hypercom had given up on the idea of selling Hypercom’s U.S. POS business to Ingenico, to clear the way for VeriFone to swallow Hypercom. That decision came just a week after the DOJ filed a lawsuit to block the merger. “We are gratified that the parties recognized the anticompetitive nature of the agreement and abandoned its divestiture plan promptly,” said Christine Varney, the Assistant Attorney General in charge of the case.

But VeriFone and Hypercom are still trying to do a deal—just one that won’t leave two companies controlling 90 percent of the card-swiper market. The most likely candidate to buy Hypercom’s U.S. business is now Vivotech, which is already big in contactless POS terminals, with 70 percent market share—and would become a lot bigger if it gets Hypercom.…

The change is in the new version of self-assessment questionnaire (SAQ) C. It now stipulates that retailers can use this SAQ only if their payment application serves a single store location, pens PCI Columnist Walter Conway. In other words, any retailer that connects a branch or an additional location to their POS system, or any franchisee (or franchisor) that processes payments for more than a single location, can no longer use a simplified SAQ. In practical terms, this change means that instead of using the old SAQ C, which had about 50 items, these retailers and franchise operators will need to complete SAQ D, which includes all 280-ish requirements of the PCI DSS. For these retailers, validating PCI compliance will take more time and likely cost a lot more money, too.Read more...

Given age-restrictions, cigarette sales often have to be manually handled. Store designs generally place the cough cartons on the wall behind associates, forcing them to turn their backs to customers while searching for the requested brand. A Montreal vendor last week proposed an automated cigarette package dispenser designed to cut down on thefts that occur during this process. This is not IT in the traditional sense, but it’s still a clever in-store tech approach to deal with shrink.

The product, from the Artitalia Group, claims that the Audimac “not only has all the cigarette packages separated by brand and size, but also dispenses them at a push of a button.” The anti-theft element here is not necessarily designed to thwart people stealing cigarettes as much as it is trying to block the theft of everything else while the associate searches for the cigarettes. Maybe they should have a new cigarette warning for store associates? “Your chain’s IT General warns that the cigarette sales process could be hazardous to Loss Prevention.” Or maybe, “If you can see these cigarette SKUs, you can’t see the customer stealing from you right now.”…

While this porn kiosk touts privacy, which would seem to make sense, it also requires a driver's license and a payment card. Those two documents certainly are good ideas, especially when arguing to retailers that the machines will not be usable by minors, but both also obliterate the claims of privacy. The issue speaks to all kiosks, but this case is a wonderfully extreme example.Read more...

The centerpiece, from a company called Aetrex, is something the store calls iStep Wave and its claim is that it can go beyond measuring shoe size to examine arch type and pressure points—and do it all in half-a-minute. The store says the device uses "3,744 gold-plated barometric sensors that measure the pressure exerted by your foot every 0.25 cm squared and 1,326 infrared LEDs and receptors that are aligned every half millimeter."Read more...

The idea of aggregating the shopping and other experiences of a closed community is a good one, with lots of potential to boost the meaningfulness of such results. There's also a downside with this aggregation approach, namely that most consumers trust different friends to very different degrees.Read more...

As a result, it should be easier for Nordstrom to quickly add new devices and new functions to the mobile POS system. Features that the iPod doesn't support, such as contactless payment, might be available on other devices. In theory, with a well-structured architecture, new devices could be swapped in on an as-needed basis. Unlike mobile POS pioneers Home Depot (which uses a highly customized handheld for its mobile POS) and Apple (which can only use Apple, naturally), Nordstrom can exercise its option to do small-scale experiments with devices from multiple vendors in the midst of its big rollout. That will also discourage developers from tying code too tightly to one device—giving Nordstrom the chance to do even more quick-hit experiments in the future.Read more...

Even if the Supreme Court rules that customers don't have a right to privacy in their location, retailers still face a dilemma, writes Legal Columnist Mark D. Rasch. For example, smartphone apps can leverage GPS or other location data and enable new sales and marketing opportunities. But consumer backlash may result in new regulation to restrict the collection and use of this information. If you fail to have clear and unambiguous privacy policies that state what you are collecting and why and then follow these policies, either the consuming public or the government will make you do it.Read more...

Logistically, though, those types of things are not that easy with about 14,000 employees spread over 1,206 stores. For bonding, videoconferences and company-wide E-mails can only take someone so far. The chain's answer? Arrange—surreptitiously, mind you—for 5,300 pizzas to be cooked and delivered on Sat., May 14.Read more...

Beefing up security for more than payment-card data isn't a new idea, but it's unfortunate for retailers that Apple got so sloppy with its users' location data. Spotting customers as they're headed for a store is the holy grail of retail mobile-location technology, whether via GPS, Wi-Fi, cell-tower triangulation or POS tracking, and right now that's all getting a slightly creepy reputation. But in practice, it's going to become the norm—retailers will just need to get their best customers to opt in.Read more...

Problems were first detected with Burlington's main site—called Coat.com—about 4 PM (New York time) on Sunday (May 8), when Web uptime tracking site AlertBot noticed "intermittent outages." The site then went completely dark at about 5:20 AM Monday (May 9), said AlertBot's Justin Noll. Burlington's official version is slightly different, with a statement issued by CIO Dennis Hodgson saying that the chain "was subjected to a denial of service attack early" Monday.Read more...

Typically, such a PIN pad attack is done physically. However, with this many stores, a network attack from pad to pad is also possible. In a Q&A issued by Michaels, it was the chain itself that first raised the question of whether employees could have engaged in the fraud.Read more...