Evan Schuman's StorefrontBacktalk

As a QSA, PCI Columnist Walt Conway argues that he would pay particular attention to patches the vendor identifies as critical, because those have to be installed within 30 days. Will you be able to see a log or other evidence that the patches were installed on all in-scope systems? Another example is your internal and external vulnerability scans. You need to have the CSP provide reporting each quarter on both your complete internal vulnerability scans and your external scans, which an ASV must perform. Read more...

The CIO at apparel chain Ann Taylor—Mike Sajor, who was recently promoted from serving as the chain's CTO—argued that the very nature of mobile devices will force a lot of good things. But as much as it will help retailers, it will also force their hands.Read more...

With all of the recent mobile payment activity as a backdrop, the recent freeze on any mobile security decisions from the PCI Council becomes even more frustrating for retailers. But the frustrations from the PCI delay are matched by a baffling lack of any public activity at all from ISIS, the joint mobile payment effort from AT&T, Verizon and T-Mobile that was announced back in November. Note to ISIS: When BlackBerry passes you by in momentum, it’s a really bad sign.

It’s hard to find a less aggressive pace set by any mobile player than the one owned by Research In Slow Motion, but ISIS is managing it. It’s like a new Aesop’s Fable: The Turtle and The Tortoise. Meanwhile, New York drug store chain Duane Reade has been toying with Device Fidelity systems to turn phones into contactless payment devices—but the phone is just decorative. All of the processing is performed by the chip, which slides into a phone slot. It’s in a phone, but it could just as easily be on a transistor radio or, for that matter, a pair of ski gloves. It’s essentially the old sticker contactless payment shtick, just done with some mobile props.…

That's not a done deal by any means. But PayPal has already said it plans to get its payment system into brick-and-mortar stores by the end of 2011, and earlier this month hired a former gift-card executive, Don Kingsborough, to make that happen. Getting 180 friendly retailers to sign on will make it much easier to break the plastic monopoly on in-store payments—something no other alternative payments system has been able to do.Read more...

Some cynical sorts might say that the paper receipt requirement's purpose is similar to the rebate form, namely to reduce the monies that are due by making consumers give up to avoid the hassle. With a time-unlimited return, the passage of time makes it increasingly unlikely that the receipt will be retained (and that the consumer would be able to find it). This raises the disturbing question of whether there's much of an incentive for IT to do away with the paper receipt. How will mobile impact all of this? The idea of printing a receipt from a mobile device seems Victorian quaint. Would John Lewis accept a receipt image displayed on a mobile device?Read more...

Retailers have always longed for consumers’ phone numbers, but consumers know that a phone number is very hard to take back once given. Unless customers change their number, they’re giving merchants access for a very long time. With mobile growth today and the ability to also text, never has the divide been more pronounced: retailers want to collect this info more and consumers are resisting giving it out more.

A startup called KipCall might—just might—have a possible way around this impasse, where it uses a Facebook API to hide consumers’ numbers and gives them a way of shutting out retailers the instant they feel like it. When consumers want to be left alone by a chain, they simply “unfriend” that merchant and the retailer has no way to reestablish contact. If this approach works—and it’s a fairly big if—it might greatly help retailers get phone contact information, because consumers would have less reason to fear handing over their number. There’s one catch: If the consumer opts to purchase anything from that retailer directly from a mobile device, there’s a good chance the customer’s actual phone number will be seen, thereby undercutting the whole exercise. Still, it’s a creative way to deal with this impasse.…

Wal-Mart's initial move will include 23 Pennsylvania stores, using the state's own self-serve wine kiosks. These kiosks have had mixed results, with some wine enthusiasts pushing back against the machines. But those are not legal issues and, believe me, these machines offer enough such issues to keep entire law firms gainfully employed.Read more...

In short, in the hands of an evil-minded competitor (in retail, are there any other kinds?), that Google-provided password could do a huge amount to slow down a rival, in addition to knowing inventory shipment plans so they can be countered. It represents a critical security breach—and one that started with the simple decision to put a confidential manual in a Web site subdirectory. That single password—which was printed in that Google-available PDF—unlocked a third-party's servers and revealed a supply-chain security hole large enough to drive a fleet of Mack trucks through.Read more...

Tesco made an interesting move last month in its long-running battle with rival ASDA, when it promised customers to compare what they paid at Tesco against ASDA’s prices and to then refund the customer double the difference. That campaign, launched on February 28, was indeed quite bold.

But the more-than-5,000-store chain learned the classic lesson that no retail deed ever goes unpunished. This week, just one month after the promotion’s launch, the chain lowered its £100 refund limit to £20 after being hit by customers who were gaming the system. (No one anticipated that?) “A very small number of customers have used Price Check just to hunt down products which a competitor has on promotion and to make some money by using our guarantee. We commend their ingenuity, but this isn’t why we set up the system,” said Tesco spokesperson James Wiggam. Wiggam said the chain doesn’t expect this setback to undermine the program in any meaningful way because, he said, “Fewer than one in 5,000 customers have been awarded vouchers over £20.”…

"A big thing to think about is how you are going to train your in-store personnel and educate them on the mobile strategy and the mobile app. We found many customers walking into restaurants, asking our personnel how to use the iPhone app. That can get lost in the mix," Concors said. "How are you going to redirect those consumers to the right level of support when those things come about? There's no way you are going to train all your personnel how to troubleshoot an iPhone app. In 99.99 percent of cases, there's no problem with the app itself. It's because the person doesn't understand or there's a problem with their phone or there's a problem with the network. If there's a problem with the app, we will see it across the board."Read more...

On Tuesday (March 22), payment processor First Data rolled out a mobile service that nicely illustrates the problem. A program dubbed mVoucher (for mobile vouchers) is a service to support gift cards, prepaid value cards and coupons for mobile users. Why couldn't most large retailers do it themselves, given that the functionality here is not overly complex? The answer is that they can. So why might they not? Simply put: the POS fear, when mobile is involved. It's an interesting twist on the age-old FUD (Fear Uncertainty and Doubt) selling tactic. But in this case, the vendor isn't spreading FUD about its products. It's relying on retailers already having FUD about connecting mobile with POS, creating an opportunity for an outsourced service that might not have otherwise existed.Read more...

Disruption just isn’t what it used to be. On Monday (March 21) consulting giant Deloitte issued a report on what it calls 10 “disruptive and emerging technologies” that will be a big deal to big companies over the next 18 months. The list includes cloud computing, software as a service (SaaS), visualization, analytics, social computing, mobile applications, ERP—wait, these are disruptive and emerging? Some of them emerged and did their disrupting decades ago. At this point, they’re about as disruptive as a cash register or a credit card.

It’s always hard for consultants to strike a balance, looking for the sweet spot in technology and trends that all their potential customers haven’t already adopted but are far enough past bleeding-edge status that they’re not a wild-eyed gamble. This time, Deloitte missed that sweet spot by about five years—this list isn’t even interesting. But we’ll be watching closely for next year’s report to see if that newfangled E-mail thing makes Deloitte’s list.…

Is this what we've come to? You have to wonder what would have happened if Pugh had tried robbing a Safeway. By the time he'd finished filling out the application for a Club Card, he'd be halfway to jail.Read more...

The food allergy example is probably the most extreme, because it literally can threaten the life of the consumer. It also is the most difficult retail customization to deliver, because it requires full cooperation from every supplier—something that is virtually impossible. Also, the whole idea of customization puts the burden of delivering on the retailer.Read more...

"I am reminded of the ill-fated Barbie Doll that whined: 'Math class is tough.' The maker pulled it from the market after numerous well-justified complaints. Maybe it's the old mathematics teacher in me, but I am wondering if we need a new Barbie that says, 'PCI is tough!'"Read more...

The move, which hit at least one of the delisted vendors on January 31, is part of PCI's effort to create a proverbial level playing field. There are good and bad sides to this effort. The good is that it's noble in intent. It acknowledges that mobile payments have so many crucial differences from earlier payment methods that merely tweaking today's guidelines won't work. And it also notes that it would be unfair to let vendors that happened to have already been approved be the only applications with the seal of approval, as the door slamming on everyone else. The bad is that it's seeking the perfect at the expense of the good.Read more...

"Using an encrypting reader is not as simple as plugging it in. Very few POS processing systems can handle encrypted data. The vast majority of card data is processed as clear text ASCII. That includes the data read by most VeriFone terminals," said Tom Siegler, VP of Strategic Market Development at UIC USA, another vendor in the payment space. "The reader must be key-injected by a certified vendor with the key for the acquiring processor. This typically costs from $15 to $40. Some vendors want to gate the transaction and charge a fee for the service. This was VeriFone's and MagTek's business model. All encrypted transactions would generate revenue. Nice business, if you can get it."Read more...

Why delay? Consider the Veterans Administration's data breach, which involved the theft of a laptop computer containing millions of records pertaining to veterans. The VA, upon learning of the theft from a contractor, notified all of the affected individuals, at a cost of millions of dollars. A few weeks later, the VA recovered the stolen laptop intact and discovered that no VA records had actually been touched. A delayed response in that case would have not only saved money but also prevented what turned out to be needless worry.Read more...

Both debuted at this week's South by Southwest Interactive show in Austin, Texas. The Amex trial was with Foursquare, and it let consumers associate their American Express card with Foursquare and then use that check-in service to get automatic discounts through mobile devices. Sounds good and mobile, no? Not at all. Turns out that the program requires consumers to use their rectangular mag-striped plastic for each purchase. In short, both Foursquare and mobile were solely decorative. Amex could have accomplished the same thing by issuing a news release and putting up posters announcing that its card users could get instant rebates at select retailers.Read more...

When you’re the largest company in the world, you can get away with a lot. There simply aren’t that many companies that could support a key retail strategy almost seven years after most of its rivals and get away with branding it as new. And yet, Wal-Mart did just that with its March 10 rollout of Pick Up Today, which is the chain’s name for Buy-Online-Pick-Up-In-Store. Remember when Best Buy and others did that in 2004?

How does one possibly admit to being almost seven years late to this key merged channel effort? Walmart.com GM Steve Nave did it in style: “Walmart is uniquely positioned to combine the power of E-Commerce with our national retail footprint to offer a leading, multichannel experience that delivers the best savings and convenience to our customers.” The move is a good one and well overdue, but come on. At least address the fact that you’re so very late. Then again, in retail, if Wal-Mart hasn’t done it yet, then maybe it hasn’t really been done? …

"If you think about mobility, interesting applications tend to leverage three things: presence; authentication; and location. Presence: Are you there? Are you on the network? Are you live? Can somebody see you? Location: Where are you physically? And to what level of granularity can you see that? Authentication: Are you who you say you are?" Sajor said. "Those are the three crown jewels. You can't do much interesting unless you have those three things locked in to some degree or another."Read more...

But it took 25 years (most of which Woodland worked for IBM, which wasn't much interested in the invention) for optical scanning technology to catch up so the idea could be adopted as UPC codes in 1974. And even though barcodes were on their way to becoming the most important technology in retail, by 1976 BusinessWeek pronounced it a failure. Analysts had predicted 1,000 stores would have scanners by then, but only 50 did. Clearly, barcodes were a flop. A decade later they were everywhere.Read more...

VeriFone did this all to attack a much smaller rival called Square, which it repeatedly identified by name. The ironies continue. VeriFone posted a special page for this content, including a domain name referencing its rival, Square: http://www.sq-skim.com/. A key part of that page was a YouTube icon that would play the video. But YouTube quickly took down the video, breaking the link.Read more...

Lack of training, coupled with little or no signage and marketing support, will be the silent killer of many in-store retail mobile efforts. For example, Starbucks' mobile payment scheme remains invisible in some stores, where associates still don't know how to use the scanners that read payment codes off customers' mobile phone screens. And Shopkick is in many retail locations where there's no signage about Shopkick and the associates don't even know what it is.Read more...

The patent itself is fairly straightforward, in that the system assumes software will activate the group of cards by scanning (or keying in) the first card number, along with the number of cards sought. The patent spoke of variations of this approach: "The point-of-sale device can request a confirmation of the last number in the pack of cards. Thus the clerk can either swipe or hand key in the number of the last card that makes up the pack of cards," the patent filing said.Read more...