Evan Schuman's StorefrontBacktalk

In March, Western Union cut a deal with Amazon to let the E-Commerce giant's customers use the 44,000 Western Union locations with fees ranging from $3 to $8. Then Bank of America and Citi got into the act with a one-time use card, another tactic to make sure the payment is only used for the immediate purchase price and nothing else. Last Thursday (Sept. 3), eBillMe offered its version, where the payment company is working with MoneyGram—and others—to offer cash-only options at about 75,000 walk-in locations, for a $5 fee. Read more...

Last Wednesday (Sept. 2), TJX struck quite a bargain and settled with the handful of remaining banks. In settling all charges with four different financial institutions—AmeriFirst Bank, HarborOne Credit Union, SELCO Community Credit Union and Trustco Bank—TJX agreed to pay $525,000 to be split between the four businesses. Was that punitive or was that something closer to a nuisance payment for the $19 billion retail chain? Punitive would generally mean covering all legal costs plus reimbursing the banks for all out-of-pocket costs and then paying them something to compensate them for the pain of the litigation. The payment specifically excluded legal fees. According to the statement TJX issued, the settlement didn't even cover all of the banks' out-of-pocket expenses let alone offer anything for their efforts. Oh and it also allowed TJX to say that it "has denied all wrongdoing." The amount enough that it was already covered in a reserve that TJX took back in the second fiscal quarter of 2007.Read more...

But what does any of this have to do with M-Commerce? A lot. If they finally get around all of the technical and logistical hurdles of M-Commerce, they will be trying to get millions of consumers to interact with their sites—via their phones—and see product lists, read reviews, watch multimedia demonstrations, interact with social sites, download PDF instruction manuals and even ask their peers for feedback on their shopping choices before consummating those purchases. That's all great, but—if successful—will it turn the Home Depots, Walmarts and Targets of the world into examples of what may become known as "The AT&T Factor"?Read more...

Grocery chains have historically been afraid to reach out to consumers with personalized pitches, fearing the consumers would be put off by what might be seen as a privacy intrusion. But with privacy expectations now much lower, more chains are willing to take the chance. Case in point: the $4.6 billion 1,400-store Big Lots grocery chain will launch its first CRM program in the Fall, the latest in a series of grocery chains slowly embracing official loyalty programs.

The Buzz Club card will offer consumers a discount when they make 10 purchases of more than $20 each, according to this DMNews report. The story quoted Big Lots CEO Steven Fishman as saying: “The program will allow us to learn more about our core customers’ shopping tendencies and opens up micromarketing capabilities we’ve have never had before as a business.” It will be used to create personalized follow-up offers and Fishman said that all of the chain’s “messages going forward will be more aggressive.” …

Look for Gonzalez to officially plead guilty to the federal charges from Boston, primarily involving TJX, BJ's Wholesale Club, Boston Market and Sports Authority and New York, primarily involving Dave & Buster's, on Sept. 11.Read more...

In the trial—conducted over 13 weeks and published Monday (Aug. 24)—looked at a non-item-level store (the control store) and one item-level store and the same limited product area (denim jeans) were examined for both.Read more...

A 500-store franchise chain, for example, could easily have to indulge more than 50 different POS configurations, given various owner demands. Each location is likely to have it’s own nuances and, in a franchise environment, each store will likely have different needs than the rest. So what do you do when you have 500 locations that each have their own needs? You need to think of the rollout as more like 500 little project plans. Asks Franchisee Columnist Todd Michaud: Now doesn’t that sound like fun?Read more...

If a retailer will invariably be declared non-compliant after a breach, what's the point of doing the assessment right? Turns out, there are quite a few points.Read more...

And yet, if any segment of retail was underutilizing the magic of interactive E-Commerce, it's the glossy side of facial retailing: makeup. Drugstore.com—and one unidentified pharmacy chain, although it's not one of the four largest—are about to try and address that. The retailers will encourage customers to upload photos of themselves and the system will then project what various makeups will look like on their skin, leveraging facial recognition software.Read more...

In the world of retail CRM programs, warehouse chains such as Costco, BJ’s and Wal-Mart’s Sam’s Club occupy a very specialized niche: they can boast that their customers use their loyalty cards just about 100 percent of the time, allowing for near-perfect purchase histories for all customers. Of course, requiring that the membership/loyalty card be displayed to get into the store and to make any purchases certainly doesn’t hurt. But it’s equally noteworthy how little those chains have pushed those extraordinary purchase history databases. Sam’s Club has now made such a move, claiming to be the first warehouse club chain to offer automatic paperless coupons. These chains have typically provided deeper-than-normal discounts, but they make it up with membership fees and, much more importantly, volume purchases.

That’s not merely buying huge quantities of products, but packaging the products to force consumers to buy larger quantities at any one time. If the consumer can use 100 bars of soap, they can enjoy that financial benefit. “There are no coupons to clip and no rebate forms to complete and mail,” said a Sam’s Club statement. “Members will receive customized offers tailored to them and discounts will be automatically taken at the register using their existing membership cards.”…

But the indictment revealed several key contradictions with 7-Eleven and Heartland and one major retailer's security executive found the government's specifics to be a convincing indictment against PCI.Read more...

Retailers tend to get so caught up in their global rollout plans and product strategy that they often forget to look at things from the store owner's perspective. That phrase is what many franchisees hear when talking to their chain hierarchy about all the great things that the brand wants to do with detailed data from the store. “By analyzing the data that we collect from these various sources, we will be able drive sales far more effectively.” But, similar to other grand plans they have been sold in the past, franchisees are skeptical that that yellow brick road is so easy to follow.Read more...

The idea is for shoppers to phone the service and then speak the product name and the automated voice system will say the exact location of that product. If it works, the system's creators envision successor systems that will turn that consumer phone number into an impromptu CRM customer-identifier. Baalmann, who will try the system at a store in Desperes, MO (right outside St. Louis) starting Tuesday (Aug. 18), already has people ready to call manufacturers this week to sell them the ability to send text codes to customers who ask about certain product categories.Read more...

This begs the question: How does an IT department successfully deliver retail technology that meets the needs of both a franchisor and the chain? Both sides need to change the way they think about large-scale IT projects. StorefrontBacktalk's new Franchise IT Columnist Todd Michaud contends that this is a lesson that shouldn't be ignored by non-franchise chains, too, as today's reality of Web-enabled, mobile-fueled, social-network-infested high-turnover low-margin is forcing everyone to play by very different rules or to die not trying.Read more...

Payment processors seem to be all marching to the same end-to-end encryption tune, although each is arguing that its version is different. Following Heartland’s announcement of an end-to-end encryption effort for its customers by the end of the year, EPX and RBS separately this week announced their own versions.

EPX on Monday (Aug. 10) offered up a version that tries to meld encryption and tokenization (“We’re disputing that encryption is the safest way to go,” said EPX COO Matt Ornce. “The sooner you can get it tokenized, the better”) while RBX on Tuesday (Aug. 11) announced that it would be using VeriFone’s VeriShield Protect as its end-to-end for encrypting payment card data. …

Heartland Payment Systems on Tuesday (Aug. 4) said it spent $32 million this year paying for costs related to the major data breach it disclosed in January, including $22.1 million to cover fines from key payment card brands and a settlement offer. Heartland did not say how the $22.1 million was split between the fines and the settlement offer, but it did provide clues.

For example, the breach costs of just the second quarter came to $19.4 million and it said that the “majority” of those costs was for the settlement offer, suggesting that the settlement was more than $9.7 million. Legal fees make that precise calculation tricky as well as the lack of a percentage of that majority. “The remainder of the expenses and accruals related to the Processing System Intrusion recorded in the three and six months ended June 30, 2009 were primarily for legal fees and costs the Company incurred for investigations, remedial actions and crisis management services,” Heartland said.…

But worst of all, from Lawhorn's perspective, the display told passersby that the order confirmation board (OCB) was quite completely connected to the store's LAN and POS, which is enough to tell someone that it's worth trying to hack into. And with a relatively unprotected network connection plugged into the behind-the-store box, that's not an especially daunting task.Read more...

EBay's PayPal group went dark worldwide for all users for an hour Monday, starting at about 1:30 PM (New York time). Many users were unable to make purchases for a much longer period, until the final users were restored by about 6:30 PM. Ebay said the cause of the outage was an "internal network hardware issue" and that EBay was "looking into how to address our affected merchants." If EBay wants to compensate—or, more precisely, console—merchants who were scared POSless on Monday, forget about compensation checks. Instead, do two things. Read more...

It would be nice to be able to remotely—and automatically—lock or unlock all doors throughout a retail chain at designated times, potentially leveraging RFID and wireless network access. Nice, that is, for bad guys who want easy access to your warehouse and other secure areas. At least that’s the premise of one researcher who cracked an electronic access system at the network control level and opened a door with a spoofed command sent over the network. As a nice touch, he also bypassed the audit log so the system wouldn’t see that someone opened the door.

What enabled it all was a system programmer who used predictable TCP sequence numbering, according to this nicely done story in Wired. “The problem occurs between the door controller and the server, which communicates with a persistent TCP session with ‘very, very predictable sequence numbering.’ Essentially, it increments by 40 for each new command,” the story said. “This means an attacker on the network can, while conducting a man-in-the-middle attack, intercept a ‘door unlock’ command and easily guess the next sequence number. Then, any time he wants to open a targeted door, he can sniff a packet to determine the current sequence number and send an ‘unlock’ command into the session with the next sequence number and the IP address of the administrator, fooling the system into thinking it’s a legitimate command. The command could remotely unlock one door or all the doors on an entire facility.”…

Disneyland Paris is planning to test contactless payments with cards and near field communication (NFC) phones this fall and, unlike so many others that have dabbled in these trials, it is offering discounts and loaning phones to boost participation. We’ve asserted people won’t bother with contactless payments unless they get a benefit beyond the questionable convenience usually touted by those pushing it. Only a handful of retailers, including Dairy Queen, have dangled carrots, such as discounts, to push contactless.

According to a report in Near Field Communications World, the resort is offering 25 percent discounts at Disneyland shops and 20 percent discounts at restaurants to patrons who use their NFC phones or contactless cards to make payments in the shops and restaurants. The trial, set to begin in October, will be available to those with annual passes to the resort who also have accounts in the Paris area branches of two French banks. Prospective users must first fill-out online applications. The people wishing to try NFC will be issued an NFC phone that must be returned when the trial concludes. This also addresses—or, more precisely, sidesteps—concerns about hardware differences with NFC devices. By handing out the phones, Disney is guaranteeing that hardware differences won’t impact their trial results.…

In another sign of movement in the contactless payment space, the 450-store Sports Authority chain has now agreed to accept contactless payment, which is on top of this month’s agreement from Home Depot that it would also accept contactless payment. But it’s also the same month when Best Buy said that they might stop accepting Visa contactless payment.

MasterCard has been offering key retailers generous checks to cover the cost of contactless deployment—and then some—to try and drive acceptance. Many retailers—Home Depot and Subway in particular–have agreed to accept contactless payment (and the bribery checks associated with it) but are unusually non-supportive of it. Even the convenience claim has been challenged by some chains that have agreed to deploy. Not clear how much benefit contactless will receive with a list of reluctant deployers, but that will become clear with the next (non-incentivized) layer of deploying retailers. The interchange fee issue—from Visa debit, which charges retailers more if a transaction is done contactlessly—is also damping down retail enthusiasm. As for consumer enthusiasm for contactless, that’s also been in very short supply.…

An intriguing blog discussion over at the Verisign security site, with the suggestion made that MasterCard has rapidly started upping its fines for PCI compliance issues. As the post asks, “Who poked MasterCard hard enough to wake them from hibernation?”

“MasterCard traditionally fined post-breach and, in some cases, we learned that MasterCard would fine merchants small, but consistent amounts to get the attention of accountants and finance gurus inside the company,” the post said, adding that times have now changed. ” So Level 1 merchants are being fined, at most, $25K more from MasterCard than from Visa, and Level 2 merchants are being fined a whopping $315K more from MasterCard. If your company is actually made up of multiple Level 2 retailers, this potentially means that you could owe double, triple, or more. MasterCard rolled out another change to acquirers as well and will require newly boarded Level 1 & 2 merchants to provide a compliant ROC from a QSA before they are allowed into the network. So those Level 2 merchants that have been changing processors every year, it finally caught up to ya.”…

When working on its annual study of manufacturer Web sites that try selling directly to consumers, Forrester Research pretty much found what it expected to find: that manufacturer sites are great for research with brand-loyal consumers, but the purchases are invariably made elsewhere. Forrester’s Sucharita Mulpuru, the principal analyst for Retail eBusiness and arguably the sharpest E-Commerce analyst working HTMLs today, said that, sometimes, the market works just as it’s supposed to. Many manufacturers were originally scared about offering direct-to-consumer deals, fearing that they’d undermine their channel and cannibalize sales. Turns out that consumers are smarter than they look and the product-maker sites haven’t hurt retail partners one little bit.

As Hershey’s concluded this month, the E-Commerce community trusts manufacturers to make stuff, not to sell it. It’s the exceptions that make the rule, Mulpuru said, pointing to two rare manufacturers that actually do make some direct to consumer sales: Apple and Dell. Apple does it by an almost biblically strict adherence to price, making the prices same regardless of whether the product is purchased directly, while Dell has a lengthy history of only selling directly (although it now sells through the channel). Still, Mulpuru argues that manufacturers should still offer E-Commerce for the CRM data collection and customer feedback info it provides.…

We point to this delightful story in Consumer Reports' The Consumerist site, where a frustrated consumer unsuccessfully tried to buy a pair of air conditioners from Sears. The point of this for us, though, is that consumer placed the order on the phone—dealing with a Sears call center—and yet he was being charged a couple of hundred extra dollars because of fine print on Sears.com. But given that the order was placed on the phone and that the call center rep mentioned nothing about the consumer being expected to go online to read a lengthy "anything we do wrong is not our fault" document, it seems something that Sears can not reasonably enforce.Read more...

This technique of analyzing the light-reflection has a few potential advantages, such as bokodes are much more difficult to fabricate, meaning it will be much more difficult for thieves to use consumer-grade printers to make fake stickers or to print bogus codes on product containers. Also, it can trump RFID tags in a few ways, both for security and supply-chain efficiency.Read more...