Evan Schuman's StorefrontBacktalk

In short, in the hands of an evil-minded competitor (in retail, are there any other kinds?), that Google-provided password could do a huge amount to slow down a rival, in addition to knowing inventory shipment plans so they can be countered. It represents a critical security breach—and one that started with the simple decision to put a confidential manual in a Web site subdirectory. That single password—which was printed in that Google-available PDF—unlocked a third-party's servers and revealed a supply-chain security hole large enough to drive a fleet of Mack trucks through.Read more...

"A big thing to think about is how you are going to train your in-store personnel and educate them on the mobile strategy and the mobile app. We found many customers walking into restaurants, asking our personnel how to use the iPhone app. That can get lost in the mix," Concors said. "How are you going to redirect those consumers to the right level of support when those things come about? There's no way you are going to train all your personnel how to troubleshoot an iPhone app. In 99.99 percent of cases, there's no problem with the app itself. It's because the person doesn't understand or there's a problem with their phone or there's a problem with the network. If there's a problem with the app, we will see it across the board."Read more...

On Tuesday (March 22), payment processor First Data rolled out a mobile service that nicely illustrates the problem. A program dubbed mVoucher (for mobile vouchers) is a service to support gift cards, prepaid value cards and coupons for mobile users. Why couldn't most large retailers do it themselves, given that the functionality here is not overly complex? The answer is that they can. So why might they not? Simply put: the POS fear, when mobile is involved. It's an interesting twist on the age-old FUD (Fear Uncertainty and Doubt) selling tactic. But in this case, the vendor isn't spreading FUD about its products. It's relying on retailers already having FUD about connecting mobile with POS, creating an opportunity for an outsourced service that might not have otherwise existed.Read more...

Disruption just isn’t what it used to be. On Monday (March 21) consulting giant Deloitte issued a report on what it calls 10 “disruptive and emerging technologies” that will be a big deal to big companies over the next 18 months. The list includes cloud computing, software as a service (SaaS), visualization, analytics, social computing, mobile applications, ERP—wait, these are disruptive and emerging? Some of them emerged and did their disrupting decades ago. At this point, they’re about as disruptive as a cash register or a credit card.

It’s always hard for consultants to strike a balance, looking for the sweet spot in technology and trends that all their potential customers haven’t already adopted but are far enough past bleeding-edge status that they’re not a wild-eyed gamble. This time, Deloitte missed that sweet spot by about five years—this list isn’t even interesting. But we’ll be watching closely for next year’s report to see if that newfangled E-mail thing makes Deloitte’s list.…

The food allergy example is probably the most extreme, because it literally can threaten the life of the consumer. It also is the most difficult retail customization to deliver, because it requires full cooperation from every supplier—something that is virtually impossible. Also, the whole idea of customization puts the burden of delivering on the retailer.Read more...

But instead of trying to shore up the popular but aging SecurID system, there's a better way for RSA to go: It could just publish the hashing algorithms and convert its SecurID users to mobile devices that could be updated on-the-fly at any time. That would eliminate all the advantage gained by the thieves who stole RSA's secrets, while making things more secure for SecurID users.Read more...

That's got to be galling for Apple, which made a big display of licensing 1-Click from Amazon a decade ago. But it's frustrating for all E-tailers, who thought they would only have to pay 1-Click tribute once, to Amazon. Now it looks like they may have to buy the same rights twice—unless Amazon (which isn't named in last Monday's lawsuit) can win its fight to be the only 1-Click game in town.Read more...

"I am reminded of the ill-fated Barbie Doll that whined: 'Math class is tough.' The maker pulled it from the market after numerous well-justified complaints. Maybe it's the old mathematics teacher in me, but I am wondering if we need a new Barbie that says, 'PCI is tough!'"Read more...

If your call center records phone calls and you ask customers for the security code from the back of their cards, you need to stop the practice and make sure your voice recording software cuts out and does not record the SAD. For many call centers that means upgrading or reprogramming their voice recording application or changing their process (for example, substitute address verification). Once you stop recording, the next step is to purge all SAD from the existing recordings.Read more...

The punitive response options from the PCI Council were designed for chains that violate current PCI guidelines, in that those businesses engaged in explicitly forbidden behavior. But the rules have no standard way to deal with new technology. A new payment system, unanticipated by the rules, is neither PCI Approved nor PCI Rejected. It is, frankly, PCI Limbo.Read more...

Sean Bunner, HSN's Operating VP, echoed Kinzey's sentiment. "It's such an early channel to get so granular. There's some overall trend stuff we're more interested in, like 'what category of merchandise are they purchasing?' From what we've seen, mobile is significantly different than Web or, for us, TV," he said. "But even within mobile, between mobile Web and apps. You see pretty significant shifts in categories, so we then have to get into CRM activity to see 'Why is that?' Do you want to merchandise that store differently?"Read more...

The problem isn't near field communications (NFC) itself. Apple could easily stick the hardware into the next iPhone, just as Samsung put an NFC controller and security hardware in its Nexus S Android-based phone. But Apple is worried that there's no industry-standard way for apps to communicate with that hardware, which is also why the Nexus S can't currently behave like a Visa PayWave or MasterCard PayPass card, either. Once Google updates Android to add a software stack that can do payments, the process of hashing out that standard can begin in earnest.Read more...

After the RFPs are evaluated through simple "count the number of Yes answers" and other sophisticated techniques, a select few will get the full questioning and even fewer will get to do demos and participate in a trial. As long as no one holds vendors to the answers their teams originally gave (and who even bothers to check?), the incentive to be truthful in an RFP is nil.Read more...

The move, which hit at least one of the delisted vendors on January 31, is part of PCI's effort to create a proverbial level playing field. There are good and bad sides to this effort. The good is that it's noble in intent. It acknowledges that mobile payments have so many crucial differences from earlier payment methods that merely tweaking today's guidelines won't work. And it also notes that it would be unfair to let vendors that happened to have already been approved be the only applications with the seal of approval, as the door slamming on everyone else. The bad is that it's seeking the perfect at the expense of the good.Read more...

"Using an encrypting reader is not as simple as plugging it in. Very few POS processing systems can handle encrypted data. The vast majority of card data is processed as clear text ASCII. That includes the data read by most VeriFone terminals," said Tom Siegler, VP of Strategic Market Development at UIC USA, another vendor in the payment space. "The reader must be key-injected by a certified vendor with the key for the acquiring processor. This typically costs from $15 to $40. Some vendors want to gate the transaction and charge a fee for the service. This was VeriFone's and MagTek's business model. All encrypted transactions would generate revenue. Nice business, if you can get it."Read more...

Retailers looking to leverage social media are quickly learning that it’s a powerful tool—and it’s sometimes far too powerful. That’s a lesson Groupon learned in January, when it tried launching a new service in Japan. For those who need another reminder, a 16-year-old girl in Australia is only too happy to oblige. Seems that the girl posted an invite to her 16th birthday party on Facebook (with her address) and didn’t properly set the privacy settings.

It went viral, and almost 200,000 people said they would show up at her house. The party was canceled (which is a shame, given that the family apparently didn’t calculate the potential eBay revenue from selling all of those gifts), but it’s a critical reminder for retail. If a promotion goes viral, what seemed like a great idea can quickly morph into a disaster. Think Sorcerer’s Apprentice: social media is the magic spell and your impressively unhappy customers are the water. And those angry customers—facing hand-scribbled out of stock signs, huge lines and terrible customer service— will likely not forget. They won’t be bringing gifts, either.…

Why delay? Consider the Veterans Administration's data breach, which involved the theft of a laptop computer containing millions of records pertaining to veterans. The VA, upon learning of the theft from a contractor, notified all of the affected individuals, at a cost of millions of dollars. A few weeks later, the VA recovered the stolen laptop intact and discovered that no VA records had actually been touched. A delayed response in that case would have not only saved money but also prevented what turned out to be needless worry.Read more...

"If you think about mobility, interesting applications tend to leverage three things: presence; authentication; and location. Presence: Are you there? Are you on the network? Are you live? Can somebody see you? Location: Where are you physically? And to what level of granularity can you see that? Authentication: Are you who you say you are?" Sajor said. "Those are the three crown jewels. You can't do much interesting unless you have those three things locked in to some degree or another."Read more...

Lack of training, coupled with little or no signage and marketing support, will be the silent killer of many in-store retail mobile efforts. For example, Starbucks' mobile payment scheme remains invisible in some stores, where associates still don't know how to use the scanners that read payment codes off customers' mobile phone screens. And Shopkick is in many retail locations where there's no signage about Shopkick and the associates don't even know what it is.Read more...

Still, are the extreme bandwidth and related demands of streaming video going to end up undermining more strategic network functions, such as selling stuff? Pizza Hut CIO Baron Concors was afraid that it might indeed do that. He still went ahead with video. But he wanted a third party—one that would keep these bandwidth-breaking B-movies far away from his pizza-selling sites—involved. "I was not interested in undertaking the effort to build out a YouTube-like infrastructure, along with the concerns about bandwidth, security and site performance," Concors said.Read more...

Google has reached into users' mobile devices at least once before to delete apps in the name of security. Most users may not mind—certainly not as much as, say, Amazon reaching into their Kindles to delete mistakenly published e-books. But for retailers that want to use an Android device as a point-of-sale unit, the ability of a vendor—or any outsider—to modify the device by long distance could make getting a QSA's approval impossible.Read more...

Increasingly, retailers are looking at mobile payment systems that do not require their own dedicated infrastructure. Using ubiquitous handheld devices over regular Internet connections, these devices are cheap, easy to maintain and hold great promise for line-busting, inventory management, offsite purchases and a host of applications we haven't even thought of. An example of such a device is the "square" payment system. This small cube-shaped device plugs into any iPhone's audio plug and, with the downloadable software and a square processing account, allows anyone to process credit cards.Read more...

The move itself certainly made sense. The retailer tried moving non-customer traffic—such as search engine bots and agents trying to track a variety of Web performance elements—to some slightly slower servers, with the intent of making the experience much faster for paying customers. And if a bot for Bing, Yahoo or Google get its data a little bit more slowly, no harm done. That was the theory. But slowing down performance for a Google spider, for instance, will in turn cause Google to assume your site is slower and that could impact a retailer's ranking on the search giant. It also caused some companies that track—and report publicly—Web performance to see the retailer's Web presence as slow or, in this case, down completely.Read more...

"The carriers know something about you. They authenticate you, and it's reasonably difficult to falsify or spoof that authentication. If you're holding that device, there's a pretty darn good chance that you are who you say you are, as you've authenticated with the mobile network," said Sajor, who was recently promoted to CIO from Chief Technology Officer. "Wouldn't it be interesting, wouldn't it be nice to use that authentication to authenticate you for your mobile experience all the way through the entire mobile payment channel? That would take away the logins and all of that kind of thing. You'd probably want to have some secondary protection: PINs or whatever. But if you could actually use that authentication in a sensible way to seamlessly permeate the entire experience, now you get a much more holistic experience based on what the carrier already knows. The data is already there. We just have to be able to get to it. I don't think we're quite at that point yet." But Pizza Hut's CIO urges caution until the U.S. cleans up mobile standards.Read more...

Their consensus: The First Phone works, but it still has a long way to go. That's what you'd expect from a first try at a mobile POS device, though, and that first draft won't get better without lots of listening on the part of IT. The comments of the Home Depot associates go a long way to point out the challenges mobile POS faces as it rolls out at Home Depot, Nordstrom and other retailers.Read more...