Evan Schuman's StorefrontBacktalk

The $5.3 billion European chain Woolworths has switched CIOs, with CIO Stephen Bradley resigning “to pursue consulting and charity work,” according to this interesting ZDNet Australia story.

Woolworths has promoted its GM of IT, Daniel Beecham, to the CIO slot, promoting the 12-year company veteran on May 14. His first priority, the story said, will be to complete a new POS rollout across the chain.…

When the Texas assembly this month unaninously approved a bill mandating PCI compliance, it set in motion a potentially interesting retail security development.

The state bill–which still needs the blessing of the Texas state senate and the Texas governor-doesn’t directly impose penalties on non-compliant retailers, but it does shield compliant merchants from banks trying to collect damages, a protection that is explicitly missing for those can’t prove PCI compliance.

If other states take their cue from Texas, it would cerainly give additional teeth for PCI compliance programs, but it wouldn’t necessarily solve the problems that is causing so many retailers to not comply. It’s also not clear how national retailers would be impacted. Could banks simply sue somewhere outside of Texas? But if other states start to adopt, this could get very interesting very quickly.…

As mobile computing devices start invading in-store operations—both what customers bring into the stores and what the stores will hand to those customers—the very nature of in-store networking is likely to undergo a dramatic change.

Consider this scenario: A customer walks into a favorite retail outlet and grabs a handheld shopping helper from a rack near the entrance. The handheld unit can communicate with RFID-enabled smart-shelves and their tagged item-level cousins, as well as signal digital signage to change based on the CRM profile of the approaching customer.Read more...

If you're going to be in the Boston area June 5th and 6th, would love to hook up with some of you at the ERIexchange show at The Boston Convention Center.

That show is actually shaping up to be quite significant, with keynotes from BestBuy CIO Bob Willett, CircuitCity CIO Bill McCorey and Metro Group managing director Gerd Wolfram, among other notables.Read more...

One piece of legislation that is now winding its way from the U.S. Senate to the U.S. House of Representatives prohibits pharmaceuticals from using RFID in anti-conterfeiting measures, according to this interesting story in RFID Update.

Although pharma and government uses of RFID are quite distinct from retail deployments, this effort–which is far from final–does signal several things that could impact retail RFID efforts.

First, it signals that the current legislative climate is open to severe RFID restrictions, which is a foreboding trend with consumer privacy protection issues in the wings. Secondly, pharma is a potential massive user of RFID. Anything that materially reduces that is going to impact volume pricing for all RFID uses. Much of the current RFID tag price reduction projections have assumed more-than-healthy pharma deployments. All said, it’s an important piece of legislation to watch. …

I don’t typically do this, but today’s Dilbert says something so critical about CRM and performance management that it’s simply impossible to not share.…

Amazon is truly trying to make a go of the online grocery segment, and the Subscribe & Save feature it introduced on Tuesday is a good example of how. But the new program—which promises customers automatic delivery of grocery products with discounts of 15 percent and free shipping—is also an illustration of Amazon's initial weakness.

Several E-Commerce sites have tried to make a profit with grocery online, with Priceline probably the most notorious at making a big noise and a big loss. One of the few that seems to be making some serious headway is Peapod, which has the pedigree to do grocery right: It's owned by Stop & Shop.

TJX reported Tuesday that, in the three months leading up to April 28, it spent another $12 million dealing with the data breach the company announced in January. That's on top of $5 million TJX said it spend in the immediately previous three months to deal with the breach.

These figures, while not trivial, are dramatically below some industry projections of billion-plus-dollar losses. Customer loyalty—and apathy—is proving to be the key difference.Read more...

A new survey of U.S. and U.K. mobile web users shows that the number of people engaging in cellphone/PDA Internet activity is already almost one-fifth the size of their PC counterparts. The study from ComScore and Telephia found 19 percent in the U.K. and 17 percent in the U.S.

The U.K. study found 5.7 million people used a mobile device to access the Web during January 2007 compared with the 30 million people age 15 or older who accessed the Web from a PC. The U.S. figures for the same month showed 30 million opting for the PDA/Cell route, compared with 176 million U.S. PC Web users. “Similar to the Internet 10-15 years ago, men under the age of 35 are the early adopters of new technology and more likely to use mobile devices to access the Mobile Web than women or men aged over 35, ” said Bob Ivins, managing director of comScore Europe.…

A new report has emerging technology–which it defines as electronic shelf labels, RFID and self-checkout terminals–shipments hitting $238 million by next year among European retailers. That’s about 52 percent more than the $157 million worth that the Venture Development Corporation (VDC) report estimated was shipped last year.

“While in the near term, traditional technologies will still dominate the market, these emerging technologies are expected to experience long-term growth due to technology refresh cycles, increasing end-user comfort levels (as a result of field-proven ROI with these technologies), and rapid price erosion in order to remain competitive,” said Andrew Nathanson, Director of VDC’s Automatic Identification and Data Collection Practice. “In order for the market to reach its full potential, retailers must view these emerging technologies as a mechanism for strategic pricing, inventory control and management, and a method in which to improve customers’ in-store experience — not merely a replacement for traditional technologies.”…

For those who still cling to the Tinkerbell belief that consumers will shun any retailers who are shown to not protect their data, TJX’s latest sales figures will deliver a rude awakening.

This concept is not new, as ample evidence already existed that consumers don’t really care about security, but when TJX reported Thursday that its April sales increased another 2 percent, to $1.28 billion, the conclusion became unavoidable. More importantly, for the thirteen weeks ended May 5, 2007, sales reached $4.2 billion, a 7 percent increase over last year’s $3.9 billion. Even with those healthy increases, TJX CEO Carol Meyrowitz said the sales were below her expectation, mostly because of weather. If they were going to feel a consumer backlash, it would have been evident months ago, let alone now.…

The ongoing lawsuits against major retailers for printing prohibited information on credit card receipts is allowed to proceed, with judge describing a key retail defense "absurd" and "bizarre."

U.S. District Judge Gary Allen Feess shot down the retailer's arguments that the law is confusingly worded. "Adidas attempts to obfuscate this plain meaning by advancing two 'competing' interpretations that border on the absurd. First, Adidas contends that the statute could be read to 'allow a business to print the credit card's expiration date on the receipt so long as no more than the last 5 digits of the card appear.' Second, Adidas argues it could be read so that the phrase 'last 5 digits' modifies both 'card number' and 'expiration date,' and thus that a business would be in compliance so long as it truncated the card number and printed only the last five digits of the expiration date. Each interpretation is bizarre," the judge wrote.

When Visa released the latest stats on how many retailers are complying with PCI security rules, many large retailers don't even seem to be trying anymore.

Visa itself puts an even more favorable spin on the figures, with a statement from Visa attributed to Eduardo Perez, vice president, Payment System Risk, Visa USA, saying, "Among the top merchants, which account for over half of Visa's transaction volume, the majority are either fully compliant or working toward eliminating any deficiencies."Read more...

Amazon fired off lovely rhetoric in December, but it surrendered in the conference room. As one lawyer put it, Amazon said in December "This is extortion" and in May, said "And we're paying it."

The issues and the symbolism couldn't have been more the quintessential old versus new battle. IBM is no stranger to nasty fighting and is a company that sees something beautiful about a well-executed stealth patent. That's where a company files a patent and sits on it—quietly—to see if anyone uses the approach and if that company happens to have any money. Think of it as a Patent Speedtrap.

IBM and Amazon today announced that that they come to terms–undisclosed, naturally–on patent issues, with Amazon forking over to IBM “an undisclosed amount of money” and agreeing to “a long-term patent cross-license agreement.”

This is quite a trip from the Amazon rhetoric in December, when Amazon officials said that IBM over-reaching to an epic degree.

“IBM’s broad allegations of infringement amount to a claim that IBM invented the Internet. If IBM’s claims are believed, then not only must Amazon.com pay IBM, but everyone conducting electronic commerce over the World Wide Web (indeed, every Web site and potentially everyone who uses a Web browser to surf the Web) must pay IBM a toll for the right to do so,” court papers filed by Amazon in December said. The original IBM lawsuit raised questions of obviousness, which were addressed by …

Throughout the five-month public history of the TJX data breach fallout, the industry has repeatedly tried to simplify it, to label one cause as the explanation, whether it was incompetent IT execution, an inside job, an open wireless port or some other clean explanation. But the TJX situation is complex, complicated and defies a simple explanation, just as their intruders were a lot more sophisticated, creative, relentless, daring and professional than anyone in the industry wants to believe.

A 5-second glance at the latest details has led many people to dismiss this as another wireless problem. The truth is that TJX offered intruders a generous smorgasbord of security holes, enabling the intruders to plant a trojan horse, steal an encryption key, sidestep less-than-diligently-monitored traffic logs and be able to grab credit card data before it was to be encrypted. So let's not paint TJX as security Eagle Scouts who happened to let their guards down on wireless.

The Wall Street Journal is reporting that the TJX break-in started in July 2005 with a wireless hack of a Marshalls in St. Paul, Minn, where the thieves “pointed a telescope-shaped antenna toward the store and used a laptop computer to decode data streaming through the air between hand-held price-checking devices, cash registers [POS presumably]and the store’s computers. That helped them hack into the central database of Marshalls’ parent, TJX, to repeatedly purloin information about customers.”

The news that the attack was wireless is not unexpected, as wireless attacks have become very popular means of attacking retail chains and because hints that the TJX attacks were wirelessly based have been frequent. But the level of specifics in the Journal story are surprising. Read more.…

Following lawsuits in February against some of the nation's largest retailers for illegally revealing too much credit card information on printed receipts, two of those retailers are now suing their POS vendors.

In the last couple of weeks, two of those retail defendants—Charlotte Russe and Shoe Pavillion—have sued their POS vendors, saying that the retailer relied on them and if the retailer is liable, then the POS vendor should pay for it.Read more...

Two security firms have crafted a fully-functional credit card with a tiny monitor and button that will issue one-time passwords. But whether any banks will offer the expensive formfactor is another question.

The concept of the card is powerful and timely, as retailers are desperately trying to improve POS security, especially for E-Commerce transactions. With thefts of credit-card identifying data growing rampant, the idea of an authentication code that—in theory—couldn't possibly be stolen from some retailer's database is quite compelling.

The world's largest retailer on Tuesday reaffirmed it's support for RFID, citing one-third fewer out-of-stocks, slashing of excess supply chain inventory and reduced customer waits.

In a statement issued Tuesday, Wal-Mart CIO Rollin Ford said that RFID-supported pallet locators are now being used at Wal-Mart subsidiary Sam's Club "increasing inventory accuracy and reducing member waiting time as well as future benefits in pharmacy accuracy, grocery freshness, software, CD and DVD authentication, and 30-second store checkouts."

The Association for Retail Technology Standards has launched the SOA Blueprint for Retail project, a program designed to create guidelines and best practices for implementing a service-oriented architecture. Among the initial backers are Kohl’s, Big Lots, CSK Auto, IBM, Oracle, Cisco, SAP and Microsoft.

Retailers interested in participating in the SOA Blueprint for Retail project or finding out more about it can do so by contacting Richard Mader at maderr@nrf.com.…

Checkpoint Systems on Tuesday will introduce a combined tag product, which is designed to deliver EPC inventory and item-level tracking along with EAS anti-theft capabilities. But the move has prompted an unusual amount—and diversity--of criticism, ranging from privacy and health risk issues to standardization and support for retail returns.

What Checkpoint rolled out on Tuesday—in the backyard of Disneyworld—was a new family of dual-function labels called Evolve. The line appears to be the first product to attempt to merge the inventory and anti-theft measures. The patent-pending line will be Gen2-compliant and will operate in the UHF band of 860 to 960 MHz, but at 8.2 MHz for RF-EAS systems, according to Checkpoint.Read more...

As the U.S. Senate is considering national standards for retail data breaches, the National Retail Federation (NRF) issued a statement that some provisions could actually cause consumers to be repeatedly notified for the same incident.

The NRF statement supported the legislative efforts, but tried suggesting some pragmatic problems with the approach the Senate is considering. "Disparate notification standards create significant compliance burdens for businesses that operate in many different states and may also lead to confusion for consumers," NRF Senior Vice President for Government Relations Steve Pfister said.

The U.S. House of Representatives has decided to turn up the heat on TJX, with plans now confirmed to hold a hearing on the TJX data breach in May.

Details are sketchy, with witness lists and an exact date within May still being finalized, but the House subcommittee on Commerce, Trade and Consumer Protection has decided to indeed explore the circumstances surrounding the info theft. The class-action civil lawsuits against TJX are looking to go to trial in about a year (May 8, 2008), with the discovery process about six months away. Will the Congressional testimony offer any nuggets of gold for plaintiff counsel? About 100 lawyers certainly hope so.…

In another in a lengthy line of lawsuits against TJX involving the massive data breach that it announced in January, the Massachusetts Bankers Association (MBA) sued the retail chain on Tuesday for "negligent misrepresentation" because it had said that it had been "safeguarding and disposing of cardholder data," a statement the bankers group said was false at the time it was made.

(The Register in the U.K. also covered this story. I mention that only to sadly say that they can get away with headlines that I can't. Their head: "TJX finds self at bottom of 300-bank pig pile.") MBA CEO Daniel Forte said his association hopes to make this a much broader issue than one retailer and one very large data breach. "If we're successful against TJX, the nation's major retailers will finally wake up to the fact that not protecting consumer data is an unfair trade practice and that investment in data management systems to protect consumers and shield consumers against fraud and identity theft is required," Forte said.