Evan Schuman's StorefrontBacktalk

As if QR codes weren’t having enough trouble getting traction among young consumers who should be their biggest fans, now it turns out that the codes are not only widely unused, they’re also unsafe. On September 9, mobile security blog Kaotico Neutral pointed out that because many mobile apps, when fed a QR code containing a URL, will immediately send the browser to that Web site—no questions asked—QR codes can easily be used to inject malware from an infected site into any phone or tablet that scans it.

Worse still, because the checkerboard codes are often on stickers or posters in public places, a QR on a retailer’s legitimate advertising can be turned evil by someone using a replacement QR that covers the original—even in-store. That means QR codes represent a triple threat (literally) for retailers: Many customers don’t know what they are. The ones who do are at risk if they read them. And cybercrooks can use your own advertising and signage to damage your reputation. Yeah, that certainly sounds like the mobile retail gimmick you need.…

Of course, that's only a problem if that high-bandwidth content comes from the Internet. If it's served from within the store, customers could receive a constant stream of commercials, product pitches and other videos on their smartphones and tablets. There's just one difficulty: If customers are accustomed to having a huge pipe to the Internet on their personal devices, they won't react well to retailers that have cut back their bandwidth ration to just enough for the Web, E-mail and Twitter—unless there's someone else available to blame.Read more...

The idea behind P2PE, pens PCI Columnist Walter Conway, is that an encrypting POS terminal encrypts the cardholder data (the first "point") immediately as the customer's card is swiped. A third-party service provider (the second "point," and often the merchant's card processor) manages both encryption and key management. The third party is the only one that can access the actual cardholder data. The result is that when P2PE is properly implemented, almost all the merchant's systems are out of PCI scope because the merchant has no way to decrypt the data or ever to get access to the clear-text cardholder data. Read more...

That sounds just a wee bit hypocritical, especially because Wal-Mart is unquestionably required to collect sales taxes online given that it has both brick-and-mortar stores and an E-Commerce distribution center in California. But the problem—and Wal-Mart's excuse—points out a legitimate issue when it comes to collecting those taxes online. A traditional store's boundaries are pretty straightforward. But online, it can get a lot harder to tell where one retailer ends and another begins, and exactly who is supposed to be collecting which taxes.Read more...

Although you got a telephone number and directions, Google got information about not only what people in general were searching for (people in Piscataway picked pizza) but also what a specific person was looking for (John Smith—or John's telephone—searched for the number for an AIDS clinic, then a drug store, then life insurance). Again, because Google isn't a phone company or particularly regulated in any way, it could use or sell this information in any way consistent with whatever privacy policy it wrote. But Google got much more than that. Read more...

In yet another example of mobile rewriting almost everything retail, the most recent quarterly POS terminal shipments spiked nearly twice as much as had been predicted, according to new figures from IHL. One of the key factors driving those shipments was retailers eager to upgrade their POS to be in a better position to accept mobile payments. “The biggest surprise was the resiliency of the POS market and the level of shipments, which was nearly double what we had predicted for the quarter,” said IHL CEO Greg Buzek. “In a global economy that slowed tremendously in the second quarter due to fuel prices, earthquakes, tsunamis and other factors, the retail POS market was particularly strong.”

IHL is now projecting a $7.3 billion worldwide POS spend for 2010—which includes hardware, software, and maintenance—and it expects 2011 to hit $7.78 billion. For the “pave the way for advancements” category, Buzek pointed to mobile as well as CRM, loyalty and merged-channel capabilities. On the more pragmatic side, many of these purchases are most likely equipping stores that were ordered long before the global recession peaked. “These were capital campaigns that were in the works before the economy soured, so it is 2010 results, creating budgets and new stores, and that creates a need for new POS,” Buzek said.…

It's not just that the new homepage is cleaner and more open to make it easier to browse (and buy) from a tablet. The same changes—bigger buttons, less clutter and small print—will make the site much friendlier to other customers, too. That could force other E-tailers to throw out the rulebooks for their own aging Web site designs—most of which probably seemed like a good idea in 1995, but haven't been completely revamped since E-Commerce became serious business a decade ago.Read more...

The September 1 Visa Bulletin was primarily to tell merchants that five VeriFone units (Everest Plus units P003-400-01, P003-400-02, P003-400-03, P003-400-12 and P003-400-013) have been ruled "susceptible to compromise" and were indeed "used in tampering and skimming attacks" in the U.S. The list had already included other VeriFone units plus one from Ingenico (the eN-Crypt 2400, also known as the C2000 Protégé) and two from Hypercom (S7S and S8).Read more...

When Lowe’s, PacSun and Urban Outfitters added their names to the ever-growing list of retailers deploying handheld Apple units for in-store mobile checkout, we asked whether this meant Apple was locking up the in-store checkout space. When word came down this week that the 896-store Ann Taylor apparel chain is also deploying the Cupertino red-fruit-named devices, the answer is now clear: Yes.

Ann Taylor CIO Michael Sajor said Wednesday (Sept. 7) that the chain will deploy slowly, starting with about 50 to 70 stores this year—using about 400 Apple IPod Touches—and expanding nationally from there. Asked whether Apple had sewn up the market, Sajor said it had, but stressed that it wasn’t anything Apple had done directly. “Apple didn’t do a damn thing. It’s the guys who made the sleds,” he said, adding that his team is only aware of three or four sled makers for the mobile card-swipes and that they are all using Apple. Still, it’s hard to imagine that Apple didn’t have a thing or two to do with those sled makers all choosing its hardware. Either way, it’s not likely that many chains will have Androids or BlackBerries handling their mobile apps. Score this one Apple red.…

Although there are lots of factors at play here, the primary power benefit of mobile is its battery power supply and, to be quite cold about it, the fact that the customer's device is powered by the customer. The power benefit of M-Commerce is that its power supply is probably a long distance away, somewhere not impacted by whatever is causing a store's power outage.Read more...

The dream—and nightmare—of every E-Commerce head is to start over from scratch, scrap all the legacy kludges that developers have been working around for years and build a Web site that does exactly what the chain wants. Most retailers will never be able to cost-justify that greenfield approach, of course. Target's site, however, had to be built from scratch because its decade-long deal with Amazon to operate its online business had expired.Read more...

To be precise, Urban Outfitters is already using them for mobile POS, while Lowe's is just doing inventory and Web site checks but not POS—yet. PacSun on Tuesday (Aug. 23) said that it has already put the Apple devices into more than 300 stores, with 100 stores slated by the end of the year. Combine that with Nordstrom, JCPenney and Gucci all piloting iPads for in-store use, and it begins to look like Apple really does have a lock on in-store mobile devices.Read more...

While U.S. retailers—including Macy’s and JCPenney—are just starting to get comfortable with item-level RFID, a pair of German supermarket chains is already taking the next step—tagging associates, too. By using active tags, the chains are able to not only handle access to sensitive areas but flag when an employee has been in a freezer too long and may need help.

The grocers, ALDI and Lidl, wanted to offer hands-free access to security areas, said this report from RFID Journal. “Lidl installed a reader inside the freezer near its entrance. When a person with a transponder arrives, the ID number is recognized, unlocks the door and allows him entrance,” the story said. “As he remains in the freezer, the reader continues to read the tag once each second. If it is still reading the tag in 15 minutes, it triggers a loud siren that can be heard outside the freezer.” It’s long been argued that RFID can deliver retail ROI, but only if retailers forget what vendors have promised and start getting creative about discovering their own ways to profitably use the tags to do what can’t easily be done any other way. Looks like ALDI and Lidl have already started thinking outside the box—and inside the freezer.…

PCI compliance doesn't come in grades and is a very clean pass-fail situation. That's why the vendor's headline caught our eyes: "Transaction Wireless First Cloud-Based Digital Giftcard Platform to Earn Highest PCI Level 1 Certification." That is a truly delightful piece of sleight of hand.Read more...

Suppose a customer's phone contains a shopping list of specific apparel items she wants to buy from another retailer—including images of those items or even links to them on the retailer's Web site. A shared screen could make it very easy for an associate to suggest alternatives or help the customer mix and match, whether the items are in the store or not.Read more...

A recent credible survey, however, found that not only are most younger consumers oblivious to what QR codes are, but the many who do know what they are can't get them to function. In short, 83 percent of the 1,300 14- to 24-year-olds surveyed couldn't access a QR code regardless of how good the offer was. Looks like some people skipped an important step in product rollout. That news is pretty bad, given the strong mobile interest—or general high-tech and experimentation comfort level—of that demographic. If they're confused or apathetic, the numbers won't likely get better as surveys examine consumers in their 30s, 40s, 50s, 60s and beyond.Read more...

The developer, Broken Thumbs Apps, isn't a retailer. But the case sets a standard for retailers whose apps may be used by children under 13: Offering underage customers kid-friendly activities puts you squarely in the FTC's sights unless you get parents' permission for every child's information—even if the information will only be used internally.Read more...

The token guidance that the group and the PCI Council staff ultimately released on August 12 was a classic compromise, in that it pleased few in the group but was a huge step forward for retail security. The purpose of such guidelines is not to get so specific that it benefits any vendor, but to give instructions to QSAs and retailers on what is permissible and what isn't. Reaction to the document has fallen into these two camps: one saying that the document was not nearly specific enough and is passing the buck to QSAs, and the other saying that this guidance represents major progress and that it should be applauded.Read more...

PCI Columnist Walter Conway thought a token was a token. Whether a particular token, or tokenization approach, was in or out of PCI scope seemed to depend on how well it was constructed and how the tokenization engine and token vault were implemented. But it seems that some tokens are more equal than others. For example, E-Commerce merchants who use tokens for one-click ordering and repeat purchases (leaving the underlying primary account numbers with their processor or another third party) just learned their tokens will still be in scope for PCI. Wonder if that hotel room keycard (or resort account) used to charge meals is a high-value token because it generates a payment-card transaction? How about the tokens used for exception-item-processing such as chargebacks and refunds. Are they high-value tokens because they impact (even if it is to reverse) transactions?Read more...

Granted, there are shopping carts full of complexities and nuances in analyzing such profiles—generating a meaningful influence rate, if you will—but that's where the fun comes in. Even worse, beyond those analytical complexities, there's the issue of how to get this data in front of the eyes of store associates and also how to do it in a timely matter. Of course, to start things off, there needs to be a reliable way to identify these influencers as they enter your store.Read more...

When Wal-Mart confirmed a major E-Commerce reorganization on August 12—including the loss of Walmart.com chief Steve Nave and global E-Commerce exec Raul Vazquez—it was said that E-Commerce management in developed countries will now report to the senior in-store executive for each country. That’s a change from those positions reporting into Global E-Commerce boss Eduardo Castro-Wright. If we set aside the personnel issues—the loss of execs such as Nave will likely hit hard—the strategy involved here is both compelling and actually the right approach.

One of the most vexing merged-channel issues today is how to compensate online and in-store execs so they don’t solely push their primary channel. By having the chief of Wal-Mart’s U.S. stores, for example, also responsible for Walmart.com sales in the U.S., that compensation/conflict-of-interest issue goes away. Well, it theoretically could go away, assuming the U.S. president makes sure the compensation of various direct reports is similarly merged. The ideal here is for everyone to be focused on selling Wal-Mart products however they can, with no financial incentive to push mobile, online, in-store, call center or any other specific channel. To the extent that this reorg helps bring the chain closer to that goal, it’s a good thing.…

Leach added that the biggest token-related mistake he's seen retailers make is enabling the data to be de-tokenized during chargebacks, refunds or for loyalty tracking. "That's probably the oversight we see most often: not recognizing back channels where the merchant still may receive that account information."Read more...

Visa's new approach will also likely spell the end—within about five-to-seven years—of mag-stripe cards in the U.S., a move that many payment security advocates say is years overdue. To make all of this happen, Visa is bringing its global EMV incentive program—officially the Technology Innovation Program (TIP)—to the States, along with its PCI-relaxation components. (PCI relaxation? There are two words I never expected to see used consecutively.) This means chains that start using specific EMV chip-enabled terminals will be permitted to forego the annual compliance validation nightmare. But Visa has added such a lengthy list of qualifiers and exceptions to the program—along with the practical fact that some chains will opt to do the assessments anyway, for pure security purposes—that it's not clear how many chains will find that incentive compelling enough to do massive hardware swaps.Read more...

Nohl told The New York Times that mobile operators turn off GPRS encryption "to be able to monitor traffic, to detect and suppress Skype, or to filter viruses, in a decentralized fashion." Unfortunately, that also means thieves with reprogrammed mobile phones can eavesdrop on many M-Commerce transactions using GSM smartphones. And even if payment-card information gets its own layer of encryption, there's still plenty of other personal data that customers would probably prefer not to fall into the hands of thieves.Read more...

This still means there are three big card-swipe terminal vendors in the U.S.—and Hypercom retail customers are at least a little less likely to learn that their products have suddenly reached end-of-life. Under the DOJ-approved deal, Gores is taking over the #3 PIN-pad business in the U.S., with about 18 percent market share. That's big enough that the DOJ wasn't willing to let either VeriFone (at 48 percent) or Ingenico (at 26 percent) simply snap up that chunk of the market. And it should leave three large-enough players to discourage too much coziness, which is certainly what the DOJ was afraid of when it filed a lawsuit in May to block the original shuffle of the business. Read more...