Evan Schuman's StorefrontBacktalk

This question also applies to other end of the transaction. Should a retailer feel more secure if it uses a card processor that suffered a data breach in the past but has fully remediated and is now validated (or revalidated) as PCI compliant today? Conversely, should a processor feel increased confidence in signing a merchant that has emerged from a data breach and has now validated its PCI compliance? PCI Columnist Walt Conway ponders this philosophical issue this week. Read more...

Timothy Kasbe, a celebrated IT exec who arrived at the chain in February 2009 after having served as the CIO of India's largest retail chain, quietly left the company early last month. Very quietly.Read more...

Walt's first request is for the PCI Council to publish a full, one-year schedule of training sessions. The Council's training programs are excellent. Because of that, they are very popular and fill up quickly. As of this writing, the Council has not yet posted future training classes on its Web site. When that list is posted, Walt's wish is that it be a complete schedule for all 2011 courses. Read more...

A key takeaway from these attacks is that retailers are becoming increasingly at risk for data losses from systems they can't control. This goes beyond E-mail campaigns and includes a wide range of mobile programs, in addition to social site campaigns.Read more...

Why little pain? A $399,000 settlement is not a huge deterrent for a $50 billion chain, but it might become more annoying if it spreads to many other states. The actions required—the halting of the deceptive kiosk program—are also trivial, as that program had basically run its course and mobile devices pretty much make it irrelevant.Read more...

On Monday (Dec. 13), eBay announced a term it wanted to standardize: “Mobile Sunday.” This news prompted us to declare Tarantula Tuesday, the day when Web spiders work harder than any other day of the year. Or perhaps Webcast Wednesday, to celebrate the highest traffic day of the year for Webcasts that declare some other stupid made-up-day event. But wait, the eBay news release gets even better.

Quoteth the release: eBay “sets records on the busiest mobile shopping day ever,” a feat that is even more impressive because it’s the “second year in a row” such mobile records have been broken. Isn’t this akin to a retailer in 1995 declaring that it just had the highest E-Commerce traffic ever? M-Commerce is just kicking in, so of course everybody is having their highest mobile year ever. In fact, I’ll bet that everyone is experiencing amazing triple-digit percentage growth in mobile, too. Retail stats are confusing enough without marketing making up bogus days and offering silly comparisons.…

To at least get a sliver of silver bells in for 2010, the chain is rushing to get the mobile devices activated by Saturday (Dec. 18) at its stores in the Chicago and New York metro areas. The rest of the chain will kick in by February 2011, according to a statement from Shopkick, the vendor handling the mobile deployment.Read more...

The PCI Security Standards Council, as expected, has officially declared it will not sign off on any mobile application for quite some time. If it helps, the Council added that mobile “will be a key focus for the Council in 2011.” (Unfortunately, the PCI statement didn’t note how many key focuses the Council plans on having next year.)

“Until such time that it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape,” the statement said, “the Council will not approve or list mobile payment applications used by merchants to accept and process payment for goods and services as validated PA-DSS applications unless all requirements can be satisfied as stated.” This statement comes on the heels of a column by StorefrontBacktalk’s PCI columnist Walter Conway in which he described this as the Council’s position and noted it is permitting—encouraging?—acquirers to fill the void and approve payment applications on their own and then offer them to their merchants. …

Although that's certainly true, it won't make a dent. Impulse purchases are indeed emotional, and rationality does not come nearly as naturally. For every in-aisle price- and feature-comparison that an Android or iPhone enables, there will be 20 purchases in the heat of the moment. And those impulse purchases will be enabled by mobile. Consider a movie whose star is wearing a really cute sweater or using an especially intriguing gadget. In the lobby seconds after the closing credits start to roll, consumers will be able to find and buy those items. That in-the-heat-of-the-moment urge to buy may have easily calmed long before the consumer gets home to a laptop. But the always-on mobile device will—for the first time—enable such emotional instant buys.Read more...

Now the customer enters the store, tries on the shoes, opens a price-comparison app, scans the barcode on the shoebox, finds the same shoes for 20 percent less online with free overnight shipping, takes off the shoes and leaves the store looking a bit smug because she's just found a bargain—and another impulse purchase is dead.Read more...

In a move that Home Depot CIO Matt Carey said makes the chain stand alone, the home improvement giant has deployed a mobile device to associates at every one of its U.S. locations. This Motorola device—which Home Depot is calling First Phone—is a mobile register, in addition to providing access to all inventory, locating products, handling buy-online-pick-up-in-store purchases and functioning as a walkie-talkie. And, oh yes, it’s also a phone.

Carey described the device in an analyst conference call Wednesday (Dec. 8). Earlier, CEO Frank Blake stressed that the mobile device “was developed through close cooperation with our store operations and IT teams, perhaps the best collaboration we’ve ever had on a project like this.” Elsewhere during the call, Home Depot Online President Hal Lawton said his site has more than 8 million visits a week, but even more interesting was this statistic: 45 percent of Home Depot’s site visitors visit the stores right after reviewing the Web pages. That is much higher than industry norms for multi-channel retailers, Lawton said, adding that Home Depot will finally offer buy online pick up in-store chain-wide in 2011. …

Gartner Analyst Avivah Litan thinks that within five years, at least 15 percent of all payment-card transactions will be validated using mobile location. "After all, our mobile phone is practically tied to our umbilical cord—we rarely leave home without it. Visa knows it, and so do the rest of us. Why shouldn't it serve as a useful tool for preventing fraud against us?" she wrote in her Gartner blog. That's all true—as long as everyone keeps in mind that using a mobile phone to confirm cardholder location still isn't the panacea that every retailer would love to have.Read more...

MasterCard’s and Visa’s sites were partially knocked out Wednesday (Dec. 8), ostensibly by aggrieved supporters of WikiLeaks, which MasterCard recently cut off from its network. MasterCard made no reference to a denial-of-service attack, only indicating that it was “experiencing heavy traffic on its external corporate Web site—MasterCard.com. We are working to restore normal speed of service.” It then added: “There is no impact whatsoever on our cardholders’ ability to use their cards for secure transactions.” A later MasterCard statement said: “Our core processing capabilities have not been compromised and cardholder account data has not been placed at risk. While we have seen limited interruption in some Web-based services, cardholders can continue to use their cards for secure transactions globally.”

Hmmmm. “Limited interruption in some Web-based services?” When MasterCard said that its “core processing capabilities have not been compromised,” is that indicating other processing capabilities were affected? If neither MasterCard nor Visa can fully protect it site against a highly predictable consumer attack, how would the sites fare under a full-scale well-financed terrorist hit? Both brands make much of their highly robust systems. Although there’s no initial reason to suspect that the payment-processing network itself was impacted, this attack certainly doesn’t fill retailers with abundant confidence.…

However, by fueling the fears of every anti-RFID privacy advocate, these faux buttons may do far more harm than good. To be fair, these may not be faux buttons, in that they may actually function as buttons. In which case, they're not faux: They're Trojan horses. But in this version of the classic Trojan War tale, the soldiers inside the horse might turn around and attack their retail Greek creators.Read more...

The real question, though, is not whether this move makes sense for The Gap, but whether it's something that other chains should now seriously consider. There are plenty of mobile applications—and far more developers eager for work—that can deliver similar if not identical functionality. Will the convenience of using Apple's devices make that the way to go?Read more...

That kind of insider theft would never have gone unnoticed if it involved payment cards. But when retailers think about the security of loyalty-card data at all, they're usually focused on protecting personal information. Customer loyalty points have such a low value—typically 1 or 2 cents for each dollar spent—that it's easy to dismiss the risk of counterfeit points. Unless those point totals are treated like cash; in which case, an insider with the right kind of access can generate enough to cost a store real money.Read more...

Even though many chains for years have price-matched any legitimate rival offer—including, of course, online deals from their own chains—Wal-Mart's new program excludes all online offerings, even those from walmart.com. How is that the industry's best price-match program? More importantly, though, let's explore what this online-exclusion means.Read more...

More than two years ago, Visa mandated—effective July 1, 2010—that "Acquirers must ensure their merchants, [VisaNet Processors] and agents use only PA-DSS compliant applications." With nearly 800 PA-DSS validated applications listed on the PCI Council's Web site, retailers have a wide choice. Unless, that is, they are looking for a mobile commerce application. Read more...

StorefrontBacktalk is moderating these two panels at the show, and we'd love for any readers to drop by. (If you don't boo, who will?) We actually have these wonderful IT giants discussing two of the most critical retail tech issues: Security and Mobile.Read more...

They stressed everything except the only thing that will ultimately persuade any major chains to support them: Revenue share, processing fees and other ways for retailers to say "Put a deal on the table that is sharply better than what I now have with Visa and I'll sign."Read more...

On the "not much at all" side, we have the fact that it's barely 5 seconds worth of effort. Isn't $2 for a 5-second mobile swipe pretty good money? On the "quite a bit" side, it's a very different shopping action. To get consumers to engage in this beyond-comfort-zone new behavior will take a meaningful incentive. That will be triply-true once the novelty wears off.Read more...

Many of the privacy arguments in Washington surround what advertisers can do online, but few focus on the data that retailers collect from site/mobile visitors. Does that mean that retailers are in the clear or merely that politicians have yet to figure out that loophole? In much the same way, Facebook's privacy restrictions focus on allowing others to access a member's information. But it says nothing about restricting what a user can do with his friends' info. In other words, consider the info that a Facebook user legitimately has about people on his/her friends list. Can they then share that with anyone else, without getting their friends' permission? And where do retailers fit in?Read more...

How far can standardization go when it comes to mobile commerce? The applications for mobile in retail seem endless, from geolocation and product information to coupons and payments. But they all depend on standards that can be used by many retailers, service providers and other partners. And with so many different opportunities and so many players—along with the chicken-and-egg dance that always surrounds early standards efforts—getting them all to work together seems almost impossible.

One way to think about where to start on mobile standards is to step back and ask a few basic questions: What does a retailer expect customers to use their mobile devices for? How will they use mobile? When will they use it—and when won’t they? We dig into these and other issues in the latest StorefrontBacktalk podcast on mobile standards. To listen to the podcast, please click here.…

That's great for PayPal users. For PayPal, it's a problem. The success of its iPhone app means there are millions of users at risk. And PayPal's promise to reimburse any fraud loss related to that risk means there's nothing to motivate users to upgrade from the old version that, to users, seems to be working just fine. Result: All the risk is on PayPal—and the only way to get out from under that risk is to irritate its customers.Read more...