Evan Schuman's StorefrontBacktalk

Initial indications suggest that Oracle’s $25 billion retail app buying spree may have been quite shrewd, according to this Bloomberg story.

The story painted a picture of a move that at the time seemed quite risky. Risky, that is, to anyone who didn’t work in retail. “With margins as thin as 1 percent, retailers were among the most conservative software buyers, typically purchasing the cheapest programs and using them for as long as possible,” the story said. “Department store owners and other retailers changed as supply and inventory management became more complex, merchants offered goods from more overseas companies and Internet sales expanded.”…

The good news is that major companies are now actively pushing mobile. The bad news is that they're pushing in different directions. The mobile phone e-commerce activities you're seeing today are going to fall victim to the same amnesia fog that envelopes all of those early Web searches done on text-based browsers.

Although the Web had been around for years, it was the graphical browser that got the industry to agree on one way to create Web pages that could fire the imagination of businesses and consumers. That defining moment has yet to hit mobile commerce. Forget design and programming issues. There hasn't yet even been broad agreement on how m-commerce is supposed to work. Let's start with simple payment.

McDonalds is experimenting with the ultimate line-buster in South Korea, where customers purchase food on their cellphones, which then ring when the order is ready.

But this trial is much more an RFID effort than a traditional mobile experiment. Most of the phone's communications capabilities and its display are barely used, with customers having to download a McDonalds application into their phone.

In another unintended consequence example, contactless payment and mobile payment efforts seem to have stunted the growth of retail biometrics. Is this a marketing fault or the death of an idea that never had much of a chance?

A few years ago, retail biometrics had what seemed to be a very bright future. They promised superior security and a permanent CRM association. If that customer switched credit cards, moved to another state, changed their name and changed cellphone companies, the fingerprint would still allow all purchases to be associated with an individual customer.

Retailers of all sizes need to intensify their data security protections, but different kinds of threats merit different kinds of defenses.

With all of the PCI and data breach talk these days, it's easy for retailers of all sizes to be on edge. Although it's undeniable that merchants and all sizes need to protect themselves, different issues threaten Wal-Mart and Phil's Bait Shop.

Larger retailers can be seen as the better targets in the Willy Sutton School Of Thought (when asked why he robbed banks, the legendary holdup man is said to have replied, "That's where the money is"). But smaller merchants can be attractive for the opposite reason, namely that they are likely to have less sophisticated defenses. The term cyber thief today actually describes bad guys in three very distinct groups.

Consumers spent more than $137 billion in retail self-checkout in 2006, with increased self-checkout use in do-it-yourself stores, superccenters and warehouse clubs mostly responsible, according to an IHL study released Thursday. That's 24 percent more than was self-checkouted in 2005, IHL said.

The study also reported consumer resistance to the machines starting to dilute, with 44 percent saying they "really like self-checkout" and "only nine percent say they will not use the technology," IHL said, citing its 1,000-consumer survey conducted in the Spring/Summer of 2007.

Visa’s partial authorization pre-paid approach got a huge boost on Thursday, with Shell Oil and its 6,000 gas stations (I wanted to say “service stations” but who are we kidding?) publicly committing to the service.

The partial payment tactic is designed for customers making a purchase that is larger than the dollars remaining on that card. Traditionally, such a payment is rejected, potentially losing the sale.

With Visa’s partial approach and Shell, the gas pumps would be programmed to only dispense as much product as the customer has on the card. (They’ve automated the old Vaudeville sales joke. “How much is it?” “Depends. How much do you have in your wallet?”) This doesn’t work for all products, but it should work well with gasoline sales.…

For e-tailers that use their in-store inventory also as their online inventory, they are discovering a problem with the supply-chain blackhole: which products invisibly enter when they leave the shelf and don't re-emerge until they are paid for.

This is particularly an issue with retailers trying to make shop-online-pickup-instore work. Without item-level tracking, the concept of a realtime inventory is almost impossible to deliver. This problem is only going to get worse during the holiday onslaught, especially when online purchasers are trying to get the hottest and most popular gift.

PCI deployment isn't perfect, but it's quite impressive how far it's come given the mammoth obstacles. As its most public face, Visa has taken a lot of the criticism, but it also deserves much of the credit.

As a group, humans are a tough audience. Cruelly and quixotically, the more difficult and massive the task, the quicker we are to point out the shortcomings rather than praise the accomplishments. Please don't get me wrong. There are plenty of issues with PCI deployment today. But let's not be too quick to attack the very good for not achieving the unattainable perfection.

U.S. postal inspectors are investigating if there is a Ukranian connection to the TJX data heist, according to this Boston Globe story. The 24-year-old suspect was arrested weeks ago in the Turkish resort city of Kemer, according to this Associated Press story.

It’s not news that authorities have suspected Eastern European cyber thief syndicates as being involved in the TJX incident, given it’s massive scope (info from more than 45 million cards taken), sophisticated methods and long (multi-year) duration. But the investigators have identified a specific Ukranian–Maksym Yastremskiy–as having “sold card numbers through online forums hosted overseas, sometimes in Cyrillic or that were password protected. He is likely the largest seller of stolen TJX numbers.”

Prices ranged from $20 to $100 per stolen card, and the cards were sold in batches of up to 10,000, depending on factors like the credit limits of the consumer accounts being traded, the story said. …

The love-hate relationship that is the American retailer-bank-credit-card marriage is nothing if not complex. There are few partners that ignite such wrath and venom within retailers than their credit card partners and their—well, let's just say "generous"—interchange fees. On the flip side, the banks and credit card firms seeing themselves as having to pay the PCI piper whenever there's a data breach, even if—from the bank/card perspective—that breach was the fault of the reckless retailer.

But like so many business relationships, hatred can be trumped by only one thing: greed. Which is the most terrifying? The prospect that a retailer may no longer be able to accept major credit cards or that the banks and card companies will lose all of that revenue to alternative payment vendors?

For more than a year, Visa has ominously warned large retailers that it would enforce a strict Sept. 30, 2007, deadline for many of the nation's largest retailers to either be certified that they comply with industry credit card security requirements or face fines and being expelled from discounted credit card fee programs.

But as the deadline has gotten closer—and the percentage of retailers certified as compliant is still quite low--Visa has been forced to back off, albeit slightly. This month, Visa has been quietly floating memos that will soften the pain for non-compliant retailers, as it's become clear that non-compliants will have strength in numbers come early October.

When the $17 billion retailer reported that pre-tax $168 million possible hit for its data breach, did it see it as anything more than a cost of doing business? And a minor cost at that?

With all of the numbers that TJX issued in its Tuesday earnings statement, the one that has generated the most attention was a $168 million estimated hit associated with the data breach announced in January, which saw consumer information from an estimated 46 million debit and credit cards walk out the door.First, the optimistic side. TJX did not, in fact, say that it actually has spent—or necessarily will spend—anything more than a tiny fraction of those dollars. The overwhelmingly largest charge—a $107 million after-tax figure for the chain's second 2008 fiscal quarter—was merely a "reserve," a nestegg for what TJX fears its costs may be. Theoretically, its costs might be much lower.

New credit card security rules will require a wide range of companies working with audio files from retailers to protect credit card information. According to a memo being circulated within the PCI Security Standards Council, the new rule is aimed at protecting card validation codes and values "received by call centers on audio recordings."

The problem is not necessarily with call center employees that might use the data improperly—as they could access such data in quite a few easy ways—but with outsourced companies that review the tapes for customer service purposes.

In mid-September, London will launch its first large-scale contactless payment trial, with some 2,000 retailers slated to participate. Although Europe has more aggressively embraced various wireless technologies than the U.S., it has sharply lagged the U.S.—and certainly parts of Asia—with contactless payment.

"As in many major cities across Europe, millions of people across in London use contactless ticketing on public transport. However, when it comes to contactless payments, challenges remain with regard to business models and partnerships," said Jonathan Collins, an RFID senior analyst with ABI Research.

Dell and SAP confirmed Tuesday that the pair are pairing on a POS offering.

Under the agreement, retailers will be able to buy a bundle with SAP for Retail software sitting atop Dell’s Retail OptiPlex 745 POS systems and Dell PowerEdge servers.…

How did the TJX breach start? Reports that the attack began using a wireless entry point have been confirmed by multiple investigators, but reports that circulated in March that the attacks began via an in-store employment kiosk have re-emerged.

Could both be true? It’s unlikely, as both entry attempts were reprotedly successful, raising the question of why the second was attempted. Could TJX have actually been the victim of two simultaneous and unrelated attacks, one using wireless and the other a jobs kiosks that was not firewall-protected?

The latest kiosks reports have the terminals being opened and the bad guys using USB drives to load software. Read more.…

In the never-ending uphill battle to try and convince consumers that self-checkout systems are their friends, NCR has released a survey with a new twist: self-checkout can be less embarrassing.

In an NCR survey done with Australian and New Zealand consumers—it’s a bit of a distance away, but the details make it worth the trip—, various products were ranked according to their red-face-generating capabilities.

The winners were: “libido enhancing vitamins” (the winner with 44 percent of Austalians and 35 percent of New Zealanders), hemorrhoid cream (a respectable showing at 29 percent and 37 percent respectively), incontinence products (28 percent and 38 percent) and condoms (20 percent and 25 percent).…

In the ongoing saga of retailers being sued for not properly truncating consumer receipts, this week came word that Apple’s brick-and-mortars have now been added to the mysterious case of “Truncated Receipts Don’t Tell Tales.”

Apple’s bite of the forbidden receipt fruit comes from this Florida lawsuit filing.. The lawsuit is different from other FACTA lawsuits in that the plaintiffs were online shoppers and the receipts were electronic files E-mailed to the plaintiffs.…

The folks at ExactTarget discovered a few bits of space in E-Commerce land that weren’t already supporting advertisements. Such blatant examples of straight communication could not be tolerated. Their target: transactional E-mails.

Here’s how they described their plan in a message sent to reporters: “Transactional E-mails, as defined by CAN-SPAM, are those sent after a purchase, confirming a subscription or sharing product update news. In the past, transactional E-mails have been limited to IT systems that used a server to generate an automatic confirmation message. There was no marketing messaging, or up-selling possibilities included in the messages. This was a huge missed opportunity.”

Maybe. Or maybe it was intentional, as they didn’t want critical confirmation messages to be ignored or deleted. My favorite part is where they bring up the CAN-SPAM Act of 2003—which was intended to prevent unsolicited ads from being sent to consumers—as though it supports this action. …

With many trying to out-service and out-specialize Wal-Mart, grocery chains are looking to spend more than $9 billion over the next year, according to a new report from the IHL Consulting Group.

One of the big trouble spots that IHL saw for grocery chains is the lackluster performance of many loyalty programs, which IHL President Greg Buzek attributes to most retailers deploying the packages poorly. The programs are generally used more as discount programs ("come in with your card and you'll get discounts on 400 specially-marked items") than as an attempt to understand individual customer's buying habits and to make their experiences better, Buzek said.

In our Retail Week In Review audiocast for Aug. 8, our panel looked at: Consumer Reports story that U.S. consumers lost more than $7 billion over the two years to viruses, spyware and phishing schemes; the Black Hat conference and its demo of how easily cookies can be captured online and used to fake identification; and the security issues surrounding contactless payment, as MasterCard announced this week a sharp expansion of its PayPass contactless card program.

Panelists this week were: Mark Rasch, former head of the U.S. Justice Department’s high-tech crimes unit; Motorola’s Chris Hinsz, who is the newest member of the PCI Security Standards Council; and Dave Taylor, president of the PCI Security Vendor Alliance, whose dayjob is with Protegrity.

Site visitors can listen to the full 30-minute discussion or to panel introduction plus just the conversations about Online or Contactless Payment or Cookies.…

McDonald’s is testing a POS unit that uses images to try and reduce the number of flawed orders.

This is indeed a concern for the fast-food leader because it has fared quite poorly in order accuracy, finishing 16th out of 25 restaurants this year and finishing 25th and 20th for accuracy the prior two years, according to this story in Chicago Business. The register, now in 10,000 of McDonald’s worldwide 32,000 restaurants, has a touch screen with large, colorful images of each menu item instead of small buttons with product abbreviations.

With an expanding menu and an increasing number of workers whose first language is not English, it will be easier to train employees with photos on the registers. McDonald’s CEO James Skinner is quoted as saying the new POS approach would improve accuracy 33 percent and allow restaurants to serve about a dozen more cars an hour.…

Amazon.com has started beta-testing an update its payment offering, tweaking its redirect service to be more competitive against PayPal and GoogleCheckout, according to this story in the Seattle Post-Intelligencer.

The Amazon Flexible Payment Services was launched Friday as a beta test, and it is the first one built specifically for software developers, the company said. The program allows developers to send and receive money, create specific instructions on how payments can be made, aggregate micro-transactions such as a penny into larger transactions and view account balances. Amazon.com receives a fee for every transaction, the story said, but the Seattle-based company has a sliding scale based on whether payments occur through credit cards, bank drafts or from transfers within Amazon accounts. …

We looked at the top security topics of the week on Friday, in an audiocast with Avivah Litan, Gartner’s security analyst, and Chris Hinsz, the newest member of the PCI Security Standards Council, who happens to hail from Motorola. Readers can listen to the entire 30-minute audiocast or check out just the segments that interest them most: An analysis of the latest Visa PCI statistics, with thoughts on improving the credit cards themselves and the key reasons why forbidden data is still being retained; How TJX is faring after the disclosure of the retail industry’s largest data breach; The latest information about the insider security threat and how the records stolen from Fidelity National Information Services and Certegy is now at 8.5 million records, which is a lot more than was originally revealed.…