Evan Schuman's StorefrontBacktalk

When you push all rhetoric aside, PCI in-scope simply comes down to this: If a customer hands a payment card to any of a retailer's employees/contractors—or swipes or waves the card into a device inside or controlled by a retailer or types the information on that card into a Web site branded and controlled by a retailer—that retailer is subject to PCI. If customer doesn't, the retailer isn't. What Square's new approach, dubbed Card Case, does is fully take the retailer out of the line of fire of the card information.Read more...

Envision an approach that merges geolocation, mobile communication, social sites and—critically—a trusted retail brand and in-store interactions. Put it all together and the future may not look so dim for in-store, after all. Starbucks, which did not want MacLaren elaborating on the concept, said he gave one example as Starbucks’ existing MyStarbucksIdea.com. For the sake of humanity, let’s hope his vision is light years beyond that site, which has a strangely narcissistic quality to it.Read more...

As companies start to make inroads into mining the vast social data fields, early strategies are emerging. For example, one company—Attensity—says the best course is not to take a customer database and try and match it with social profiles floating around. It’s better to do the reverse—find the data in Social Land, look for helpful datapoints and then try and match it with the customer list. Why is that approach better? It’s more efficient. The discovered useful datapoints are valuable on their own, even without a customer match.

Attensity hasn’t done this for a retailer directly, but it is working with two chains through Teradata. When Catherine van Zuylen, Attensity’s VP of global product management, was asked how she feels about the privacy ethics of doing these searches and associations, she paused and said wisely: “We just make the tools. It’s really up to the individual retailers to use those tools for good or evil.” Didn’t Maxwell Smart say that?…

Mining tens of petabytes of data may sound like overkill for most retailers, but on May 20 IBM announced new tools for analyzing that level of data in less than a second. The move is really not too much overkill. As retailers start searching social-networking sites to flesh out their CRM data on customers, adding huge amounts of data from mobile on top of more facts being retained from M-Commerce, this capability could prove a lot more useful.

Unlike data on actual purchases, social-network data is literally out of anyone’s control. It ranges from static Facebook data to rapid-fire information in tweets. If a chain can track such data and react to it in real time, that could make huge-data analysis useful—even if it means merely spotting customer complaints bubbling up. But it would be especially useful if the analysis lets a retailer see almost everything customers are interested in. The fact that Big Blue is claiming to be able to tackle those mountains of data while it is still in its native format makes this announcement even more intriguing.…

It’s not often that the U.S. Justice Department gets an antitrust win this fast. But on May 20 the DOJ announced that POS terminal makers VeriFone and Hypercom had given up on the idea of selling Hypercom’s U.S. POS business to Ingenico, to clear the way for VeriFone to swallow Hypercom. That decision came just a week after the DOJ filed a lawsuit to block the merger. “We are gratified that the parties recognized the anticompetitive nature of the agreement and abandoned its divestiture plan promptly,” said Christine Varney, the Assistant Attorney General in charge of the case.

But VeriFone and Hypercom are still trying to do a deal—just one that won’t leave two companies controlling 90 percent of the card-swiper market. The most likely candidate to buy Hypercom’s U.S. business is now Vivotech, which is already big in contactless POS terminals, with 70 percent market share—and would become a lot bigger if it gets Hypercom.…

When Pizza Hut last week rolled out new versions of its mobile app for Android and iPad, the latest features included the ability to order without an account and to enter payment-card data right on the phone. Such capabilities have been commonplace on E-Commerce sites for years. But what’s old hat on E-Commerce is often cutting edge on mobile. Although such functions are important on desktops, the very nature of mobile devices makes them essential. So why didn’t Pizza Hut include these capabilities in its initial rollout last January? “We had to get the app out early based on consumer demand,” said Pizza Hut CIO Baron Concors. “You balance functionality versus speed-to-market.”

Concors also confirmed what more retailers are concluding, that the BlackBerry’s viability as an M-Commerce platform is rapidly dwindling. Saying that his team was focused on platforms from the “top-tier players,” he added, “We don’t see BlackBerry as one of the options. It was discussed early on [in staff meetings], and it was quickly eliminated. They haven’t strategically put themselves in a position to compete.” (Ouch! Talk about your RIMshots.)…

The change is in the new version of self-assessment questionnaire (SAQ) C. It now stipulates that retailers can use this SAQ only if their payment application serves a single store location, pens PCI Columnist Walter Conway. In other words, any retailer that connects a branch or an additional location to their POS system, or any franchisee (or franchisor) that processes payments for more than a single location, can no longer use a simplified SAQ. In practical terms, this change means that instead of using the old SAQ C, which had about 50 items, these retailers and franchise operators will need to complete SAQ D, which includes all 280-ish requirements of the PCI DSS. For these retailers, validating PCI compliance will take more time and likely cost a lot more money, too.Read more...

Given age-restrictions, cigarette sales often have to be manually handled. Store designs generally place the cough cartons on the wall behind associates, forcing them to turn their backs to customers while searching for the requested brand. A Montreal vendor last week proposed an automated cigarette package dispenser designed to cut down on thefts that occur during this process. This is not IT in the traditional sense, but it’s still a clever in-store tech approach to deal with shrink.

The product, from the Artitalia Group, claims that the Audimac “not only has all the cigarette packages separated by brand and size, but also dispenses them at a push of a button.” The anti-theft element here is not necessarily designed to thwart people stealing cigarettes as much as it is trying to block the theft of everything else while the associate searches for the cigarettes. Maybe they should have a new cigarette warning for store associates? “Your chain’s IT General warns that the cigarette sales process could be hazardous to Loss Prevention.” Or maybe, “If you can see these cigarette SKUs, you can’t see the customer stealing from you right now.”…

While this porn kiosk touts privacy, which would seem to make sense, it also requires a driver's license and a payment card. Those two documents certainly are good ideas, especially when arguing to retailers that the machines will not be usable by minors, but both also obliterate the claims of privacy. The issue speaks to all kiosks, but this case is a wonderfully extreme example.Read more...

A time-honored fraud detection technique is flagging transactions from high-risk countries and triple-checking them. The counter-move from cyberthieves has been to push operations to countries seen—for the moment, at least—as low-risk. That’s how Canada is suddenly becoming the home-away-from-home for a cyberthief’s stolen data. Canada has now locked in the number-two global slot for hosting phishing sites in 2011, a 319 percent increase from the prior year, according to stats released Wednesday (May 18) from security firm Websense.

When it comes to more aggressive cybercrime, Canada moves up on the list from 13th place to sixth place, reflecting a 53 percent increase. (Naturally, when it comes to criminal activity, the U.S. holds the number-one slot on both lists.) Rounding out the top phishing countries: Egypt in third; Germany in fourth; UK in fifth; The Netherlands in sixth; Russia in seventh; South Korea in eighth; France in ninth; and Brazil in 10th. For cybercrime hosting: France has the second slot; Russia the third; Germany the fourth; China the fifth; The Netherlands the seventh; South Korea the eighth; Romania the ninth; and UK the 10th.…

Contactless backers have always pooh-poohed this as a security threat, pointing out that customer names, security codes and other authentication information isn't transmitted by the cards. But if retailers are only relying on numbers and expiration dates, with one contactless grab—or one well aimed digital picture snap from a mobile—thieves get all they need. And although the E-tailer's customer-service department insists that card numbers with the wrong name attached should be rejected, a simple experiment made it clear that at least some transactions are approved that way. (Two out of two media tests had transactions approved and shipped.) If it had been fraudulent, it would have been up to the payment-card holder to notice, complain and get the charge reversed.Read more...

The centerpiece, from a company called Aetrex, is something the store calls iStep Wave and its claim is that it can go beyond measuring shoe size to examine arch type and pressure points—and do it all in half-a-minute. The store says the device uses "3,744 gold-plated barometric sensors that measure the pressure exerted by your foot every 0.25 cm squared and 1,326 infrared LEDs and receptors that are aligned every half millimeter."Read more...

The idea of aggregating the shopping and other experiences of a closed community is a good one, with lots of potential to boost the meaningfulness of such results. There's also a downside with this aggregation approach, namely that most consumers trust different friends to very different degrees.Read more...

As a result, it should be easier for Nordstrom to quickly add new devices and new functions to the mobile POS system. Features that the iPod doesn't support, such as contactless payment, might be available on other devices. In theory, with a well-structured architecture, new devices could be swapped in on an as-needed basis. Unlike mobile POS pioneers Home Depot (which uses a highly customized handheld for its mobile POS) and Apple (which can only use Apple, naturally), Nordstrom can exercise its option to do small-scale experiments with devices from multiple vendors in the midst of its big rollout. That will also discourage developers from tying code too tightly to one device—giving Nordstrom the chance to do even more quick-hit experiments in the future.Read more...

Even if the Supreme Court rules that customers don't have a right to privacy in their location, retailers still face a dilemma, writes Legal Columnist Mark D. Rasch. For example, smartphone apps can leverage GPS or other location data and enable new sales and marketing opportunities. But consumer backlash may result in new regulation to restrict the collection and use of this information. If you fail to have clear and unambiguous privacy policies that state what you are collecting and why and then follow these policies, either the consuming public or the government will make you do it.Read more...

Logistically, though, those types of things are not that easy with about 14,000 employees spread over 1,206 stores. For bonding, videoconferences and company-wide E-mails can only take someone so far. The chain's answer? Arrange—surreptitiously, mind you—for 5,300 pizzas to be cooked and delivered on Sat., May 14.Read more...

Beefing up security for more than payment-card data isn't a new idea, but it's unfortunate for retailers that Apple got so sloppy with its users' location data. Spotting customers as they're headed for a store is the holy grail of retail mobile-location technology, whether via GPS, Wi-Fi, cell-tower triangulation or POS tracking, and right now that's all getting a slightly creepy reputation. But in practice, it's going to become the norm—retailers will just need to get their best customers to opt in.Read more...

Here’s a reminder that governments are starting to treat online payments like real money. On May 12, Chinese E-Commerce giant Alibaba Group said it transfered its online payment business, Alipay, to Alibaba founder Jack Ma last year because of new government regulations that could outlaw foreign ownership of Internet payment services in China. (It made financial headlines in the U.S. because Yahoo, which owns 43 percent of Alibaba, said it didn’t know about the transfer and hadn’t been compensated for losing ownership of a sizable chunk of that business.)

It’s hard enough for E-tailers to deal with cross-border business complexities like taxes, duties and local bureaucracies. But this is one more argument against trying to manage E-Commerce by yourself from halfway around the world: In big markets like China, the government literally may not let outsiders handle the E-money. Either make sure you choose payment partners who will definitely pass muster with xenophobic regulators—or be prepared to change partners fast.…

What’s the real price of a security breach? Customers aren’t usually driven away when a retailer loses payment card data, and the financial costs are usually painful but not crippling. But if one Beltway lobbyist gets its way, the price of security failure will be higher interchange fees for debit cards—not just for breach victims, but all retailers. The Center for Regulatory Effectiveness asked the Federal Reserve Board last Friday (May 13) to raise interchange rates, which were pushed down by last year’s Dodd-Frank Act. The argument: Retail security breaches cause unreimbursed costs for card-issuing banks, and banks need high interchange rates to pay those costs.

If the Fed buys the argument, that would certainly put a real pricetag on security failures. Of course, that price would have no relationship at all to whether a retailer had lousy security—everyone would see higher debit interchange fees, whether you’re locked down tight or leaking data everywhere. And the lobbying outfit used one other nice touch: Instead of asking the Fed directly to raise interchange rates, it sent a letter to the Fed’s CIO, asking her to make the pitch. Hey, they had to try somebody.…

Problems were first detected with Burlington's main site—called Coat.com—about 4 PM (New York time) on Sunday (May 8), when Web uptime tracking site AlertBot noticed "intermittent outages." The site then went completely dark at about 5:20 AM Monday (May 9), said AlertBot's Justin Noll. Burlington's official version is slightly different, with a statement issued by CIO Dennis Hodgson saying that the chain "was subjected to a denial of service attack early" Monday.Read more...

Typically, such a PIN pad attack is done physically. However, with this many stores, a network attack from pad to pad is also possible. In a Q&A issued by Michaels, it was the chain itself that first raised the question of whether employees could have engaged in the fraud.Read more...

One convenience chain found that level of anonymity sharply boosted profits when selling triple-sized sandwiches and Pennsylvania is hoping that having a machine tell customers they're too drunk to buy wine will be less humiliating. But with data breaches an almost daily news story and data-sharing presumed to be everywhere, will customers continue to stay comfortable with sharing intimacies with kiosks? That question is being raised now with the latest push on clothing kiosks that use radio waves to take hundreds of thousands of measurements to deliver what the machine promises will be the perfect clothing fit.Read more...

Most current mobile-payment approaches—including the mobile wallet Visa announced this week—are still based on the payment-card accounts Visa currently makes its money from. But eventually someone will come up with a better way and leapfrog over the card companies. Then Visa will be stuck with a large, expensive network for real-time transaction processing. That could explain why Visa wants to use its new service to follow cardholders around from one retailer to another.Read more...

There’s a reason Shakespeare didn’t pen “That which we call a URL, by any other name would smell as sweet.” He didn’t write that, because the Bard knew darn well the precise phrasing of a URL makes a difference. It’s a lesson Wal-Mart apparently still needs to learn. Wal-Mart was running an in-store survey. To make sure consumers found the survey, it did three things: printed the survey URL on the POS receipt; printed it again on a pea-green piece of paper that associates were supposed to staple to the receipt; and, just in case its customers don’t know what a URL is, it provided instructions on how to use a browser.

Problem One: the URLs on the two pieces of paper didn’t match. (There’s a nice photo of the mismatch on the Dotweekly blog.) Problem Two: The stapled piece of paper instructs customers “do not use a search engine,” even though Bing, Google and Yahoo’s engines all immediately sent visitors to the right place. Lastly, does Wal-Mart really need to use a triple sub-domain (www.entry.survey.walmart.com)? …

Do you have one of those impossible to shop for propeller heads on your gift list? Wondering what to get for the retail geek who has everything? Worry no more. A site called Barcode Gallery has just the thing. It’s framed artwork that depicts a giant 2D barcode. But it gets better.

The barcode is actually a secret message that the buyer chooses, and it becomes visible when using a mobile device to look at it. It’s the ultimate in geek-to-geek party communication. The message is limited to 300 characters, which I suppose is something for which we should all be grateful. Says the product’s creator: “The end result is the creation of a ready-to-hang piece of colorful modern art,” apparently using “modern art” as a euphemism for “strange geeky eyesore.” Then again, for that coder on your gift list, it may be a thing of beauty.…