Evan Schuman's StorefrontBacktalk

Braden Black, a senior enterprise architect (and security specialist) for 305-store shoe chain DSW, said that, in his opinion, the biggest problem with chip-and-PIN—as it's currently deployed—is that banks have little incentive to make these systems secure because they no longer have any liability if they're repeatedly breached. That liability has been pushed to the retailers. "The ramifications of this attack are most disturbing when viewed in light of the fraud liability regulations that were adopted alongside the technology. Essentially, the banks offloaded fraud liability to merchants and cardholders." Read more...

From a security perspective, PCI Columnist Walt Conway pens, retail CIOs should understand a few things about these chip cards or smart cards (i.e., payment cards with an embedded integrated circuit or microchip). Chip cards can reduce fraud losses, but chip-and-PIN zealots can overstate the benefits.Read more...

But the economic hardships of last year may have shined a tiny ray of light on some bargain-hunting retailers at the expense of Big Blue. IHL President Greg Buzek said second quarter POS shipments last year for IBM plunged more than 40 percent worldwide, and a good chunk of that was a flood of barely used, ludicrously discounted POS units from chains that never made it to 2010.Read more...

Saying that it was "a result of additional market feedback," the Council ruled that the sensitive payment date on the digital recordings could be retained if the retailer can prove that the data in question can't be queried. "The Council is now saying that call centers can keep this data—even if digital—so long as they protect it per PCI. That is big," said Walter Conway, a 403 Labs QSA who is also StorefrontBacktalk’s PCI columnist.Read more...

Let's flip it the other way. You're in the market for a new couch. Your Google search shows you a page with 35 results and they all, at a glance, seem interchangeable. You've already limited your search geographically, so most of these places (OK, granted, Google's geography limiter doesn't do much) are nearby. Most consumers tend to only focus on the first two or three results and choose from there. But what if there were thumbnail photographs of the insides of all of those stores, sized and positioned so that you could meaningfully flip through them all in seconds? Might that draw your eye to Result 26?Read more...

Franchisee Columnist Todd Michaud adds that the kicker is that most retailers don’t even know it’s happening. We're talking about your closest competitors having access to some of your customer profiles (at a much deeper level than what you probably are aware of), the purchase patterns of those customers and the amount they are spending on each visit. And you have no idea. Sound scary? It is.Read more...

Concors said he was lucky; his senior management team is open to creativity and was willing to roll the pizza dough dice on what sounded like an interesting idea for the world's largest pizza chain, with its more than 7,500 U.S. restaurants and more than 5,600 shops in 97 countries and territories globally. But few CIOs are in that position, and that's a piece of reality that could cripple the nascent retail mobile app space. "A lot of companies are struggling with whether to enter this space because of the ROI issue," Concors said. A big part of the problem is that far too many retailers are deploying mobile apps for the wrong reason or doing it the wrong way.Read more...

No, this isn't some IT apparel version of Revenge of the Sith (although that would be cool, in a sort of geeky wool-blend kind of way). It's merely the unexpected path taken by the 53-store chain’s IT leader, who wanted to see how much of a Butterfly Effect he could cause in E-Commerce customer satisfaction by making small improvements in fulfillment operations. The computers in question are not of the Cyborg type, and they look less like C3PO and more like a cross between R2D2 and what Rodgers calls a "giant Roomba"—you know, those robotic self-running vacuum cleaners. They're orange and made by a robotics startup called Kiva Systems, which has placed these squat robots in the warehouses of retailers including Gap, Crate & Barrel, Walgreens and Staples.Read more...

FACTA, the federal law that prohibits POS receipts from displaying full credit card numbers and expiration dates, does not apply to E-Commerce purchases, a federal judge has ruled. The fear had been that the electronic purchase receipts E-mailed to customers might have to comply with the same paper receipt truncation rules, but U.S. District Court Judge John W. Darrah (Northern District of Illinois) ruled that E-tailers are immune from the Fair and Accurate Credit Transactions Act (FACTA).

“E-mail order confirmations are not entitled to FACTA protection” because they “are not electronically printed receipts under FACTA,” Darrah said. “Second, an E-mail order confirmation is not provided at the point of sale or transaction under FACTA. Although plaintiff posits that print is commonly understood to mean ‘to display on a surface (as a computer screen) for viewing,’ this argument is unpersuasive.” …

For the last few years, the payments industry has made convenience a top priority. Promising it, not delivering it. Biometric authentication was the first attempt (when your slogan is “Don’t Swipe. Just Give Cashiers The Finger,” it’s rarely a good omen), until vendors realized that no one wanted it. Contactless payment was the next effort. This effort has delivered lackluster performance; major retailers only offered it when the bribes exceeded the effort. Finally, Visa has hit on a convenience method that is actually likely to be faster. It’s called cutting corners.

Visa on Monday (Feb. 8) agreed to waive the retail requirement to get consumer signatures for purchases costing $25 or less. “With the changes announced today, approximately 98 percent of all U.S. merchant category codes in the Visa system will be covered by the No Signature Required program,” a Visa statement said. Although it could be seen as diluting a time-honored anti-fraud tactic, signatures have been fairly worthless for years; almost no chain asks its cashiers to spend the time even looking at a customer’s signature and comparing it to the one on the card. Without that verification, there’s no reason to not waive the requirement for a lot more than $25 purchases. Set the amount at $200 or more, and not only will it truly accelerate lines, but it will allow chains to justify having cashiers really look at every signature for those purchases that still require them.…

Target said Monday (Feb. 8) it will start accepting gift cards—but only its own, for now—displayed from customers’ mobile phones. The chain will redeem the cards via associates scanning the barcodes at checkout, a process that some retailers have avoided because of a high number of scanning errors.

Target issued a statement claiming that it “is the first major retailer with the ability to scan mobile barcodes in all of its stores. Guests may access their Target Mobile GiftCards to add value at store registers, and check GiftCard balances at any time via the Target.com mobile site. In addition, Target Mobile GiftCard functionality allows guests to save multiple GiftCards to their account and label each one for easy reference.” This approach may prove to be a good move for Target, but it will almost certainly give a lot of cover to executives who want to try mobile gift card scanning. Unanswerable Question Of The Day: Is it better for the associate to hold the consumer’s phone during the scan—risking liability if, for example, a high-priced iPhone is dropped and shattered—or for the consumer to hold the phone—making a consistent scan much more difficult?…

"Visa sent customized settlement information packets to the affected financial institutions on January 14, 2010. In order to accept the settlement, a financial institution was required to affirmatively complete and return the settlement paperwork to Visa by January 29, 2010," said the statement from lawyers representing some of the impacted banks. "The offers--at least those reviewed by class counsel--appeared to be less than 10 cents on the dollar for most financial institutions and some at less than 1 cent on the dollar."Read more...

This game is a sure loser for all concerned, and that includes retailers that are primarily brick-and-mortar, E-tailers and manufacturers. Manufacturers: Welcome to the year 2010. There are all kinds of non-traditional ways your products will make you money. Beyond eBay, even Amazon and others have toyed with recycling used products. Your ability to control prices is limited, but the bigger concern is your efforts to allow lower prices but to prohibit them from being discussed out loud. In the day of the Web, mobile and Twitter, this strategy simply won't work. In the meantime, while you are futilely trying to make it work, you'll alienate consumers and retailers. Read more...

He's proposing the creation of a CIO Do Not Call List, where tech vendors can be placed on a "do not buy from" list if they violate even the slightest rule.Read more...

Barely a week after Intel and Microsoft announced their own futuristic digital signage plans—including PDA integration and analytics software linked to hidden digital cameras—NEC is talking up its own approach to digitally guessing consumers’ age and gender (plus counting them, but that’s so 1990s). Takeshi Yamamoto, vice president of NEC America’s IT software group, is quoted in the Wall Street Journal saying that the program is pretty good at getting within 10 years of a consumer’s age, that the program tracks a person’s age and gender but discards the digital footage, and that the data is aggregated.

“The program uses an algorithm that draws upon a database of thousands of faces as a reference. It looks at distinguishing points of the face, from the shape of the ears and eyes to hair color, to determine the age. The database expands as more people walk past the camera, allowing the program to make better judgment calls with time,” Yamamoto said. “The technology originated in Japan, where it was easier to implement because Japanese physical traits are more uniform. Mr. Yamamoto acknowledged that the U.S. market would be more difficult because of the diverse population.”…

Social media sites are driving retail marketers crazy. They clearly know that powerful things are happening on these sites, but they’re clueless about how to get involved. CVS on Wednesday (Feb. 10) launched a series of programs on Twitter, indicating that the chain simultaneously gets Twitter and doesn’t get it. An E-mail blast from a PR firm representing CVS promised anyone following CVS on Twitter “special discounts, coupons, money-saving tips and ‘inside scoop’ updates” as well as “a secret discount code for 25 percent off nearly everything on CVS.com.”

Where to start? Given that a Twitter feed is offered to anyone and everyone, using the words “secret” and “inside scoop” demonstrates either a lack of understanding of what Twitter is or an impressive lack of concern for truth. Neither is a great trait for a pharmacy chain trying to gain the trust of Twitter users. But much more meaningfully, the whole concept of Twitter for retailers is to use it to open a dialogue and solve customer problems. Using Twitter as a coupon feed misses the point of the service. If you want to read a really powerful book on the topic, check out Twitterville, Shel Israel’s take on the service. The book makes a surprisingly strong case for retail Twitter use if and only if the chain is willing to make it two-way.…

Although contactless payment is going through a tough time in the U.S. these days, its global efforts got a huge boost this month. Europe’s largest chain—French grocery giant Carrefour—announced the purchase of 12,000 EMV contactless PIN pads, with immediate plans to deploy the pads “at 210 of its French hypermarkets, as well as at all of Carrefour’s petrol stations in France.” The world’s second-largest retailer’s latest contactless deployment, which started in October 2009 but wasn’t announced until last Thursday (Feb. 4), is using readers from Hypercom, the chain said. The vendor would only describe Carrefour’s investment as “multi-million dollar.”

Domestically, contactless is having problems, with Best Buy kicking out Visa’s contactless program and Discover having its own technical problems with contactless . Even many of the U.S. chains that have deployed contactless have done so very unenthusiastically, including Home Depot and Subway.

…

The smart ones—and the only vendors you should be talking to, by the way—will tell you that there is no silver bullet to make PCI go away, which is a victory for reality over marketing hype. But there is one thing you should know about reducing your PCI scope: It is pretty important. If retailers are going to get the full value for their investment in either or both of these technologies, opines PCI Columnist Walter Conway, they better look carefully at their implementation or they may find they will not get all that they paid for.Read more...

At a glance, that sounds like a fine consumer-oriented focus, but let's delve a bit deeper. Apple is by no means coming out against geolocation. The problem is how Cupertino is defining both the good ("provide beneficial information") and the bad ("deliver targeted ads"). Who's to say that a cleverly targeted ad doesn't, in fact, potentially provide beneficial information?Read more...

Much of this defense sentencing recommendation tries to argue down how many dollars Gonzalez' activities have lost. Federal sentencing guidelines force judges to factor in how much damage the defendant's actions have caused and use that to help calculate the length of the sentence. It starts by suggesting that TJX weathered the cyberattack remarkably well. "The government has (produced) no evidence regarding the extent to which the stolen TJX data was ever used to an individual cardholder's detriment, as opposed to simply remaining on the server," wrote Gonzalez defense attorney Martin Weinberg. "And, as to TJX, a telling (indicator) of the degree of damage it suffered is found in the fact that during one of the most devastating economic periods in the country's history, TJX's stock value rose 30 percent."Read more...

Mobile communications in general—and M-Commerce in particular—are predicated on promises of speed and convenience. But that supposition tends to run counter to robust security, and therein lies the inherent conflict between mobile and security. Meanwhile, Facebook stands as the leader of social networks, and those networks also are based on convenience.

Our tale today involves a recent problem that Facebook experienced, where registered users logged in to the social site and saw the personal contacts and messages of other users rather than their own. But the glitch only happened when users were coming in through AT&T. That glitch is the topic of our weekly security column on McAfee’s blog.…

This situation involves the U.S. government's General Services Administration (GSA) and some GSA interactions enjoyed by Benjamin Moore & Co. (the paint people). The conflict cropped up when the chain was dealing with some military accounts in Hawaii. The issue comes down to needing that payment card copy in the files (tax-exempt rules) but being unable to save the copy of a Visa payment card (PCI rules).Read more...

Some major retailers have been debating whether the buying and selling of used merchandise (please shoot me if I ever say “pre-owned”) is a business model worth pursuing. Wal-Mart and Best Buy, after pushing the idea for about six months, have surrendered plans to buy and sell used video games. But Amazon, always the more adventurous of E-tailers, thinks the idea has huge potential. A Financial Times of London story cited an Amazon ad for programmers: “As people upgrade to the latest and greatest there is a plethora of valuable, perfectly good products that need a new home. We help facilitate the pairing of new owner with device, while also creating an open marketplace.”

What makes the Amazon concept so intriguing from an IT perspective are the CRM implications. Instead of tracking purchases to merely profile the customer, the new requirement is to also profile the products purchased. What is each product’s life expectancy? What is the optimal point to make an offer to a customer who might be starting to get bored with that product? How much of an upgrade can that consumer afford? Should the company start pitching new prospects based on a software projection of what already-sold merchandise will likely come back into play? And you thought Amazon needed a huge data warehouse before?…

In its examination of 10 major E-tail sites—Amazon, Barnes & Noble, Best Buy, Costco, Dell, Foot Locker, Musician’s Friend, Sears, Target and Walmart—the very fastest site (Best Buy) averaged more than twice Keynote’s acceptable slow estimate, crawling in at 8.3 seconds. Again, that was the fastest mobile site. The slowest site delivered its average page in 34 seconds. Keynote officials steadfastly refused to identify which site was the slowest. That said, points made by Keynote while discussing the study pretty much eliminated all of the tested retailers other than Costco from being candidates for the slowest performing site.Read more...

One of Bradley's first takeaways from the $2.8 billion HSN was that consumers' interactions with content are strongly influenced by their physical location. Why? It's expectation. Consumers see brick-and-mortars as places to look, touch and buy products. Video demos feel out of place in that context. At home watching TV, however, the expectations are much more tolerant. "Depending on where a person physically is can dictate how you can have their attention," Bradley said. "Out on the street? She'll have seconds. In-store? A minute or two. On the Web? Maybe 15 minutes. But on the TV? Hours. People go to the Web with certain goals in mind. There's a lot of bouncing back and forth as they're trying to solve a problem. There's more ADD, bouncing around."Read more...