J.C.Penney Is Now The SEO Bad Boy Poster Child. Somebody Had To Be

Written by Evan Schuman
February 17th, 2011

J.C.Penney this week became the latest retail chain to serve as poster child for improper retail procedures, which almost all other retailers have done for years. TJX was—and is—the poster child for weak security, when what it was doing wasn’t materially different than what plenty of other similarly sized chains did. American Eagle Outfitters is the whipping boy for weak backup procedures. J.C.Penney is now the SEO monster.

What all three chains had in common: They were following industry norms, and they were the first big player to get caught doing it.

J.C.Penney’s turn came this week, when it was in the news because The New York Times did a piece about its gaming Google, to ace out other chains during the holiday season’s E-Commerce battle. The techniques Penney’s used were considered to have violated ethical search engine rules. The chain blamed its SEO firm and fired that company.

It’s true that the techniques used (involving a huge number of link-exchanges with sites that were ludicrously irrelevant) were naughty, in the SEO world. The real issue, though, is that J.C.Penney outsourced its responsibility. But J.C.Penney is an $18 billion retail chain. If anything can be outsourced to a contractor with minimal supervision or micromanagement, shouldn’t it be SEO?

Yes, what the firm did was naughty. But it certainly seems plausible that no one in J.C.Penney management—or even a rank-and-file J.C.Penney salaried staffer—had any knowledge of it. When a chain hires a real estate firm to search for locations, is there a need to spot-check that the realtor is evaluating all possible locations? At what point can a firm be trusted to do what it’s supposed to do?

Retail execs must focus and closely oversee many strategic areas, but SEO efforts? It’s an honest question for any retail IT execs reading this. A show of hands, please: How many of you have assigned staffers to review exactly what your SEO consultant was doing? Not just that they were delivering results, but checking on their exact procedures for doing so? Had you found that one of your team was spending a lot of hours doing that, would you have been pleased?

Everyone will be doing that checking now, but it’s because J.C.Penney got caught. This is similar to what American Eagle Outfitters experienced last summer. Its site was down—ranging from complete crash to various levels of the site being crippled—for eight days. Much of the cause was a backup system—managed by IBM and Oracle—that didn’t have functional backups, because no one had bothered to check.

Bad? Sure. Did most chains of American Eagle’s size get into the weeds to the point of physically verifying that the people who are being paid handsomely to run back ups are actually doing so? It’s the same issue with J.C.Penney. A business has to trust contractors at some level or it can’t function. American Eagle became the poster child for lax backup verifications, even though it was doing what just about every other retail chain was also doing. The difference? Penney’s got caught.

And what about TJX? Mention TJX to a group of retail IT execs and it’s shorthand for weak retail security. They chain was indeed the site of the largest retail data breach ever and—even worse—subsequent investigations did demonstrate a wide range of lax security procedures.

Here again, were TJX’s data security mechanisms back in 2005 materially worse than most other multibillion-dollar retail chains? The industry’s dirty secret is that, for the most part, no, they weren’t. But TJX got caught, and it was the wakeup call for the rest of retail to clean up its security act.

This isn’t anything that retail has exclusively. There’s still something unfair about being castigated for doing what all of your rivals are also doing. Then again, that’s what “getting caught” is all about. J.C.Penney, you have our sympathies, but you drew the short straw. Welcome to the Retail Poster Child club for naughty procedures.


One Comment | Read J.C.Penney Is Now The SEO Bad Boy Poster Child. Somebody Had To Be

  1. SoftwareDeveloper Says:

    So what is the big deal. Big time retail works in a very gray area when it comes to the web and everyone knows it. Lets take American Eagle, does anyone outside of American Eagle care? So I could’t connect to their site big deal. So American Eagle had internal communication problems big deal. Did they violate any laws? I don’t think so, they just had IBM, who is known to spend a lot on marketing and a lot on vapor and terrible service. This is where one gotcha wipes out a ton of ataboys.

    The issues outside of TJMax are internal and have nothing to do with security problems and PCI. Good for JC Penny.


StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

Most Recent Comments

Why Did Gonzales Hackers Like European Cards So Much Better?

I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
@David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.