
Top Stories



CRM


The Delicate Legal, Ethical Dance Of Selling To Children

May 16th, 2012

Here’s one for the marketing ethicists out there (is “ethical marketing” an oxymoron?): 18-year-olds come into the retail CRM world as clean slates, even if they have been active E-Commerce and M-Commerce shoppers for eight or nine years. It is illegal to solicit or sell data about children younger than 13—and what can be collected and used about those aged 13 to 17 is highly restricted. When that veteran shopper turns 18, though, can all of his or her juvenile shopping history be sold or even used?

One online payment vendor is preparing to sell tons of youth purchase data—apparently, this is the first time anyone has tried—avoiding immediate legal problems by offering the data in aggregate.



Will A Store-And-Forward In-Store Mobile Tactic Work?

May 16th, 2012

What if having wireless in-store access isn’t really that important? Retailers’ efforts to make sure customers have constant Wi-Fi access—to fuel mobile functions such as barcode scanning, demo watching and, potentially, even mobile wallet efforts—has certainly proven problematic, whether the reasons are wireless-unfriendly old buildings or young shoppers gulping all of the bandwidth with movies or games.

Beyond encouraging shoppers to use over-the-air access that chains need do nothing to facilitate, what if apps used the mobile device’s memory to play those demos and to look up those barcodes, and then waited to update until the device was reconnected? Shopkick is using one version of this modified store-and-forward mobile strategy, as of an update deployed last month.



Big Data Is Exactly What You Think It Isn’t

May 16th, 2012

Who cares about Big Data? You should. All of a sudden, Web logs that were kept simply for troubleshooting purposes can now be mined to determine valuable information about customers’ preferences, writes Retail Columnist Todd Michaud.

Logs that are created by physical machines can now be analyzed en masse to look for information to help advance a business. Data from social networks can now be mined for customer sentiment. These problems were too big and too complex before. But now, answers are within reach.



A Better Way To Search StorefrontBacktalk

May 16th, 2012

With more than 3,000 stories, columns and GuestViews in the content database here at StorefrontBacktalk, we thought it was time to do a little upgrading. Starting this week, readers (both free and Premium) can search for stories by limiting the search to just the story’s headline—as opposed to the headline and the full text. (Note: Right below the search bar, readers can choose HED Only or Story And Hed.)

The ability to isolate a search to the headline can be useful in two ways. If you happen to remember that the headline mentioned Target, for example, you need not see every story that mentioned Target (or even used the word “target”). The second way is practical. If you want a story that is primarily about tokens—and not a story that merely mentions the word somewhere—the headline-only search can be helpful.



MasterCard Aims To Take Mobile Wallet Rivals Apart

May 9th, 2012

What Google, PayPal and ISIS are trying to assemble in mobile payments, MasterCard wants to dismember. On Monday (May 7), the number-two payment-card brand unveiled a mobile wallet and an E-Commerce payment system that are designed to cut out any middlemen horning in between customers and retailers and payment networks.

Ironically, while MasterCard’s PayPass Wallet for NFC-equipped phones got most of the attention, that’s still largely a pipe dream—MasterCard hasn’t even talked any mobile operators into giving it access to the NFC chip. But the online payments effort will offer tokenization to reduce PCI scope for E-Commerce. The bad news: You can probably forget about any interchange relief.


Peapod’s QR Train Station Grocery Trial Shows Mobile Bias

May 9th, 2012

In a series of mobile trials in subway and train stations in Philadelphia and Chicago, online grocer Peapod has been trying to drive sales of milk, diapers and dog food to commuters with a few minutes on—and a smartphone in—their hands. The trials had to deal with mobile technologies with a very uncertain future—such as QR codes—and the frustrating logistics of demoing in cramped public transportation centers.

Peapod got the idea from a wildly successful mobile QR trial that Tesco did in South Korean subways. Peapod’s attempt is apparently the first to try and replicate the Tesco efforts in the U.S.


Disney’s RFID iPad Trial Is An Important Lesson When Battling Showrooming

May 9th, 2012

As E-tailers continue their incursions into rivals’ physical stores, the only viable defense is to radically upgrade customer service and the overall store experience. Two of the retailers most known for this are Apple and Walt Disney World Resort. Have you ever heard of an E-Commerce site cutting into the revenue at Disney? What specific tactics can brick-and-mortars steal? Here’s a good one: Disney this month is experimenting with an RFID/iPad combo to upgrade its famous FastPass system—for letting people reserve tickets/times and thereby get much faster access to rides and events. As Disney employees carry iPads, customers’ RFID bracelets will interact with CRM and ride information.

It’s fair to argue that Disney has always been the retail exception. It pushed contactless payment by offering deep discounts, and Disney even successfully got customers to use digital biometrics (fingerprints) for park access. But that’s just the point. With a heavy enough emphasis on experience and customer service, shoppers are willing to do almost anything, including—just perhaps—forgetting all about Amazon.


The Analytics Hole: Does Anyone Connect The Dots From Mobile To Web To In-Store?

May 2nd, 2012

Retailers spend an awful lot of time and money gathering and analyzing online and in-store stats about customer behavior. But what most seem to not do is try and connect the dots.

What did the shopper do right after scanning that barcode? If the answer can be found in mobile analytics data, you’re fine. But if the answer can only be found by overlaying that mobile data with in-store CRM data, most won’t see it. What about synching E-Commerce activity with calls to the call center two minutes later? Or linking an E-Commerce search to an in-store POS action 20 minutes later? How about social activity matched with any of the above?


Wacky Legal Idea: Using Class-Action Lawsuits To Gather CRM Data

May 2nd, 2012

Here’s your wacky legal strategy idea of the month: Settling a mostly frivolous multimillion-dollar lawsuit can be such a great CRM data generation mechanism that companies might consider filing such class-action suits against themselves. One recent class-action settlement delivered more marketing value to the defendant than it could have ever hoped for, pens Legal Columnist Mark Rasch.

That defendant is using the litigation to collect consumer information. It is learning the names, addresses, E-mail addresses and some purchasing habits of not only actual consumers but, presumably, about people who never bought the product and yet are interested enough (in either the product or the $20) to lie about having bought the product. There doesn’t appear to be any limitation on how that information can later be used for marketing.


Walmart’s Online Cash Creates New Fraud Problem

May 2nd, 2012

When Walmart launched its E-Commerce cash program on April 26, did it open the door to evil-minded rivals by giving them the means to falsely lock up merchandise? That is just one example of the many implications behind Walmart’s move to enable people to use cash to make online purchases.

Beyond new security holes on the risk side, the reward side is equally huge. While everyone seems to have focused on the general unbanked audience, a much more interesting prospect for this program is teenagers. Plus, this is sort of an anti-showrooming move, where online shoppers are being lured into the stores. Revenue sharing between Walmart channels is also a point of nervousness with this program. And a store’s inability to cancel such online orders—even if the customer then finds the item on the shelf—is problematic, too. This is a rare example of the kinds of compromises—between online and in-store operations—chains must make these days.


The Privacy Triple Play: Digital Giftcards Using Facebook Data And Geolocation

May 2nd, 2012

The challenge of giftcards has always been getting customers to remember them when they’re actually near the store where they can be used. With that goal in mind, a giftcard service—working with Gap and Sephora—is trying for a marketing triple play: mobile geolocation on top of Facebook data on top of customized giftcards. When a customer is near a retailer whose giftcard they have, it will loudly flag that fact to the customer.

The geolocation opt-in alerts are an interesting twist, especially when a consumer is walking in a city (locally or when traveling) and has no idea that a particular retailer has a store three blocks to the right.


A Real Sign Of Change At Wal-Mart: The Board Adding A Google VP

April 17th, 2012

When Wal-Mart announced Monday (April 16) that it was nominating Google exec Marissa Mayer to its board of directors—indeed, it was expanding the size of the board so she could be added—the retailer telegraphed an awful lot about its thoughts on social media, merged channel and, in particular, mobile.

It’s striking, though, how much of a contrast the 36-year-old Mayer makes compared with the existing members—with an average age of 60, the board is heavily weighted with CEOs of non-tech companies, venture capitalists and Wal-Mart veterans. The board seems to be acknowledging that it may not be the ideal group to oversee Wal-Mart’s moves into the worlds of Twitter, Facebook, YouTube, geofencing and Foursquare.


Sorting Makeup By Age, Hair Color And Ingredients. Sephora’s Customization Effort

April 11th, 2012

When Sephora, the global cosmetic chain, updated its Web site on Monday (April 9), it made some very impressive tagging decisions to enable personalization at the age and makeup ingredient level. Below the stats the 300-store chain released—such as that each product will now be tagged with 25 different characteristics and that this tagging took 50 people 5,000 hours to complete—is the obvious-in-hindsight observation that a 16-year-old girl is probably not interested in seeing the same cosmetics that would appeal to a 70-year-old woman.

The goals of hiding different things—say wrinkles versus pimples—would suggest different products, as would skin tone, hair color, eye color, lighting (office versus nightclub) and even clothing. Sephora will also enable searches by ingredients—for consumers who are allergic to specific chemicals—and fragrance. (It also enables search by price, but Sephora doesn’t get any brownie points for that.) And although it certainly helps the customers find the right product, it does even more for CRM files. Age, hair color, allergies and full cosmetics preferences? Welcome to CRM heaven, cosmetics-style.


FTC Report Slams Geolocation Data Use But Is Otherwise Retail-Friendly

March 30th, 2012

For retailers thinking about ways to use mobile data, the U.S. Federal Trade Commission on March 26 made things slightly more difficult. Mobile geolocation information has now officially been categorized as “sensitive data,” right alongside medical records, info about children and Social Security numbers.

That means the government will ask for—and Congress might insist on—extensive additional limits on using and even collecting such data. If a chain is going to collect specific geolocation data, the retailer needs to do more than inform those shoppers, said Peder Magee, an attorney in the FTC’s division of Privacy and Identity Protection. “You need to ask for permission,” he said.


The Project Every Retailer Needs And No One Wants: Big Data Marketing Automation

March 29th, 2012

Retailers everywhere are finding themselves being hit upside the head with big data. This data is generated by their internal systems, external systems and end customers, and it’s growing at exponential rates. Quietly, this trend is going to add a new player to the corporate ranks: the Chief Data Scientist.

Organizationally, these functional experts will challenge the traditional organizational structure. Data scientists will likely enter an organization through the IT group, because that department is most likely to engage their services to help drive value from information mining projects, pens Retail Columnist Todd Michaud.


Best Buy Outage And The Downside To Merged Channels

March 28th, 2012

When Best Buy wrapped up a planned 17-hour site outage on Wednesday (March 28), it came away with more than an updated E-Commerce system. The retailer learned the downside of tight merged channel integration and what happens when in-store becomes too dependent on online operations.

As Best Buy itself said: “While the updates are occurring, customers will be unable to search or browse products, place orders or check order status on BestBuy.com, m.bestbuy.com (mobile or tablet), BestBuy.com/espanol and store kiosks.” Customers also “will not receive E-mails regarding orders while the updates are in progress” and checking order status—plus, of course, making online purchases—“will also be inaccessible to store employees, call center agents and online support representatives.”


Starbucks Finds A CRM Reason To Postal Mail Giftcards

March 22nd, 2012

With today’s overwhelming focus on digital goods, why on Earth would a chain choose to physically send giftcards through the mail anymore? Answer: It’s arguably the last reliable—and consistently legal—way to get customer addresses.

Ironically, it’s Starbucks—which was one of the first to try mobile payment and intrinsically understood the social media concept years before Facebook launched—that has embraced sending giftcards (for customer birthdays, which is another clever CRM touch) through the hail/sleet/dark-of-night people. This issue actually combines two marketing devices popular throughout the 20th Century: snailmail and plastic giftcards/loyalty cards.


Want To Buy Tokens? Pretend It’s A Marketing Program

March 20th, 2012

Information security programs are notoriously difficult to implement. They are likely to cost money or negatively impact business operations or both. Business leaders want to think about making more money or reducing costs. Info-sec projects typically are sold on the “risk avoidance” platform, which is not the best political platform to be campaigning on.

A month after you pitch, writes Retail Columnist Todd Michaud, you’re back, and the marketing chief is talking about how your brand needs a new, leading-edge loyalty program. You offer up that there is new technology in place that will enable your brand to create a loyalty system without forcing customers to carry another plastic card, tag or smartphone application.


Gap’s Geofencing Trial Merely The Appetizer Before The Purchase History Entrée

March 14th, 2012

Gap last week ended a 2-week trial on a geofencing mobile ad effort, one that reinforced traditional billboard ads with mobile messages displayed to people standing right beside those ads. In some cases, those ads were right in front of Gap stores, and therein lies untapped mobile potential.

The initial test used the shopper’s physical location, but no other personal data (such as purchase history, other apps on the phone, Web search logs, personal demographics). However, personalization will likely be the subject of upcoming trials, said Dave Etherington, the SVP for marketing and mobile at Titan, the advertising firm that executed the Gap trial.


Sears Isn’t Spotting Top Customers At The Door, But Should It Be?

March 14th, 2012

Sears is not using technology to spot loyalty customers walking into some of its stores. On Tuesday (March 12), The Wall Street Journal reported the venerable 2,700-store chain is doing that in its Woodfield Mall store near Chicago. By the next day, the story had been tweaked: The store “might soon” do that. A Sears spokesman was more blunt: “We do not have that functionality,” he said.

But Sears clearly wants it—like Neiman Marcus and every other big retailer. The challenge now isn’t doing it, but figuring out how it can fit in with what customers expect.


Why Not Use Mobile To Complete Offline Purchases In-Store?

March 14th, 2012

Retailers are using mobile all wrong. How about using the physical stores to save sales that were abandoned online? Why not, asks Retail Columnist Todd Michaud, use mobile as the bridge between online and brick-and-mortar? What if an apparel chain used its online shopping cart to pull a set of clothes for shoppers to try on in the fitting room of their local store at their convenience?

What if the customer could tag an item in the retail store so that it automatically was added to their online shopping cart for future purchase? This would enable people who like what they see to purchase it later. “Honey, I really like the looks of this new washing machine, but wanted to let you check it out before I purchased it.”


Wal-Mart’s Social Sales Heaven

March 13th, 2012

The latest Wal-Mart social acquisition—one where it grabbed “the technology of” a 4-year-old Facebook app called Social Calendar—creates the potential for Wal-Mart shoppers to not only be reminded of Aunt Bertha’s birthday but have gift ideas based on Aunt Bertha’s social media activity together with her purchase history. Walmart.com will send these gifts to its customers—or to Bertha directly—with one-click speed.

That ability, plus new detailed maps to customers within Facebook, and Wal-Mart has bought itself quite a gift. The magic comes when those millions of gift-giving events—birthdays, anniversaries, weddings, graduations, baby showers, etc.—are merged with Wal-Mart’s new social media files and its not-so-new customer purchase histories.


Revolt Over Interchange: Home Depot, Wal-Mart Lead Way

March 8th, 2012

In the same month that Home Depot is moving its PayPal mobile-payment process chainwide, the home improvement superstore—along with more than a dozen of the world’s largest retailers, including Wal-Mart and Target—is signaling its dissatisfaction with all of the current mobile-payment options by agreeing to fund an alternative. This retailer-owned effort has a lot of dollars to make its dreams come true, with more than $20 million pledged and more than a trillion dollars in combined revenue to funnel to the preferred approach.

But the group has the same hurdles that have weighed down so many industry consortia: potential infighting among the leading players; legal obstacles; the need to build a massive infrastructure, given the intent to shun current networks; and the tech questions, such as whether this new approach will have any better luck at mastering security than today’s efforts.


Neiman Marcus Know-It-All App May Require A Different Kind Of Associate

March 7th, 2012

Neiman Marcus is testing a new iPhone loyalty app that the luxury chain hopes will finally turn a longstanding desire of retailers into reality: the ability to know when the chain’s best customers walk through the door, and to match those customers up with the right sales associates.

Retailers have been trying to get that right for years, using a variety of technologies. But if Neiman Marcus’ approach works, it may mean that associates and store managers will have to exercise much more discretion and discipline—and that chains will have to change the way they hire associates.


Data Portability Is Your Get Out Of Jail Free Card

March 7th, 2012

On your list of must-haves for a new retail technology, application functionality is essential and ease of use is great. But the absolute top requirement should be the portability of the system’s data, pens Retail Columnist Todd Michaud — even if you don’t need that portability today.

Being able to move data around your enterprise gives the most flexibility in using that data, and data portability also future-proofs your system by letting you bolt on new technology quickly instead of slowly and oh-so-carefully making changes to what you’ve already got.




Most Recent Comments

"Careless" Systems Integrators Now Directly Under PCI DSS

This exact issue has been bothering me for years, and I was JUST talking about it with someone only yesterday. This may well be my favorite article, mostly because I'm biased and have hated this particular problem forever.
Good article, but how does this have anything to do with the DSS?
Actually, the QIR program has a lot to do with the DSS (or PCI). Since merchants rely on their reseller or integrator to implement their PA-DSS validated application, these resellers and system integrators play a critical role in merchants achieving and maintaining PCI compliance. As far as I can tell, the QIR program is designed to help merchants stay compliant by making sure their payment applications are installed according to the PA-DSS Implementation Guide, for example ensuring default passwords are changed (and protected), that the data encryption keys are properly set and secured, that the merchant's data retention policy is set, that no sensitive cardholder data are stored, and often that a firewall is in place and properly configured.
Although this is a great move forward in pushing the issue of highly trained people, it is also a good marketing ploy for the council. It begs the question: How much do they stand to make? The problem for this is that for people (like myself) that are just starting out their own business venture, PCI has typically charged a premium for their training and certifications. This change will likely force those of us with less capital to spin into the abyss. I have more than 15 years in the security and compliance fields with heavy hitter certs like CISSP, CRISC, and Sec+. There should not be a guide but a free test or a pre-requisite of either the PCI cert OR other heavy hitter certs. I just don't want the good guys in small places to get flushed out.
The ETA recently launched the Certified Payment Professional program, which charges $425 for non-members to take the test, assuming they meet the 'experience' requirement, to PROVE they are a professional. And they'll have to take it every 3 years. Worthy program, but high cost. Plus, only a select few were allowed to be in the first class, and there are only 4 test windows per year currently. So being on the registry simply means, you were lucky enough to get picked, nothing to do with skill level.
@Cory: Thanks for your comment and question about the pricing of the QIR training. I raised that question in a conversation with Bob Russo last week, and I will address it in a follow-up column in a few days. While the pricing is not yet set, hopefully it will not be too great a burden for you or other integrators/resellers. We'll have to see, though.

Costco Self-Checkout Trial Setback After Store Losses

Not all self checkout works this way. One self checkout vendor is designed to work this way and it leaves a gaping security problem that can create this situation. There are 3 predominant providers of self checkout in the U.S. and this represents the lowest installed base provider of the 3 and their market share continues to shrink from reports I have seen.
Editor's Note: The vendor that Mark was referencing is IBM. His point is that other systems make it easier for any weight mismatches to require associate intervention--just like with alcohol or cigarettes or any other age-restricted item--rather than a more passive flag to the customer that the item was excluded.
Another angle on the challenges with self checkout which may come to the retail scene in the next year is the tap and go/NFC smart phones. Though these are all the rage in Japan, we have yet to adopt them in the U.S. But that will change as the new phones emerge with the chips embedded this year. And the new demographic want to use this type of technology. A large retailer told us that NFC phone customers are getting their identities stolen, even though the self check-out requires proximity--and they do not want to take responsibility for this occurrence in their stores, on their premises. So although they like the idea of self check-out they are still experimenting with various approaches.
For self checkout, item-level RFID or unique barcodes plus real-time tracking appears to be the missing component. Mail delivery companies use real-time tracking of mail with a barcode and assure delivery at a certain time. The public library embeds books with RFID and tracks them through checkout. Retailers and SCO manufacturers are going to have to accept the fact they cannot rely on UPC and really need an item-level identifier that tracks that specific product as a unique item from shelving to checkout.

Visa Yanks Global Payments' PCI Compliance. Catch-22 In Full Force

So PCI compliance can not guarantee that a provider will not be breached, but a breach is inherent evidence of non-compliance? Any comment from VISA as to whether they will continue to accept ROCs prepared by Trustwave? Seems like an inconsistent position.
Global Payments reported they were working toward being in compliance with PCI, despite already being on the list. In a backwards way, they admitted they were not previously in compliance. We can't really say that a breach is inherent in these types of situations without having a full investigation report. That's one reason why MasterCard is waiting to see what forensics finds before yanking them from their list.
In the past, Visa has stated, "No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach." This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won't be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way — and interpretations among QSAs vary so much — as to make it impossible for anyone to be 100 percent compliant 100 percent of the time.
PCI, TSA, IRS - obviously none of these functions as intended or as promoted. I've said it before and I say it again, hackers are free of personnel, budget, expertise, infrastructure and time constraints. Nothing, NOTHING, is ever fully safe. Visa and its attorneys simply choose to hide behind the false sense of security of the PCI veil. Truth be known, Visa has probably been hacked. Anyone see the similarities between VISA and the Wizard of Oz?
This begs the question, how does this decision by Visa affect Third Party Processors (TPAs)? Our TPA agreement has wording to the effect that we can only send CHD to PCI compliant processors and banks. Now that Visa has deemed GPS non-compliant, are we breaking our TPA agreement by allowing our customers to continue using GPS?

How About A Little Service Provider Responsibility Here, PCI-Wise?

I appreciate the one-sidedness issue highlighted in this article. I also understand how card brands have a contractual link to merchants - but only rarely do with service providers. I'd find it virtually meaningless for the PCI requirement to mandate actions by the service provider, when they have no contracted responsibility to a commercial entity. That said, 12.8.4 places an obligation on the service provider to demonstrate compliance to their customer the merchant (or service provider, Acquirer etc). Is not the combination of these 2 requirements having the same outcome?
PCI is like banging your head on the wall. When you complete the SAQ, it feels good stopping.
Actually, service providers do have direct links to the card brands. For example, many have direct system connections/access points to the card networks. More importantly, all service providers validate their PCI compliance to the card brands. The brands (at least Visa and MasterCard) also post lists of compliant Level 1 Service Providers on their websites. My point was not so much about the card brands, though. I was observing that since PCI already has a number of requirements that apply only to Service Providers and not to merchants, there is precedent for one more Service-provider-only requirement to cure the imbalance I noted.
Walt, I'd suggest that perhaps you have a limited concept of who would be considered a Service Provider under the guidelines that you've suggested. The fact is that most resellers/integrators do NOT have direct links to the card brands or the card networks. They may work with processors to board new merchants or provide support, but there is no contractual or legal obligation at all. Your comment that all service providers validate their PCI compliance is also way off base if you include resellers & integrators. The limited number of Level 1 Service Providers probably do validate their compliance, but the vast majority of resellers/integrators are not that big.

The Never-Ending Dance Of Contactless Security

Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?
Contactless card transactions are verified online; if there is fraud the bank will take the liability. This does not happen with checks, bills. Oh and contactless is faster than any other form of payment and you do not have to check the takings at the end of the day: so faster service and a bit more secure.
To contactless. Not completely true that the bank will take the hit for a fraudulent contactless transaction. When paying at the fuel pump with contactless, you will have a defined pre-auth limit which is set by the issuer and obtain an online auth number. Even with the issuer providing real time auth, should the customer dispute the transaction, the liability and burden of proof still lies with the retailer in most circumstances. To the issuer they claim this is a "card not present" transaction if completed out of sight of the store attendant. Add that to the fact that a gas station forecourt allows the hiding of the necessary fraudulent transaction supporting equipment inside a vehicle, it creates the anonymous environment that fraudsters prefer to operate under.

The PayPal Problem: Will It Impact Retailers' PCI Scope?

For the foreseeable future, retailers are not going to be transacting exclusively against PayPal accounts. Therefore, with the assumption that the payments are stored, transmitted and processed through the same systems as "regular" CHD, there will be no change in scope. Merchants will have to protect the PayPal payment information with the same rigour as PANs/CV2s/tokens, but this isn't arduous because they are doing it right now. (Or should be.)
This is the problem with the notion of the high value token wording in September's guidelines. As you rightly point out, an email address, mobile no. or even a name can be considered a high value token. Yet by their very nature these are all readily available in the public domain, so I find it hard for them to be considered as a high value token. Read more...
Will Visa be including in their V.me system the additional ability for online payers to source funds via a “debit” transaction from their banking account, rather than only by a credit card transaction as has been the case in the past because of the PIN requirement for such a “debit” transaction? After all, what’s the difference between a PIN, that Visa/MasterCard already hold, and a password required to access a secure online payments gateway? Read more...
The PayPal user information is much more "high value" because it can be used across merchants to initiate transactions. If I have it or gain access to it via a merchant compromise, there is nothing to stop me from using it at another merchant. A properly designed tokenization system should have rules that prohibit tokens obtained from one merchant from being used at another merchant and/or prohibit initiating transactions unless the PAN and authentication data have been previously received by that merchant. Read more...
A big difference with PINs (at least in the debit world) is that they should only be entered into an encrypting PIN Pad. The feeling goes that if I steal a card with a valid PIN I can go to an unattended device (ATM) and pull out money w/o having to present a legitimate card to a person. I suppose you could make the same case (which you did) regarding an online transaction w/ a password. Read more...
PayPal's plan of POS attack is to entice merchants with below-cost credit and debit card processing, which is an offer no retailer will refuse. The company will subsidize its losses from the card transactions with the very high-margin profits it enjoys when its users fund the sales amount from their bank accounts. On the other hand, whether the consumers will be won over is another question altogether. If it is to stand a chance, PayPal will need to make the checkout process as uneventful as possible. As it is, the customer is asked to enter his or her cell phone number, in addition to a PIN, before the transaction can be completed. That's unnecessary and excessive. Read more...

Tokens Are Not The Same As Encryption. Honest

I agree with all your points on how the technologies differ. The only possible disagreement I have is that you are very generous in giving PCI credit for distinguishing the differences between the two technologies and scope whereas I think they caused the confusion (or at least didn't help). Read more...
I tend to disagree that tokenisation and encryption are different - indeed, I see tokenisation as a form of bespoke encryption. Many of the arguments I hear about tokenisation being different from encryption lead to concerns about the security of encryption, or that encryption can be reversed. Although it is true that encryption can be reversed with the key, I strongly dispute the arguments about the security of encryption, and personally I put much more faith in an algorithm that has undergone many decades of community research, where the security (key) can be isolated in approved hardware, than in a bespoke solution I have no visibility or independent assurance of. Read more...
"High-value tokens are those that can be used to initiate a new card transaction." Personally, I didn't understand this part of the doc. Surely that's the point of a token, so I'm assuming they mean a token that can be used independently of a 'vault' type of service to initiate and complete a transaction. Otherwise, every token would be a High Value token. Services like Square's card case where a person's name can trigger a payment, or PayPal's where an email and password trigger a card payment. In these cases a name and email would be tokens and as they are initiating a card payment could be considered a High Value token. Read more...
I disagree with you on the point you made about there being no way from a PCI scoping perspective to compare tokenization guidance to encryption clarification. The parallel that I see is not between tokenization and encryption, but between the token and the encrypted data values themselves. Semantics? Maybe, but I believe there is a significant if not subtle difference between these two statements. Read more...
How can a QSA be comfortable determining if something is out of scope, if he or she does not know how the system providing that benefit explicitly works in all conditions over its lifetime, especially if it is distributed and its functionality and risk profile may change over time, and can this be explicitly guaranteed? A QSA takes liability for such a de-scoping claim. Only proofs of security and evidence can stand behind that, something seriously lacking in most of the debate. Read more...
Tokenization is a use case of data transformation, not a specific technology. Humans have been practicing tokenization using multiple methods for centuries and claiming that one method of data transformation is the "real" tokenization and not some other way doesn't make sense. Tokenization must be reversible. Read more...
Promises of incremental sales and the ability to target loyalty have been completely worn out by endless pitches of card services, hardware, software, etc etc etc... Another watershed way of getting mobile payments introduced is to shift merchant's payment modes from higher to lower cost products. I think ISIS has started down a path that completely misses that opportunity by partnering with incumbents who have zero interest in reducing merchant payment costs. Read more...

Want To Push Social Media? Have You Considered Using Your Stores?

What about if the retailer is in a shared space (e.g., a food court in a mall or college campus) where there may be limited space and possibly limited flexibility (e.g., power, comms, lease restrictions)? Or in airports, where I see more and more retailers. Would your recommendations hold for those locations, too? By coincidence, I was at a conference this week and sat next to the person charged with building brand awareness for a national food chain on college campuses -- and therefore with the student demographic -- nationwide. After reading your piece, I was wondering whether your recommendations would hold for them. As for airports, I could see one school of thought that says customers don't live there, so get them in and out. But I also could see where the particulars of this demographic could be sufficiently compelling to want to reach out. Read more...
I agree that there are even deeper levels of engagement that you absolutely could drive in the store (I love the idea of floating coupons by the way). I think what is most important is using the store to start a conversation that could be then continued online (rather than always trying to start a conversation online that culminates with a sale in the store). Read more...
I think the statement "Then there is the small fact that the retail operator doesn’t feed his family based upon how well his customers are engaged online" speaks loads. Read more...

Publix Buy-Online-Pick-Up-In-Store Trial Nixed: Grocery Shoppers Are Different

Your take on the customer's view is right, however I wonder whether supermarkets can go a _long_ way towards resolving it with easy, quick refunds? My partner unpacked our home-delivered fruit and veg box last week, and discovered bruised fruit. Took a picture, emailed the company, and within 10 minutes had a refund. Happy customer all round - the company cares, etc. This requires very careful thinking on the merchant's part about how to invest in this area of customer service. However, since it is equally easy for my partner's picture of bruised oranges to be uploaded to a social media site as it is to email the company, the downsides for NOT doing this are quite large. Read more...
What about the other non-tangible benefits of shopping at the grocery store - it gets you out of the house and you get to interact with the staff. For many people this might be their only "human contact" in a day, or at least human contact that doesn't come with the stresses associated with family/work colleagues/customers. And of course, there is the primeval "hunting and gathering food" aspect. Read more...
ed
The last poster hit it head on - there is a primal "hunter" instinct in us humans preventing the buy-groceries-online model from taking off. Food, clothing and shelter are the three things we humans go out and scavenge for, and that is in our primal instinct. It appears the next logical step is to focus on items that do not interfere with our primal instincts, such as prepackaged food or personal hygiene. Read more...
