Evan Schuman's StorefrontBacktalk

Ready to pour $185,000 into nailing down your E-Commerce site’s domain name all over again? Starting in January 2012, retailers will be able to apply for new top-level domains (TLDs) that will give them Internet addresses that end with their brand—.macys instead of macys.com, for example. But on October 21, the National Retail Federation (NRF) sent a letter to the U.S. Commerce Department asking that the department delay implementation of the new TLD land grab until lots of questions about the process are cleared up.

That could take a while. No one—including ICANN, the body that handles new TLD names—knows how many retailers, manufacturers, cities, organizations or other entities will apply for their own TLDs, or how long the approval process will take (estimates range from seven months to years), or whether there will ever be another chance to buy up vanity domains. What is clear is that it’s going to be expensive—even for retailers who decide not to pop for the chance to slice .com off the end of their E-Commerce site’s address.

A federal appellate panel, reviewing some of the data-breach lawsuits against Hannaford, has dealt a very narrow setback to retailers, ruling that consumers can be entitled to identify-theft insurance and replacement payment cards. The fact that such an extremely limited support for consumer rights can even be seen as a setback for retailers puts into context how incredibly retail-friendly federal courts have consistently been in various data-breach rulings.

There are two likely near-term impacts from the ruling. First, Hannaford itself will now have this case return to an active trial status, where it will likely reside for an absurdly short of time before it’s settled for the very small number of dollars that such an insurance policy and card replacements (for just a few customers) will cost. For retailers throughout the country, though, the impact will be more muted.

A Google engineer’s accidentally published rant on October 12 made headlines because he ripped into Google’s hottest new property, calling Google+ “a knee-jerk reaction, a study in short-term thinking” and “a pathetic afterthought.” But ironically, that’s the least interesting thing Googlista Steve Yegge had to say—and his real point has serious implications for retailers.

That crucial point, buried in Yegge’s 4,800-word rant: Google (just like most retail chains) has built a company on top of a collection of applications. Amazon (where Yegge worked for six years) has built its enormous E-Commerce success because it is not just a bundle of retail applications. It’s a platform that lets customers interact, outside retailers sell and other third parties connect. But Amazon didn’t start that way. And how it made the transition should have retail chains thinking hard about whether that’s the right approach for them, too.

In the middle of a strange lawsuit against Amazon.com—one where an actress is suing because she says Amazon revealed her correct age—is a very serious payment-card IT accusation: that Amazon processed a payment and then used the card-verification data to gather more data and then published it. To be fair, the lawsuit itself is a dubious document, with some statements that seem clearly false and others that seem to not recognize how Amazon and its Internet Movie Database unit (IMDb.com) function. But setting aside those issues—which certainly raise questions about the validity of the Amazon accusations—the charges bring up an interesting issue.

Is it illegal, or even against the various card brand rules or PCI’s rules, to use information from the confirmation process to access public information and to then use it? Amazon is not accused of publishing the verification data directly (which would have raised very different issues) but of using that data to track down public records. And if Amazon indeed did that—and that’s still a big “if”—is that a legitimate area for retailers to use to grow CRM databases?

Sears’ in-store mobile move is more about feature migration (from POS and consumer’s phones to phones controlled by associates) than new functionality. But for an October 2011 rollout—given some of Sears’ thinking—that might be just perfect. When Sears on October 13 added its name to the lengthy roster of chains rolling out in-store associate-controlled Apple devices, it opted to not offer checkout. But it is mirroring the services for customers that associates have, for years, been able to do from POS stations and that customers (for a lesser time) have been able to do from their own smartphones.

Sears’ conservative move makes more sense in the context that many customers may not feel like using their phones while shopping and, more to the point, most American consumers don’t yet have smartphones—if you accept the smartphone definition of a phone that can download third-party apps.

Wal-Mart on Tuesday (Oct. 11) announced a deal with Facebook to launch more than 3,500 store-specific Facebook pages. This move could mark the beginning of a key positioning change—both with the world’s largest retailer and the many other chains likely to follow Wal-Mart’s strategy—of thinking of the Web face of Wal-Mart being one chain instead of thousands of local stores.

Beyond the obvious—strengthening the local friendly face of the neighborhood store—this could alert corporate to stores that are resonating with their audiences and those that are not. It’s not unusual for chains to allow specific stores to have very different product mixes based on the manager’s read on local customers. In turn, this could enable those differences to be much more pronounced than is practical today with a single walmart.com site. This all presumes, though, that customer interactions with local Facebook sites—especially as measured by the number of “likes” a site gets—is a meaningful metric. That’s far from being a given.

Last Thursday (Oct. 6), Walgreens rolled out its latest mobile feature, which enables its customers to get text reminders of prescriptions that are due for refill, orders that the chain said can be completed “with a simple ‘refill’ reply.” But as another reminder of the challenge of federal pharmacy privacy rules, the text is so restricted as to be borderline useless to the chain’s best customers.

The new service, called Refill Reminder Text Alerts, is based on a top-notch idea. The goal is to aid customers who have multiple refills and have had the onus of initiating contact with their pharmacy every time a prescription needs to be refilled, even if they have been consistently refilling the same prescriptions every month for years. Instead of waiting for the customer to call, the chain is initiating that contact and asking with a simple text for permission to refill the order. The problem involves restrictions from the U.S. Health Insurance Portability and Accountability Act (HIPAA). It prevents the texts from identifying which prescription it’s asking about.

HSN last Friday (Oct. 7) took the next logical step with mobile-friendly QR codes by placing them in a corner on the television screen, giving high-definition TV viewers the chance to learn more about the products being shown. In addition, HSN cleverly tried to avoid the QR snafus that other retailers—such as Macy’s—have fallen into by using its on-air hosts to teach visitors how to use the codes.

But the limited four-day experiment also demonstrated the many QR drawbacks that retailers have to struggle with. A reporter for Forbes, for example, tried making a purchase during the event through a QR code and found that her couch was 10 feet away from the screen but that she had to get up to scan the code from five feet away. People who successfully navigated the QR code got to an ordinary Web site page. No discount, no special reward. And how long would the code be displayed? Then there’s the learning curve.

Even as retailers and customers ramp up for mobile commerce, some smartphone makers still don’t have a mindset that’s ready for handling payments. On Tuesday (Oct. 4), handset vendor HTC admitted that an application built into some of its Android phones could leak sensitive user information—such as GPS data, E-mail account information and potentially even payment-card numbers—to malware that could get the data without a password or any special permissions except the right to connect to the Internet.

The specific information that HTC’s logging software collects isn’t tremendously sensitive—we’re talking location, not payment-card numbers. However, the fact that megabytes of data are being scooped up by the phone’s maker, but not secured by even a password, is a sign that smartphone vendors still assume a phone is just a phone—instead of a combination payment terminal, mobile wallet and M-Commerce browser.

Amazon is once again the only company you have to hate over 1-Click. A one-click patent infringement lawsuit against Apple, PayPal and Victoria’s Secret has been dismissed, marking the end of an Amazon competitor’s effort to collect royalties from E-tailers who had already licensed Amazon’s 1-Click patent. The dismissal came after a federal appeals court ruled on September 23 in a separate case that the patent held by Cordance—the Amazon competitor for one-click royalties—was invalid. (A jury came to that conclusion in a 2009 trial, but the judge overruled that verdict. The appeals court last month decided the jury was right the first time.)

It’s hard to cheer for another Amazon 1-Click court victory—1-Click has been the favorite patent to hate among E-tailers for more than a decade (although in-store, patent lawsuits over debit and gift-card processing make a strong showing). But at least there’s some good news for retailers this time: For now, you’ll only have to pay for 1-Click once.

Newly released mobile-commerce sales figures from major retail chains show a stunning difference success, with the largest M-Commerce retailer—Amazon—making more than 15 times as much as the next largest M-Commerce revenue retailer: Wal-Mart. M-Commerce revenue plunged after that, with Amazon, for example, making 156 times the M-Commerce revenue than Home Depot. Part of the explanation is that retailers, in general, are doing quite poorly in M-Commerce sales. A new extensive ranking of the 300 largest M-Commerce companies—sequenced by M-Commerce revenue—shows only two retailers in the top 10 list.

The $2 billion Amazon is projected to make via transactions made by consumer phones is a non-trivial figure, given its $34.2 billion in global revenue of all types, according to the figures published by Internet Retailer. But note how quickly the numbers drop with its rivals. Wal-Mart, the only other retailer to make the overall top 10, appeared at slot 4 with $127.7 million. The third largest retailer—Staples—comes in at a projected $45.3 million this year, followed by Best Buy ($37.9 million), Macy’s ($33.2 million), Buy.com ($32.5 million), Foot Locker ($32 million), Sears ($31.7 million) and Overstock ($31.6 million).

Before a typically staid Federal Reserve Bank of Chicago symposium last week, the CEO of a security device vendor violated Jim Croce’s rule of not tugging on Superman’s cape. In a speech, the CEO ripped into the PCI Council, dubbing it a “dangerous false God” and saying that “PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority. It has and will continue to stifle innovation by its often nonsensical rule making.” And she then stopped pulling her punches.

To put this into context, PCI has unquestionably improved retail security in the U.S. and few have suggested a concrete alternative approach that wouldn’t bring with it even worse problems. Like the criminal courts, a system can be very far from perfection and still be the best of all alternatives. It’s also true that when security choices are made, some vendors are not going to be happy with the new rules. Even with all of that said, the directness and intensity of the speech by Magtek CEO Mimi Hart is worthy of note.

Neiman Marcus on September 29 announced an unusual-sounding Foursquare marketing campaign. The chain hid cards giving away 15 $1,000 handbags (Nancy Gonzalez clutches, to be precise) in its stores and used Foursquare to reveal a clue to help shoppers find the product. A statement the chain issued said the system would “indicate whether the user is in the vicinity of a hidden clutch.” But in actual fact, the system didn’t know anything beyond the fact that the consumer had entered a particular store.

It then offered a clue. For a store in Ft. Worth, Texas, for example, the tease said: “It may be a Full House but we are convinced you will go bananas for this bag. Find it and win the bag.” The promotion couldn’t really indicate how close the customer was to the gift, because Foursquare’s GPS signal typically ends the instant the customer enters the building. Neiman Marcus couldn’t go any farther, “because of our infrastructure. We’d need to have sensors all over the store,” said Jean Scheidnes, the chain’s manager of social media. But what if a chain did deploy such a network of in-store sensors? The potential could go way beyond fun and games.

Hard on the heels of a September 23 demonstration showed that Secure HTTP is no longer all that secure, Google and Microsoft have both recommended that Web sites dodge the problem by changing the encryption they use. (And how often do these guys agree on anything?) Many E-Commerce sites use the Advanced Encryption Standard (AES) for encryption, but AES is vulnerable to the security hole demonstrated last week. However, the older RC4 is immune to this particular attack, and that’s what Google and Microsoft recommend E-Commerce sites (and other sites receiving sensitive data such as payment-card numbers) use.

Does this demand an emergency fix? No, but it’s more serious than many experts thought before last Friday’s demonstration. Security researchers Juliano Rizzo and Thai Duong required only two minutes to break into a PayPal user’s encrypted session—fast enough to make their attack feasible for cyberthieves (although still extremely difficult, at least until some thoughtful hacker turns it into a script any 13-year-old can use). But switching from AES to RC4 is relatively painless for online retailers. The real fix will require upgrading security protocols on hundreds of millions of Web browsers and servers.

As customer complaints continue to pour in about Target’s Missoni Tuesday—canceled orders, repeated delays, payment cards charged for orders lost in the site’s crash—one question still stands out: How could Target have so completely butchered the customer-service aspect? Amazon has been handling Target.com’s customer service for the past decade, along with everything else associated with the E-Commerce site. That means the customer-service department that screwed up so badly on Missoni Tuesday was even newer than the Web site’s code. Why? Because although that custom code took two years to develop, a call center is viewed as a commodity—meaning those people were either hired or brought in at the last minute.

On top of everything else that went wrong, that made Target’s IT problems just that much worse. Seems that Target is only now starting to understand the full costs of having outsourced to Amazon. Loss of control? That it knew. Loss of experience? That’s the cost it’s just starting to understand.

On September 22, the U.S. Senate Judiciary Committee pushed a data security bill—which has been bouncing around that chamber for six years—to the full Senate. The bill would create federal data security rules, including new retail data breach disclosure rules. But the bill (Personal Data Privacy and Security Act of 2011 introduced by Sen. Patrick Leahy, Dem.-VT) still suffers from many of the lengthy exceptions that it has had for years, exceptions that all but guarantee that few retailers will be required to do anything differently.

But in light of this bill’s lengthy exemptions and data breach size limits—public disclosure, for example, is only required when a breach impacts more than 5,000 people in one state—the National Retail Federation issued a statement saying it fears that with so many retailers having to report data breaches under this legislation people might get bored and start to ignore the notices. NRF dubs this scenario “notice fatigue.” What does it say to the nation when the chief lobbying organization charged with protecting retail interests publicly trumpets the fact that it believes there will be a huge number of data breach reports if full disclosure is required? Yeah, that makes me want to go and buy stock in Wal-Mart and Walgreens right away.

The Federal Trade Commission is reworking its rules on how E-Commerce sites have to deal with children (12 years old and younger) who visit. Yes, “uh-oh” is the correct response. The FTC is officially soliciting feedback on its proposed changes to the Children’s Online Privacy Protection Rule. It might be a good idea to take a peek at its changes and offer some feedback.

Do they need help? One of the FTC’s questions was whether certain emerging technologies are “Web sites located on the Internet” or “online services.” Web sites located on the Internet? As opposed to what? One begins to wonder if the FTC understands that the Worldwide Web and E-mail and FTP and newsgroups and IP services are all part of the Internet. No matter. The issues being debated include parental consent methods, along with how it’s determined who is a child and who isn’t, given that some children might simply opt to lie. From an E-tail perspective, there are huge implications about verification, handling this data and delays before legitimate information can be gathered. The rules themselves look fairly benign, but the FTC needs to hear more comments from E-tail IT folk about the implications of various methods of authentication and collection. Better to help form the rules now then to complain about them later. (Note: As an IT person, you do have an obligation to do both.)

In the ongoing battle of words over retail self-checkout with Kroger and Albertsons—with each side arguing to its customers that true customer love means rejecting/retaining self-checkout—the latest comes from a 75-year-old $1.5-billion regional grocery chain that was late to the game in beginning self-checkout and right in the middle of the rush to jettison it. But even though the chain certainly argued a customer service reason for the swift chain-wide exit, it also said that it couldn’t stomach the high theft rate.

The Big Y chain, with 61 stores in Connecticut and Massachusetts, announced this month that it would kill all of its self-checkout lanes. “In the battle of Service vs. Self Checkouts, service won,” the chain said in a short statement. In a conversation with a chain executive, though, the decision sounded a lot more complicated. To be blunt, it didn’t seem as if the chain had ever been all that fond of self-checkout, which it first deployed back in 2003. “We were one of the last chains to get into the self-checkout game. We were really dragging our feet,” said Claire D’Amour-Daley, the chain’s VP for corporate communications.

Shoppers going to E-tail sites from Facebook and Twitter are much less likely to make purchases; but when they do make a purchase, it is sharply higher from these social network referrals than from other types of referrals, a recent report said. Those Twitter purchasers also seem willing to pay more for the same merchandise. This apparent contradiction—actually, it’s more of a nuanced distinction than a real contradiction—is interesting as much from a “what do we do about that?” perspective as from a “is this really valid?” take.

The simplest way for a site to guess whether another site is influencing purchases is to review referral link logs, to see where customers were right before. That method, however, doesn’t make much sense with many social sites. A Twitter visitor, for example, will likely click on a link to read the reviews/photos/thoughts of a Twitter connection, and only after that—and perhaps one or two more links—will the customer visit the retailer’s site.

If you are a company in Alabama, Kentucky, New Mexico or South Dakota and you suffer a data breach in your state that affects residents of your state, you might be tempted to look up your state’s data breach law, see that your legislature had decided not to pass such a requirement and believe you have complied with the law. But if you “conduct business” in Texas, under a new Texas law, not only must you notify Texas residents (if any) that their data has been breached, but you have to notify residents in states that have no breach disclosure laws—or face the wrath of the Lone Star state.

This means, writes Legal Columnist Mark Rasch, that Texas law would apply to the relationship between a retailer in Tuscaloosa and a consumer in Birmingham, AL, a retailer in Louisville and a consumer on Lexington, KY, a retailer in Albuquerque and a consumer in Santa Fe, NM, or a retailer in Sioux Falls and a consumer in Rapid City, SD.

The PCI SAQ process needs work, but SAQ C is especially problematic. Retailers who qualify for SAQ C process payments on a payment application connected to the Internet. The target audience for SAQ C is small merchants with a payment application on their personal computer, which connects to the Internet to process card transactions. Other requirements are that the merchants store no electronic cardholder data and that their computer is not “connected to any other systems in your environment.”

In the real world, many retailers and franchisors (and franchisees) try to qualify to use SAQ C. PCI Columnist Walter Conway calls this the “anything but SAQ D” approach. In his experience, the biggest challenge of SAQ C is isolating the application server(s) from the rest of the merchant environment. Conway knows merchants who have devoted a lot of effort and changed their network so they can qualify for SAQ C. A recent clarification by the PCI Council, however, limits the ability of many retailers and franchisors to use this SAQ.

When Visa announced Monday (Sept. 19) that it had officially sold a license to Google Wallet, it signaled a key next step in the mobile payment maneuvers. Google now appears to have the best position with retailers, while ISIS gets love from banks and card issuers, and PayPal is relying on its own online payment abilities. Then there’s the mobile payment candidate waiting in the wings. Will Apple in a month or so make its NFC mobile move?

That’s increasingly likely—at least if Apple is ready. This particular fight may be moving to the hearts and phones of consumers, where two players—ISIS and PayPal—have serious handicaps. But consumers see Google as a search engine that does a lot of stuff for them for free. And if any company generates even more warm-and-fuzzy feelings than Google, it’s Apple. And Apple also has a host of rarely-discussed huge mobile payment advantages, starting with the fact that it’s a retailer and a darn innovative one at that.

Secure HTTP may be in trouble. The protocol that E-Commerce sites use to safely receive customers’ payment-card information can be hijacked in a matter of minutes, according to two security researchers who will demonstrate their attack at a security conference on Friday (Sept. 23). In case anyone doubts how relevant their demonstration is, their target will be a PayPal account.

The good news: The security hole can be closed by upgrading E-Commerce sites to a version of the security protocol that has been available since 2006. The bad news: Most E-Commerce Web sites and most Web browsers are still using the version with the security hole. The security-guru consensus: The sky isn’t falling yet, and browser makers may be able to implement a tweak that blocks the threat without a new security protocol.

After everything else that happened to Target in the wake of its catastrophically successful Missoni sale on September 13, here’s one more thing to add insult to injury: Customers are now complaining about their online orders being delayed or canceled—and then seeing the merchandise they couldn’t get showing up again on Target.com. But it’s hard to blame this problem on Target’s new E-Commerce site—the same thing happened to Target and other E-tailers last Black Friday, when Target.com was still being run by Amazon.

The “now it’s out-of-stock, now it’s back in stock” problem isn’t new to either in-store or E-Commerce, and it’s one that retailers usually try to handle as quietly as possible with ever-smarter inventory systems. But that will probably never work, because real-time inventory stops working very well when an item is about to go out of stock. Unfortunately, giving online customers more information about a looming out-of-stock situation could actually encourage them to buy less—and may not keep them any happier.

When it comes to short-term E-Commerce promotions, be careful what you wish for or you will surely crash. Target.com learned that lesson last week and, on Tuesday (Sept. 20), it was the turn for Domino’s Pizza. But Domino’s explained away its crash with a twist: it blamed “bad apple” customers.

Domino’s enjoyed a piping hot multi-hour site outage that day, shortly after it launched a Facebook promotion—which was also shut down—to give away 100,000 pizzas in a new gourmet-style pizza line dubbed Artisan Pizza. The chain isn’t saying exactly what happened to cause its outage, but it is saying that customers—presumably ultra-intent on winning the free pizzas—did something unfair. Ostensibly, it was some sort of denial-of-service variation where they would flood the servers with responses, thereby getting lots of entries in and denying others the ability to do the same. Domino’s is declining to say precisely what it thinks was done. But the chain still apologized for it on Facebook on Wednesday (Sept. 21).