Evan Schuman's StorefrontBacktalk

Google Wallet’s security problems that surfaced last week—two different ways for a thief who has stolen a phone to get access to payment cards in the digital wallet—prompted Google to block new Google Wallet provisioning for several days until the company pushed out a fix. But the vulnerabilities also highlighted a major pain point: Shifting payments from plastic card to smartphone isn’t just about technology, it’s also about getting partners to cooperate—in this case, card issuer Citi.

The big problem: The most logical and secure technology fix—moving PINs to secure hardware—is something Citi seems unwilling to do.

Hewlett-Packard announced a new open-source Web browser for mobile devices on Tuesday (Feb. 14). It’s name? Isis. That’s the latest slap for ISIS, the mobile payment initiative backed by Verizon, AT&T and T-Mobile—apparently HP didn’t even wonder if anyone had trademarked “Isis” as the name for a mobile app (yes, ISIS has). It’s especially worrisome with ISIS now slipping into third place in the mobile payment horse race behind Google and PayPal, which are both already taking payments.

Even more confounding: Starting this month, Google now offers Google Wallet on some AT&T mobile phones and, unlike Verizon, AT&T is apparently officially allowing it. To be fair, ISIS still plans to start trials of its payments system this summer in Salt Lake City and Austin. But to be realistic, if ISIS can’t keep its founding members on board or even defend its brand name, you have to wonder whether these telcos still think they can win the mobile payment game—or if ISIS is about to change directions again.

A Seattle mobile payment firm is pushing for phone purchases to be done with no PIN, arguing that with this young a market, consumer convenience needs to trump security. Given its focus on authenticating the phone instead of the customer, it’s had to get creative and might be pushing the privacy envelope. It examines the five most frequently called friends, for example, along with a list of installed applications.

Whether or not its methods go too far, it’s in good company in the mobile early-stage convenience versus security argument, with both PayPal—and its phone-less and card-less purchases at Home Depot—and Visa, which is pushing PIN-less EMV transactions while MasterCard is taking the more secure and less convenient pro-PIN EMV position.

A new cryptographic hole revealed this week will impact one in 500 encryption keys, will be fairly hard for cyberthieves to find and will almost certainly be patched quickly. Still, it raises fundamental questions about encryption reliance. The group of cryptography researchers described an encryption hole that hits RSA especially hard, and at least one major chain is taking this very seriously.

“The bigger concern is internal keys, ones they couldn’t survey. Without their data of ‘weak keys,’ we can’t be sure we aren’t using any,” the retail exec said. “All owners of certificates do not know today if their keys are weak or not, and have no way of finding out just by examining them.”

Every time we hear one of these shipping company nightmare stories—with packages lost or recklessly damaged—it’s a painful reminder of how much retailers are at the mercy of these shipping partners. When a consumer makes an E-Commerce purchase and something happens to the product en route, who does the consumer blame?

There may be a way to flip this problem into an advantage. What if chains viewed every store as a local distribution center? And used local talent to deliver not only to customers but on the same day? This approach enables the merged-channel retailer to extend that experience right back into the customer’s front yard and maybe through the front door.

The whole concept of showrooming bothers Retail Columnist Todd Michaud. He keeps thinking about how retailers need to turn their retail locations into a strategic asset, rather than a burden. There is no reason retail organizations cannot duplicate (or even improve upon) the online purchase experience of their E-tailer counterparts.

If traditional retailers really want to win the war against their online counterparts, they need to shift the battlefield from price to convenience. And nothing says “convenience” like “drive-thru,” right?

In almost all U.S. state and federal data breach disclosure laws, a loophole lets a retailer avoid disclosure if law enforcement says it would help the investigation to keep the breach secret. The U.S. SEC, however, now has no such exemption.

This means that if the Secret Service or FBI tells a chain to keep an incident secret or else risk disrupting an active investigation, a company that complies—and keeps word of the breach out of SEC filings—may be guilty of SEC fraud, pens Legal Columnist Mark Rasch. In this federal agency versus federal/state agency situation, the retailer victim may be victimized again.

Yes, customers really will pay attention to in-store electronic signs—especially if they’re not supposed to. In a Reuters news story this week, Kroger CFO Mike Schlotman said 2,200 of the grocery chain’s 3,600 stores have installed video screens to alert associates when more checkout lanes should be opened up. The screens, which display three numbered balls, are supposed to use a secret code to show how many checkstands should be open. But some shoppers have cracked the code, Schlotman said, and now complain to associates that, for example, there should be 11 lanes open because the screens say so.

But did anyone really think customers wouldn’t catch on? There’s a long tradition of retailers trying to slip secrets-in-plain-sight past customers on coupons, receipts or in-store displays. It never worked before, and with fanatical shoppers now constantly comparing notes on the Internet, a cracked code is practically guaranteed to become widely known very quickly. Then again, maybe treating this stuff like a treasure hunt can actually make customers feel like they have more control over their shopping. In that case, it’s fine for retailers to play the secrets game—so long as no one seriously thinks the “secret” can be kept.

Are you legally liable for what customers do over your store’s free Wi-Fi? A Massachusetts lawsuit is backing into that question with a novel legal theory: If illegal activity uses someone else’s unsecured Wi-Fi, then the Wi-Fi owner can be sued for negligence for allowing it to happen.

To be clear, the Massachusetts plaintiff is not going after any retailers—in fact, the plaintiff’s lawyer says he’d hate to try winning a case like that against a retailer. Unfortunately, that doesn’t mean some other lawyer won’t chase the same theory, with results that could put a chain in court.

A woman walks into her local Wal-Mart and immediately turns to an area near the front of the store with a bank of screens. This customer is rushed today, so she tells the system to forget the recommendations and she selects 24 items from her shopping list.

The items that are on the shelf elsewhere or in the backroom? An employee goes to fetch them. Those that are not in-stock at that store? They’ll be shipped to her home. This is where Venky Harinarayan, Wal-Mart’s Senior VP for Global E-Commerce, head of @WalmartLabs and venture capitalist extraordinaire, sees the world’s largest chain headed.

Apple’s mobile devices all but own in-store mobile in large retail chains, but they’re the least well supported of mobile devices for enterprise use. That’s creating increasingly serious troubles for retailers using iPods and iPads for in-store transactions. Case in point: $3.5 billion housewares chain Williams-Sonoma, where IT had to work all around Apple’s minimalist ideas of device management just to improve chances that transactions would complete reliably.

The problem? Locking down the devices is impossible. Monitoring how well they can communicate with POS backends requires developer gymnastics. Unexpected updates can wreak havoc. And Apple isn’t helping.

At just about every major chain, employees have agreed to lengthy nondisclosure agreements, whereby they have agreed not to “disclose” any “confidential information.” The problem is that most employees don’t think of updating their LinkedIn profile as a disclosure. Even more significantly, they don’t think of a lot of their day-to-day operations as confidential information.

Nowhere is this more true than with retail IT talent, talent that is marketed by touting the various applications people have worked on and the specifics of problems they have solved, pens Legal Columnist Mark Rasch. In LinkedIn, all of those apps and problems/solutions are located right next to their employer’s name.

MasterCard has clarified its EMV push policies, saying its campaign will be focused solely on direct data breaches (as in a wide-scale attack on servers stealing millions of card numbers). Its second campaign will deal with individual fraud (as in consumers losing their cards and someone finding them and then running up charges).

But the number-two card brand also spoke of a near-term future where E-Commerce will be able to use the EMV chip to authenticate and process E-Commerce and M-Commerce transactions. However, will consumers pay more for laptops that can handle such security? And will tablets and smartphones—which can more easily and more cost-effectively handle such technologies—grow quickly enough to make desktop/laptop enhancements irrelevant?

Pity poor E-Commerce. It’s barely 18 years old, has racked up about $200 billion in revenue last year and still has trouble getting noticed. Consider MasterCard’s and Visa’s EMV announcements. Both brands set various incentives for retailers if they process 75 percent of their transactions through EMV contact-and-contactless terminals. Of course, what MasterCard and Visa meant was in-store transactions.

The idea that an E-Commerce transaction is not a real transaction should be repugnant to any retailer in 2012. But those old prejudices that stores are where serious commerce happens are apparently acceptable.

Home Depot’s unusual move last week to shut down its site for 18 hours starting on Wednesday at noon was apparently done for some very logical reasons.

The timing of the move raised eyebrows. Such shutdowns have historically been done overnight, perhaps starting at about 11 PM or midnight East Coast time, and during the weekend. Also raising eyebrows was why a planned software upgrade required the site to be taken down at all. Given the home repair nature of Home Depot, weekend downtime can be more costly than a Wednesday or Thursday.

Amazon may be sprinting to get a strategic advantage when E-Commerce sales taxes finally kick in, but it’s still in no hurry to pay up. Last week, in its annual 10-K report to the U.S. Security and Exchange Commission (SEC), Amazon said Arizona has billed it for “approximately $53 million, including tax and interest, for uncollected tax for the periods March 1, 2006, through December 31, 2010.” The “transaction privilege tax” bill was dated November 2011; apparently, the state’s revenue department just realized those four Amazon distribution centers in Arizona belong to that company in Washington.

Yes, Amazon has to keep pretending its warehouses belong to a company completely separate from its online business. And the state has to do this little dance to start negotiations that will end up in an agreement that Amazon will start collecting Arizona sales tax on some future date or once a federal law kicks in. But wouldn’t it be nice if, for once, both sides could just skip the inevitable lawsuit, lobbying and legislation and go straight to the back-room deal? Arizona is already so late to this game it’ll be lucky just to get through one of those three Ls before Congress finally acts.

When it comes to loyalty, many retailers are stuck in the 1990s. Does anyone else find it funny that in a world where you can very easily have a video conference with your kids from a $500 tablet over free Wi-Fi from a random hotel, we’re expected to keep a 3.3- x 2.2-inch piece of plastic in our wallets to get benefits from some of our favorite retailers?

All of this, pens Retail Columnist Todd Michaud, in an area—such as CRM—where the application of technology could directly impact a retailer’s top and bottom lines.

MasterCard’s Monday (Jan. 30) rollout of its roadmap for EMV in the U.S. set it on the opposite side of payment security from Visa, with MasterCard pushing for EMV with PIN and Visa arguing that PIN isn’t necessary. MasterCard is backing up its preference with some serious fraud-dollar forgiveness. Oddly enough, the much-smaller MasterCard has trumped—or, more precisely, nullified—Visa’s position, at least as far as retailers are concerned.

Given that greater-than-99-percent of Visa retailers in the U.S. also accept MasterCard, chains must go along with whichever brand has the more strict requirements. Typically, that’s been Visa, but not this time. On EMV-related PCI relaxations, however, the two brands opted to adopt identical policies.

Amazon, which last year was spending millions to fight online sales taxes, is now throwing its E-Commerce competitors under the sales-tax bus. Last week, Amazon sent E-mail notices to South Carolina customers, reminding them that they owe sales tax on Amazon purchases—but without Amazon actually collecting tax when a sale is made, thereby hiking the price a customer pays.

That means Amazon gets to build South Carolina distribution centers and enjoy a five-year holiday from having to collect sales tax—while Overstock.com, eBay and even Wal-Mart become the new big targets in the crosshairs of state tax collectors.

It was just past 10:30 PM on January 15 when police say a shoplifter walked into the Murrieta, Calif., Wal-Mart. But as part of a growing trend, she didn’t try and steal any merchandise. What she did was walk over to an unstaffed counter, pull out what seemed to be wire cutters and cut loose the store’s keys to its safer security devices.

Other thieves have opted for grabbing EAS tag detachers, but the point is the same. Beyond protecting products, retailers need to reinforce protections around the devices that protect their products. How are keys and tag detachers handled when not in use? Is there an explicit policy about ignoring EAS alarms?

With all of the new data coming in from mobile and social, retail IT has a truly strategic psychological problem. The old way of creating interfaces between systems can’t scale and will not deliver the results this new world of information overload demands. You’ve got to stop thinking about interfaces and start thinking about services. You’ve got to stop thinking about batch ETL processing and start thinking about real-time data integration and unstructured data.

You’ve got to start accepting cloud computing as a method of scaling your computing platform up and down, pens Retail Columnist Todd Michaud. In short, you’ve got to rip out most of your information architecture and start over.

As retailers embrace the cloud for its flexibility and convenience, they might want to also consider a very serious potential for loss of control. Legally, we’re talking three different types of control loss: Your loss of access to the data; your customers’ loss of the ability to access your services; and the potential for your confidential data to become public records and to then find its way to your competitors.

Paranoid? Not any more, pens Legal Columnist Mark Rasch. Recently, the U.S. Government took down the copyright pirate site “MegaUpload” and had its founder arrested and detained awaiting extradition.

eBay’s bid to become the link between big U.S. retailers and Australian customers is off to a less-than-sterling start. On January 18, eBay CEO John Donahoe bragged to an earnings call audience that Macy’s used eBay Australia to get a foothold Down Under without creating a brick-and-mortar presence. “Macy’s saw that the Australian dollar was very strong,” Donahoe said. “The Australian consumers are very open to import and they’re looking for brands. And Macy’s opened up a store in eBay Australia, and so they’re now reaching consumers in Australia on the eBay platform without having to have assets reside in the country.”

Well, sort of. Actually, Macys.com was already selling to Australian customers last summer, using third-party vendor FiftyOne to handle shipping, customs, currency issues and customer service. And the Macy’s eBay Australia store currently has no products; Macy’s spokesman Jim Sluzewski said the eBay store was tested only through the end of 2011 and Macy’s is now evaluating its results. So Macy’s wasn’t depending on eBay to reach Aussies, and the eBay store was already closed when Donahoe did his bragging. Other than that, he got it right—we hope.

PayPal’s expansion of its in-store payments trial at Home Depot (up from 400 PayPal employees to all PayPal users) marks a huge jump in the trial’s scope—and risk. On January 19, PayPal opened up the trial to include 51 stores (up from the initial 5) and said all PayPal users could now sign up for the system. That should give both PayPal and Home Depot much more useful information on who will use the system, and how.

But PayPal’s approach—which essentially reverses 50 years of payment-card advances by eliminating any physical authentication device—still presents a big challenge when it comes to security. The ability to check out with just a mobile phone number and PIN—no plastic card, NFC-enabled phone or other authentication hardware required—means anyone who can acquire that phone number plus PIN has a free shot at the legitimate customer’s account.

In a futile attempt to fight showrooming, Target is pressuring its suppliers to make it more difficult for Target’s customers to price compare. The most bizarre part is that Target is trying to game a system where it already has a huge competitive advantage.

The historic argument has been that E-tailers have a huge convenience advantage and that a retailer must combat that by leveraging its experience/ambiance advantage. But with showrooming, the customer has already driven to the store, parked, walked to the aisle and found the desired product. The physical store has the convenience advantage 10 times over.