Evan Schuman's StorefrontBacktalk

If ever there was an argument where security trumped compliance, the debate about tokenization versus encryption is it. Readers have made that point abundantly clear following a recent column describing the PCI scope reduction benefits of tokenization versus encryption.

The shift in emphasis from compliance to being secure is not new, but PCI Columnist Walter Conway was struck by how pronounced a perspective change retailers are experiencing.

Mobile payment is going to change retail in an unknown number of unknown ways, and your lawyers will have healthy employment. Consider in-aisle checkout and shoplifting rules, pens Legal Columnist Mark Rasch. Today, customers who put products in a concealed place—a pocket, backpack, purse, etc.—while still in the store can be convicted of shoplifting even if they have yet to reach the POS checkout area.

The conceal part of that action is considered evidence of criminal intent. Now let’s see you try and enforce that rule when you have in-aisle mobile checkout.

This year—2012—will be the beginning of the end for the traditional POS platform. Even though many analysts predicted that Apple, and its iPad, would be the David that finally took down the Goliaths, Retail Columnist Todd Michaud is arguing that Google will land the fatal blow.

The POS defense has been that chains need hardened systems. That argument worked when tablets were $500 and even $400. But now that Android tablets have fallen below $100, the argument falls apart. You could have four spares in the backroom and still be ahead.

No retailer likes being fined by Visa or MasterCard for letting thieves steal payment-card data, and most grumble privately about how that process is arbitrary and rigged against merchants. But a lawsuit now unfolding in Utah has uncovered a remarkable level of detail about how arbitrary card brands can be.

The lawsuit is challenging everything from issuing banks’ contracts to Visa’s claims for counting up card fraud and pinpointing who’s to blame—in addition to $1.3 million in card fraud that Visa says the restaurant enabled via an alleged security breach for which there’s no concrete evidence.

Home Depot’s trial to let shoppers pay in-store with PayPal—a program confirmed late last week, which is loosely related to PayPal’s wallet—is interesting more for what it doesn’t do than what it does. It’s a baby-step program in two ways.

On the mobile front, it’s the first retail trial of PayPal’s mobile payment program and it doesn’t use a mobile device at all. (OK, that’s more an embryo step than a baby step.) On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.

Mobile wallets face a time-honored Catch-22: because very few stores support the technology, consumers have very little reason to bother getting it. Exactly how barren is this dial-tone desert for Google Wallet, currently the only actively being trialed game in mobile town?

We have our early clues from the CIO of the $2.5-billion 481-store Guess chain, one of the first test sites for Google Wallet in “a couple of stores” in California since May. In total, how many customers have tried Google Wallet? Says CIO Michael Relich: “Five or six.” Not 500 or 600 customers, mind you. Five or six.

Walk into one of about 25 Guess stores this week and you’ll see customer-accessible iPads in the men’s, women’s and accessories departments and even in the dressing rooms. “For the cost of a kiosk, I can put in four or five of these,” said Guess CIO Michael Relich. “This is the consumerization of IT.”

But the Guess iPad trial is hardly being done to save costs. The flexibility of the tablets and sharp, customer-friendly graphics make the devices a much more effective way to show demos and to locate merchandise, check inventory and do anything else that a kiosk would normally do.

After years of making search-engine optimization tweaks to E-Commerce sites to get as high in those search results as possible, retailers are about to face a much more complicated SEO situation. On Tuesday (Jan. 10), Google announced it will now push up search results from Google+ high in its search rankings. The result: Retail sites will suddenly be pushed down in the list of search results by something outside of their SEO control.

But that’s just the start. Does anyone really expect that Google won’t take this further—and that your traditional SEO and social media teams aren’t about to collide?

The days of the classic botnet distributed denial-of-service attack may be numbered, and that isn’t necessarily good news for retail chains.On January 6, a cyberthief-friendly programmer made public a one-line attack that could enable a single attacker to bring multiple servers to their knees. That moves DDoS out of the realm of requiring a costly botnet for a high-bandwidth mass attack—and brings it into range for a single irritated teenager.

The vulnerability that attack uses is easily fixed. What’s really worrisome is what makes the attack practical: the new ability to target server weaknesses that have been known for years—but no one worried about.

In-aisle mobile payment isn’t merely a new payment method. It has the potential to force stores to rethink almost all aspects of operations—and few have seriously come to terms with how different environments are going to have to be. At the NRF show in New York City next week, a StorefrontBacktalk IT panel is going to map out the least-anticipated changes. And if you’re around on Tuesday 2–3 PM (1A 21/22 at the Javits Center), please drop by and tell us what we forgot to include. Ann Taylor CIO Mike Sajor, Sears VP/Loss Prevention Bill Titus and the NRF’s Joe Larocca—moderated by StorefrontBacktalk Editor Evan Schuman&mdashlwill look at the neglected items. As a Florida hobby shop discovered while serving as an NCR in-aisle mobile payment beta tester, this in-store mobile payment stuff is a lot harder than it looks.

“It’s really a change management problem,” Sajor said. “Literally everyone has to think through all of the possible change behaviors.” As Sears thinks through in-store mobile issues, it’s seeing how everything will need to change, from the supply chain to customer interactions to SKU-level integrity, inventory and dealing with new threats to the supply chain. “Some significant competitive advantages are going to be lost,” Titus said. The panel will be pure discussion, with no presentations and lots of audience interaction. So please argue with us there. Don’t make me come and find you.

The National Retail Federation’s Big Show is next week, and the exhibition floor will be crowded with vendors offering retailers all types of software applications. As a public service, following is a list of questions all merchants should ask their POS system supplier or reseller based on one QSA’s experience—namely the experience of PCI Columnist Walt Conway.

The good vendors will be able to address all these questions. The not-so-good ones will hand you a carrier bag or a pen instead.

Amazon is floating the idea—via a patent filing—of launching a social service. Whether it would be a dating site or a potential business partner finder or just a more intelligent way of choosing who to hang with online, that’s not clear.

But it is clear that Amazon is drooling over its vast CRM files and trying to figure out how much money it can make off them.

Twas the night before Christmas, and up in the sky, was a jolly old Santa, sans gifts from Best Buy. Consumers who had bought particularly popular items on the Best Buy Web site on Black Friday expecting a visit from Santa instead received a virtual lump of coal from the retailer in the form of an E-mail informing them that no gift was coming.

Legal Columnist Mark Rasch wants to call it a bait-and-switch coupled with a breach of contract. The Uniform Commercial Code Article 2 for the sale of goods says that if there is an offer (PlayStation for $150!), an acceptance (click here!) and consideration (here’s my credit card), then voila! A contract is formed.

Best Buy’s Black Friday disaster is a huge deal precisely because it strikes at the very heart of E-Commerce fears. Namely, a consumer needs to feel confident that once an order is paid for, the product will absolutely be arriving shortly.

Although Best Buy has yet to spell out how this happened, the most likely scenario is that it was the so-called perfect storm of bad timing and possibly a quantity typo. How much of a delay happened while employees desperately tried to find the—unknown to them at that point—non-existent merchandise? In a $50 billion chain, news can travel upstream very slowly. When the news is bad, it travels upstream even more slowly.

If detecting a customer’s age is tricky when the customer is standing right in front of a kiosk, it’s an even bigger problem for E-Commerce—one with hard legal consequences. Just after Christmas, a California father discovered his 14-year-old son had successfully ordered a water pipe and tobacco through Amazon—both illegal for minors to buy in California.

Age verification is something mail-order vendors have struggled with for years, and mostly given up on. But E-tailers can no longer use impossibility as an excuse. A recent federal law requires age-verification for tobacco sold online—and other age-controlled items can’t be far behind.

When Kraft and Intel recently started showing off their age-detecting kiosk—a vending machine that dispenses Jell-O pudding and other desserts only to consumers it calculates are old enough to appreciate them—it was yet another in a long line of age-guessing systems. This one, though, has the potential to help retailers at least minimize some hassles from selling age-restricted products.

The age-detection part uses an optical sensor to consider the customer’s face shape, along with distance measurements between the eyes, nose and ears.

As the quantity of mobile POS interactions continues to soar—whether they’re payments, coupons, CRM or something else—it’s a rare retailer who has avoided the maddening inability of laser scanners to reliably grab data off a smartphone. P&G has moved into this argument, pushing a mobile scan approach based on using functionality within handset hardware or mobile operating systems.

The good news is that this approach, in theory, will be free to retailers, because it will not necessitate any store IT changes at all. The problem—and it’s a deal-killer—is timing. With the mobile onslaught, quick is almost certainly going to trump free.

The PCI Council used its December 2011 newsletter to remind merchants and service providers to control physical access to their call centers with video cameras or other devices. This recommendation is both sound security and good advice, and merchants everywhere should take it to heart. But as a QSA, PCI Columnist Walt Conway wishes the Council had done more than highlight just one particular sub-requirement.

There is more to protecting sensitive areas than installing video cameras. The second, and possibly thornier, concern for small and midsize merchants is how effective the reminder is likely to be when many of them mistakenly think they won’t need to follow the advice.

The latest major retail data breach—involving 150 Subway locations and more than 50 other retailers, payment-card data from more than 80,000 shoppers and more than $3 million in bogus, but completed, transactions—is different than its predecessors for several reasons. Most notably, it appears to be the first major breach that was initially detected by a chain’s own IT team.

The essence of the attacks’ success leveraged two weaknesses: different unsecured remote-access packages used by various franchisees of Subway, which enabled easy Internet access to POS systems; and card swipes with minimal encryption. That meant key-capture software installed by the cyberthieves was able to grab data in the clear, as it was being swiped.

A U.K. buying site that tracks the frequency of online customer reviews said on December 8 that retailers shouldn’t expect a flood of product reviews on the run-up to Christmas. If the usual trends hold, there should be a lull in reviews between October and New Year’s when the pace of review writing should pick up again, according to DooYoo.com.

As obvious as that seems (after all, how can a gift recipient review a gift until it’s actually opened?), there may be a few more subtleties in when retailers can expect reviews—and what type of reviews they can expect.

Microsoft has effectively thrown in the towel for Microsoft Tag. On Tuesday (December 13), Microsoft announced that its Tag Reader smartphone app will now support QR codes and NFC. Officially that’s to make Tag Reader a one-stop app so users won’t have to worry about what reader to use with various tags. In practice, it’s curtains for Tag, the multicolored 2D barcode that Microsoft rolled out in January 2009 but that never really caught on (not that the more successful QR code has been a barn-burning success).

In a blog post, Microsoft said it now recommends NFC for retailers to “blend in beautifully,” QR to “grab their attention” and Tag to “raise curiosity”—presumably as in, “curiosity about who’s still interested in Microsoft Tag.”

When Amazon launched a one-day promotion this month aimed at getting its customers to go into brick-and-mortars and select items they wanted to buy at Amazon for a 5 percent discount, it was engaging in a deliciously ironic act.

Why? Because although what it was doing to those physical stores was likely legal, had those stores tried doing the same to Amazon, it would have been illegal, thanks to Amazon’s posted policies. That policy phrasing is not even universal—or even common— among major E-tailers, pens Legal Columnist Mark Rasch.

As is our tradition, StorefrontBacktalk shuts down for the last two weeks in December, due to the fact that y’all are far too busy (a) supporting the biggest selling weeks of the year until December 25th, (b) supporting the biggest returns-and-exchanges week of the year after December 25th and (c) closing the quarterly books until December 31st on what everyone hopes will be a bigger year than 2010.

That means our next regular weekly issue will arrive on January 5th, 2012. In the meantime, everything else will still be live (the Web sites, our Kindle version, our Twitter tweets, our mobile sites, etc.). And we’ll, as always, send out breaking news alerts if circumstances merit.

It’s now been four months since the PCI Council’s guidance on tokenization, and people are still mixing up tokenization and encryption. They are also drawing incorrect parallels/inferences. Tokenization is not encryption. Trying to compare the two is not appropriate (or like comparing quarks to streetcars or your other favorite silly similes), and doing so can lead to mistakes in scoping PCI.

By the way, after much effort, PCI Columnist Walt Conway thinks he has finally found a real-world example of what a high-value token should be. Let’s say shoppers want to use a payment card at a merchant, but they do not want that merchant to have their PAN, for whatever reason.

Google Wallet isn’t safe, at least not on the consumer end. That’s the conclusion from security firm viaForensic’s analysis released on Monday (Dec. 12). Yes, Google does a good job of blocking man-in-the-middle attacks. And having a PIN to open the wallet restores some security that Visa stripped out when it brought Chip-and-PIN to the U.S.

But Google also stores far too much customer information unencrypted on the phone—and if the phone is malware-infected or stolen, that data becomes far too easy for a thief to get at.