Evan Schuman's StorefrontBacktalk

If you want a perfect snapshot of how dominant Apple has become for in-store mobile POS devices—and why—look no further than Hewlett Packard’s mobile POS announcement on Thursday (Nov. 3): a payment-card sled that attaches to HP’s new Slate 2 tablet. This is bound to be a tough sell—remember, HP has just killed off a tablet line in a very public fashion (even though that wasn’t the Windows-based Slate line). The HP tablet-and-sled combo together will be a hefty $1,200. Competing with Apple means HP will need to nail this product perfectly—right?

Yes, that’s what HP needed. But instead of offering the tablet and sled as a general-purpose in-store mobile POS, HP is positioning it largely as an add-on to HP’s own POS systems. OK, that limits the market. So does the lack of a clear advantage over an iPad (HP says being Windows-based will make it “easy for retailers to integrate,” though a product manager acknowledged that iPads probably work fine with most retailers’ systems too). Then there’s the mag-stripe reader, which can work right out of the box in unencrypted mode. Wait, isn’t that exactly what retailers don’t want?

Offering to alert pharmacy customers to prescriptions that are about to expire would be a terrific idea, were it not for privacy restrictions imposed by the U.S. Health Insurance Portability and Accountability Act (HIPAA). That’s something Walgreens learned the hard way last month. Winn-Dixie, the $7 billion regional grocery chain, tackled the same issue and debated and ultimately rejected several tech approaches.

With so many chains offering pharmacy services, the debates provide a glimpse into how mobile strategies can slam into privacy rules and, sometimes, technology simply can’t get around that. Tim Bell is the director for pharmacy managed care and systems at the 460-store chain operating in Florida, Alabama, Louisiana, Georgia and Mississippi. Bell said the issue is that the best approach for sending a quick alert (such as “Your Prescription for Lipitor is due for renewing. Should we renew?”) and accepting (“Renew”) is the least secure: text messaging.

Apple is about to complete its conversion to a merged-channel retailer—and maybe put its first stake in the ground for mobile payments, too. Most critically, Apple is changing how it doles out bonuses and commissions, which is the only way to get anyone’s attention. Sales will no longer be credited to the division (online or in-store) that collects the money, but to whoever actually delivers the product. On November 3, Apple is expected to roll out a new system that will merge its in-store and mobile-commerce channels, offer a 12-minute turnaround time for M-Commerce orders and reward brick-and-mortar stores for pushing customers to shop online and pick up in-store. And—as you may have heard—it’s letting customers do self-checkout, too.

If that sounds like an afterthought, it very nearly is, even though self-checkout alone would be a big deal for most chains. What Apple is primarily trying to do is demolish the wall between stores and M-Commerce. It may not work—that 12-minute turnaround promise may just be impossible, and some of Apple’s plans for prioritizing customers can collapse when things get busy. But if it does work, it may also represent Apple’s demonstration of how it plans to offer mobile payments to other retailers—without either NFC or mimicking a plastic card.

In the battle to woo retail partners, PayPal this week put out its best digital wallet presentations in a pop-up store in the Tribeca section of New York City. With presentations done by PayPal staffers and professional actors, PayPal is preparing to run retailers through five scenarios of mobile wallet retail usage. Unfortunately, PayPal’s demonstrations look eerily like those from Google and ISIS.

The problem is that the digital wallet concept—a place where you can cram in every payment method, CRM card and discount reminder—is the same, with trivial differences in partners and technology. PayPal did showcase some differentiators—such as the ability to pay with airline miles or other points programs, in addition to changing the payment method days after the purchase has been finalized—but it also conceded that there’s nothing preventing Google or ISIS (or Apple or others) from offering identical services.

In unrelated trials this week, Debenhams—the UK’s second-largest department store—and eBay are trying to push the mobile limits of creating stores with no physical infrastructure. But unlike Web sites, these virtual stores exist in a specific place to which customers must travel. In Debenhams’ case, a human being at that location would see nothing, except other human beings oddly pointing their phones around the sky.

The virtual store is not new. In a much publicized trial this summer, Tesco re-created almost all of the merchandise from one of its stores as a series of high-res photographs with QR codes on the walls of a South Korean subway. But the Debenhams’ effort takes it farther than any other retailer. At least consumers arriving at that subway would see pictures of products and could guess what to do. In the Debenhams’ trial, consumers were directed to very prominent street corners in London (Trafalgar Square), Manchester (Albert Square), Birmingham (Centenary Square), Cardiff (Cardiff Castle) and Glasgow (George Square). They then loaded a mobile app onto their phones. If the geolocation of the phones matched what the app had been programmed to look for, it would display a ghostly image of a dress.

The Holy Grail of customer relationship management—or, given your perspective, The Black Hand Of Death of CRM—is cross-chain transparency. That’s where you see not only every transaction from your customers within your own chain but also everything they purchased from every one of your rivals and when. The potential for this type of transparency will exist with the various mobile wallets being pitched, but an even more likely and more frightening source of this data will be companies that are offering to digitize paper receipts.

Whether such a possibility is good or evil depends on whether you are salivating over seeing your rivals’ transactions or envisioning your rivals seeing all of your transactions. Officially, none of the mobile wallet players—including Google, PayPal and ISIS—has threatened to sell peeks at your transaction receipts to your rivals, although no one is willing to rule out future revenue sources. But the smaller vendors that are offering your customers free digitization of their paper receipts—and usually an offer to also store any already-digitized receipts—are the more likely sources of this cross-merchant data.

Envision an in-store system that addresses every customer by name and points out to the customer—out loud, in earshot of other customers—prior purchases, including highly sensitive products. The system would know the customer’s address, relatives, neighbors and friends, and might even mention embarrassing incidents involving the customer as a child. The name of this invasive system is “the friendly shopkeeper,” and almost every corner pharmacy, grocery and hardware store had one back in the 1950s and 1960s—back when we like to think customers were very privacy conscious.

Conventional wisdom is that consumer resistance to invasive marketing consistently softens over time with each new retail tech innovation. But the friendly shopkeeper demonstrates that’s not a linear trend. And there’s a school of thought that says mobile technology may break that trend, too. The potential invasiveness of mobile payments is so intense that customers might rebel and resist all privacy-infringing efforts even more—making mobile dangerously likely to blow up in retailers’ faces.

Level 3 merchants, whose compliance Visa only started making public this summer, have seen their relatively weak compliance numbers drop further, according to new figures the card brand released Monday (Oct. 31). Level 2 chains saw an even stronger drop, while Level 1s continued their improvement trend.

The numbers on their own are somewhat of a concern, given that compliance in any group is supposed to steadily improve. That’s especially true with a new entry, such as Level 3s, which start at such a relatively low level of compliance. In this instance, though, the explanation for the compliance dip might lie in a recent increase in the number of Level 3s trying to get compliant.

By now you’ve probably seen how easy it is to unlock an iPad 2 without knowing the password. Local TV news anchors are having a field day with this one, because even they can figure out how to exploit the hole Apple left in iOS5. It requires using the iPad 2′s magnetic smart cover and about five seconds of poking buttons and covering and uncovering the screen—a truly impressive security fail.

Apple has come up with a workaround (change the smart cover-related settings) and promises a patch soon, but this should still remind retail chains they need to be doing their own security in apps running on in-store mobile devices. Making sure a custom app automatically locks itself when it’s not being used will cost an associate a few extra seconds for one more password, but you really don’t want a thief to walk off with a tablet running a live application that’s connected with your payment or inventory systems. (And if your in-store iPads don’t have their own smart covers? Let’s just say that thieves tend to come prepared.)

A QR code approach that will display different information—and initiate different actions—based on the purchase history of the person scanning it is being evaluated by Home Depot, Target and Macy’s, according to the CEO of the QR vendor that is trying to sell that system. This next-generation QR code tactic leverages tracking codes from the mobile phones to establish a customer history and thereby permit highly customized responses.

“At the scan, we get a certain amount of metadata as a result of the scan itself—operating system, carrier, cell tower being used, etc. We get all of that,” said Scanbuy CEO Mike Wehrs. “We know what that app has scanned in the past.” Indeed, Wehrs argues, the app can secure data from the QR code plus the phone plus online data accessed from a retailer’s loyalty card database. “If the app integrates with their CRM files, it can give a completely customized experience.”

In a five-store trial—slated to expand chain-wide in the next two weeks—the Meijer grocery chain has gotten creative about letting customers locate products on the shelves using their phones. Given that GPS won’t work in-store and that in-store hardware sensors are expensive and labor-intensive, the chain is using a combination of Wi-Fi signal strength and product-barcode scanning to zero in on the customer’s location.

The potential of this microlocation mobile approach is compelling, because it provides a relatively easy—and somewhat accurate—way to help customers find product. Of course, that’s not the goal of all chains. Some chains—such as Costco—depend heavily on the customer stumbling on impulse buys as he/she wanders the aisles in search of the elusive clothes pins or peanuts.

Mobile-commerce sites, take note: Android phones are now outselling all other smartphones in Asia. On October 20, ABI Research reported that in 2011, Android will represent 52 percent of smartphones sold in Asian markets, up from 16 percent last year. (Combined with the 56 percent increase in Asian smartphone sales that ABI reported, that means a stunning five times as many Asian Android phones sold in 2011 as in 2010.) ABI also reported on Monday (Oct. 24) that, worldwide, downloads of Android apps now outpace those for the iPhone by 44 to 31 percent, although Apple users still download twice as many apps per phone.

That doesn’t mean iPhone use has fallen off a cliff—many of those Androids are likely lower-priced phones that are being snapped up by customers who can’t afford Apple’s price tag. But it does mean large numbers of M-Commerce customers will be using Android phones. That could actually make life easier for M-Commerce developers: With the market mainly split between spendthrift iPhone customers and more numerous cheapskate Android users, developers can decide who they want to target and how to make their mobile sites work well with either group—or both.

A federal appellate panel, reviewing some of the data-breach lawsuits against Hannaford, has dealt a very narrow setback to retailers, ruling that consumers can be entitled to identify-theft insurance and replacement payment cards. The fact that such an extremely limited support for consumer rights can even be seen as a setback for retailers puts into context how incredibly retail-friendly federal courts have consistently been in various data-breach rulings.

There are two likely near-term impacts from the ruling. First, Hannaford itself will now have this case return to an active trial status, where it will likely reside for an absurdly short of time before it’s settled for the very small number of dollars that such an insurance policy and card replacements (for just a few customers) will cost. For retailers throughout the country, though, the impact will be more muted.

PCI Columnist Walter Conway argues that this is a good week for every retailer’s IT, security and business departments, because they will have a relatively rare chance to sharply influence PCI issues. The PCI Council’s Special Interest Group (SIG) nominees for the coming year are coming up, and these folks have a key vote. The reason is that the Council has a short list of seven proposed SIGs, only three of which will be selected. Which three are chosen is solely based on the votes of Participating Organizations. Retailers will make their voices heard by voting for their three top choices. Whichever nominees the Participating Organizations decide to support with their votes, it will need to be done quickly: Online voting starts this week and ends November 4.

There are two changes to the SIGs this year. One change is that a Council staffer will lead the SIG (previously, the chair was a member of the PCI Council’s Board of Advisors). The other change is that each SIG must complete its work in one year. In years past, SIGs could—and sometimes did—run indefinitely, becoming a source of frustration for everyone. The changes should mean each SIG is focused on delivering results.

When a major Australian shopping mall next month starts tracking consumers by their mobile phones, they will try and pacify privacy advocates by stressing that no customer names nor phone numbers will be given to retailers. Truth be told, the tracking information that they will collect will be far more valuable.

The vendor behind the trial, a U.K. firm called Path Intelligence, pledged that “no mobile phone usernames or numbers could be accessed” and that “all we do is log the movement of a phone around an area and aggregate this to provide trend data for businesses.” But what if that phone-tracking data is linked with security cameras and/or POS systems? What if a mall representative called one of its retail residents and said, “We’re now tracking a woman who has spent $980 in the last hour and she has just walked into your store. For a $300 fee, I’ll tell you exactly where she’s standing right now. Deal?”

The PCI Council has updated its PIN Transaction Security (PTS) rules to include newer types of card-accepting systems, including mobile, kiosks and vending machines, but left vague are many of the most practical retail issues. The new PTS version 3.1 is aimed at device manufacturers. Given that retail shops need to be populated with compliant devices, though, how much time will device makers have to make upgrades? How long will existing systems be given a pass?

The guidelines, which are generally filled with commonsense security restrictions, offer nothing about timing, schedules or when retailers can—or should—include the new requirements in RFPs. The closest the guidelines get to referencing existing hardware is a brief comment that such components can be reused in newly approved systems. It does, however, detail fees.

Sears’ in-store mobile move is more about feature migration (from POS and consumer’s phones to phones controlled by associates) than new functionality. But for an October 2011 rollout—given some of Sears’ thinking—that might be just perfect. When Sears on October 13 added its name to the lengthy roster of chains rolling out in-store associate-controlled Apple devices, it opted to not offer checkout. But it is mirroring the services for customers that associates have, for years, been able to do from POS stations and that customers (for a lesser time) have been able to do from their own smartphones.

Sears’ conservative move makes more sense in the context that many customers may not feel like using their phones while shopping and, more to the point, most American consumers don’t yet have smartphones—if you accept the smartphone definition of a phone that can download third-party apps.

With all of the recent challenges retailers—including Macy’s and HSN—have had with QR codes, it’s not a surprise that many chains have underestimated how complex and difficult those little dot-filled squares can be. It’s not really that QR codes are so complicated as much as it is that they are different. The problem is that they are misleadingly similar enough to retail-friendly barcodes that they lull many into thinking QR codes can be handled the same way. As chains have tried pushing the images beyond posters and into devices such as televisions and magazines, they have slammed into the logistical problems new technology brings.

For example: Where should the QR codes be placed? Should it be near the bottom of the screen? Well, what if the consumer time-shifts with a DVR or Tivo? A part of the code could be overridden by screen buttons. Place it in a glossy magazine? Good choice, but you have to steer clear of the page side toward any glued (perfect-bound) gutter or else consumers won’t be able to get a full scan of the image.

Just when you thought you had figured out how to deploy in-store mobile devices, something comes along to remind you that it’s not that simple. Last month, the FCC ordered 20 small online retailers to stop selling illegal devices that jam the signals for mobile phones, GPS and Wi-Fi. No surprise there—but also not much impact, because such devices are easily available from other online retailers. That means anyone willing to pay as little as $80 could walk into a store in your chain and jam the Wi-Fi that your mobile POS depends on.

It’s a classic single-point-of-failure problem, and it could be frighteningly disruptive—especially since this holiday season will be the first at many stores with lots of in-store mobile devices in use, and almost all retailers are using Wi-Fi to keep them connected. A saboteur who uses a pocket-size jammer wouldn’t have access to payment-card information, but what’s supposed to be an impressive demonstration of retail technology would just irritate customers and frustrate associates—especially during the high-volume times that mobile POS should be a relief. And that’s just from an intentional saboteur. Unintentional Wi-Fi jamming could have even worse effects.

Last Thursday (Oct. 6), Walgreens rolled out its latest mobile feature, which enables its customers to get text reminders of prescriptions that are due for refill, orders that the chain said can be completed “with a simple ‘refill’ reply.” But as another reminder of the challenge of federal pharmacy privacy rules, the text is so restricted as to be borderline useless to the chain’s best customers.

The new service, called Refill Reminder Text Alerts, is based on a top-notch idea. The goal is to aid customers who have multiple refills and have had the onus of initiating contact with their pharmacy every time a prescription needs to be refilled, even if they have been consistently refilling the same prescriptions every month for years. Instead of waiting for the customer to call, the chain is initiating that contact and asking with a simple text for permission to refill the order. The problem involves restrictions from the U.S. Health Insurance Portability and Accountability Act (HIPAA). It prevents the texts from identifying which prescription it’s asking about.

Pity the poor BlackBerry. There are more BlackBerry models equipped with NFC chips than there are NFC iPhones and Android phones combined. BlackBerry phones are actually being used for mobile payments in some Middle Eastern countries. And on Monday (Oct. 10), BlackBerry maker Research in Motion announced a new set of NFC-based features that sound like a perfect platform for doing payments, too. But still, nobody takes the BlackBerry seriously as a mobile-payments contender in the U.S.

There are lots of reasons for that: IT shops have bad memories of having to run proprietary RIM servers to support BlackBerry users. RIM’s periodic network outages (such as the one slowing E-mail delivery and choking BlackBerry Internet access this week) give retail IT plenty of reason to hope payments will never depend on RIM. And although iPhones are sexy and Android phones are at least gadgety, BlackBerrys—until recently—looked downright clunky. But with a growing consumer fan base spearheaded by BlackBerry Messenger users, along with actual experience doing mobile payments, retailers may have to bite the bullet and accept that RIM is going to be a payments player in the U.S., too. The question is, how soon—and then how?

Retailers are starting to outrun Google when it comes to Google Wallet. On Tuesday (Oct. 11), the $334 million Peet’s Coffee chain announced that, by the end of October, it will upgrade POS devices to accept Google Wallet payments at all 193 company-owned stores—not just the ones in New York, Los Angeles, Chicago, San Francisco and Washington, D.C., where Google Wallet was officially rolled out in late September. Peet’s is working fast—American Eagle Outfitters didn’t even officially launch Google Wallet in the target cities until Wednesday (Oct. 12), although AEO actually had it working in some stores a month ago.

If Google was hoping for an orderly Wallet rollout, it may be out of luck. There’s only so long the window will stay open for retailers to look cool by offering mobile payments—once customers get used to it, Google Wallet will be more useful but not nearly so interesting. That means at least some smaller retailers may be in a race to get Google Wallet running in as many locations as possible, never mind Google’s plans. And once retailers, not Google, are calling the shots on the mobile-payments rollout, that’s control that Google may never recapture.

HSN last Friday (Oct. 7) took the next logical step with mobile-friendly QR codes by placing them in a corner on the television screen, giving high-definition TV viewers the chance to learn more about the products being shown. In addition, HSN cleverly tried to avoid the QR snafus that other retailers—such as Macy’s—have fallen into by using its on-air hosts to teach visitors how to use the codes.

But the limited four-day experiment also demonstrated the many QR drawbacks that retailers have to struggle with. A reporter for Forbes, for example, tried making a purchase during the event through a QR code and found that her couch was 10 feet away from the screen but that she had to get up to scan the code from five feet away. People who successfully navigated the QR code got to an ordinary Web site page. No discount, no special reward. And how long would the code be displayed? Then there’s the learning curve.

Remember those demonstrations of how the payment-card numbers can be stolen from contactless cards by a thief carrying a card reader who bumps victims’ wallets and purses in a crowd? Yes, it’s been a staple of local TV news for years, and it’s a legitimate potential security risk—a risk that was going to be eliminated by NFC mobile payments. That, it turns out, didn’t quite work out the way the proponents of NFC phones were hoping it would.

The key to making phones more secure was supposed to be that a required PIN would prevent the NFC chip from being turned on most of the time, and the chip would be powered down quickly after a transaction when the screen went dark. That’s certainly the way Google Wallet was designed for Android phones. But according to most of the reviews of Google Wallet, all that PIN-punching is a pain, and the phone’s screen quickly going dark is annoying. Guess how secure that makes the NFC chip?

Apple on Tuesday (Oct. 4) made the boldest—and smartest—mobile payment move it possibly could: nothing. Based on almost any metric—customer experience, market share domination, ROI/profit enhancement, pushing the sales of non-payment hardware/software, etc.—the right course now is for Apple to sit back and let Visa, Google, PayPal, Square and ISIS fight it out as they pay for the infrastructure. Then, when the bugs have been worked out so Apple can deliver its legendary “it just works” customer experience—then jump in.

Not unlike IBM in the 80s and 90s, Apple is in the highly enviable position that it can wait until it’s time and then still dominate the market when it makes the move. Indeed, it might even be easier and more effective to do it that way. But that strategy will also determine who will define the retail NFC standards that matter—the ones on the checkout counter and in the retailer’s datacenter. And that won’t be Apple.