
Payment Systems


One Out Of Three Retailers Screws Up QR Codes. They Are A Lot Harder To Use Than They Look

October 19th, 2011

With all of the recent challenges retailers—including Macy’s and HSN—have had with QR codes, it’s not a surprise that many chains have underestimated how complex and difficult those little dot-filled squares can be. It’s not really that QR codes are so complicated as much as it is that they are different. The problem is that they are misleadingly similar enough to retail-friendly barcodes that they lull many into thinking QR codes can be handled the same way. As chains have tried pushing the images beyond posters and into devices such as televisions and magazines, they have slammed into the logistical problems new technology brings.

For example: Where should the QR codes be placed? Should it be near the bottom of the screen? Well, what if the consumer time-shifts with a DVR or TiVo? A part of the code could be overlaid by screen buttons. Place it in a glossy magazine? Good choice, but you have to steer clear of the page side toward any glued (perfect-bound) gutter or else consumers won’t be able to get a full scan of the image.


Mobile POS’s Unfixable Single Point Of Failure: Wi-Fi

October 13th, 2011

Just when you thought you had figured out how to deploy in-store mobile devices, something comes along to remind you that it’s not that simple. Last month, the FCC ordered 20 small online retailers to stop selling illegal devices that jam the signals for mobile phones, GPS and Wi-Fi. No surprise there—but also not much impact, because such devices are easily available from other online retailers. That means anyone willing to pay as little as $80 could walk into a store in your chain and jam the Wi-Fi that your mobile POS depends on.


It’s a classic single-point-of-failure problem, and it could be frighteningly disruptive—especially since this holiday season will be the first at many stores with lots of in-store mobile devices in use, and almost all retailers are using Wi-Fi to keep them connected. A saboteur who uses a pocket-size jammer wouldn’t have access to payment-card information, but what’s supposed to be an impressive demonstration of retail technology would just irritate customers and frustrate associates—especially during the high-volume times that mobile POS should be a relief. And that’s just from an intentional saboteur. Unintentional Wi-Fi jamming could have even worse effects.


BlackBerry Sneaks Up On Mobile Payments. Should Retailers Care?

October 12th, 2011

Pity the poor BlackBerry. There are more BlackBerry models equipped with NFC chips than there are NFC iPhones and Android phones combined. BlackBerry phones are actually being used for mobile payments in some Middle Eastern countries. And on Monday (Oct. 10), BlackBerry maker Research in Motion announced a new set of NFC-based features that sound like a perfect platform for doing payments, too. But still, nobody takes the BlackBerry seriously as a mobile-payments contender in the U.S.

There are lots of reasons for that: IT shops have bad memories of having to run proprietary RIM servers to support BlackBerry users. RIM’s periodic network outages (such as the one slowing E-mail delivery and choking BlackBerry Internet access this week) give retail IT plenty of reason to hope payments will never depend on RIM. And although iPhones are sexy and Android phones are at least gadgety, BlackBerrys—until recently—looked downright clunky. But with a growing consumer fan base spearheaded by BlackBerry Messenger users, along with actual experience doing mobile payments, retailers may have to bite the bullet and accept that RIM is going to be a payments player in the U.S., too. The question is, how soon—and then how?


Google Loses Control As Retailers Push Out Wallet

October 12th, 2011

Retailers are starting to outrun Google when it comes to Google Wallet. On Tuesday (Oct. 11), the $334 million Peet’s Coffee chain announced that, by the end of October, it will upgrade POS devices to accept Google Wallet payments at all 193 company-owned stores—not just the ones in New York, Los Angeles, Chicago, San Francisco and Washington, D.C., where Google Wallet was officially rolled out in late September. Peet’s is working fast—American Eagle Outfitters didn’t even officially launch Google Wallet in the target cities until Wednesday (Oct. 12), although AEO actually had it working in some stores a month ago.

If Google was hoping for an orderly Wallet rollout, it may be out of luck. There’s only so long the window will stay open for retailers to look cool by offering mobile payments—once customers get used to it, Google Wallet will be more useful but not nearly so interesting. That means at least some smaller retailers may be in a race to get Google Wallet running in as many locations as possible, never mind Google’s plans. And once retailers, not Google, are calling the shots on the mobile-payments rollout, that’s control that Google may never recapture.


HSN Advances QR Codes To TV—And Then Learns Why They Are So Frustrating

October 12th, 2011

HSN last Friday (Oct. 7) took the next logical step with mobile-friendly QR codes by placing them in a corner on the television screen, giving high-definition TV viewers the chance to learn more about the products being shown. In addition, HSN cleverly tried to avoid the QR snafus that other retailers—such as Macy’s—have fallen into by using its on-air hosts to teach visitors how to use the codes.

But the limited four-day experiment also demonstrated the many QR drawbacks that retailers have to struggle with. A reporter for Forbes, for example, tried making a purchase during the event through a QR code and found that her couch was 10 feet away from the screen but that she had to get up to scan the code from five feet away. People who successfully navigated the QR code got to an ordinary Web site page. No discount, no special reward. And how long would the code be displayed? Then there’s the learning curve.


PCI’s ISA Program: How Independent Can An Employee Ever Be?

October 12th, 2011

In the PCI alleys, there has been some back-and-forth recently about the PCI Council’s Internal Security Assessor (ISA) program and some MasterCard changes about whether participants needed to be auditors. Although the impact of the back-and-forth is relatively trivial, it brings up an interesting question: How independent does an independent assessor really need to be?

The essence of the ISA program is for retailers to have someone on their team who is trained in PCI nuances and who can help the chain maintain compliance between assessments. Most of the retailers that are working with the ISA program plan to continue using their QSA. If ISA works, it would enable much faster and less painful assessments, because someone internal at the merchant is constantly watching for anything that could cause a compliance problem. To be candid, none of the players involved is independent at all. The internal folk are all on the retailer’s payroll, and the external QSAs are all being paid by the chain to conduct the assessments.


Why The NFC No-Show For Apple? It’s The Apple Experience

October 5th, 2011

Apple on Tuesday (Oct. 4) made the boldest—and smartest—mobile payment move it possibly could: nothing. Based on almost any metric—customer experience, market share domination, ROI/profit enhancement, pushing the sales of non-payment hardware/software, etc.—the right course now is for Apple to sit back and let Visa, Google, PayPal, Square and ISIS fight it out as they pay for the infrastructure. Then, when the bugs have been worked out so Apple can deliver its legendary “it just works” customer experience—then jump in.

Not unlike IBM in the 80s and 90s, Apple is in the highly enviable position that it can wait until it’s time and then still dominate the market when it makes the move. Indeed, it might even be easier and more effective to do it that way. But that strategy will also determine who will define the retail NFC standards that matter—the ones on the checkout counter and in the retailer’s datacenter. And that won’t be Apple.


Amazon Tops Wal-Mart: Mobile Revenue 15X Greater

October 5th, 2011

Newly released mobile-commerce sales figures from major retail chains show a stunning difference in success, with the largest M-Commerce retailer—Amazon—making more than 15 times as much as the next largest M-Commerce revenue retailer: Wal-Mart. M-Commerce revenue plunged after that, with Amazon, for example, making 156 times the M-Commerce revenue of Home Depot. Part of the explanation is that retailers, in general, are doing quite poorly in M-Commerce sales. A new extensive ranking of the 300 largest M-Commerce companies—sequenced by M-Commerce revenue—shows only two retailers in the top 10 list.

The $2 billion Amazon is projected to make via transactions made by consumer phones is a non-trivial figure, given its $34.2 billion in global revenue of all types, according to the figures published by Internet Retailer. But note how quickly the numbers drop with its rivals. Wal-Mart, the only other retailer to make the overall top 10, appeared at slot 4 with $127.7 million. The third largest retailer—Staples—comes in at a projected $45.3 million this year, followed by Best Buy ($37.9 million), Macy’s ($33.2 million), Buy.com ($32.5 million), Foot Locker ($32 million), Sears ($31.7 million) and Overstock ($31.6 million).


Federal Reserve Listens To Security Vendor CEO Rip Into PCI

October 5th, 2011

Before a typically staid Federal Reserve Bank of Chicago symposium last week, the CEO of a security device vendor violated Jim Croce’s rule of not tugging on Superman’s cape. In a speech, the CEO ripped into the PCI Council, dubbing it a “dangerous false God” and saying that “PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority. It has and will continue to stifle innovation by its often nonsensical rule making.” And she then stopped pulling her punches.

To put this into context, PCI has unquestionably improved retail security in the U.S. and few have suggested a concrete alternative approach that wouldn’t bring with it even worse problems. Like the criminal courts, a system can be very far from perfection and still be the best of all alternatives. It’s also true that when security choices are made, some vendors are not going to be happy with the new rules. Even with all of that said, the directness and intensity of the speech by Magtek CEO Mimi Hart is worthy of note.


Sears Associate Steals A Customer’s Credit Card, Then Gets Caught When He Uses His Personal CRM Card To Get Points

October 5th, 2011

If there’s one thing a Sears associate—especially one who logs lots of cashier time—should understand, it’s how CRM works. But according to police in Heath, Ohio, at least one didn’t, and he’s behind bars as a result. Well, that, plus he stole a customer’s credit card and used it to make purchases at gas stations—where he also used his loyalty card to make sure he got points for every purchase. Oops!

The tale of 19-year-old Sears associate Zachariah S. Grigsby, though, gets even more strange. It all started on August 12 when Grigsby, who worked at the Sears at Heath’s Indian Mound Mall, was processing a customer who used his Discover card, said Heath Det. Sgt. Craig Black.


Traditional POS Purchases To Plummet Due To Mobile, IHL Reports

September 28th, 2011

Over the next four years, retailers will buy an average of 10 percent fewer traditional POS units, opting instead to use mobile checkout, according to an IHL Mobile study slated to be released next week. But that may be a misleadingly small change, because some sectors—such as specialty retailers—will see traditional POS purchases plunge by 20 percent in that same timeframe, which means “roughly 200,000 units going away. That’s more than NCR ships for an entire year worldwide,” said IHL President Greg Buzek.

Several elements over the next few years—the report projects out to 2015—will make this change even more dramatic. Some 45 percent of new stores will be “mom and pops that are just starting. There you’ll see a tremendous impact,” because the stores won’t even start with a traditional POS, Buzek said. “Why pay $3,000 [for a traditional POS] when I can get an iPad and put Square on it? This is going to fundamentally change the mall in the next three years.”


Mobile POS Beta Site Fear Keeps Checkout Right By Exit

September 28th, 2011

When the manager of a Florida hobby store was about to begin testing in-store mobile checkout as part of an NCR beta test in June, she envisioned using the devices throughout the store, to both free up POS space and give shoppers a faster experience. But like so many mobile-payment issues, those plans yielded to the reality of hosts of unanswered loss-prevention questions about the mobile payments. The manager ordered the Apple-based units be restricted to an existing POS area right by the exit.

As mobile payments inch along, retailers are trying to balance two concepts: the ideals of mobile-payment strategies with the mundane, practical logistics issues. And nowhere did those two concepts collide more clearly than in the one-location $3.5 million specialty store in Plantation, FL. How could someone at the door verify that the receipt is legitimate? For that matter, if the associate at the door is shown a digital receipt, how is he/she to know if it’s a valid receipt—as opposed to a doctored image—unless the associate scans the receipt’s barcode and runs a check to see if that item was indeed purchased in the prior 10 minutes?


ISIS Lines Up Phone Makers, But Where Are The Retailers And Customers?

September 28th, 2011

With mobile-payments rivals Google and PayPal breathing down its neck a week before Apple announces its new iPhones (and possibly its own mobile-payments plans), ISIS on Tuesday (Sept. 27) said it has lined up five Android handset makers plus BlackBerry maker RIM to support ISIS-style mobile payments. Actually, that’s a little less than it appears: NFC-equipped phones from Samsung, HTC, LG, Motorola, Sony Ericsson and RIM will support “preexisting global standards” that “essentially detail how banks and other service providers can securely provision payment credentials in the secure element,” according to an ISIS statement.

That brings six phone makers, four card brands and three mobile telcos under ISIS’ big tent, along with DeviceFidelity, which lets non-NFC phones add NFC through a microSD slot. Problem: ISIS’ card brands have also signed with Google, as have the five Android handset makers (and DeviceFidelity says its deal with ISIS isn’t exclusive, either). Bigger problem: ISIS has yet to demonstrate payments, while Google Wallet is already operating with multiple retailers. It’s hearts-and-minds time, but ISIS has nothing exclusive and nothing to show potential users. Would it kill these telcos to just demonstrate they can actually make a transaction?


As Federal Data Breach Bill Goes To The Full U.S. Senate, NRF Warns Of “Notice Fatigue.” Not To Worry: This Bill’s Many Loopholes Won’t Require Retail Chains To Do Much Anyway

September 27th, 2011

On September 22, the U.S. Senate Judiciary Committee pushed a data security bill—which has been bouncing around that chamber for six years—to the full Senate. The bill would create federal data security rules, including new retail data breach disclosure rules. But the bill (Personal Data Privacy and Security Act of 2011 introduced by Sen. Patrick Leahy, Dem.-VT) still suffers from many of the lengthy exceptions that it has had for years, exceptions that all but guarantee that few retailers will be required to do anything differently.

But in light of this bill’s lengthy exemptions and data breach size limits—public disclosure, for example, is only required when a breach impacts more than 5,000 people in one state—the National Retail Federation issued a statement saying it fears that with so many retailers having to report data breaches under this legislation people might get bored and start to ignore the notices. NRF dubs this scenario “notice fatigue.” What does it say to the nation when the chief lobbying organization charged with protecting retail interests publicly trumpets the fact that it believes there will be a huge number of data breach reports if full disclosure is required? Yeah, that makes me want to go and buy stock in Wal-Mart and Walgreens right away.


The Latest Grocery Chain To Ditch Self-Checkout Adds Theft And Other Issues To The Debate

September 27th, 2011

In the ongoing battle of words over retail self-checkout with Kroger and Albertsons—with each side arguing to its customers that true customer love means rejecting/retaining self-checkout—the latest comes from a 75-year-old $1.5-billion regional grocery chain that was late to the game in beginning self-checkout and right in the middle of the rush to jettison it. But even though the chain certainly argued a customer service reason for the swift chain-wide exit, it also said that it couldn’t stomach the high theft rate.

The Big Y chain, with 61 stores in Connecticut and Massachusetts, announced this month that it would kill all of its self-checkout lanes. “In the battle of Service vs. Self Checkouts, service won,” the chain said in a short statement. In a conversation with a chain executive, though, the decision sounded a lot more complicated. To be blunt, it didn’t seem as if the chain had ever been all that fond of self-checkout, which it first deployed back in 2003. “We were one of the last chains to get into the self-checkout game. We were really dragging our feet,” said Claire D’Amour-Daley, the chain’s VP for corporate communications.


PCI Strategy: Avoiding The “Anything But SAQ D” Dilemma

September 27th, 2011

The PCI SAQ process needs work, but SAQ C is especially problematic. Retailers who qualify for SAQ C process payments on a payment application connected to the Internet. The target audience for SAQ C is small merchants with a payment application on their personal computer, which connects to the Internet to process card transactions. Other requirements are that the merchants store no electronic cardholder data and that their computer is not “connected to any other systems in your environment.”

In the real world, many retailers and franchisors (and franchisees) try to qualify to use SAQ C. PCI Columnist Walter Conway calls this the “anything but SAQ D” approach. In his experience, the biggest challenge of SAQ C is isolating the application server(s) from the rest of the merchant environment. Conway knows merchants who have devoted a lot of effort and changed their network so they can qualify for SAQ C. A recent clarification by the PCI Council, however, limits the ability of many retailers and franchisors to use this SAQ.


Is It Apple Vs. Google In Mobile Payments?

September 22nd, 2011

When Visa announced Monday (Sept. 19) that it had officially sold a license to Google Wallet, it signaled a key next step in the mobile payment maneuvers. Google now appears to have the best position with retailers, while ISIS gets love from banks and card issuers, and PayPal is relying on its own online payment abilities. Then there’s the mobile payment candidate waiting in the wings. Will Apple in a month or so make its NFC mobile move?

That’s increasingly likely—at least if Apple is ready. This particular fight may be moving to the hearts and phones of consumers, where two players—ISIS and PayPal—have serious handicaps. But consumers see Google as a search engine that does a lot of stuff for them for free. And if any company generates even more warm-and-fuzzy feelings than Google, it’s Apple. And Apple also has a host of rarely-discussed huge mobile payment advantages, starting with the fact that it’s a retailer and a darn innovative one at that.


PayPal’s In-Store Mobile Pitch Doesn’t Seem To Know Problems Even Exist

September 21st, 2011

PayPal’s not-quite-a-mobile-payments-announcement on September 14 was a nearly perfect primer on how not to convince retailers you’re a serious player in in-store payments: Trot out a collection of rebranded (but unintegrated) technologies—everything from your own mag-stripe cards to self-checkout by phone to yet another nonstandard use of PIN pads—and then demo them without any hint that you recognize the unsolved problems they carry, never mind having solutions.

The problem isn’t just that PayPal has apparently done nothing to pull together its pile of recently acquired technologies into a suite of payment services. It’s that each of these services has real problems that have dogged retailers’ efforts at mobile payments for years. And astonishingly, PayPal doesn’t seem to have solved any of them.


The PCI SAQ Problem: Versions Are Much Too Incomplete

September 20th, 2011

The shortened versions of the Self-Assessment Questionnaire (SAQ) have only one problem: They are incomplete. There are PCI requirements every merchant should meet beyond what is specified in any shortened SAQ. Any retailer that limits its PCI compliance effort to completing one of the shortened SAQs trades off security for compliance. That is, any merchants who think they need only meet the requirements of a shortened SAQ risk a data compromise that can result in ruinous fines and land them in the headlines for reasons they would rather not be there.

The SAQ is an excellent starting point, pens PCI Columnist Walter Conway. But it is not (and does not promise to be) an all-inclusive approach to achieving—not just validating—PCI compliance. In a previous column, Walt noted the PCI Council’s point that slavishly (his terminology) completing a SAQ may not be enough to be PCI compliant.


New PCI P2PE Rules Drop Compliance Requirements To 2

September 20th, 2011

Last week’s 96-page PCI Point-to-Point Encryption (P2PE) validation requirements document from the PCI Council offered retailers a non-trivial compliance carrot: Implement P2PE according to the Council’s specs and see your PCI scope drop from 12 requirements to just two.

The big news is where the Council says in the report that “it is expected that PCI DSS controls that will be applicable to a merchant’s validation will include (but will not be limited to): Protection of media and devices; Maintaining information security policies and training for personnel; Processes for management of third-party providers (including P2PE provider); Incident response and escalation procedures.” That means a retailer implementing approved P2PE might reduce its PCI compliance to just requirements 9 and 12 (and maybe 11.1). The Council’s words “will include (but not be limited to)” are important. We have, effectively, a new PCI standard with the accompanying infrastructure: detailed hardware and software specifications, an independent P2PE validation process and two new flavors of specialized QSAs.


PCI’s New P2PE Rules Won’t Kick In Until Spring 2012 Or Later

September 15th, 2011

The PCI Council on Thursday (Sept. 15) will detail its initial guidelines for point-to-point encryption (P2PE), but retailers need not—and should not—take any near-term action. Nor should they sign any imminent contracts involving P2PE. Why? The Council will stress that the document—a 96-page detailed description of various P2P approaches and common-sense security processes for each—is only “the first set of validation requirements” and that key parts of the program won’t even be in place for six to eight months and might be delayed even further.

Why such delays? First, the Council wants retailers to contract only for P2PE applications that appear on a Council list of applications validated to be PCI compliant. The problem? That list doesn’t yet exist, and the list’s creation is “targeted for Spring 2012,” according to a draft copy of the Council’s document. A second reason for the delay is PCI training of assessors. The Council isn’t promising to identify the testing procedures until “the end of 2011,” and “training opportunities” (which we assume means classes) won’t be detailed until “Spring 2012.” The report will say that the guidelines—even if perfectly followed—won’t offer a path for a retailer to be considered out-of-scope. The best that a chain can hope for, according to the document, will be “reduced scope.” But nowhere does the document say what exactly that would and wouldn’t include.


Macy’s Statement Argues That IT Really Matters To Wall Street. Now If Only Wall Street Really Believed That

September 14th, 2011

When Macy’s on Tuesday (Sept. 13) issued a statement summarizing a wide range of IT investments, including stores borrowing inventory from each other, a cosmetics kiosk, some tablet deployments, digital receipts, Wi-Fi, Google Wallet support and online chats (Really? No touting those newfangled UPC codes?), the fact that many of these IT efforts happened months ago made the compilation news release seem baffling. Baffling, that is, until we figured out the point: IT is now cool. Or at least Wall Street thinks it is.

To be specific, Wall Street doesn’t think that all IT investments are cool. It’s when IT investments come from companies where it’s not expected. When eBay or, heaven forbid, Amazon invest in IT, Wall Street lets them have it with both spreadsheets, in a way that it would have never criticized Wal-Mart for opening new stores. But when the Sears and Macy’s of the world start talking about these space-age computer thingies, stock analysts get all starry-eyed.


Now For All StorefrontBacktalk Readers: Five Monthlies Covering E-Commerce, Mobile, Security, In-Store And CRM

September 14th, 2011

Starting today (Sept. 14), we are making our monthly topic-specific newsletters available for all of our readers, for free. These five newsletters—each one covering solely E-Commerce, Mobile, PCI/Security, In-Store or CRM issues—have until now only been available to Premium subscribers.

For readers focused on any of those areas, the Monthlies provide an easy way to keep up-to-date and to make sure you don’t miss any story important to your operation. The Monthlies also have two other helpful features.


Point-To-Point Encryption Guidance Arrives: Device Testing and Possible Surprises For Early Adopters

September 14th, 2011

The PCI Council on Thursday (Sept. 15) is releasing a guidance document on point-to-point encryption (P2PE). This technology—properly implemented—has the potential to reduce PCI scope greatly, and several retailers have already implemented it. But one issue may have early adopters digging up their vendor agreements: Are they sure their implementations—particularly the encrypting POS devices—will pass the Council’s new Secure Card Reader testing program? Will their vendors replace the POS devices with compliant ones, assuming they can, and what will that cost?

The idea behind P2PE, pens PCI Columnist Walter Conway, is that an encrypting POS terminal encrypts the cardholder data (the first “point”) immediately as the customer’s card is swiped. A third-party service provider (the second “point,” and often the merchant’s card processor) manages both encryption and key management. The third party is the only one that can access the actual cardholder data. The result is that when P2PE is properly implemented, almost all the merchant’s systems are out of PCI scope because the merchant has no way to decrypt the data or ever to get access to the clear-text cardholder data.


Global Recession? Somebody Didn’t Tell That To POS Makers

September 7th, 2011

In yet another example of mobile rewriting almost everything retail, the most recent quarterly POS terminal shipments spiked nearly twice as much as had been predicted, according to new figures from IHL. One of the key factors driving those shipments was retailers eager to upgrade their POS to be in a better position to accept mobile payments. “The biggest surprise was the resiliency of the POS market and the level of shipments, which was nearly double what we had predicted for the quarter,” said IHL CEO Greg Buzek. “In a global economy that slowed tremendously in the second quarter due to fuel prices, earthquakes, tsunamis and other factors, the retail POS market was particularly strong.”

IHL is now projecting a $7.3 billion worldwide POS spend for 2010—which includes hardware, software, and maintenance—and it expects 2011 to hit $7.78 billion. For the “pave the way for advancements” category, Buzek pointed to mobile as well as CRM, loyalty and merged-channel capabilities. On the more pragmatic side, many of these purchases are most likely equipping stores that were ordered long before the global recession peaked. “These were capital campaigns that were in the works before the economy soured, so it is 2010 results, creating budgets and new stores, and that creates a need for new POS,” Buzek said.


Most Recent Comments

"Careless" Systems Integrators Now Directly Under PCI DSS

This exact issue has been bothering me for years, and I was JUST talking about it with someone only yesterday. This may well be my favorite article, mostly because I'm biased and have hated this particular problem forever.

Good article, but how does this have anything to do with the DSS?

Actually, the QIR program has a lot to do with the DSS (or PCI). Since merchants rely on their reseller or integrator to implement their PA-DSS validated application, these resellers and system integrators play a critical role in merchants achieving and maintaining PCI compliance. As far as I can tell, the QIR program is designed to help merchants stay compliant by making sure their payment applications are installed according to the PA-DSS Implementation Guide, for example ensuring default passwords are changed (and protected), that the data encryption keys are properly set and secured, that the merchant's data retention policy is set, that no sensitive cardholder data are stored, and often that a firewall is in place and properly configured.

Although this is a great move forward in pushing the issue of highly trained people, it is also a good marketing ploy for the council. It begs the question: How much do they stand to make? The problem for this is that for people (like myself) that are just starting out their own business venture, PCI has typically charged a premium for their training and certifications. This change will likely force those of us with less capital to spin into the abyss. I have more than 15 years in the security and compliance fields with heavy hitter certs like CISSP, CRISC, and Sec+. There should not be a guide but a free test or a pre-requisite of either the PCI cert OR other heavy hitter certs. I just don't want the good guys in small places to get flushed out.

The ETA recently launched the Certified Payment Professional program, which charges $425 for non-members to take the test, assuming they meet the 'experience' requirement, to PROVE they are a professional. And they'll have to take it every 3 years. Worthy program, but high cost. Plus, only a select few were allowed to be in the first class, and there are only 4 test windows per year currently. So being on the registry simply means you were lucky enough to get picked, nothing to do with skill level.

@Cory: Thanks for your comment and question about the pricing of the QIR training. I raised that question in a conversation with Bob Russo last week, and I will address it in a follow-up column in a few days. While the pricing is not yet set, hopefully it will not be too great a burden for you or other integrators/resellers. We'll have to see, though.

Costco Self-Checkout Trial Setback After Store Losses

Not all self checkout works this way. One self checkout vendor is designed to work this way and it leaves a gaping security problem that can create this situation. There are 3 predominant providers of self checkout in the U.S. and this represents the lowest installed base provider of the 3 and their market share continues to shrink from reports I have seen.
Editor's Note: The vendor that Mark was referencing is IBM. His point is that other systems make it easier for any weight mismatches to require associate intervention--just like with alcohol or cigarettes or any other age-restricted item--rather than a more passive flag to the customer that the item was excluded.
Another angle on the challenges with self checkout which may come to the retail scene in the next year is the tap and go/NFC smart phones. Though these are all the rage in Japan, we have yet to adopt them in the U.S. But that will change as the new phones emerge with the chips embedded this year. And the new demographic wants to use this type of technology. A large retailer told us that NFC phone customers are getting their identities stolen, even though the self check-out requires proximity-- and they do not want to take responsibility for this occurrence in their stores, on their premises. So although they like the idea of self check-out they are still experimenting with various approaches.
For self checkout, item-level RFID or unique barcodes plus real-time tracking appears to be the missing component. Mail delivery companies use real-time tracking of mail with a barcode and assure delivery at a certain time. Public libraries embed books with RFID and track them through checkout. Retailers and SCO manufacturers are going to have to accept the fact they cannot rely on UPC and really need an item-level identifier that tracks that specific product as a unique item from shelving to checkout.

Visa Yanks Global Payments' PCI Compliance. Catch-22 In Full Force

So PCI compliance can not guarantee that a provider will not be breached, but a breach is inherent evidence of non-compliance? Any comment from VISA as to whether they will continue to accept ROCs prepared by Trustwave? Seems like an inconsistent position.
Global Payments reported they were working toward being in compliance with PCI, despite already being on the list. In a backwards way, they admitted they were not previously in compliance. We can't really say that a breach is inherent in these types of situations without having a full investigation report. That's one reason why MasterCard is waiting to see what forensics finds before yanking them from their list.
In the past, Visa has stated, "No compromised entity to date has been found to be in compliance with PCI DSS at the time of the breach. In all cases, forensic investigations have concluded that compliance deficiencies have been a major contributor to the breach." This quote can be taken two ways. Either PCI is perfect and all-encompassing and compliance guarantees you won't be breached; or there are so many “gotchas” in PCI that no one can escape non-compliance. I personally believe that PCI is written in such a way — and interpretations among QSAs vary so much — as to make it impossible for anyone to be 100 percent compliant 100 percent of the time.
PCI, TSA, IRS - obviously none of these functions as intended or as promoted. I've said it before and I say it again, hackers are free of personnel, budget, expertise, infrastructure and time constraints. Nothing, NOTHING, is ever fully safe. Visa and its attorneys simply choose to hide behind the false sense of security of the PCI veil. Truth be known, Visa has probably been hacked. Anyone see the similarities between VISA and the wizard of OZ?
This begs the question, how does this decision by Visa affect Third Party Processors (TPAs)? Our TPA agreement has wording to the effect that we can only send CHD to PCI compliant processors and banks. Now that Visa has deemed GPS non-compliant, are we breaking our TPA agreement by allowing our customers to continue using GPS?

How About A Little Service Provider Responsibility Here, PCI-Wise?

I appreciate the one-sidedness issue highlighted in this article. I also understand how card brands have a contractual link to merchants - but only rarely do with service providers. I'd find it virtually meaningless for the PCI requirement to mandate actions by the service provider, when they have no contracted responsibility to a commercial entity. That said, 12.8.4 places an obligation on the service provider to demonstrate compliance to their customer the merchant (or service provider, Acquirer etc). Is not the combination of these 2 requirements having the same outcome?
PCI is like banging your head on the wall. When you complete the SAQ, it feels good stopping.
Actually, service providers do have direct links to the card brands. For example, many have direct system connections/access points to the card networks. More importantly, all service providers validate their PCI compliance to the card brands. The brands (at least Visa and MasterCard) also post lists of compliant Level 1 Service Providers on their websites. My point was not so much about the card brands, though. I was observing that since PCI already has a number of requirements that apply only to Service Providers and not to merchants, there is precedent for one more Service-provider-only requirement to cure the imbalance I noted.
Walt, I'd suggest that perhaps you have a limited concept of who would be considered a Service Provider under the guidelines that you've suggested. The fact is that most resellers/integrators do NOT have direct links to the card brands or the card networks. They may work with processors to board new merchants or provide support, but there is no contractual or legal obligation at all. Your comment that all service providers validate their PCI compliance is also way off base if you include resellers & integrators. The limited number of Level 1 Service Providers probably do validate their compliance, but the vast majority of resellers/integrators are not that big.

The Never-Ending Dance Of Contactless Security

Contactless should require multi-factor authentication for financial transactions. However, multi-factor authentication will nullify the main benefit of contactless transactions which is speed. Is there really an improvement between a mag swipe and contactless tap if multi-factor authentication is required?
Contactless card transactions are verified online, if there is fraud the bank will take the liability. This does not happen with checks or bills. Oh and contactless is faster than any other form of payment and you do not have to check the takings at the end of the day: so faster service and a bit more secure.
To contactless. Not completely true that the bank will take the hit for a fraudulent contactless transaction. When paying at the fuel pump with contactless, you will have a defined pre-auth limit which is set by the issuer and obtain an online auth number. Even with the issuer providing real time auth, should the customer dispute the transaction, the liability and burden of proof still lies with the retailer in most circumstances. To the issuer they claim this is a "card not present" transaction if completed out of sight of the store attendant. Add that to the fact that a gas station forecourt allows the hiding of the necessary fraudulent transaction supporting equipment inside a vehicle, it creates the anonymous environment that fraudsters prefer to operate under.

The PayPal Problem: Will It Impact Retailers' PCI Scope?

For the foreseeable future, retailers are not going to be transacting exclusively against PayPal accounts. Therefore, with the assumption that the payments are stored, transmitted and processed through the same systems as "regular" CHD, there will be no change in scope. Merchants will have to protect the PayPal payment information with the same rigour as PANs/CV2s/tokens, but this isn't arduous because they are doing it right now. (Or should be.)
This is the problem with the notion of the high value token wording in September's guidelines. As you rightly point out an email address, mobile no. or even a name can be considered a high value token. Yet by their very nature these are all readily available in the public domain, so I find it hard for them to be considered as a high value token.
Will Visa be including in their V.me system the additional ability for online payers to source funds via a “debit” transaction from their banking account, rather than only by a credit card transaction as has been the case in the past because of the PIN requirement for such a “debit” transaction? After all, what’s the difference between a PIN, that Visa/MasterCard already hold, and a password required to access a secure online payments gateway?
The PayPal user information is much more "high value" because it can be used across merchants to initiate transactions. If I have it or gain access to it via a merchant compromise, there is nothing to stop me from using it at another merchant. A properly designed tokenization system should have rules that prohibit tokens obtained from one merchant to be used at another merchant and/or prohibit initiating transactions unless the PAN and authentication data has been previously received by that merchant.
A big difference with PINs (at least in the debit world) is that they should only be entered into an encrypting PIN Pad. The feeling goes that if I steal a card with a valid PIN I can go to an unattended device (ATM) and pull out money w/o having to present a legitimate card to a person. I suppose you could make the same case (which you did) regarding an online transaction w/ a password.
PayPal's plan of POS attack is to entice merchants with below-cost credit and debit card processing, which is an offer no retailer will refuse. The company will subsidize its losses from the card transactions with the very high-margin profits it enjoys when its users fund the sales amount from their bank accounts. On the other hand, whether the consumers will be won over is another question altogether. If it is to stand a chance, PayPal will need to make the checkout process as uneventful as possible. As it is, the customer is asked to enter his or her cell phone number, in addition to a PIN, before the transaction can be completed. That's unnecessary and excessive.
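The merchant-binding rule described in the comment above, as an added example that is not code from the original page or from any vendor's product. The vault class, the merchant identifiers and the test PAN are all constructed assumptions; the point it demonstrates is that a random token tied to the merchant that received it is useless to anyone who lifts it from that merchant's systems and presents it elsewhere.

```python
import secrets


class TokenVault:
    """Constructed example of a merchant-scoped token vault (assumed design,
    not any real product). Tokens are random, so they reveal nothing about the
    PAN and cannot be reversed without the vault; each token is bound to the
    merchant that received it, so a token taken from one merchant's systems
    is refused when another merchant presents it."""

    def __init__(self):
        # token -> (merchant_id, pan); the vault itself stays in PCI scope
        self._entries = {}

    def tokenize(self, merchant_id, pan):
        """Issue a fresh random token for `pan`, bound to `merchant_id`."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a plausible PAN")
        token = secrets.token_hex(16)  # 128 random bits, not derived from the PAN
        self._entries[token] = (merchant_id, pan)
        return token

    def detokenize(self, merchant_id, token):
        """Return the PAN only to the merchant the token was issued to."""
        entry = self._entries.get(token)
        if entry is None:
            raise PermissionError("unknown token")
        owner, pan = entry
        if owner != merchant_id:
            # Cross-merchant use is refused; a real vault would also alert on it
            raise PermissionError("token was not issued to merchant %r" % merchant_id)
        return pan


def masked(pan):
    """Mask a PAN for logs or receipts: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def demo():
    """Constructed scenario: merchant-A receives a token; merchant-B presents it."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    token = vault.tokenize("merchant-A", pan)
    own_use_ok = vault.detokenize("merchant-A", token) == pan
    try:
        vault.detokenize("merchant-B", token)
        cross_use_blocked = False
    except PermissionError:
        cross_use_blocked = True
    return own_use_ok, cross_use_blocked, masked(pan)


if __name__ == "__main__":
    print(demo())
```

The contrast with the PayPal credentials the comment describes is the binding: an email address and password are honoured by every merchant, so they are a high-value token wherever they leak, whereas a vault token of this kind has value only inside the one merchant's environment and the vault that issued it.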

Tokens Are Not The Same As Encryption. Honest

I agree with all your points on how the technologies differ. The only possible disagreement I have is that you are very generous in giving PCI credit for distinguishing the differences between the two technologies and scope whereas I think they caused the confusion (or at least didn't help).
I tend to disagree that tokenisation and encryption are different - indeed, I see tokenisation as a form of bespoke encryption. Many of the arguments I hear about tokenisation being different from encryption lead to concerns about the security of encryption, or that encryption can be reversed. Although it is true that encryption can be reversed with the key, I strongly dispute the arguments about the security of encryption, and personally I put much more faith in an algorithm that has undergone many decades of community research, where the security (key) can be isolated in approved hardware, than in a bespoke solution I have no visibility or independent assurance of.
"High-value tokens are those that can be used to initiate a new card transaction." Personally, I didn't understand this part of the doc. Surely that's the point of a token, so I'm assuming they mean a token that can be used independently of a 'vault' type of service to initiate and complete a transaction. Otherwise, every token would be a High Value token. Services like Square's card case where a person's name can trigger a payment, or PayPal's where an email and password trigger a card payment. In these cases a name and email would be tokens and as they are initiating a card payment could be considered a High Value token.
I disagree with you on the point you made about there being no way from a PCI scoping perspective to compare tokenization guidance to encryption clarification. The parallel that I see is not between tokenization and encryption, but between the token and the encrypted data values themselves. Semantics? Maybe, but I believe there is a significant if not subtle difference between these two statements.
How can a QSA be comfortable determining if something is out of scope, if he or she does not know how the system providing that benefit explicitly works in all conditions over its lifetime, especially if it's distributed and its functionality and risk profile may change over time and can be explicitly guaranteed? A QSA takes liability for such a de-scoping claim. Only proofs of security and evidence can stand behind that, something seriously lacking in most of the debate.
Tokenization is a use case of data transformation, not a specific technology. Humans have been practicing tokenization using multiple methods for centuries and claiming that one method of data transformation is the "real" tokenization and not some other way doesn't make sense. Tokenization must be reversible.
Promises of incremental sales and the ability to target loyalty have been completely worn out by endless pitches of card services, hardware, software, etc etc etc... Another watershed way of getting mobile payments introduced is to shift merchants' payment modes from higher to lower cost products. I think ISIS has started down a path that completely misses that opportunity by partnering with incumbents who have zero interest in reducing merchant payment costs.

Want To Push Social Media? Have You Considered Using Your Stores?

What about if the retailer is in a shared space (e.g., a food court in a mall or college campus) where there may be limited space and possibly limited flexibility (e.g., power, comms, lease restrictions)? Or in airports, where I see more and more retailers. Would your recommendations hold for those locations, too? By coincidence, I was at a conference this week and sat next to the person charged with building brand awareness for a national food chain on college campuses -- and therefore with the student demographic -- nationwide. After reading your piece, I was wondering, would your recommendations hold for them? As for airports, I could see one school of thought that says customers don't live there, so get them in and out. But I also could see where the particulars of this demographic could be sufficiently compelling to want to reach out.
I agree that there are even deeper levels of engagement that you absolutely could drive in the store (I love the idea of floating coupons by the way). I think what is most important is using the store to start a conversation that could be then continued online (rather than always trying to start a conversation online that culminates with a sale in the store).
I think the statement "Then there is the small fact that the retail operator doesn’t feed his family based upon how well his customers are engaged online" speaks loads.

Publix Buy-Online-Pick-Up-In-Store Trial Nixed: Grocery Shoppers Are Different

Your take on the customer's view is right, however I wonder whether supermarkets can go a _long_ way towards resolving it with easy, quick refunds? My partner unpacked our home-delivered fruit and veg box last week, and discovered bruised fruit. Took a picture, emailed the company, and within 10 minutes had a refund. Happy customer all round - the company cares, etc. This requires very careful thinking on the merchant's part about how to invest in this area of customer service. However, since it is equally easy for my partner's picture of bruised oranges to be uploaded to a social media site as it is to email the company, the downsides for NOT doing this are quite large.
What about the other non tangible benefits of shopping at the grocery store - it gets you out of the house and you get to interact with the staff. For many people this might be their only "human contact" in a day, or at least human contact that doesn't come with the stresses associated with family/work colleagues/customers. And of course, there is the primeval "hunting and gathering food" aspect.
The last poster hit it head on - there is a primal "hunter" instinct in us humans preventing the buy groceries online model from taking off. Food, clothing and shelter are the three things we humans go out and scavenge for and that is in our primal instinct. It appears the next logical step is to focus on items that do not interfere with our primal instincts such as prepackaged food or personal hygiene.
