Evan Schuman's StorefrontBacktalk

Best Buy’s Black Friday disaster is a huge deal precisely because it strikes at the very heart of E-Commerce fears. Namely, a consumer needs to feel confident that once an order is paid for, the product will absolutely be arriving shortly.

Although Best Buy has yet to spell out how this happened, the most likely scenario is that it was the so-called perfect storm of bad timing and possibly a quantity typo. How much of a delay happened while employees desperately tried to find the—unknown to them at that point—non-existent merchandise? In a $50 billion chain, news can travel upstream very slowly. When the news is bad, it travels upstream even more slowly.

If detecting a customer’s age is tricky when the customer is standing right in front of a kiosk, it’s an even bigger problem for E-Commerce—one with hard legal consequences. Just after Christmas, a California father discovered his 14-year-old son had successfully ordered a water pipe and tobacco through Amazon—both illegal for minors to buy in California.

Age verification is something mail-order vendors have struggled with for years, and mostly given up on. But E-tailers can no longer use impossibility as an excuse. A recent federal law requires age-verification for tobacco sold online—and other age-controlled items can’t be far behind.

A very bizarre eBay holiday promotion—which appears to have been in response to an almost-as-bizarre holiday promotion from Amazon—seemed to reverse conventional thinking about merged channel retailing. Instead of offering an incentive to shop online or in-store, the eBay incentive inexplicably required consumers to shop in both channels.

What started this holiday dogfight was an Amazon promotion, where it was offering a tiny discount (5 percent, with a ceiling of $5) for people who scanned barcodes and then purchased the item on Amazon. eBay’s response was what it billed as a $10 in-store coupon, with three retailers: Toys “R” Us, Dick’s Sporting Goods and Aéropostale.

When Kraft and Intel recently started showing off their age-detecting kiosk—a vending machine that dispenses Jell-O pudding and other desserts only to consumers it calculates are old enough to appreciate them—it was yet another in a long line of age-guessing systems. This one, though, has the potential to help retailers at least minimize some hassles from selling age-restricted products.

The age-detection part uses an optical sensor to consider the customer’s face shape, along with distance measurements between the eyes, nose and ears.

As the quantity of mobile POS interactions continues to soar—whether they’re payments, coupons, CRM or something else—it’s a rare retailer who has avoided the maddening inability of laser scanners to reliably grab data off a smartphone. P&G has moved into this argument, pushing a mobile scan approach based on using functionality within handset hardware or mobile operating systems.

The good news is that this approach, in theory, will be free to retailers, because it will not necessitate any store IT changes at all. The problem—and it’s a deal-killer—is timing. With the mobile onslaught, quick is almost certainly going to trump free.

For many shoppers, the thief non-interference policy of many chains—especially when it involves firing a security guard who confronted a shoplifter—is baffling, even though it’s truly—albeit non-intuitively—the right thing to do. Apple’s approach to non-interference with thefts took on an especially surreal twist in Toronto late last month.

The store does have a policy: Don’t take sides. If the customer wants to call police, let the police handle it. If police aren’t called, treat everyone as a legitimate customer.

The PCI Council used its December 2011 newsletter to remind merchants and service providers to control physical access to their call centers with video cameras or other devices. This recommendation is both sound security and good advice, and merchants everywhere should take it to heart. But as a QSA, PCI Columnist Walt Conway wishes the Council had done more than highlight just one particular sub-requirement.

There is more to protecting sensitive areas than installing video cameras. The second, and possibly thornier, concern for small and midsize merchants is how effective the reminder is likely to be when many of them mistakenly think they won’t need to follow the advice.

The latest major retail data breach—involving 150 Subway locations and more than 50 other retailers, payment-card data from more than 80,000 shoppers and more than $3 million in bogus, but completed, transactions—is different than its predecessors for several reasons. Most notably, it appears to be the first major breach that was initially detected by a chain’s own IT team.

The essence of the attacks’ success leveraged two weaknesses: different unsecured remote-access packages used by various franchisees of Subway, which enabled easy Internet access to POS systems; and card swipes with minimal encryption. That meant key-capture software installed by the cyberthieves was able to grab data in the clear, as it was being swiped.

A U.K. buying site that tracks the frequency of online customer reviews said on December 8 that retailers shouldn’t expect a flood of product reviews on the run-up to Christmas. If the usual trends hold, there should be a lull in reviews between October and New Year’s when the pace of review writing should pick up again, according to DooYoo.com.

As obvious as that seems (after all, how can a gift recipient review a gift until it’s actually opened?), there may be a few more subtleties in when retailers can expect reviews—and what type of reviews they can expect.

The Amazon price-check promotion is getting mercilessly blasted by authors, a U.S. Senator, a retail trade group and various others. The strangest part is that so many are getting the actual specifics of the Amazon program wrong.

Booksellers were up in arms about Amazon encouraging people to go into their local stores to buy on Amazon, despite the fact that consumers have been doing the same thing for as long as Amazon has been around and the fact that—to be nitpicky—books were excluded from the program. U.S. Senator Olympia J. Snowe (R.-Me.) issued a statement that “incentivizing consumers to spy on local shops is a bridge too far.” That may be true, but the price-sharing part—the spying the senator is referencing—was excluded from any incentives.

When Amazon launched a one-day promotion this month aimed at getting its customers to go into brick-and-mortars and select items they wanted to buy at Amazon for a 5 percent discount, it was engaging in a deliciously ironic act.

Why? Because although what it was doing to those physical stores was likely legal, had those stores tried doing the same to Amazon, it would have been illegal, thanks to Amazon’s posted policies. That policy phrasing is not even universal—or even common— among major E-tailers, pens Legal Columnist Mark Rasch.

It’s now been four months since the PCI Council’s guidance on tokenization, and people are still mixing up tokenization and encryption. They are also drawing incorrect parallels/inferences. Tokenization is not encryption. Trying to compare the two is not appropriate (or like comparing quarks to streetcars or your other favorite silly similes), and doing so can lead to mistakes in scoping PCI.

By the way, after much effort, PCI Columnist Walt Conway thinks he has finally found a real-world example of what a high-value token should be. Let’s say shoppers want to use a payment card at a merchant, but they do not want that merchant to have their PAN, for whatever reason.

Google Wallet isn’t safe, at least not on the consumer end. That’s the conclusion from security firm viaForensic’s analysis released on Monday (Dec. 12). Yes, Google does a good job of blocking man-in-the-middle attacks. And having a PIN to open the wallet restores some security that Visa stripped out when it brought Chip-and-PIN to the U.S.

But Google also stores far too much customer information unencrypted on the phone—and if the phone is malware-infected or stolen, that data becomes far too easy for a thief to get at.

Why won’t Verizon let users install Google Wallet on its soon-to-be-released Galaxy Nexus phone? It might be that Verizon is defending its ISIS partnership and the mobile wallet it will roll out sometime next year. But there’s a simpler explanation: Only one mobile wallet can control the NFC Secure Element that stores payment-card data. If that’s Google Wallet, then it can’t be ISIS or any mobile-payments scheme that Verizon controls directly.

And although there’s nothing to stop Verizon from adding the necessary hardware for lots of mobile wallets, that’s not likely to happen unless Google opens its own corporate wallet.

The European Union is considering new rules that will enable it to fine retailers as much as five percent of their annual revenue—yep, you read that right—for breaching EU privacy rules. The rules would also cover the protection of payment-card data.

If enacted with enforcement teeth, this could be huge. Not only are the threatened amounts (at least the ceiling) orders of magnitude beyond what major U.S. chains have been threatened with by card brands and processors, but the threats are far more realistic.

A mobile vendor who was testing out the in-store Google Maps application this week at a Home Depot store in Florida discovered an unexpected result. While standing inside a Home Depot—which is one of a handful of Google partners on this project—and just feet away from the store’s paint aisle, the tester called up the store’s inside layout and asked the app where the paint aisle was.

The Home Depot partner app quickly responded: At the Lowe’s store three blocks away. It’s becoming clear that retailers need to be thinking about—and asking—a lot more questions about in-store maps and mobile navigation.

A 26-hour (minus one minute) Amazon in-store mobile price-comparison experiment starting Friday (Dec. 9) is scaring a lot of retailers, who fear that allowing consumers to scan barcodes, compare prices and buy from within the store will hurt them. One retail lobbying group objects to Amazon taking advantage of its sales-tax-free status to make in-store sales.

Much of the concern may have little foundation, because Amazon has low-balled the incentives to such an extent that it’s unclear if many consumers will even bother to try it.

Most of the uproar over Carrier IQ and its monitoring software installed on many smartphones has focused on conventional privacy worries—whether an outsider is capturing and storing sensitive private information. But a bigger concern for retailers might be the fact that Carrier IQ can reportedly broadcast payment-card numbers unencrypted over Wi-Fi as the numbers are being entered by online customers or in-store associates.

Never mind whether Carrier IQ or the mobile operator is keeping this information. If it’s merely being transmitted unencrypted, a thief monitoring a store’s wireless networks might be able to scoop it up in transit.

Many chains have seen the cloud as a nice way to get unlimited data storage on the cheap. But Best Buy’s initial cloud efforts revealed something much more fun: a lawless area where IT management didn’t have any rules.

A funny thing happened, though: “Everybody has always said that if we could do the datacenter over again, we’d make no mistakes and everything would be perfect. It would be this incredible Utopian datacenter, except that we’re all making the same mistakes that we made in the datacenter originally, because you go to the cloud like the Wild West,” said Thomas Kelly, Best Buy’s enterprise architect for cloud services.

Starbucks on Tuesday (Dec. 6) released select mobile transaction stats for 2011, showing some 26 million mobile transactions. More meaningfully, the chain said it had tracked $110.5 million reloaded via the mobile app, which is a tiny percentage (4.6 percent) of the $2.4 billion put onto Starbucks Cards through non-mobile means.

The Starbucks mobile app merely displays the same barcode that exists on the customer’s plastic Starbucks Card. That means there is no wireless transmission, nor are any meaningful changes to the POS or card-swipe required. It does, however, require a change-of-behavior from the customer, and that might be the hardest and most valuable element.

One of the biggest benefits of tokenization might be the implementation process itself. That is, while using properly constructed tokens can reduce a merchant’s PCI scope, the process of planning, designing and implementing can produce significant benefits, too. One result from tokenization is restricting the further spread of cardholder data throughout the enterprise. Another is that the implementation process gives you a running start in complying with PCI version 2.0.

PCI Columnist Walter Conway argues that tokenization requires a lot of work to implement. It would be a shame to not take full advantage of that work and the benefits that come from it.

The ongoing debate about how far retailers can—and should—go when tracking customers through their mobile devices is getting confused, thanks to the illegal misinterpretations made by some of the vendors pushing these approaches.

But Legal Columnist Mark Rasch wants to be clear: Be ahead of the curve in tracking consumers, and do it before case law and legislation have a chance to play themselves out, and you could find yourself with legal headaches for years—potentially having to somehow remove all of that ill-gotten data from your systems.

Wal-Mart on Thursday (Dec. 1) officially rolled out its Shopycat Facebook app, which lets consumers see WalmartLabs-fueled gift suggestions for all of your Facebook friends, based on their posts and stated likes/dislikes. Wal-Mart said that “Shopycat is designed to trigger gift ideas for friends ranging from music, books and movies to games and electronics, making gifting more fun and saving on time and the pressures of discovering the perfect gift.” About time that someone put an end to this pressure to find the perfect gift. Effort, thought and attention are simply making America weak. When I think gifts for loved ones, I think compromise and just get it over with. (And yes, that fits in so well with the image that Wal-Mart is trying to shake.)

The idea is indeed interesting, as the Wal-Mart algorithms have already done the work of predicting what would be desirable. Then again, does it factor in that something of strong interest to someone has likely already been purchased by—or for—them? One nice touch about Shopycat is that it doesn’t technically limit its suggestions to walmart.com and Wal-Mart stores. But testing on the app certainly shows that the overwhelming majority of choices are—coincidentally—only on walmart.com.

The biggest E-Commerce surprise of Black Friday was probably what didn’t happen: The problem-plagued Target.com didn’t crash. Despite an absent E-Commerce chief for six weeks before the big day, and what some saw as a half-hearted defense of the site by Target’s CEO on an earnings call, the chain’s online store weathered the Black Friday-Cyber Monday weekend with just some performance degradation—about the same as other major E-tailers.

The most likely reason it survived: Target.com deep-sixed its clever but ill-fated experiment in limiting the number of customers who could be on the site at the same time.

Maybe using mobile phone signals to track customers isn’t looking so sweet after all. On Monday (Nov. 28) two U.S. shopping malls said they stopped using a people-tracking system that used mobile signals, after the malls’ developer got letters from U.S. Sen. Charles Schumer (D-NY), who threatened to call in the Federal Trade Commission to investigate privacy issues. That’s despite the fact that the system is designed to be anonymous—and the system’s legality is untested.

There are some ironies in all this. One is that, with all the genuinely invasive customer-tracking technologies online and even in malls, the mobile signals used in this one really are anonymous to everyone but the mobile phone operators. Another is that if the system were actually targeting individual customers and the data were used by store associates, it might actually be more palatable to shoppers. After all, when location data is anonymously collected, it feels creepy. But when an associate knows you’ve already been to Wet Seal and Nordstrom, that just means she knows your tastes and can serve you better—or at least it feels that way.