Evan Schuman's StorefrontBacktalk

Envision an in-store system that addresses every customer by name and points out to the customer—out loud, in earshot of other customers—prior purchases, including highly sensitive products. The system would know the customer’s address, relatives, neighbors and friends, and might even mention embarrassing incidents involving the customer as a child. The name of this invasive system is “the friendly shopkeeper,” and almost every corner pharmacy, grocery and hardware store had one back in the 1950s and 1960s—back when we like to think customers were very privacy conscious.

Conventional wisdom is that consumer resistance to invasive marketing consistently softens over time with each new retail tech innovation. But the friendly shopkeeper demonstrates that’s not a linear trend. And there’s a school of thought that says mobile technology may break that trend, too. The potential invasiveness of mobile payments is so intense that customers might rebel and resist all privacy-infringing efforts even more—making mobile dangerously likely to blow up in retailers’ faces.

About a year ago, retailer Williams-Sonoma got into legal trouble in California for having its cashiers ask people using credit cards to provide their ZIP codes (to be used for marketing purposes) in violation of a California statute that made it unlawful to ask for “personal information” as a condition of accepting a credit card. A federal court in New Jersey has now let Williams-Sonoma off the hook for doing the exact same thing in the Garden State, leaving the state of the law of ZIP codes at best uncertain.

Several states have laws that restrict either in whole or in part the use of certain personal information as a condition of accepting a credit card, pens Legal Columnist Mark Rasch. The trick, though, is whether to write it down or not. (Hint: You really don’t want to write it down.)

Level 3 merchants, whose compliance Visa only started making public this summer, have seen their relatively weak compliance numbers drop further, according to new figures the card brand released Monday (Oct. 31). Level 2 chains saw an even stronger drop, while Level 1s continued their improvement trend.

The numbers on their own are somewhat of a concern, given that compliance in any group is supposed to steadily improve. That’s especially true with a new entry, such as Level 3s, which start at such a relatively low level of compliance. In this instance, though, the explanation for the compliance dip might lie in a recent increase in the number of Level 3s trying to get compliant.

By now you’ve probably seen how easy it is to unlock an iPad 2 without knowing the password. Local TV news anchors are having a field day with this one, because even they can figure out how to exploit the hole Apple left in iOS5. It requires using the iPad 2′s magnetic smart cover and about five seconds of poking buttons and covering and uncovering the screen—a truly impressive security fail.

Apple has come up with a workaround (change the smart cover-related settings) and promises a patch soon, but this should still remind retail chains they need to be doing their own security in apps running on in-store mobile devices. Making sure a custom app automatically locks itself when it’s not being used will cost an associate a few extra seconds for one more password, but you really don’t want a thief to walk off with a tablet running a live application that’s connected with your payment or inventory systems. (And if your in-store iPads don’t have their own smart covers? Let’s just say that thieves tend to come prepared.)

Here’s an IT twist: The $9 billion Whole Foods Market grocery chain is pulling back from accepting checks primarily because it wants to collect less customer data. Making this move even more unusual is that checks—along with cash—have a much higher margin than payment cards due to a delicious absence of interchange.

“We simply don’t want the burden of having all that information,” said Whole Foods spokesperson Libba Letton, adding that it’s the same reason the chain has thus far shunned any type of CRM/loyalty program. That said, there are other more mundane reasons for the 300-store 38-state chain’s rejection of checks, added Letton: “It takes too long, and the financial impact of check fraud.” Also, there’s the fact that the number of consumers using checks at grocery stores is plummeting, so why keep associates trained on something that is so rarely used? Still, the idea of a chain choosing to prematurely halt an interchange-free system that brings in lots of customer data, that’s an unusual kettle of organic steamed fish.

With all of the legal wrangling in the wake of the Hannaford data-breach appellate decision over who has to pay for what “damages” or “loss,” and to whom, one thing is lost. With today’s breach-apathetic American consumers, a multibillion-dollar breach will not likely cause merchants to lose any customers. When one of those impacted customers calls and asks for a replacement card and you say “$20, please,” that’s when you’ll lose that customer.

The appellate decision clarified the legal environment, but it merely said what self-interested chains should have been doing all along, pens Legal Columnist Mark Rasch. From a merchant, vendor, supplier or technology consultants’ standpoint, the goals remain the same: Prevent the breach in the first place, and do what is reasonably necessary to control or mitigate the harm if a breach occurs.

A federal appellate panel, reviewing some of the data-breach lawsuits against Hannaford, has dealt a very narrow setback to retailers, ruling that consumers can be entitled to identify-theft insurance and replacement payment cards. The fact that such an extremely limited support for consumer rights can even be seen as a setback for retailers puts into context how incredibly retail-friendly federal courts have consistently been in various data-breach rulings.

There are two likely near-term impacts from the ruling. First, Hannaford itself will now have this case return to an active trial status, where it will likely reside for an absurdly short of time before it’s settled for the very small number of dollars that such an insurance policy and card replacements (for just a few customers) will cost. For retailers throughout the country, though, the impact will be more muted.

PCI Columnist Walter Conway argues that this is a good week for every retailer’s IT, security and business departments, because they will have a relatively rare chance to sharply influence PCI issues. The PCI Council’s Special Interest Group (SIG) nominees for the coming year are coming up, and these folks have a key vote. The reason is that the Council has a short list of seven proposed SIGs, only three of which will be selected. Which three are chosen is solely based on the votes of Participating Organizations. Retailers will make their voices heard by voting for their three top choices. Whichever nominees the Participating Organizations decide to support with their votes, it will need to be done quickly: Online voting starts this week and ends November 4.

There are two changes to the SIGs this year. One change is that a Council staffer will lead the SIG (previously, the chair was a member of the PCI Council’s Board of Advisors). The other change is that each SIG must complete its work in one year. In years past, SIGs could—and sometimes did—run indefinitely, becoming a source of frustration for everyone. The changes should mean each SIG is focused on delivering results.

Shoplifters and employees who steal are classic in-store loss-prevention problems, but fully one-fifth of shrink is due to administrative errors and supplier fraud—things that LP isn’t designed for but that conventional IT should be a lot better at dealing with. According to the annual “Global Retail Theft Barometer” report out this week from the Centre for Retail Research in the U.K., about 20 percent of shrink worldwide is due to administrative errors (including “pricing mistakes, accounting errors and process failures,” the report says) and fraud or errors by suppliers.

That’s a huge chunk of loss that should be fixable with nothing but better automation. The other 80 percent is predictably split between external and internal theft, though that split varies widely: In the U.S. it’s 36 percent shoplifters and 44 percent employees, while worldwide that’s flipped: 43 percent shoplifting and 35 percent internal theft. But using IT to cut administrative-error shrink has at least one big advantage over Loss Prevention: Those errors aren’t working hard to hide themselves. And if you can use better systems to cut admin-error shrink in half, that’s roughly as good as catching a quarter of your shoplifters.

In the middle of a strange lawsuit against Amazon.com—one where an actress is suing because she says Amazon revealed her correct age—is a very serious payment-card IT accusation: that Amazon processed a payment and then used the card-verification data to gather more data and then published it. To be fair, the lawsuit itself is a dubious document, with some statements that seem clearly false and others that seem to not recognize how Amazon and its Internet Movie Database unit (IMDb.com) function. But setting aside those issues—which certainly raise questions about the validity of the Amazon accusations—the charges bring up an interesting issue.

Is it illegal, or even against the various card brand rules or PCI’s rules, to use information from the confirmation process to access public information and to then use it? Amazon is not accused of publishing the verification data directly (which would have raised very different issues) but of using that data to track down public records. And if Amazon indeed did that—and that’s still a big “if”—is that a legitimate area for retailers to use to grow CRM databases?

When a major Australian shopping mall next month starts tracking consumers by their mobile phones, they will try and pacify privacy advocates by stressing that no customer names nor phone numbers will be given to retailers. Truth be told, the tracking information that they will collect will be far more valuable.

The vendor behind the trial, a U.K. firm called Path Intelligence, pledged that “no mobile phone usernames or numbers could be accessed” and that “all we do is log the movement of a phone around an area and aggregate this to provide trend data for businesses.” But what if that phone-tracking data is linked with security cameras and/or POS systems? What if a mall representative called one of its retail residents and said, “We’re now tracking a woman who has spent $980 in the last hour and she has just walked into your store. For a $300 fee, I’ll tell you exactly where she’s standing right now. Deal?”

The PCI Council has updated its PIN Transaction Security (PTS) rules to include newer types of card-accepting systems, including mobile, kiosks and vending machines, but left vague are many of the most practical retail issues. The new PTS version 3.1 is aimed at device manufacturers. Given that retail shops need to be populated with compliant devices, though, how much time will device makers have to make upgrades? How long will existing systems be given a pass?

The guidelines, which are generally filled with commonsense security restrictions, offer nothing about timing, schedules or when retailers can—or should—include the new requirements in RFPs. The closest the guidelines get to referencing existing hardware is a brief comment that such components can be reused in newly approved systems. It does, however, detail fees.

Sears’ in-store mobile move is more about feature migration (from POS and consumer’s phones to phones controlled by associates) than new functionality. But for an October 2011 rollout—given some of Sears’ thinking—that might be just perfect. When Sears on October 13 added its name to the lengthy roster of chains rolling out in-store associate-controlled Apple devices, it opted to not offer checkout. But it is mirroring the services for customers that associates have, for years, been able to do from POS stations and that customers (for a lesser time) have been able to do from their own smartphones.

Sears’ conservative move makes more sense in the context that many customers may not feel like using their phones while shopping and, more to the point, most American consumers don’t yet have smartphones—if you accept the smartphone definition of a phone that can download third-party apps.

Just when you thought you had figured out how to deploy in-store mobile devices, something comes along to remind you that it’s not that simple. Last month, the FCC ordered 20 small online retailers to stop selling illegal devices that jam the signals for mobile phones, GPS and Wi-Fi. No surprise there—but also not much impact, because such devices are easily available from other online retailers. That means anyone willing to pay as little as $80 could walk into a store in your chain and jam the Wi-Fi that your mobile POS depends on.

It’s a classic single-point-of-failure problem, and it could be frighteningly disruptive—especially since this holiday season will be the first at many stores with lots of in-store mobile devices in use, and almost all retailers are using Wi-Fi to keep them connected. A saboteur who uses a pocket-size jammer wouldn’t have access to payment-card information, but what’s supposed to be an impressive demonstration of retail technology would just irritate customers and frustrate associates—especially during the high-volume times that mobile POS should be a relief. And that’s just from an intentional saboteur. Unintentional Wi-Fi jamming could have even worse effects.

Last Thursday (Oct. 6), Walgreens rolled out its latest mobile feature, which enables its customers to get text reminders of prescriptions that are due for refill, orders that the chain said can be completed “with a simple ‘refill’ reply.” But as another reminder of the challenge of federal pharmacy privacy rules, the text is so restricted as to be borderline useless to the chain’s best customers.

The new service, called Refill Reminder Text Alerts, is based on a top-notch idea. The goal is to aid customers who have multiple refills and have had the onus of initiating contact with their pharmacy every time a prescription needs to be refilled, even if they have been consistently refilling the same prescriptions every month for years. Instead of waiting for the customer to call, the chain is initiating that contact and asking with a simple text for permission to refill the order. The problem involves restrictions from the U.S. Health Insurance Portability and Accountability Act (HIPAA). It prevents the texts from identifying which prescription it’s asking about.

HSN last Friday (Oct. 7) took the next logical step with mobile-friendly QR codes by placing them in a corner on the television screen, giving high-definition TV viewers the chance to learn more about the products being shown. In addition, HSN cleverly tried to avoid the QR snafus that other retailers—such as Macy’s—have fallen into by using its on-air hosts to teach visitors how to use the codes.

But the limited four-day experiment also demonstrated the many QR drawbacks that retailers have to struggle with. A reporter for Forbes, for example, tried making a purchase during the event through a QR code and found that her couch was 10 feet away from the screen but that she had to get up to scan the code from five feet away. People who successfully navigated the QR code got to an ordinary Web site page. No discount, no special reward. And how long would the code be displayed? Then there’s the learning curve.

According to American Apparel, item-level RFID can pay for itself by cutting employee theft. The 285-store chain’s VP of Technology, Stacey Shulman, told RFID Journal that in stores using RFID for inventory accuracy, internal shrinkage has dropped by an average of 55 percent. (The chain started by putting RFID in 50 of its stores with the highest shrinkage rates.) As a result, the savings covers the deployment cost. Of course, that’s something of an accounting trick. Deploy any surveillance technology in a store with lots of employee theft and some thieves will get nervous and stop stealing—for a while.

Shrinkage drops, and IT can declare that RFID’s ROI is 100 percent. Then, by the time the thieves start stealing again, it’s hard to argue with item-level RFID’s other benefits in better accuracy and faster replenishment, which is why Macy’s is pushing item-level RFID hard. Besides, the theft rate might never return to its original levels, right? It’s also wise to remember that the only retail people who care about ROI are the people can say “no”: your CFO’s team. And for IT projects, they check ROI once. So if it looks like thefts have been avoided, you get the credit. And given that the team won’t check again in four months, you’ll likely never get dinged if the reductions were short-lived. Short attention spans can be your friends.

Remember those demonstrations of how the payment-card numbers can be stolen from contactless cards by a thief carrying a card reader who bumps victims’ wallets and purses in a crowd? Yes, it’s been a staple of local TV news for years, and it’s a legitimate potential security risk—a risk that was going to be eliminated by NFC mobile payments. That, it turns out, didn’t quite work out the way the proponents of NFC phones were hoping it would.

The key to making phones more secure was supposed to be that a required PIN would prevent the NFC chip from being turned on most of the time, and the chip would be powered down quickly after a transaction when the screen went dark. That’s certainly the way Google Wallet was designed for Android phones. But according to most of the reviews of Google Wallet, all that PIN-punching is a pain, and the phone’s screen quickly going dark is annoying. Guess how secure that makes the NFC chip?

In the PCI alleys, there has been some back-and-forth recently about the PCI Council’s Internal Security Assessor (ISA) program and some MasterCard changes about whether participants needed to be auditors. Although the impact of the back-and-forth is relatively trivial, it brings up an interesting question: How independent does an independent assessor really need to be?

The essence of the ISA program is for retailers to have someone on their team who is trained in PCI nuances and who can help the chain maintain compliance between assessments. Most of the retailers that are working with the ISA program plan to continue using their QSA. If ISA works, it would enable much faster and less painful assessments, because someone internal at the merchant is constantly watching for anything that could cause a compliance problem. To be candid, none of the players involved is independent at all. The internal folk are all on the retailer’s payroll, and the external QSAs are all being paid by the chain to conduct the assessments.

Even as retailers and customers ramp up for mobile commerce, some smartphone makers still don’t have a mindset that’s ready for handling payments. On Tuesday (Oct. 4), handset vendor HTC admitted that an application built into some of its Android phones could leak sensitive user information—such as GPS data, E-mail account information and potentially even payment-card numbers—to malware that could get the data without a password or any special permissions except the right to connect to the Internet.

The specific information that HTC’s logging software collects isn’t tremendously sensitive—we’re talking location, not payment-card numbers. However, the fact that megabytes of data are being scooped up by the phone’s maker, but not secured by even a password, is a sign that smartphone vendors still assume a phone is just a phone—instead of a combination payment terminal, mobile wallet and M-Commerce browser.

Before a typically staid Federal Reserve Bank of Chicago symposium last week, the CEO of a security device vendor violated Jim Croce’s rule of not tugging on Superman’s cape. In a speech, the CEO ripped into the PCI Council, dubbing it a “dangerous false God” and saying that “PCI has rapidly become a self-perpetuating, self-aggrandizing, profit-motivated authority. It has and will continue to stifle innovation by its often nonsensical rule making.” And she then stopped pulling her punches.

To put this into context, PCI has unquestionably improved retail security in the U.S. and few have suggested a concrete alternative approach that wouldn’t bring with it even worse problems. Like the criminal courts, a system can be very far from perfection and still be the best of all alternatives. It’s also true that when security choices are made, some vendors are not going to be happy with the new rules. Even with all of that said, the directness and intensity of the speech by Magtek CEO Mimi Hart is worthy of note.

If there’s one thing a Sears associate—especially one who logs lots of cashier time—should understand, it’s how CRM works. But according to police in Heath, Ohio, at least one didn’t, and he’s behind bars as a result. Well, that, plus he stole a customer’s credit card and used it to make purchases at gas stations—where he also used his loyalty card to make sure he got points for every purchase. Oops!

The tale of 19-year-old Sears associate Zachariah S. Grigsby, though, gets even more strange. It all started on August 12 when Grigsby, who worked at the Sears at Heath’s Indian Mound Mall, was processing a customer who used his Discover card, said Heath Det. Sgt. Craig Black.

Macy’s on Wednesday (Sept. 28) pledged an aggressive chain-wide RFID rollout, promising to item-level tag some 700,000 UPCs in every Macy’s and Bloomingdale’s by the end of 2013. That will represent about a third of all of the $25 billion chain’s products and one of the most aggressive retail item-level deployments yet. Macy’s won’t be tagging any of the replenishment goods directly, leaving that task to its suppliers, who will ship products to Macy’s already tagged.

This massive item-level selling-floor-to-the-stockroom project began as a pilot at the Bloomingdale’s New York SoHo, which is a pilot-friendly place apparently—the chain is now using Bloomingdale’s SoHo to test Google Wallet. As a practical matter, this rollout will give Macy’s a wide range of technology options as the potential of full item-level RFID gets closer. But Macy’s is officially focused fully on just one RFID function: faster and more accurate inventory.

When the manager of a Florida hobby store was about to begin testing in-store mobile checkout as part of an NCR beta test in June, she envisioned using the devices throughout the store, to both free up POS space and give shoppers a faster experience. But like so many mobile-payment issues, those plans yielded to the reality of hosts of unanswered loss-prevention questions about the mobile payments. The manager ordered the Apple-based units be restricted to an existing POS area right by the exit.

As mobile payments inch along, retailers are trying to balance two concepts: the ideals of mobile-payment strategies with the mundane, practical logistics issues. And nowhere did those two concepts collide more clearly than in the one-location $3.5 million specialty store in Plantation, FL. How could someone at the door verify that the receipt is legitimate? For that matter, if the associate at the door is shown a digital receipt, how is he/she to know if it’s a valid receipt—as opposed to a doctored image—unless the associate scans the receipt’s barcode and runs a check to see if that item was indeed purchased in the prior 10 minutes?

Hard on the heels of a September 23 demonstration showed that Secure HTTP is no longer all that secure, Google and Microsoft have both recommended that Web sites dodge the problem by changing the encryption they use. (And how often do these guys agree on anything?) Many E-Commerce sites use the Advanced Encryption Standard (AES) for encryption, but AES is vulnerable to the security hole demonstrated last week. However, the older RC4 is immune to this particular attack, and that’s what Google and Microsoft recommend E-Commerce sites (and other sites receiving sensitive data such as payment-card numbers) use.

Does this demand an emergency fix? No, but it’s more serious than many experts thought before last Friday’s demonstration. Security researchers Juliano Rizzo and Thai Duong required only two minutes to break into a PayPal user’s encrypted session—fast enough to make their attack feasible for cyberthieves (although still extremely difficult, at least until some thoughtful hacker turns it into a script any 13-year-old can use). But switching from AES to RC4 is relatively painless for online retailers. The real fix will require upgrading security protocols on hundreds of millions of Web browsers and servers.