Evan Schuman's StorefrontBacktalk

When it comes to loyalty, many retailers are stuck in the 1990s. Does anyone else find it funny that in a world where you can very easily have a video conference with your kids from a $500 tablet over free Wi-Fi from a random hotel, we’re expected to keep a 3.3- x 2.2-inch piece of plastic in our wallets to get benefits from some of our favorite retailers? All of this, pens Retail Columnist Todd Michaud, in an area—such as CRM—where the application of technology could directly impact a retailer’s top and bottom lines.

Why are small problems sometimes the biggest pains? Sometimes because they’re the hardest to spot. On January 25, Neiman Marcus’ Web site was inaccessible only to customers using Internet Explorer versions 6 and 8 on Windows 7—everyone else was apparently able to get in without difficulty. This sort-of outage should have been easy to fix, but it lasted more than nine hours.

That suggests the Dallas-based high-end retailer made a change in the wee hours—exactly when you’d expect—but then accidentally left test code in the homepage. The result: a Web site that probably worked fine for everyone in IT, just not for all customers.

With all of the new data coming in from mobile and social, retail IT has a truly strategic psychological problem. The old way of creating interfaces between systems can’t scale and will not deliver the results this new world of information overload demands. You’ve got to stop thinking about interfaces and start thinking about services. You’ve got to stop thinking about batch ETL processing and start thinking about real-time data integration and unstructured data.

You’ve got to start accepting cloud computing as a method of scaling your computing platform up and down, pens Retail Columnist Todd Michaud. In short, you’ve got to rip out most of your information architecture and start over.

PayPal’s expansion of its in-store payments trial at Home Depot (up from 400 PayPal employees to all PayPal users) marks a huge jump in the trial’s scope—and risk. On January 19, PayPal opened up the trial to include 51 stores (up from the initial 5) and said all PayPal users could now sign up for the system. That should give both PayPal and Home Depot much more useful information on who will use the system, and how.

But PayPal’s approach—which essentially reverses 50 years of payment-card advances by eliminating any physical authentication device—still presents a big challenge when it comes to security. The ability to check out with just a mobile phone number and PIN—no plastic card, NFC-enabled phone or other authentication hardware required—means anyone who can acquire that phone number plus PIN has a free shot at the legitimate customer’s account.

Speed-tuning for retail Web sites may have finally hit a wall. A report released Wednesday (Jan. 25) says Nike, JCPenney, JCrew and Amazon had the fastest retail sites in 2011. But the survey also notes that the most popular and profitable sites are actually slower to load than the average site, because they contain so much content, and that content delivery networks don’t actually speed up load times.

In theory, load times of 3 seconds or more should cost retailers half their customers. If that’s true, E-tailers should be going out of business. Maybe it’s time to dump those theories.

In the power struggle between retail marketing and retail IT, IT is getting its server farms kicked. It started with E-Commerce and is now growing with mobile and social. What has to go? If it can go in the cloud, get rid of it. E-Mail? Gone. Web hosting? Out of here. CRM? Exit, stage right. If it can be easily outsourced by specialist firms or even done by people in the business unit, you need to let it go.

It’s time to evict Web and mobile app development, and pretty much any marketing initiative that isn’t core to your business. Heresy? Certainly, pens Retail Columnist Todd Michaud. But it’s necessary.

Home Depot’s trial to let shoppers pay in-store with PayPal—a program confirmed late last week, which is loosely related to PayPal’s wallet—is interesting more for what it doesn’t do than what it does. It’s a baby-step program in two ways.

On the mobile front, it’s the first retail trial of PayPal’s mobile payment program and it doesn’t use a mobile device at all. (OK, that’s more an embryo step than a baby step.) On the payment front, this is also a test of Home Depot accepting a rectangular magstripe card that doesn’t say MasterCard, Visa, American Express, Discover or Home Depot on it.

Walk into one of about 25 Guess stores this week and you’ll see customer-accessible iPads in the men’s, women’s and accessories departments and even in the dressing rooms. “For the cost of a kiosk, I can put in four or five of these,” said Guess CIO Michael Relich. “This is the consumerization of IT.”

But the Guess iPad trial is hardly being done to save costs. The flexibility of the tablets and sharp, customer-friendly graphics make the devices a much more effective way to show demos and to locate merchandise, check inventory and do anything else that a kiosk would normally do.

The National Retail Federation’s Big Show is next week, and the exhibition floor will be crowded with vendors offering retailers all types of software applications. As a public service, following is a list of questions all merchants should ask their POS system supplier or reseller based on one QSA’s experience—namely the experience of PCI Columnist Walt Conway.

The good vendors will be able to address all these questions. The not-so-good ones will hand you a carrier bag or a pen instead.

The PCI Council used its December 2011 newsletter to remind merchants and service providers to control physical access to their call centers with video cameras or other devices. This recommendation is both sound security and good advice, and merchants everywhere should take it to heart. But as a QSA, PCI Columnist Walt Conway wishes the Council had done more than highlight just one particular sub-requirement.

There is more to protecting sensitive areas than installing video cameras. The second, and possibly thornier, concern for small and midsize merchants is how effective the reminder is likely to be when many of them mistakenly think they won’t need to follow the advice.

The latest major retail data breach—involving 150 Subway locations and more than 50 other retailers, payment-card data from more than 80,000 shoppers and more than $3 million in bogus, but completed, transactions—is different than its predecessors for several reasons. Most notably, it appears to be the first major breach that was initially detected by a chain’s own IT team.

The essence of the attacks’ success leveraged two weaknesses: different unsecured remote-access packages used by various franchisees of Subway, which enabled easy Internet access to POS systems; and card swipes with minimal encryption. That meant key-capture software installed by the cyberthieves was able to grab data in the clear, as it was being swiped.

Microsoft has effectively thrown in the towel for Microsoft Tag. On Tuesday (December 13), Microsoft announced that its Tag Reader smartphone app will now support QR codes and NFC. Officially that’s to make Tag Reader a one-stop app so users won’t have to worry about what reader to use with various tags. In practice, it’s curtains for Tag, the multicolored 2D barcode that Microsoft rolled out in January 2009 but that never really caught on (not that the more successful QR code has been a barn-burning success).

In a blog post, Microsoft said it now recommends NFC for retailers to “blend in beautifully,” QR to “grab their attention” and Tag to “raise curiosity”—presumably as in, “curiosity about who’s still interested in Microsoft Tag.”

As is our tradition, StorefrontBacktalk shuts down for the last two weeks in December, due to the fact that y’all are far too busy (a) supporting the biggest selling weeks of the year until December 25th, (b) supporting the biggest returns-and-exchanges week of the year after December 25th and (c) closing the quarterly books until December 31st on what everyone hopes will be a bigger year than 2010.

That means our next regular weekly issue will arrive on January 5th, 2012. In the meantime, everything else will still be live (the Web sites, our Kindle version, our Twitter tweets, our mobile sites, etc.). And we’ll, as always, send out breaking news alerts if circumstances merit.

A message from our beloved business side: As the NRF Big Show happens next month, StorefrontBacktalk has a couple of last-minute slots for anyone wanting to communicate with NRF attendees. In mid-January, as our readers leave their postmortem holiday shopping meetings with the list of everything that went wrong, every feature management wants to add and a wishlist of products to make it all, it’s a nice time message.

We will also be adding several content channels next year—including several new weekly podcast series, more monthlies, events in addition to our usual weekly and monthly newsletters, and Web sites—and if your marketing people have any interest in getting involved, we now have new opportunities. Some of these new channels were specifically created to enable smaller vendors, with much more limited resources, into our community. If your marketers want to get your brand in the middle of these discussions, please drop us a note.

A mobile vendor who was testing out the in-store Google Maps application this week at a Home Depot store in Florida discovered an unexpected result. While standing inside a Home Depot—which is one of a handful of Google partners on this project—and just feet away from the store’s paint aisle, the tester called up the store’s inside layout and asked the app where the paint aisle was.

The Home Depot partner app quickly responded: At the Lowe’s store three blocks away. It’s becoming clear that retailers need to be thinking about—and asking—a lot more questions about in-store maps and mobile navigation.

Many chains have seen the cloud as a nice way to get unlimited data storage on the cheap. But Best Buy’s initial cloud efforts revealed something much more fun: a lawless area where IT management didn’t have any rules.

A funny thing happened, though: “Everybody has always said that if we could do the datacenter over again, we’d make no mistakes and everything would be perfect. It would be this incredible Utopian datacenter, except that we’re all making the same mistakes that we made in the datacenter originally, because you go to the cloud like the Wild West,” said Thomas Kelly, Best Buy’s enterprise architect for cloud services.

Late on Wednesday (Nov. 30), the 11-year-long battle between the 288-store 29-state Dillard’s chain and JDA Software/i2 finally closed, when JDA agreed to write Dillard’s a check for $57 million. The vendor’s check was to compensate Dillard’s for what were allegedly lies the software company used when selling a supply chain system. But the filings in the case provide a rare look into how software companies regard sales tactics and it’s essential reading for all IT execs before their next meeting with any software sales rep.

Quick background: JDA was not involved in this matter when the sale was made in 2000 and is only now involved because JDA bought i2 in January 2010. In June 2010, the case went to trial and a Texas jury awarded Dillard’s $237 million. That’s an impressive amount given that Dillard’s had only paid $2.4 million for the software. JDA/i2 appealed and Wednesday’s settlement happened while the appeal was still processing. Dillard’s position has been that JDA lied to them during the sales process and that the $6.1 billion chain didn’t receive the value the vendor had promised.

Just a reminder that StorefrontBacktalk now has five free monthly newsletters, each one focusing on a different key area for us: E-Commerce, Mobile, PCI/Security, In-Store and CRM. The Monthlies—see the descriptions here—are available to anyone via a quick E-mail sign up.

The Monthlies publish the first few days of each month, and they are a great way to catch up on all of the news in a given area. So before you miss the December Monthlies, sign up for your free copy.

Wal-Mart’s newest mobile acquisition may be a lot more than the world’s largest retailer is admitting. On November 10, the chain announced that it acquired Grabble, a tiny Australian mobile POS startup that can deliver receipts to customers’ phones. Wal-Mart also did a good job of scrubbing the Internet of information about what Grabble actually makes: hardware that attaches to POS systems to capture purchases and other customer data in real time, so that information can be used without having to change existing back-end POS software. Mobile receipts are just one obvious application.

It never really made much sense that Wal-Mart would go all the way to Australia for a mobile-receipts startup—that’s hardly a new idea. But a box that plugs into a POS, so it’s easy to experiment on a store-by-store basis with everything from mobile receipts and coupons to plug-and-play CRM, inventory and analytics systems, sounds like it’s worth the trip. And that could explain why Wal-Mart worked so hard to make most details about Grabble disappear.

Given the dominance of the key U.S. holiday next week (we mean Thanksgiving, not Black Friday), StorefrontBacktalk‘s weekly newsletter won’t publish on November 24. Everything else will still be live (the Web sites, our Kindle version, our Twitter tweets, our mobile sites, etc.), but we need a little time off to burn some turkey and over-season some stuffing.

Speaking of which, we want to tap into the knowledge of our audience with a question that has nothing to do with retail technology. One of us here at StorefrontBacktalk is going to try something new for Thanksgiving: Cooking the turkey on a gas grill. The problem is that, well, it’s me. And my Weber grill seems to have two temperature settings: 750 degrees Fahrenheit and OFF. To be precise, it has tons of settings, but those two numbers seem to be the only heat levels the beast is capable of delivering and maintaining. In a short duration grilling (say 5 to 8 minutes), it’s easy to compensate. But when dinner for a dozen people needs to cook for five hours, I’m open to any tricks to get the temperature to get down to 325 degrees and to stay there. Any suggestions? If you do have any suggestions, please E-mail me at Help Evan To Not Turn His Entree Into Sawdust Held Together By Static Electricity.

Ever since Visa reversed itself and embraced EMV this summer, GuestView Columnist Trinette Huber—who by day is information privacy and security manager for the 2,700-store Sinclair Oil company—has been wondering why. She has concluded it’s not for the security. For the last five years, Huber pens, she has been advising, cajoling, arguing and sometimes arm-twisting when it comes to PCI compliance for Sinclair’s distributors and c-store operators. “We’ve been waiting for technology that protects credit-card data. Stop coming back to the trough to get retailers to pay for something that doesn’t remove PCI compliance requirements and protect online transactions.”

Huber adds: “Chip-and-PIN doesn’t eliminate your requirement to be PCI compliant. You still have to do that. If we adopt Europe’s old technology, the card data will still pass in the clear. You still need to spend all of that money securing your point-of-sales, auditing your network and reporting on your compliance status. Well, maybe not reporting to Visa—if you meet its requirements—but there’s still MasterCard, American Express and Discover.”

Offering to alert pharmacy customers to prescriptions that are about to expire would be a terrific idea, were it not for privacy restrictions imposed by the U.S. Health Insurance Portability and Accountability Act (HIPAA). That’s something Walgreens learned the hard way last month. Winn-Dixie, the $7 billion regional grocery chain, tackled the same issue and debated and ultimately rejected several tech approaches.

With so many chains offering pharmacy services, the debates provide a glimpse into how mobile strategies can slam into privacy rules and, sometimes, technology simply can’t get around that. Tim Bell is the director for pharmacy managed care and systems at the 460-store chain operating in Florida, Alabama, Louisiana, Georgia and Mississippi. Bell said the issue is that the best approach for sending a quick alert (such as “Your Prescription for Lipitor is due for renewing. Should we renew?”) and accepting (“Renew”) is the least secure: text messaging.

In unrelated trials this week, Debenhams—the UK’s second-largest department store—and eBay are trying to push the mobile limits of creating stores with no physical infrastructure. But unlike Web sites, these virtual stores exist in a specific place to which customers must travel. In Debenhams’ case, a human being at that location would see nothing, except other human beings oddly pointing their phones around the sky.

The virtual store is not new. In a much publicized trial this summer, Tesco re-created almost all of the merchandise from one of its stores as a series of high-res photographs with QR codes on the walls of a South Korean subway. But the Debenhams’ effort takes it farther than any other retailer. At least consumers arriving at that subway would see pictures of products and could guess what to do. In the Debenhams’ trial, consumers were directed to very prominent street corners in London (Trafalgar Square), Manchester (Albert Square), Birmingham (Centenary Square), Cardiff (Cardiff Castle) and Glasgow (George Square). They then loaded a mobile app onto their phones. If the geolocation of the phones matched what the app had been programmed to look for, it would display a ghostly image of a dress.

Google is finally beginning to tighten the screws on users of its Google Maps. Well, sort of. On October 26, the search giant said that, starting Jan. 1, 2012, it will begin charging $4 per 1,000 views through its Maps API—but only for Web sites that exceed 25,000 map-views in a single day. Because Google is only counting the initial map access in that 25,000, it should be pretty easy for retailers to calculate whether this change will cost them anything at all.

For many retailers using Google Maps just on “find a store” pages, that pricing pretty much wipes out any incentive to jump ship to Microsoft’s or Yahoo’s map offerings—changing and testing the code would probably cost more than paying the overage fee on a few busy days. (If you’re a heavier user, because you have Google Maps in logistics or other geotracking applications, you may want to consider your options.) The actual pain may be trivial this time around, but it’s still a reminder that free Internet services probably won’t stay free forever—even from Google, which really wants retailers to be its new best friends.

A QR code approach that will display different information—and initiate different actions—based on the purchase history of the person scanning it is being evaluated by Home Depot, Target and Macy’s, according to the CEO of the QR vendor that is trying to sell that system. This next-generation QR code tactic leverages tracking codes from the mobile phones to establish a customer history and thereby permit highly customized responses.

“At the scan, we get a certain amount of metadata as a result of the scan itself—operating system, carrier, cell tower being used, etc. We get all of that,” said Scanbuy CEO Mike Wehrs. “We know what that app has scanned in the past.” Indeed, Wehrs argues, the app can secure data from the QR code plus the phone plus online data accessed from a retailer’s loyalty card database. “If the app integrates with their CRM files, it can give a completely customized experience.”