Evan Schuman's StorefrontBacktalk

In-store automation gives and it takes away. On April 22, automation opened the doors of the biggest supermarket in Hamilton, New Zealand, at 8 A.M. local time—even though no employees were anywhere near the store, because the store was closed for Good Friday. When customers arrived, they were able to shop and even use the self-checkout without the help of in-store staff, at least until someone tried to buy liquor. Customers didn’t seem to notice the absence of store associates.

Automation is always about cutting out human labor, but just piling it on without fully integrating it into a store’s operation is bound to generate problems—in this case, potentially huge problems. No one actually backed up a truck to haul away everything in the store. But that depended on the goodwill and honesty of customers, which is not something any chain can count on.

A blind call-center worker on April 12 sued a Maryland county government over a job downgrade and pay cut after the county merged its non-emergency call centers but didn’t preserve screen-reading technology. Yasmin Reyazuddin, a multilingual information specialist, said she researched the necessary configuration changes after the county bought Oracle’s Seibel CRM system, but when she raised questions about the switchover she was demoted, moved to a non-call center job and told her pay would be reduced. She wasn’t even allowed to try the system to see if she could use it anyway.

Wait—there’s a call-center employee who’s already using assistive technology, is capable of researching whether the new system can be made accessible (according to Oracle’s documentation, it can) and is willing to look for a workaround for any problems. And that’s the employee IT can’t figure out how to accommodate in the project plan? That isn’t an employee you bury. You loan her to IT to figure out the cheapest way to get a screen reader working and then end up collecting good publicity instead of a federal lawsuit.

StorefrontBacktalk will launch its Premium Edition on April 18, just four days from now, on Monday. The reason we’re mentioning this again is to remind everyone that we are offering special 50 percent off pre-launch pricing. In other words, the exact same Premium service on April 18 will cost half as much on April 17. If you want to still have full access to all of our top stories (and all of the other goodies that come with the Premium subscription), doing it now is the cost-effective move.

Our site license options are also half-off during the pre-launch period (which has barely four days left). Our fear is that many readers will not focus on this until April 18, when they start running into firewalls when they try to read key stories and columns. And when they then subscribe, they won’t be able to take advantage of the pre-launch deals. The pre-launch deals were created specifically to give our long-time readers a break, so we want to make sure we do everything we can to remind everyone before it’s too late. To take advantage of our pre-launch deal, please click here.

The massive Epsilon E-mail data breach—which has sent to cyberthieves E-mail addresses from the files of Target, Best Buy, Kroger, Walgreens, Home Depot Credit Card, HSN, Marks and Spencer, New York & Co., Brookstone, Eddie Bauer, Ethan Allen, Fry’s Electronics and countless other retailers—may be what finally pushes chains to insist that PCI-like rules be applied to all corporate information and not merely payment data.

Epsilon is merely the latest in a series of publicized, highly embarrassing incidents for retailers where they are taking a consumer black eye for breaches, ethically questionable activities or gaping security holes that were entirely handled by third parties. Whether it’s supply-chain management holes perpetrated on a multi-billion-dollar retail chain, SEO efforts against JCPenney or data-backup screw-ups that crippled the American Eagle Outfitter’s site for eight days, retail IT execs are learning that as long as they are going to be blamed for what third-parties do in their names, they might as well take a much more active role in beefing up protection of all customer data.

With Wal-Mart now pushing wine kiosks on its customers, thanks to a favorable decision by the Pennsylvania Liquor Control Board, retailers that had been only casually thinking about it are preparing to move into the space. As a retail lawyer, Legal Columnist Mark Rasch says, “Wait!” Of the hundreds of types of kiosks out there today, none has anywhere near the legal liability issues that a wine kiosk does. Just a few of the issues include: age verification, determining whether the customer is already intoxicated, drunk-driving issues (what happens if in-store video captures someone buying and drinking wine and then the parking lot cameras see him driving away?) and records retention, along with some deliciously arcane laws involving alcohol sales in some states.

Wal-Mart’s initial move will include 23 Pennsylvania stores, using the state’s own self-serve wine kiosks. These kiosks have had mixed results, with some wine enthusiasts pushing back against the machines. But those are not legal issues and, believe me, these machines offer enough such issues to keep entire law firms gainfully employed.

RSA will have to replace all its SecurID fobs in the wake of the security breach the company announced on March 17. Why? Because no one at RSA knows exactly what the thieves took. Did the crooks grab source code that spells out SecurID’s secret hashing algorithm? You have to assume so. Did they get data on the seeds, which would allow a thief with the algorithm and lots of computing horsepower to duplicate any particular SecurID fob? Again, you have to assume so. And that’s enough to require replacing all SecurID fobs and starting over with new seeds.

But instead of trying to shore up the popular but aging SecurID system, there’s a better way for RSA to go: It could just publish the hashing algorithms and convert its SecurID users to mobile devices that could be updated on-the-fly at any time. That would eliminate all the advantage gained by the thieves who stole RSA’s secrets, while making things more secure for SecurID users.

As retailers move to embrace mobile commerce, there are debates about what types of analytics should be used for mobile and even whether mobile analytics—or any single-channel effort—is necessarily a good thing. Most retail IT leaders, including Home Depot’s Senior VP/IT and one of her counterparts at HSN, say that many chains are so early in their mobile thinking today that such debates are premature. “I think mobile is so young that we’re not sure yet. Our analysis is developing in that area,” said Home Depot’s Cara Kinzey. “And I think that retailers are behind, [with many saying] ‘We’re more concerned about sales and we’ll get to that later.’ Honestly.”

Sean Bunner, HSN’s Operating VP, echoed Kinzey’s sentiment. “It’s such an early channel to get so granular. There’s some overall trend stuff we’re more interested in, like ‘what category of merchandise are they purchasing?’ From what we’ve seen, mobile is significantly different than Web or, for us, TV,” he said. “But even within mobile, between mobile Web and apps. You see pretty significant shifts in categories, so we then have to get into CRM activity to see ‘Why is that?’ Do you want to merchandise that store differently?”

The U.S. Patent Office has sanctioned a way for retail associates to quickly approve large numbers of gift cards simultaneously, which can come in handy when a business wants 500 cards to give to employees. The question of whether such rapid transactions could open new security holes for the cards—already a favorite with cyberthieves—wasn’t addressed in the patent. The patent was announced Monday (March 7) by inventor First Data. Bizarrely, the government issued the patent some four-and-half months ago, on October 26. We’ve seen companies announce them right away, delay a week or so, or choose to not announce. But waiting four-and-a-half months was a new one.

The patent itself is fairly straightforward, in that the system assumes software will activate the group of cards by scanning (or keying in) the first card number, along with the number of cards sought. The patent spoke of variations of this approach: “The point-of-sale device can request a confirmation of the last number in the pack of cards. Thus the clerk can either swipe or hand key in the number of the last card that makes up the pack of cards,” the patent filing said.

How will mobile devices ever get PCI approval if retailers can’t lock them down? For that matter, how should IT feel about a vendor that reserves the right to reach into the mobile devices and make unannounced changes? What if the device is in the middle of a critical project at that moment? What if the act of removal causes some unexpected system crash? Those are some key questions in the wake of Google’s announcement on Saturday (March 5) that the search giant is remotely removing a group of malicious apps from Android-based smartphones and tablets—and without any prior warning to users.

Google has reached into users’ mobile devices at least once before to delete apps in the name of security. Most users may not mind—certainly not as much as, say, Amazon reaching into their Kindles to delete mistakenly published e-books. But for retailers that want to use an Android device as a point-of-sale unit, the ability of a vendor—or any outsider—to modify the device by long distance could make getting a QSA’s approval impossible.

Can a retailer (or even a service provider) move its payment applications to the cloud and maintain PCI compliance? PCI Columnist Walt Conway believes the answer to this question is yes, it is possible to be PCI compliant in the cloud. Neither validation nor compliance will necessarily be easy, and success is not guaranteed, but achieving both is possible. A better question, though, is how can a merchant implement a payment application in the cloud be both PCI compliant and secure?

Achieving PCI compliance in a cloud-based environment will involve some intense negotiations between the merchant and its cloud provider. If a merchant is neither willing nor able to dig into the details and maybe do a little arm wrestling with its provider, moving a payment application to the cloud is not for that merchant. Negotiating a detailed, comprehensive service level agreement (SLA) will be perhaps the most important single step to achieving PCI compliance in the cloud. But before you can even begin to develop an SLA, a merchant needs to understand who does what. That is, the first thing you need to know is which services will be provided by the cloud provider and which are the merchant’s responsibility.

Buried in the various legal filings of a shareholder fraud lawsuit against footwear maker Crocs is an intriguing look into how routine IT operations and discussions can quickly become very public and seem really bad. The case, which US District Court Judge Philip Brimmer dismissed on Monday (Feb. 28), told tales of a new IT chief whose software recommendations were treated by senior management “dismissively.” Also mentioned was inventory and forecasting software that was “archaic,” “primitive” and “hopelessly error-prone” and financial reporting software that consisted of “obsolete, unsuitable tools.” And almost all of it involved the manufacturer’s interactions with retailers.

The IT issues—which Crocs apparently did not dispute—never played a crucial role in the arguments, with the judge throwing out the case because he said the shareholders couldn’t prove that senior management lied about these matters. That said, it’s educational how close a linkage the shareholders drew between routine IT issues and critical financial shortcomings. Excel spreadsheets, for example, were blamed for product shortages and surpluses.

Starting April 18, StorefrontBacktalk will launch a whole new range of Premium features, including special monthly reports, exclusive private discussion groups (CIO-only, franchisee-only, CFO-only, etc.) and Premium-only access to StorefrontBacktalk‘s top stories. Best of all, readers who subscribe to the Premium edition before it launches on April 18 will get a 50 percent discount on the subscription price—locked in for the first year.

The majority—if not the vast majority— of recent StorefrontBacktalk stories will still be available to read for free. So will our highly moderated discussion forums, which won’t waste your time with spam and vendor pitches. But readers who aren’t Premium subscribers will only be able to see the very beginning of Premium stories and columns—and they won’t have any access at all to the Premium forums, private discussion groups, monthly reports or the archives of StorefrontBacktalk stories that are more than 30 days old.

The reader discussion part of StorefrontBacktalk has always been crucial to us; it’s a critical part of the sense of community we want to create. Ideally, this function is less about what our writers have to say to you, the readers, and more about what you have to say to each other. That’s why we’re introducing today our StorefrontBacktalk-style discussion forums: “Beyond The Story.”

It’s called Beyond The Story because our discussion forums thus far have been limited to comments on individual stories. And we policed those comments strictly, making sure that they were indeed about the story they were attached to and that they were non-promotional, non-offensive and respectful. (Well, as respectful as IT professionals debating RFID, PCI, CRM and Mobile are likely to get. We don’t seek miracles here.)

The last thing an alternative mobile payments vendor needs is to discover that someone else holds the patent to key technology. In the case of Square, the alternative payments vendor with the little card-swiper that plugs into an iPhone, it’s worse: Square’s founders are now in the early stages of a lawsuit over a patent for technology they not only thought they had invented but for which they actually paid the filing fee of said patent, which actually ended up with someone else’s name on it.

That’s definitely not the kind of problem any retailer wants when it comes to payments processing. You expect that a startup will have to build a customer base, service infrastructure and even technology from the ground up. None of which is easy. But Square’s story turns out to be one that mixes friendship, betrayal, electronics, glass blowing, legal shenanigans and Rashomon-like conflicting stories. In short, way more drama than retailers want from a vendor, even one with interesting technology and the promise of cutting the cost of payment-card processing. When it comes to payments, boring would definitely be better.

Sometimes the oldies really can make a comeback. For some reason, thieves are now increasingly using the 40-year-old text-based Telnet protocol to attack corporate servers, according to network-services vendor Akamai, whose retail customers include Amazon.com, Best Buy, JCPenney and Staples. Akamai says Telnet now represents the second-heaviest level of Internet attack traffic—and the Telnet attacks are still growing.

This sort of retro attack (it’s like the Pong of computer break-ins) would be charming, except that it’s growing rapidly. A year ago, almost no attackers used Telnet. But by the third quarter of 2010 (the last period for which Akamai has released data), Telnet attacks had jumped to one out of every six attacks.

Pricing mistakes are still the bane of E-Commerce, and now Target seems to have come up with a much more efficient way of creating them. Last Sunday (Jan. 16), Target began offering a Sony PlayStation 3 (list price: $350 to $500) for $39.99 on both Target.com and the retailer’s Amazon store. What’s interesting, though, is how the foul-up appears to have happened. It looks like there really was a new product Target intended to sell. But instead of creating a new page for that product, a Web site designer decided to modify an existing page—and before that new page was completed, it somehow hit the sites.

The clues are in the mismatched description on Target.com for the product, which the small print describes as the “PlayStation Move sharp shooter.” It turns out there is a new add-on for the PlayStation with that name. According to Sony, its list price is $39.99 (which matches the Target.com page) and it is scheduled to be available in February (which matches the description on Target’s page that reads, “Arriving soon! Order now for shipment in 2 to 4 weeks”).

The $44 billion 3,900-store Sears chain has one of the lengthiest histories of any major U.S. retailer. But given how long its stores have lasted, its latest CIO’s tenure lasted not very long at all.

Timothy Kasbe, a celebrated IT exec who arrived at the chain in February 2009 after having served as the CIO of India’s largest retail chain, quietly left the company early last month. Very quietly.

As we enter the holiday season, it seems like a good time for StorefrontBacktalk PCI Columnist Walter Conway to put together his holiday PCI wish list. Unlike most lists you may receive, he is targeting each of his wishes to a particular party. And because it seems like a shame to exclude anyone, his PCI wish list includes card brands, trade associations, certain retailers and, of course, the PCI Security Standards Council itself.

Walt’s first request is for the PCI Council to publish a full, one-year schedule of training sessions. The Council’s training programs are excellent. Because of that, they are very popular and fill up quickly. As of this writing, the Council has not yet posted future training classes on its Web site. When that list is posted, Walt’s wish is that it be a complete schedule for all 2011 courses.

Think cloud computing will solve the problems of overloaded E-Commerce sites? Not necessarily. The Web site of U.K. grocery giant Tesco on December 5 ground to a halt after a surge of customers tried to take advantage of a loyalty-card promotion. But that surge wasn’t unanticipated; just days before, Tesco had said that cloud services provider Akamai would be offloading 90 percent of the load—to make sure nothing would go wrong. That didn’t exactly work: When the Web site crashed, customers turned to the call center and clogged it, too.

The ability to quickly scale up processing power is one of the chief attractions of cloud computing, and there’s no doubt it works in at least some cases. For example, Amazon’s ability to ramp up capacity via the cloud doesn’t just keep the E-tailer rock solid during the holiday peak; it also probably keeps it going in the face of denial-of-service attacks. Still, getting everything in the cloud working correctly to handle a sudden surge isn’t as easy as cloud boosters make it sound—and Tesco is Exhibit A.

The PCI Security Standards Council, as expected, has officially declared it will not sign off on any mobile application for quite some time. If it helps, the Council added that mobile “will be a key focus for the Council in 2011.” (Unfortunately, the PCI statement didn’t note how many key focuses the Council plans on having next year.)

“Until such time that it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape,” the statement said, “the Council will not approve or list mobile payment applications used by merchants to accept and process payment for goods and services as validated PA-DSS applications unless all requirements can be satisfied as stated.” This statement comes on the heels of a column by StorefrontBacktalk’s PCI columnist Walter Conway in which he described this as the Council’s position and noted it is permitting—encouraging?—acquirers to fill the void and approve payment applications on their own and then offer them to their merchants.

A Chinese RFID manufacturer has started shipping RFID tags designed to look—and apparently function—as real buttons. They also can be washed with no harm to the sealed RFID mechanism.

However, by fueling the fears of every anti-RFID privacy advocate, these faux buttons may do far more harm than good. To be fair, these may not be faux buttons, in that they may actually function as buttons. In which case, they’re not faux: They’re Trojan horses. But in this version of the classic Trojan War tale, the soldiers inside the horse might turn around and attack their retail Greek creators.

Target on Tuesday (Nov. 9) issued a chain-wide software patch to theoretically resolve a three-and-a-half-month-long coupon-scanning nightmare in which consumers were often given a small fraction of the promised discount. But that was only after it ordered cashiers that weekend to manually review all paper coupons, a move estimated to cost the chain as much as $5 million in additional labor costs alone.

As part of the ordered manual review, Target shut down its POS Cashier Speed-O-Meter devices to accommodate the additional time for the manual reviews. That review will cost the chain between $2 million and $5 million in additional labor costs, said IHL President Greg Buzek, who calculated that fee based on an additional minute for every transaction and the number of stores and checkout aisles that Target is using, plus Target’s efforts to add more people to keep the lines moving.

As much as E-Commerce and Mobile Commerce are all about taking the in-store experience and making it better (easier, faster, cheaper) and perhaps creating a few experiences that are uniquely digital, digital sites are almost always more comfortable selling physical goods. That’s true even for entirely digital operations, such as Amazon’s Kindle.

That’s why the announcement from Kindle that it will, “later this year,” introduce “lending for Kindle” is so potentially significant. The concept is a direct steal from the physical world. A person who purchases an e-book can loan someone a copy of that book, with restrictions. If a consumer today buys a book from a physical store, that consumer owns that book and is therefore free to sell it to someone else, for whatever price the market will bear. Instead of prohibiting that in the digital world, why not encourage it, albeit for a cut.

The CIO of $2 billion shoe chain DSW is putting out feelers for a senior retail IT manager, one whose background focuses on applications (not infrastructure), merchandise planning distribution, allocation and logistics.

Background in “store systems would also be interesting” for this position, said DSW CIO Carlos Cherubin. “This is a new position, born of the fact that our organization is growing,” he said, referring to its current 210-person IT operation (internal IT staff of 170 plus about 40 IT contractors). “We’re a 200-person shop day-to-day,” Cherubin said.

One of the most frustrating truths in retail security is that, by definition, it has no meaningful return on investment—at least not in the sense that CFOs and board members view ROI. There’s no chance at improving revenue or profit; at best, it’s risk avoidance. Even that’s dicey. If security is in place, how do you really know that you would have been breached otherwise?

One way to squeeze out ROI: Flip an unsexy security expense like PCI by upgrading to a POS system that also moves lines faster or displays ads while customers are waiting. Or what about training cashiers to encourage debit-card users to key in their PIN—thus improving security and reducing the cost of card transactions at the same time? We explore these and other ideas in the latest StorefrontBacktalk podcast on security. To listen to the podcast, please click here.