StorefrontBacktalk

Could Chat Transcripts Be Security Minefields?

Evan Schuman — Thu, 02 Sep 2010 09:41:11 +0000

When Rite-Aid and Walgreens both announced pharmacist chat programs last month, they were the latest chains to try and use chat to get closer to their customers. But, ironically, the preservation of chat discussions of super-sensitive patient medical history may prove a very serious threat to security.

It's ironic because both chains are taking substantial steps to secure the access to confidential patient data, but neither is specifying steps to protect transcripts of that very same data. Imagine forcing call center employees to comply with all PCI rules regarding not preserving prohibited payment card data and then allowing them to write down all of that data in plain-text files that are then transmitted to consumers (who are unlikely to protect them) and saved in the chain's files.

How Far Should Check-In Mobile Apps Go?

Evan Schuman — Thu, 02 Sep 2010 09:32:45 +0000

At Sports Authority stores, consumers looking to win points by checking in at the store can go one better and earn more points by performing specific actions, such as trying out a particular golf club. It's one of the farthest reaching mobile trials thus far, but can it go much further?

What if the actions were associated with the customer and the product so that the retailer could offer a lot more points if the customer purchased the incentivized product within XX days? The POS could note the customer ID and know to watch for specific products. When a match happened, the points would be automatically issued.

Google’s Latest Social Search Falls Far Short Of What Retailers Need

Evan Schuman — Thu, 02 Sep 2010 09:24:01 +0000

Among the most frustrating data-analytics facts in retail today is that the goldmine of customer data locked in social networks is virtually untouchable because of the way the data is structured.

Think about it: millions of customers and prospects post their innermost product thoughts on Twitter, Facebook, Youtube and the blogs of themselves and their friends. this info is free and often visible to all. But how do you take that data and match it to specific customers/prospects so that the data can be acted on? That's the untouchable part.

Mobile Web Performance Erratic At Best: Nordstrom, QVC Good; Levi, REI Bad

Frank Hayes — Thu, 02 Sep 2010 09:15:28 +0000

Just how out-of-control does mobile commerce get when you're creating M-Commerce sites for different smartphones on different carriers? Pretty wild, according to the numbers from a new survey of retail M-Commerce sites by Web-metrics company Gomez. The best sites (Petco, QVC, Nordstrom) perform consistently well; the worst (Levi Strauss, REI, American Eagle Outfitters) always have mediocre availability. But in between, it's chaotic: Content that shows up in seconds on one phone can take half a minute on another, and a site that's 99 percent available on one carrier can drop to 89 percent on a different one.

Tuning E-Commerce site performance for multiple browsers is an old problem, of course. But programming is just the beginning of the mobile performance problem. It also depends on smartphone hardware, which varies widely in horsepower, and mobile carriers, whose performance can change dramatically if a user moves literally just a few feet away. That makes the puzzle hugely more complex--at a time when retailers can't afford to avoid that complexity.

Mobile Cannibalism: Get Used To It

Evan Schuman — Thu, 02 Sep 2010 09:01:07 +0000

With several major retail mobile sites starting to yield significant traffic and/or sales--Pizza Hut's iPhone app, for example, is about to pass the 2 million download mark--senior execs at various chains are grappling with what should be expected of the telephone terminals, what Lily Tomlin's Ernestine the switchboard operator might have called Ringy Dingy Revenue.

What is a realistic near-term goal? Is it to generate true additional revenue or is it acceptable--initially, at least--to simply shift purchases from Web to mobile? Moving from revenue to the much-beloved profit margin, is it possible to say whether mobile or Web has lower operational costs?

North Carolina’s E-Tail Amnesty Program Rejected By 94 Percent

Evan Schuman — Thu, 02 Sep 2010 08:50:21 +0000

In the latest saga of North Carolina’s attempts to get sales tax revenue from E-tailers–its battles with Amazon are nothing if not creative–the state offered tax amnesty to 450 retailers, if they cooperated. Only 27 accepted the offer, which is barely 6 percent of those approached. Those 27 “represent a variety of large national and smaller specialized retailers,” said Beth Stevenson, the public information officer for North Carolina’s Department of Revenue.

The deal was simple. If the retailer agreed to collect North Carolina’s taxes for four years, the state would agree to not “assess tax, penalties or interest” and “to not exercise its authority to obtain consumer information from the retailer to collect a tax liability.” I’m stunned that more retailers didn’t leap at the offer. I’m really curious as to which national chains agreed to this proposition, as it would almost certainly force them to also pay taxes to every other state. Then again, if the chain’s participation stays secret, the other states wouldn’t know and it couldn’t be used against the retailer.

Bad Week For Global Security

Evan Schuman — Thu, 02 Sep 2010 08:44:21 +0000

This was a bad week for non-U.S. security managers. On Monday (Aug. 30), Australia’s Commonwealth Bank proudly issued a news release that said “In an Australian banking first, Commonwealth Bank today announced increased protection for customers shopping online with the introduction of NetCode SMS or token–a one-time password” and that “It provides customers with a convenient authentication check-point and increased security.” It proved secure, all right. Not only did it reject fraudulent transactions, it rejected legit ones, too. Can’t be too careful these days. The problem was reportedly fixed by the end of the day.

Meanwhile, German pharmacy chain Schlecker accidentally made available on its site the names, addresses and profiles of about 150,000 customers. The Daily Bild quoted an unidentified chain spokesperson saying that “the mistake had been not Schlecker’s but rather had been made by an external service provider. The paper said “first and second names, the addresses, genders, E-mail addresses and customer profiles were all accessible. A further 7.1 million E-mail addresses of customers receiving the firm’s newsletter were also available.” Added the spokesperson: “We are in close contact with our service provider.” My guess is that, from the service provider’s perspective, it might be a little too close for comfort.

Staples, Office Depot, OfficeMax Are Sued For Their Web Sites—And Much Of The Rest of E-Tail Could Be Next

Frank Hayes — Thu, 02 Sep 2010 08:37:10 +0000

Staples, Office Depot and OfficeMax are standing in for the rest of the E-tail world in a lawsuit filed last Friday (Aug. 27). The office-supply giants are being accused of illegally using patented technology in their Web sites--though it's not clear what features of the sites are violating the law. The suit, filed by a company Microsoft co-founder Paul Allen owns, also names E-Commerce companies eBay and Netflix, along with search engines Google and Yahoo, social networking sites Facebook and YouTube, and Apple and AOL.

Retailers aren't usually hit with patent lawsuits. Those are usually reserved for manufacturers, although the ways retailers handle debit cards, gift cards, micropayments and site accessibility have attracted litigation in the past. This time, though, it's their Web sites that have the office stores under legal attack. But there's nothing special about these Web sites that make them dramatically different from other large E-tailers. That means if these retailers lose in court--or settle the case--every other major retailer will soon be looking down the barrel of the same legal gun.

In New York, One-Third Of Grocery Price Scanners Fail

Frank Hayes — Thu, 02 Sep 2010 08:28:26 +0000

Nearly one-third of checkout price scanners in New York City grocery stores are inaccurate. That's one of the findings reported this month (August 18) by the city's Department of Consumer Affairs after a year-long inspection sweep of supermarkets. The bad scanners were in grocery stores ranging from small independents to major chains, although ironically the smallest convenience stores--what New Yorkers call "bodegas"--actually had fewer problems than full-service grocery stores.

Sometimes it's hard for IT to demonstrate cost and value to retailers in hard dollars. This isn't one of those times. A faulty scanner costs money when it's caught by a city inspector--as much as $700 per scanner. That's on top of fixing the scanner and whatever extra time is required when checkers have to key in prices by hand.

Visa Raises The Bar For PA-DSS Applications And Vendors

Walter Conway — Thu, 02 Sep 2010 08:07:08 +0000

PCI Columnist Walt Conway asks, do most retailers know that the people who wrote their payment applications have criminal records and that the reseller actually knows this? Also, do chains realize they can implement tokenization without paying for an expensive upgrade? Visa does, and the company spelled it all out in its recently issued Top 10 Best Practices for Payment Application Companies.

This document should be required reading for retailers. Although it is aimed at software developers, resellers and system integrators, the document has just as much relevance for any merchant who uses a third-party payment application (which is just about all of them). What Walt hears Visa telling retailers is: "You should expect more than just a PA-DSS validation." And the result is, everybody benefits, including smart vendors and resellers (who now have a basis to differentiate themselves) and their merchant customers.

Franchise IT: The Movie

Todd L. Michaud — Thu, 02 Sep 2010 02:43:09 +0000

Franchisee Columnist Todd Michaud has decided to write a Disney movie script for a new science-fiction thriller called Franchise IT. This movie will be a twist on the movie Inception, where the hero (CIO) must navigate a complex maze within three different universes simultaneously in an effort to save the world. The first level is "Enterprise IT," the second level is "Brand IT" and the third level is "Franchisee IT." Just like in the movie Inception, the hero has to solve a series of interrelated puzzles at multiple levels (a dream within a dream within a dream), or everything is going to blow up. It's going to be Epic!

Sure the Social Network movie about Facebook has the guy from Saturday Night Live and Justin Timberlake in it. Big deal. Franchise IT will have suspense (Will he be able to upgrade the 15-year-old POS in time for the new gift-card program?), explosive confrontation (Will the spitting-mad, screaming franchisee break our hero's resolve and send him home crying?), betrayal (A surprise corporate restructuring threatens everything) and drama (Caught in a battle between a slow-moving, out-of-touch governing council and an advanced, aggressive European organized crime ring, can he survive?). The tagline will be: "You don't sell 500 million sandwiches without dicing up a few CIOs."

The Danger Of Assuming Perfection

Evan Schuman — Thu, 26 Aug 2010 09:36:36 +0000

In last week's lead story, PCI Columnist Walter Conway wrote a hard-hitting column questioning whether--under very limited circumstances--carelessly used encryption might actually weaken a retailer's data security. In security circles, it's heresy to question encryption and, predictably, the emotional reaction to the column was intense.

It's not often that people challenge our technical conclusions while simultaneously questioning the marital status of our mothers. The column suffered from one key technical error, questioning how easy it would be to extract clues to an encryption key from encrypting the short payment card expiration date field. Walt admitted that error--and explained the context--in his column this week. (By the way, if anyone else wants to yell us at, this week has a column from Frank Hayes that questions the very premise of security passwords. Gluttons for punishment we be, a rare breed of journalistic masochists.) But there's a bigger issue at play here, a long-standing technology frustration beneath the emotions.

Encryption Implementation Really Matters

Walter Conway — Thu, 26 Aug 2010 09:26:27 +0000

PCI Columnist Walt Conway wants to withdraw one point from last week's column while reinforcing the rest. To suggest that the key could be derived from encrypting too small and easily guessable a field was wrong. But the essence of the concern is that properly configured systems would not be vulnerable to this type of attack. How many retail chains do you know that who have properly configured security systems?

Retailers looking to purchase a product rather than develop one in-house have to be equally thoughtful. They should make sure the software vendors providing their POS applications have experts on cryptography as part of their development teams. It's not enough to ask what algorithm or key length the POS uses or even to check that the application is on the PA-DSS list of Validated Payment Applications without understanding the operational implications of how that application handles cryptographic functions.

Kill All The Passwords

Frank Hayes — Thu, 26 Aug 2010 09:13:43 +0000

It's time to kill all the passwords. That's the only real conclusion to draw from the work being done by Georgia Tech Research Institute researchers, who are using off-the-shelf graphics-processing cards to crack passwords by brute force. The time required to break an eight-character password: two minutes. A seven-character password--the minimum currently required by PCI-DSS for retailers to protect stored payment-card information--goes in seconds. One of the Georgia Tech researchers, Richard Boyd, called seven-character passwords "hopelessly inadequate."

In short, password security is no longer security. The clock isn't just ticking on every retailer's favorite cheap authentication scheme, it has run out. The answer isn't longer passwords; that's just a stopgap, and even if it works, it won't hold for long. Maybe Chip-and-PIN employee ID cards would do the trick. Even a mag-stripe-and-PIN approach could work. But whatever replaces passwords has to be cheap. And it must have a reasonable chance of keeping the bad guys away from information such as card data.

Apple Taking Privacy Concerns To Heart

Evan Schuman — Thu, 26 Aug 2010 08:31:12 +0000

While retailers debate mobile geolocation efforts and the resulting privacy implications, Apple's Patent people are preparing for the battle after the arguments have died. On Thursday (Aug. 19), the U.S. Patent Office made public an Apple patent application that, among other things, uses a consumer's heart rhythms to not only confirm that person's identity but analyze vibrations to determine the kind of transportation that person is likely using.

And here’s a passage that’s sure to capture the attention of privacy advocates everywhere: “The photograph can be taken without a flash, any noise or any indication that a picture is being taken to prevent the current user from knowing he is being photographed. As another example, a recording can be taken to capture the current user’s voice through, for example, the microphone. The recording can be taken when the current user makes a phone call with the electronic device. In some embodiments, the electronic device can record any voices or sounds that are detected, regardless of whether or not a phone call is being made.”

Still More Of The Dumbest Wireless Security Errors

Frank Hayes — Thu, 26 Aug 2010 08:01:27 +0000

Wireless security isn't really a contradiction in terms. But you wouldn't always know that from the ridiculous things some retailers have done when deploying wireless networks. Still, retailers aren't alone when it comes to being foolish or careless with Wi-Fi. Wireless security insanity goes well beyond traditional product movers.

From sports teams and cruise lines who ran their wireless networks wide open because they didn't know any better to a hotel that didn't offer Wi-Fi service but still got compliments from guests happy with the new hotspots, we look at some of the most bizarre wireless security efforts in the second of two StorefrontBacktalk podcasts on worst practices in wireless security. To listen to the podcast, please click here.

Stop Making Friends And Start Making Money

Todd L. Michaud — Thu, 26 Aug 2010 07:49:41 +0000

Franchisee Columnist Todd Michaud can't help but smile when he reads polls about how many companies are experimenting with social media. Responses along the lines of, "We are trying different social media tactics but have not landed on a solid strategy," tend to be the most popular answer. Can you imagine a CIO making the statement, "We are playing around with ERP to see if we can build a business case"?

The world is moving to an open, sharing, social platform at a lightening pace. As a result, people behave differently today than they did yesterday. How have your sales and marketing strategies adapted to this change? What if you could provide incentives to customers to entice their social graph to visit the location (receive 10 cents on your loyalty/gift card for each of your friends who checks in)? Laugh if you will, but I believe the restaurant industry will see multi-level marketing become a large part of its business in the next three to five years.

Sam’s Club’s Wi-Fi Struggle

Evan Schuman — Thu, 26 Aug 2010 07:39:05 +0000

When Wal-Mart's Sam's Club said this month that it was going all-Wi-Fi-all-the-time, it renewed the debate about where to draw the restriction line when doling out bandwidth to consumers. Sam's Club is now confirming that it has quietly--and expectedly--put in customer limits (partitioning its network) to strike that balance.

The chain is dealing with that balance in several ways. To minimize the risk of consumers placing "inappropriate content" on large-screen TVs on display (not sure what they'd consider more offensive: porn or setting the homepage to Costco), content control will stay with store associates. Sam's Club didn't want to "unleash content onto TVs that we didn't have control over," said Scott Benedict, the chain's senior electronics buyer. "We wouldn't want content coming over the TVs that was inappropriate."

New Gift Card Rules Will Make That Plastic Even More Of A Hot Potato

Evan Schuman — Wed, 25 Aug 2010 08:57:13 +0000

When the U.S. Federal Reserve's new gift card rules took effect on Sunday (Aug. 22), it made severe changes to when gift cards can expire and even more severe changes to when the money on those cards can expire. These changes could prove problematic for retailers who have stockpiles of cards with the old wording. But those headaches are trivial compared to what their IT counterparts, who need to incorporate the new accounting rules for existing and new gift card accounts, will face.

The new rules apply to activity as of Sunday, which means that the millions of cards already in circulation must be handled differently until they're all gone.

More M-Commerce Proof, From China: $4.4 Billion In Mobile Revenue Last Year

Evan Schuman — Wed, 25 Aug 2010 08:18:58 +0000

As retailers plunge ahead with Mobile-Commerce plans, they are continually looking for market evidence that there’s gold in them thar hills. Anything to appease corporate’s comically relentless search for ROI proof, whether it’s realistic or not. Late last month brought Amazon’s boast of $1 billion in M-Commerce revenue. That was great for starters, even though a lot of the sales were for e-books and Kindles and other especially M-Commerce-friendly purchases. Still, a billion dollars is a billion dollars.

Today, from China, we have a new stat that’s almost four-and-a-half times better. China’s Union Mobile Pay is reporting an M-Commerce sales volume equivalent to $4.4 billion U.S. (30 billion yuan, which is about 3.1 billion euros), according to a report Tuesday (Aug. 25) from PaymentsSource. That service also reported 140 million registered users, as of the end of last year. There are always caveats, and it should be said that China is a much more mobile-payment friendly country, that the infrastructure has fewer obstacles (with government blessing) and that mobile is sometimes the only viable payment method accepted by some Chinese merchants. But $4.4 billion? That’s hard to dismiss with even a billion caveats.

Nordstrom Merges Online And In-Store Inventory

Frank Hayes — Tue, 24 Aug 2010 08:48:54 +0000

Nordstrom might be the last retailer you’d expect to worry about slugging it out with competitors online for customer service. The tony $8.6 billion chain also doesn’t have a reputation for tech wizardry. But when Nordstrom unveiled its redesigned Web site last Saturday (Aug. 21), it also spotlighted a feature that the retailer quietly began offering in September 2009: merged online and in-store inventory systems. As a result, a customer buying through any Nordstrom channel has access to products that happen to be in any store or online warehouse.

That fully merged-channel inventory system took four years of work to become a reality, according to Nordstrom spokesman Colin Johnson. The process started with breaking down organizational silos and laying the foundation, then moved to creating a single view of inventory and finally layered the brick-and-mortar store inventory view on top of the online inventory system. That explains why multichannel commerce seems like such a slow slog for most retailers today: It really does take years. Considering that Nordstrom’s in-store approach of pampering customers can’t be replicated online, the retailer was wise to start the march early–and arrive first.

Telecom, Banks Starting Various M-Commerce Trials

Evan Schuman — Tue, 24 Aug 2010 08:37:40 +0000

Disparate mobile-payment-related moves from Bank of America, US Bancorp, Verizon and Visa this month show a continuing shift to mobile payment from key telecom and financial players. The moves are not aligned, which shows the type of multiple experiment efforts typical at the start of a major channel. Bank of America and Visa are beginning a mobile contactless payment trial to run from September through New Year’s Eve in the New York metro area, with an identical trial at US Bancorp slated to start in October.

An unspecified number of consumers in the trials will be provided with contactless chips to insert into their phones. The problem with those trials is it’s likely testing the wrong things. Few have questioned whether the payments will work. The issue is whether consumers will bother to make contactless payments. People chosen for these trials will be much more likely to participate, so it’s not clear what they will prove. The Verizon trial comes in the form of a $400,000 investment by Verizon in CardStar, which consolidates CRM and membership cards in a phone, according to The Wall Street Journal.

Mobile RFID Reader Shortage?

Evan Schuman — Mon, 23 Aug 2010 08:12:04 +0000

Everywhere else in the world, the cliché is “When it rains, it pours.” But for retailers now focusing on RFID projects, a more apt phrase would be “When it rains, it’s a drought.” That’s because a major financial investment firm is reporting a sharp mobile RFID reader shortage. The cause: lots of RFID projects, with Wal-Mart’s 20,000-unit-order leading the way.

The report comes from investment firm Robert W. Baird & Co., according to SupplyChainDigest. Beyond Wal-Mart, the reasons cited were “supply constraints that have lasted for months in basic electrical components that have caused delivery problems in a wide number of high tech gear, including mobile devices”; a 23,000-customer order from a European logistics company; and the recent leap in popularity of mobile–versus fixed–RFID readers. “A quick check at ScanSource, a distributor that sells exclusively to other resellers and VARs, showed about half of the models of Motorola 9090-G mobile RFID terminals were in-stock, and the other half showing as ‘call for availability,’” the story said. RFID: Can’t live with it, can’t live without it.

Heartland Self-Inflicts More Data Breach Injuries

Evan Schuman — Thu, 19 Aug 2010 08:49:01 +0000

Heartland Payment Systems again finds itself in the glaring light of a data breach probe, but this time, the injuries are almost entirely self-inflicted. The incident in question is the Austin, Texas, data breach of several hundred payment cards from a four-location Greek cafeteria—which one Austin detective said crafts a terrific baklava—that happens to use Heartland as its processor.

A preliminary investigation by the Austin Police Department Financial Crimes Unit—which knows its way around credit card theft—ruled out a skimming attack against Tinos Greek Café. That placed the attention on a database of the cards used at Tinos, either in Tino computers (just PCs) or at Heartland, said Sgt. Matthew Greer of that financial crimes unit.

Gap In Huge Global E-Commerce Rollout

Evan Schuman — Thu, 19 Aug 2010 08:43:55 +0000

On paper, global expansion limited to E-Commerce sites should be light-years easier than doing it with overseas brick-and-mortar locations and employees. In reality, not so much. It's certainly easier. But with tariffs, taxes, postal codes and local customs, delivering a seamless and fully integrated experience is next to impossible.

Gap, along with its Banana Republic, Old Navy, Piperlime and Athleta brands, announced August 12 plans to move from a site supporting one country to one supporting 65 countries by the end of December. The $14 billion chain is tackling the expansion with two parallel efforts: It's going to build its own physical fulfillment centers in both Canada and the U.K., in addition to crafting dedicated customized E-Commerce sites for those two countries; and it's using a vendor to add a small Flash module to replicate local checkout.

What Is POS Menu Decay, And How You Can Avoid It?

Todd L. Michaud — Thu, 19 Aug 2010 08:36:40 +0000

At one time, changing a button on a cash register involved Wite-Out and a pen. Today, it's one of the most complex of the processes that need to be managed on a day-to-day basis. This "simple" little thing requires people from supply chain, operations, marketing, research and development and, of course, IT to make it happen correctly.

A poor decision now can easily mean the difference between "easy to maintain" and "get me the hell out of here" within a few short months, pens Franchisee Columnist Todd Michaud. The key is to think through the long-term impacts carefully before making a short-term decision. First, consider the operational flow of the cashier. How does the cashier interact with the customer, and how can the register's menu and button layout be done in a way to make that interaction as simple and efficient as possible? What screens will the button appear on? What will its size and color be? Will there be an image?

The Dumbest Wireless Security Errors

Frank Hayes — Thu, 19 Aug 2010 08:28:56 +0000

For years, chief security officers have viewed wireless security as a contradiction-in-terms punchline. But with PCI rules clamping down and cyberthieves sniffing around for whatever holes they can find, wireless security has stopped being funny. Still, either through ignorance or carelessness, many retailers have been caught doing some pretty ridiculous things when deploying wireless security.

From a gas-station chain that tested security by calling the attendants to ask if rogue devices were attached to a grocery chain that tried to scare off hackers by using extra-long SSIDs, AirTight Networks' Anthony Paladino has seen more than a few absurdities in his efforts to plug wireless leaks. He talked about them in the first of two StorefrontBacktalk podcasts on worst practices in wireless security. To listen to the podcast, please click here.

Too Much Encrypt = Cyberthief Gift

Walter Conway — Thu, 19 Aug 2010 08:06:43 +0000

Encrypt every part of your payment data and you may be giving your least favorite cyberthief a beautifully wrapped gift. That's the secret dare not spoken aloud by security advocates, and it was hinted at--albeit obliquely--by the PCI Council in its latest update.

Although it can be considered cryptographer heresy to suggest that encryption is ever a bad thing, if it's applied to certain fields, encryption may actually sharply undermine security by making it much easier to break the encryption key. And when that happens, pens PCI Columnist Walt Conway, the whole gig is up.

PCI New Rules: Reading The Tea Leaves

Walt Conway and Evan Schuman — Thu, 19 Aug 2010 07:56:27 +0000

When the PCI Council periodically sends out sanctioned teases about an upcoming version, the fun part is the tea-leaf-like reading of its deliberately vague hints. And the Council has offered us quite a bunch to choose from, including "expanded definition of systems components to include virtual components," "recognize that issuers have a legitimate business need to store sensitive authentication data" and the especially intriguing "update requirement to allow business justification for copy, move and storage of CHD during remote access."

The most powerful change from the hints was a warning that too much encryption may actually weaken network security. (See this week's PCI column from Walt Conway.) But let's delve into some of the more mysterious and intriguing elements first.

Is Barnes & Noble’s Fear Of iPad Competition Stunting Its M-Commerce Effort?

Frank Hayes — Thu, 19 Aug 2010 01:23:04 +0000

Mobile Commerce is just beginning to demonstrate how tricky it can get. On Tuesday (August 17) Barnes & Noble announced new versions of its free e-reader app for the iPhone and iPad. The app has most of the features of Barnes & Noble's Nook tablet e-reader. But one feature is notably absent: the Nook's ability to let users read anything in Barnes & Noble's electronic inventory when the device is inside one of the book chain's 723 stores.

That Nook feature, which Barnes & Noble calls "Read in Store," doesn't just allow customers to browse whatever they want in the store. It also allows the retailer to track each customer's browsing habits to the second -- and to the page. That's a potential gold mine of data for feeding recommendations to customers as well as managing dead-tree inventory. And because "Read in Store" has turned out to be very popular with Nook-using customers, Barnes & Noble knows there's a demand for the feature--and a lot of customer data to be acquired from it.

eBay’s First-Ever Rewards Program Offers A Bit Too Much Honesty

Evan Schuman — Tue, 17 Aug 2010 08:15:01 +0000

In the 15 years since Web pioneer eBay began, the E-tailer has never bothered to have a rewards program. That changed on August 13, when it unveiled a 2 percent rebate on “most items purchased through the site with PayPal.” Although the size of the rebate is certainly modest, eBay may have let a wee bit too much honesty show through in its statement.

“We’re giving eBay’s most loyal shoppers something special in return–money to spend on eBay,” said Lorrie Norrington, president of eBay Marketplaces. Hey, the truth is the truth. We’re simply used to marketers dressing it up a bit more. Then again, why pretend that eBay wants its customers to pocket these rewards?

Oregon Gift Card Cloner Pleads Guilty

Evan Schuman — Mon, 16 Aug 2010 08:19:12 +0000

An Oregon man pleaded guilty earlier this month to cloning gift cards for Abercrombie & Fitch, American Eagle, Apple, Best Buy, Macy’s, Kroger and Spencer Gifts. The a crime was solved when Kroger fraud investigators noticed card balances being checked online hundreds of times a day.

Sealtiel Chacon Zepeda started his attacks by stealing blank gift cards from one of the chains–using the unprotected carousels that display the cards–and then scanning them at home, according to this story in Oregon Live. “He would then return some of the scanned cards to the store and wait for a computer program to alert him when the cards were activated and loaded with money. Using a magnetic card writer, Zepeda then rewrote one of the leftover stolen gift card’s magnetic strip with the activated card’s information, thus creating a cloned card.” The crime here isn’t especially clever, but it does nicely refute the belief that crooks won’t bother going through these efforts to clone gift cards.

Walgreens And Rite-Aid: Dueling Chat Strategies

Evan Schuman — Thu, 12 Aug 2010 05:15:41 +0000

Within a few days of each other, two of the nation's largest pharmacy chains--Walgreens and Rite-Aid--this month rolled out programs in which their customers can use Internet chat to talk with pharmacists about medical advice 24x7. But each chain opted for a very different approach, with $63 billion Walgreens giving its pharmacist chatters full access to the medical databases on patients across the country while $26 billion Rite-Aid took the more conservative route of limiting chatters to generic advice based on nothing more than what consumers choose to share.

The moves--and different strategies--are especially interesting given how pharmacies today find themselves in arguably the most data-sensitive retail segment. This space has all of the usual retail privacy concerns and regulations, in addition to medical requirements such as the U.S. Health Insurance Portability and Accountability Act (HIPPA).

How Free Wi-Fi Can Shut Down A Restaurant

Todd L. Michaud — Thu, 12 Aug 2010 05:07:13 +0000

Someone with a Secret Service badge has just informed you that she believes credit card numbers are being stolen from your restaurant by a European organized crime ring. That person says it is because you plugged your wireless access point into the wrong port. Angry people are standing across the counter; their bank accounts have been drained, and they are accusing you of stealing their rent money. Visa is saying that you have to pay $12,000 for a forensic audit of your POS. All because you wanted to offer free wireless.

Franchisee Columnist Todd Michaud wants to ask you to back up about 18 months, when you made the decision to install a wireless hotspot for guests. At the time, you were feeling pressure to keep up with the other area restaurants that were stealing away your customers because they had wireless and you didn't. After talking to your nephew Steve, who studied computers in school, you decided to implement wireless in your store and it was pretty easy.

Policing Consumer Comments: No Charge, Please

Frank Hayes — Thu, 12 Aug 2010 05:05:03 +0000

It turns out that charging $19.99 to review harassing or libelous comments posted on a Web site really is a really bad idea. On Monday (August 9), the local-Web-message-board group Topix officially agreed to stop its ill-advised, year-long attempt to monetize the monitoring of its sites. Topix says it will now review all reported abusive posts for free, remove inappropriate posts within three working days and report illegal activity to law enforcement.

Topix had help changing its mind: In May, 23 state attorneys general called on Topix to stop its pay-for-policing charges, with the implicit threat that they’d get tougher if Topix didn’t end this policy. As we said then, retailers also have lots of ideas for making money on the many non-customers who hang out at their E-Commerce sites just to comment. But you wouldn’t charge $19.99 to have a security guard stop thugs from roughing up someone in your store. Maybe that’s the test case to use for deciding whether an audience-monetizing idea is over the top.