Evan Schuman's StorefrontBacktalk

If you are a company in Alabama, Kentucky, New Mexico or South Dakota and you suffer a data breach in your state that affects residents of your state, you might be tempted to look up your state’s data breach law, see that your legislature had decided not to pass such a requirement and believe you have complied with the law. But if you “conduct business” in Texas, under a new Texas law, not only must you notify Texas residents (if any) that their data has been breached, but you have to notify residents in states that have no breach disclosure laws—or face the wrath of the Lone Star state.

This means, writes Legal Columnist Mark Rasch, that Texas law would apply to the relationship between a retailer in Tuscaloosa and a consumer in Birmingham, AL, a retailer in Louisville and a consumer on Lexington, KY, a retailer in Albuquerque and a consumer in Santa Fe, NM, or a retailer in Sioux Falls and a consumer in Rapid City, SD.

The PCI SAQ process needs work, but SAQ C is especially problematic. Retailers who qualify for SAQ C process payments on a payment application connected to the Internet. The target audience for SAQ C is small merchants with a payment application on their personal computer, which connects to the Internet to process card transactions. Other requirements are that the merchants store no electronic cardholder data and that their computer is not “connected to any other systems in your environment.”

In the real world, many retailers and franchisors (and franchisees) try to qualify to use SAQ C. PCI Columnist Walter Conway calls this the “anything but SAQ D” approach. In his experience, the biggest challenge of SAQ C is isolating the application server(s) from the rest of the merchant environment. Conway knows merchants who have devoted a lot of effort and changed their network so they can qualify for SAQ C. A recent clarification by the PCI Council, however, limits the ability of many retailers and franchisors to use this SAQ.

When Visa announced Monday (Sept. 19) that it had officially sold a license to Google Wallet, it signaled a key next step in the mobile payment maneuvers. Google now appears to have the best position with retailers, while ISIS gets love from banks and card issuers, and PayPal is relying on its own online payment abilities. Then there’s the mobile payment candidate waiting in the wings. Will Apple in a month or so make its NFC mobile move?

That’s increasingly likely—at least if Apple is ready. This particular fight may be moving to the hearts and phones of consumers, where two players—ISIS and PayPal—have serious handicaps. But consumers see Google as a search engine that does a lot of stuff for them for free. And if any company generates even more warm-and-fuzzy feelings than Google, it’s Apple. And Apple also has a host of rarely-discussed huge mobile payment advantages, starting with the fact that it’s a retailer and a darn innovative one at that.

Secure HTTP may be in trouble. The protocol that E-Commerce sites use to safely receive customers’ payment-card information can be hijacked in a matter of minutes, according to two security researchers who will demonstrate their attack at a security conference on Friday (Sept. 23). In case anyone doubts how relevant their demonstration is, their target will be a PayPal account.

The good news: The security hole can be closed by upgrading E-Commerce sites to a version of the security protocol that has been available since 2006. The bad news: Most E-Commerce Web sites and most Web browsers are still using the version with the security hole. The security-guru consensus: The sky isn’t falling yet, and browser makers may be able to implement a tweak that blocks the threat without a new security protocol.

After everything else that happened to Target in the wake of its catastrophically successful Missoni sale on September 13, here’s one more thing to add insult to injury: Customers are now complaining about their online orders being delayed or canceled—and then seeing the merchandise they couldn’t get showing up again on Target.com. But it’s hard to blame this problem on Target’s new E-Commerce site—the same thing happened to Target and other E-tailers last Black Friday, when Target.com was still being run by Amazon.

The “now it’s out-of-stock, now it’s back in stock” problem isn’t new to either in-store or E-Commerce, and it’s one that retailers usually try to handle as quietly as possible with ever-smarter inventory systems. But that will probably never work, because real-time inventory stops working very well when an item is about to go out of stock. Unfortunately, giving online customers more information about a looming out-of-stock situation could actually encourage them to buy less—and may not keep them any happier.

When it comes to short-term E-Commerce promotions, be careful what you wish for or you will surely crash. Target.com learned that lesson last week and, on Tuesday (Sept. 20), it was the turn for Domino’s Pizza. But Domino’s explained away its crash with a twist: it blamed “bad apple” customers.

Domino’s enjoyed a piping hot multi-hour site outage that day, shortly after it launched a Facebook promotion—which was also shut down—to give away 100,000 pizzas in a new gourmet-style pizza line dubbed Artisan Pizza. The chain isn’t saying exactly what happened to cause its outage, but it is saying that customers—presumably ultra-intent on winning the free pizzas—did something unfair. Ostensibly, it was some sort of denial-of-service variation where they would flood the servers with responses, thereby getting lots of entries in and denying others the ability to do the same. Domino’s is declining to say precisely what it thinks was done. But the chain still apologized for it on Facebook on Wednesday (Sept. 21).

PayPal’s not-quite-a-mobile-payments-announcement on September 14 was a nearly perfect primer on how not to convince retailers you’re a serious player in in-store payments: Trot out a collection of rebranded (but unintegrated) technologies—everything from your own mag-stripe cards to self-checkout by phone to yet another nonstandard use of PIN pads—and then demo them without any hint that you recognize the unsolved problems they carry, never mind having solutions.

The problem isn’t just that PayPal has apparently done nothing to pull together its pile of recently acquired technologies into a suite of payment services. It’s that each of these services has real problems that have dogged retailers’ efforts at mobile payments for years. And astonishingly, PayPal doesn’t seem to have solved any of them.

Is the KFC chain now going to have to tell employees that it’s Finger Scannin’ Good? That’s a possibility, given a move announced Tuesday (Sept. 20) by two of its franchisees to abandon password access to POS and switch to a fingerprint biometric authentication system.

The advantages are initially compelling, in that it makes it so much harder for associates to impersonate managers for fraud, whether it’s for stealing money directly, manipulating payroll records or letting employees falsely sign in for each other. The problem is that bored, persistent and resourceful KFC employees—armed with almost unlimited access to these biometric devices and potentially lots of free time during slower parts of the day—are quite good at finding security holes. Will it be a piece of Scotch sticky tape that will fool the system? Maybe the system can be fooled into accepting a new—and non-existent—manager? Given that the fingerprints are not being stored (only a numeric representation of the fingerprint’s datapoints), could the number be faked instead? All in all, this biometric approach is probably a very good idea. But few things are secure enough to hold up to under-paid, young, bored QSR employees, especially when management will likely be slow to react, preferring to believe that fingerprint biometrics are foolproof.

Arbitration clauses have always been seen as favoring the retailers and, therefore, as a clause you always want to fight for—if you can. But as the world of retail has changed, with Web and mobile enabling customers to have much greater access to critical operations, things have subtly flipped. Those retailer-protecting arbitration clauses of yesteryear have now morphed into the customer-protecting clauses of today.

Consumers are now empowered to do genuine harm to retailers—harm that would otherwise be addressed through some legal recourse, writes Legal Columnist Mark Rasch. Consumers can commit commercial defamation (think Oprah and the beef industry). They can manipulate stock prices through online campaigns. They can shoplift or otherwise steal goods, products or services. They can release sensitive personal information about the company, its products or plans, its personnel or processes. They can hack into computer systems and steal information. They can infringe or disparage trademarks. They can infringe copyrights. They can modify hardware or software. They can start a grass-roots online campaign to literally destroy a business. They can organize online protest movements, flash mobs or other demonstrations. They can launch denial of service attacks. Consumers can even use your goods and services to harm others.

The shortened versions of the Self-Assessment Questionnaire (SAQ) have only one problem: They are incomplete. There are PCI requirements every merchant should meet beyond what is specified in any shortened SAQ. Any retailer that limits its PCI compliance effort to completing one of the shortened SAQs trades off security for compliance. That is, any merchants who think they need only meet the requirements of a shortened SAQ risk a data compromise that can result in ruinous fines and land them in the headlines for reasons they would rather not be there.

The SAQ is an excellent starting point, pens PCI Columnist Walter Conway. But it is not (and does not promise to be) an all-inclusive approach to achieving—not just validating—PCI compliance. In a previous column, Walt noted the PCI Council’s point that slavishly (his terminology) completing a SAQ may not be enough to be PCI compliant.

Last week’s 96-page PCI Point-to-Point Encryption (P2PE) validation requirements document from the PCI Council offered retailers a non-trivial compliance carrot: Implement P2PE according to the Council’s specs and see your PCI scope drop from 12 requirements to just two.

The big news is where the Council says in the report that “it is expected that PCI DSS controls that will be applicable to a merchant’s validation will include (but will not be limited to): Protection of media and devices; Maintaining information security policies and training for personnel; Processes for management of third-party providers (including P2PE provider); Incident response and escalation procedures.” That means a retailer implementing approved P2PE might reduce its PCI compliance to just requirements 9 and 12 (and maybe 11.1). The Council’s words “will include (but not be limited to)” are important. We have, effectively, a new PCI standard with the accompanying infrastructure: detailed hardware and software specifications, an independent P2PE validation process and two new flavors of specialized QSAs.

One of the legendary challenges selling apparel online has been getting clothes to fit. Sometimes, the fault is that customers can’t measure correctly—or perhaps they don’t want to measure correctly. Either way, if the clothes don’t fit, everyone loses. On Monday (Sept. 12), the 1,989 stores in the Charming Shoppes chains (in 48 states branded as Lane Bryant, Cacique, Fashion Bug, Catherines Plus Sizes and Figi’s) announced a survey tactic that replaces sizes and measurements with questions about body perceptions.

Company officials say they expect the system to be—please forgive us—measurably more accurate than any E-Commerce apparel tactic being used elsewhere today. The process starts with a database of between 80 and 90 questions and asks between 20 and 22 questions of each shopper, with each answer dictating the next question. If all goes well, the entire process should be completed within three minutes and it’s often closer to 1.8 minutes.

Trying to regain detailed operational control over Best Buy operations, CIO Jody Davids has gotten board permission to do what major retailers are doing today: Hiring new IT managers by the hundreds. Indeed, what had initially looked like a 200-person boost—which alone would have roughly tripled the number of dedicated, salaried Best Buy IT people from about 100 to 300—is now looking like perhaps a 300-person boost, Davids said. Either way, it means a very different IT environment at the $50 billion chain.

Historically, those 100 Best Buy IT folk have managed “several thousand” IT contractors, Davids said, which puts Best Buy—albeit in a rather extreme way—in the same position as many other chains. Outsourced IT certainly has the advantages of scale and instant experts, in that it’s a lot easier to bring in a team to create a specialized app for one business group and to then not rehire them when the project is over. That’s much easier than having to hire and train employees and to then have to try and lay them all off.

When ToysRUs on September 8 added a “Family And Friends Pick Up” feature to its buy-online-pick-up-in-store service, it at first seemed like a nice little enhancement. But behind this seemingly cost-free convenience are layers-upon-layers of rich and highly actionable CRM data and other goodies.

The idea is straight-forward enough. If a ToysRUs customer can’t easily get to the local store, he/she asks a friend/relative to pick up the item as a favor. The initial customer simply is asked to give the picker-upper’s first/last name, E-mail, phone number, address and the relation to purchaser. The picker-upper gets a direct E-mail message indicating the item is ready for pickup. Before going any further, ToysRUs is now picking up a bunch of verified E-mail addresses of people who are near its stores, along with other bits of wonderful data. Not only is the E-mail address verified (they had to receive the confirmation notice), but so is the name and address, courtesy of the driver’s license or other ID they had to show when picking up the merchandise.

Target’s E-Commerce inventiveness is coming back to bite it. When the chain’s three-week-old Web site crashed early Tuesday morning (Sept. 13) in the face of a ravening hoard of shoppers looking for Missoni products, the site truly was down. By noon Eastern time, the site was back up—but many would-be customers continued to think the site was offline throughout the rest of the day. Those who did reach the site to shop reported issues at checkout time that might (or might not) have been true IT glitches. The problem: Even when Target.com works, it doesn’t work the way customers expect.

That compounded the problems of “Missoni Tuesday,” which a Target spokesman said saw “greater item demand than we do on a typical Black Friday.” But the crush of customers, and the fact that so many items sold out, masked a serious issue: Even though Target.com made buckets of money that day, the result left a bad taste in the mouths of many Target customers—and the site’s nonconformist challenges are still there.

Early this month, The New York Times R&D Lab started talking up some work it is doing to create an interactive mirror. The idea is that consumers would replace their regular mirrors with this souped-up, voice-recognizing networked version. It responds to the command “Mirror?” You can place a bottle of antacid on the ledge and it will identify it, offer instructions and perhaps a coupon. It will also create a digital tie and “place” it on your neck to try and match your shirt.

This is a very clever project, but I have to wonder whether it has any practical value. There is something ultra-sensitive about a bathroom mirror. Yeah, there’s that naked thing and the video-streaming thing that may not play well together. When I think of all of the potentially creepy implementations of RFID, mobile geolocations and facial recognition, I think an interactive video-capable mirror using Microsoft Kinect has got to rank right up there.

The PCI Council on Thursday (Sept. 15) will detail its initial guidelines for point-to-point encryption (P2PE), but retailers need not—and should not—take any near-term action. Nor should they sign any imminent contracts involving P2PE. Why? The Council will stress that the document—a 96-page detailed description of various P2P approaches and common-sense security processes for each—is only “the first set of validation requirements” and that key parts of the program won’t even be in place for six to eight months and might be delayed even further.

Why such delays? First, the Council wants retailers to contract only for P2PE applications that appear on a Council list of applications validated to be PCI compliant. The problem? That list doesn’t yet exist, and the list’s creation is “targeted for Spring 2012,” according to a draft copy of the Council’s document. A second reason for the delay is PCI training of assessors. The Council isn’t promising to identify the testing procedures until “the end of 2011″ and “training opportunities” (which we assume means classes) won’t be detailed until “Spring 2012.” The report will say that the guidelines—even if perfectly followed—won’t offer a path for a retailer to be considered out-of-scope. The best that a chain can hope for, according to the document, will be “reduced scope.” But nowhere does the document say what exactly that would and wouldn’t include.

When Macy’s on Tuesday (Sept. 13) issued a statement summarizing a wide range of IT investments, including stores borrowing inventory from each other, a cosmetics kiosk, some tablet deployments, digital receipts, Wi-Fi, Google Wallet support and online chats (Really? No touting those newfangled UPC codes?), the fact that many of these IT efforts happened months ago made the compilation news release seem baffling. Baffling, that is, until we figured out the point: IT is now cool. Or at least Wall Street thinks it is.

To be specific, Wall Street doesn’t think that all IT investments are cool. It’s when IT investments come from companies where it’s not expected. When eBay or, heaven forbid, Amazon invest in IT, Wall Street lets them have it with both spreadsheets, in a way that it would have never criticized Wal-Mart for opening new stores. But when the Sears and Macy’s of the world start talking about these space-age computer thingies, stock analysts get all starry-eyed.

Starting today (Sept. 14), we are making our monthly topic-specific newsletters available for all of our readers, for free. These five newsletters—each one covering solely E-Commerce, Mobile, PCI/Security, In-Store or CRM issues—have until now only been available to Premium subscribers.

For readers focused on any of those areas, the Monthlies provide an easy way to keep up-to-date and to make sure you don’t miss any story important to your operation. The Monthlies also have two other helpful features.

As if QR codes weren’t having enough trouble getting traction among young consumers who should be their biggest fans, now it turns out that the codes are not only widely unused, they’re also unsafe. On September 9, mobile security blog Kaotico Neutral pointed out that because many mobile apps, when fed a QR code containing a URL, will immediately send the browser to that Web site—no questions asked—QR codes can easily be used to inject malware from an infected site into any phone or tablet that scans it.

Worse still, because the checkerboard codes are often on stickers or posters in public places, a QR on a retailer’s legitimate advertising can be turned evil by someone using a replacement QR that covers the original—even in-store. That means QR codes represent a triple threat (literally) for retailers: Many customers don’t know what they are. The ones who do are at risk if they read them. And cybercrooks can use your own advertising and signage to damage your reputation. Yeah, that certainly sounds like the mobile retail gimmick you need.

What happens when Wi-Fi gets too fast to be useful to retailers? We should know in about three years. On Monday (Sept. 12), analyst firm ABI Research predicted that the next generation of Wi-Fi (officially known as IEEE 802.11ac) will become the dominant wireless protocol by 2014. The new Wi-Fi will be fast enough to pump out multiple streams of high-definition video—which will be a nightmare for stores offering customers Wi-Fi, because letting customers slurp up that much data would require each store to have an Internet connection roughly the same size as a large ISP.

Of course, that’s only a problem if that high-bandwidth content comes from the Internet. If it’s served from within the store, customers could receive a constant stream of commercials, product pitches and other videos on their smartphones and tablets. There’s just one difficulty: If customers are accustomed to having a huge pipe to the Internet on their personal devices, they won’t react well to retailers that have cut back their bandwidth ration to just enough for the Web, E-mail and Twitter—unless there’s someone else available to blame.

The PCI Council on Thursday (Sept. 15) is releasing a guidance document
on point-to-point encryption (P2PE). This technology—properly implemented—has the potential to reduce PCI scope greatly, and several retailers have already implemented it. But one issue may have early adopters digging up their vendor agreements: Are they sure their your implementations—particularly the encrypting POS devices—will pass the Council’s new Secure Card Reader testing program? Will their vendors replace the POS devices with compliant ones, assuming they can, and what will that cost?

The idea behind P2PE, pens PCI Columnist Walter Conway, is that an encrypting POS terminal encrypts the cardholder data (the first “point”) immediately as the customer’s card is swiped. A third-party service provider (the second “point,” and often the merchant’s card processor) manages both encryption and key management. The third party is the only one that can access the actual cardholder data. The result is that when P2PE is properly implemented, almost all the merchant’s systems are out of PCI scope because the merchant has no way to decrypt the data or ever to get access to the clear-text cardholder data.

What does the “price” of an item mean? If you pick up a can of corn at the Piggly Wiggly and the electronic shelf label (ESL) says it is $1, but the price changes when you walk up to the register, what price is the merchant legally required to deliver? Although any reasonable merchants would likely honor the lower price, must they do so? What about an online store, where the price of an item might easily be changed between the time a customer puts it in his shopping cart and the time he checks out?

There are two different legal precedents for these situations, writes Legal Columnist Mark Rasch—and in fact, they go in exactly opposite directions. That creates an inherent problem, for both consumer relations and the law. Customers could feel cheated if price changes don’t work the way the customer expects. And as ESLs make in-store pricing work more like online pricing, that could change the way courts see it.

While Amazon and the state of California were doing their political deal for online sales-tax collection, someone apparently pointed out to the state that Wal-Mart—one of the tax’s biggest backers—isn’t collecting California sales tax for some of the most expensive items on its own E-Commerce site. Wal-Mart’s explanation: The items (including boardroom-style projection systems that cost as much as $70,000) aren’t really being sold by Wal-Mart, even though Walmart.com is processing the orders and collecting the money.

That sounds just a wee bit hypocritical, especially because Wal-Mart is unquestionably required to collect sales taxes online given that it has both brick-and-mortar stores and an E-Commerce distribution center in California. But the problem—and Wal-Mart’s excuse—points out a legitimate issue when it comes to collecting those taxes online. A traditional store’s boundaries are pretty straightforward. But online, it can get a lot harder to tell where one retailer ends and another begins, and exactly who is supposed to be collecting which taxes.

Amazon has cut a deal with California politicians to block the state’s online sales-tax law for at least a year. The political deal, reached Wednesday (Sept. 7), buys Amazon and other online retailers a year’s respite from the online tax in California. But it also effectively guarantees that, one way or another, E-tailers will be collecting state sales tax 16 months from now.

The deal also effectively signals an end to a string of political and court battles in New York, Illinois, Connecticut, Rhode Island, North Carolina, Arkansas and Colorado. Amazon—which California calculated would be responsible for delivering half the online sales taxes the state expects to collect—is now in a race to get Congress to authorize online sales taxes. And unless the rest of the pure-play E-tailers decide to fight it, Amazon will drag them all along in its slipstream.