Evan Schuman's StorefrontBacktalk

Pity poor E-Commerce. It’s barely 18 years old, has racked up about $200 billion in revenue last year and still has trouble getting noticed. Consider MasterCard’s and Visa’s EMV announcements. Both brands set various incentives for retailers if they process 75 percent of their transactions through EMV contact-and-contactless terminals. Of course, what MasterCard and Visa meant was in-store transactions.

The idea that an E-Commerce transaction is not a real transaction should be repugnant to any retailer in 2012. But those old prejudices that stores are where serious commerce happens are apparently acceptable.

Home Depot’s unusual move last week to shut down its site for 18 hours starting on Wednesday at noon was apparently done for some very logical reasons.

The timing of the move raised eyebrows. Such shutdowns have historically been done overnight, perhaps starting at about 11 PM or midnight East Coast time, and during the weekend. Also raising eyebrows was why a planned software upgrade required the site to be taken down at all. Given the home repair nature of Home Depot, weekend downtime can be more costly than a Wednesday or Thursday.

Amazon may be sprinting to get a strategic advantage when E-Commerce sales taxes finally kick in, but it’s still in no hurry to pay up. Last week, in its annual 10-K report to the U.S. Security and Exchange Commission (SEC), Amazon said Arizona has billed it for “approximately $53 million, including tax and interest, for uncollected tax for the periods March 1, 2006, through December 31, 2010.” The “transaction privilege tax” bill was dated November 2011; apparently, the state’s revenue department just realized those four Amazon distribution centers in Arizona belong to that company in Washington.

Yes, Amazon has to keep pretending its warehouses belong to a company completely separate from its online business. And the state has to do this little dance to start negotiations that will end up in an agreement that Amazon will start collecting Arizona sales tax on some future date or once a federal law kicks in. But wouldn’t it be nice if, for once, both sides could just skip the inevitable lawsuit, lobbying and legislation and go straight to the back-room deal? Arizona is already so late to this game it’ll be lucky just to get through one of those three Ls before Congress finally acts.

When it comes to loyalty, many retailers are stuck in the 1990s. Does anyone else find it funny that in a world where you can very easily have a video conference with your kids from a $500 tablet over free Wi-Fi from a random hotel, we’re expected to keep a 3.3- x 2.2-inch piece of plastic in our wallets to get benefits from some of our favorite retailers?

All of this, pens Retail Columnist Todd Michaud, in an area—such as CRM—where the application of technology could directly impact a retailer’s top and bottom lines.

Why are small problems sometimes the biggest pains? Sometimes because they’re the hardest to spot. On January 25, Neiman Marcus’ Web site was inaccessible only to customers using Internet Explorer versions 6 and 8 on Windows 7—everyone else was apparently able to get in without difficulty. This sort-of outage should have been easy to fix, but it lasted more than nine hours.

That suggests the Dallas-based high-end retailer made a change in the wee hours—exactly when you’d expect—but then accidentally left test code in the homepage. The result: a Web site that probably worked fine for everyone in IT, just not for all customers.

MasterCard’s Monday (Jan. 30) rollout of its roadmap for EMV in the U.S. set it on the opposite side of payment security from Visa, with MasterCard pushing for EMV with PIN and Visa arguing that PIN isn’t necessary. MasterCard is backing up its preference with some serious fraud-dollar forgiveness. Oddly enough, the much-smaller MasterCard has trumped—or, more precisely, nullified—Visa’s position, at least as far as retailers are concerned.

Given that greater-than-99-percent of Visa retailers in the U.S. also accept MasterCard, chains must go along with whichever brand has the more strict requirements. Typically, that’s been Visa, but not this time. On EMV-related PCI relaxations, however, the two brands opted to adopt identical policies.

Home Depot took its Web site offline on Wednesday (Feb. 1) to upgrade its version of IBM WebSphere from version 6 to 7. (Exactly why the planned outage began at noon on Wednesday seems a little mysterious, but Home Depot knows its traffic patterns better than we do.) However, in what was apparently an effort to give visitors something to read, the “Pardon Our Dust” default page included a link to Home Depot’s company blog, which even had a new post for do-it-yourselfers on Wednesday.

Only one problem: The new blog post had a link to where customers could buy that product on the site—which, naturally, took the customer to the only page working on the regular site, the “Pardon Our Dust” page. In fact, all the blog’s links went either to that page or to a grim-looking error page headed “Moved Permanently: The document has moved here”—and “here” turned out to be a link to the “Pardon Our Dust” page (from which they could, of course, click on “Blog” again). Enticing customers with products you can’t sell them—and then running them in circles? Sometimes the best thing to do really is to just close the store for the day.

For quite a few years now, the contactless payment world has enjoyed an endless-loop of defend-and-repel games when dealing with contactless security. The game starts with bank assurances that the data being transmitted wirelessly couldn’t possibly be enough for a thief to perform a transaction. Next is some public demo of a security researcher wirelessly grabbing data and completing a transaction. This is followed by industry refutations that the system demoed was either out-of-date or some part of the test was unrealistic.

Interestingly enough, there’s truth on both sides. But the dance of demo-and-explanation seems to never slow.

Amazon, which last year was spending millions to fight online sales taxes, is now throwing its E-Commerce competitors under the sales-tax bus. Last week, Amazon sent E-mail notices to South Carolina customers, reminding them that they owe sales tax on Amazon purchases—but without Amazon actually collecting tax when a sale is made, thereby hiking the price a customer pays.

That means Amazon gets to build South Carolina distribution centers and enjoy a five-year holiday from having to collect sales tax—while Overstock.com, eBay and even Wal-Mart become the new big targets in the crosshairs of state tax collectors.

It was just past 10:30 PM on January 15 when police say a shoplifter walked into the Murrieta, Calif., Wal-Mart. But as part of a growing trend, she didn’t try and steal any merchandise. What she did was walk over to an unstaffed counter, pull out what seemed to be wire cutters and cut loose the store’s keys to its safer security devices.

Other thieves have opted for grabbing EAS tag detachers, but the point is the same. Beyond protecting products, retailers need to reinforce protections around the devices that protect their products. How are keys and tag detachers handled when not in use? Is there an explicit policy about ignoring EAS alarms?

With all of the new data coming in from mobile and social, retail IT has a truly strategic psychological problem. The old way of creating interfaces between systems can’t scale and will not deliver the results this new world of information overload demands. You’ve got to stop thinking about interfaces and start thinking about services. You’ve got to stop thinking about batch ETL processing and start thinking about real-time data integration and unstructured data.

You’ve got to start accepting cloud computing as a method of scaling your computing platform up and down, pens Retail Columnist Todd Michaud. In short, you’ve got to rip out most of your information architecture and start over.

As retailers embrace the cloud for its flexibility and convenience, they might want to also consider a very serious potential for loss of control. Legally, we’re talking three different types of control loss: Your loss of access to the data; your customers’ loss of the ability to access your services; and the potential for your confidential data to become public records and to then find its way to your competitors.

Paranoid? Not any more, pens Legal Columnist Mark Rasch. Recently, the U.S. Government took down the copyright pirate site “MegaUpload” and had its founder arrested and detained awaiting extradition.

eBay’s bid to become the link between big U.S. retailers and Australian customers is off to a less-than-sterling start. On January 18, eBay CEO John Donahoe bragged to an earnings call audience that Macy’s used eBay Australia to get a foothold Down Under without creating a brick-and-mortar presence. “Macy’s saw that the Australian dollar was very strong,” Donahoe said. “The Australian consumers are very open to import and they’re looking for brands. And Macy’s opened up a store in eBay Australia, and so they’re now reaching consumers in Australia on the eBay platform without having to have assets reside in the country.”

Well, sort of. Actually, Macys.com was already selling to Australian customers last summer, using third-party vendor FiftyOne to handle shipping, customs, currency issues and customer service. And the Macy’s eBay Australia store currently has no products; Macy’s spokesman Jim Sluzewski said the eBay store was tested only through the end of 2011 and Macy’s is now evaluating its results. So Macy’s wasn’t depending on eBay to reach Aussies, and the eBay store was already closed when Donahoe did his bragging. Other than that, he got it right—we hope.

PayPal’s expansion of its in-store payments trial at Home Depot (up from 400 PayPal employees to all PayPal users) marks a huge jump in the trial’s scope—and risk. On January 19, PayPal opened up the trial to include 51 stores (up from the initial 5) and said all PayPal users could now sign up for the system. That should give both PayPal and Home Depot much more useful information on who will use the system, and how.

But PayPal’s approach—which essentially reverses 50 years of payment-card advances by eliminating any physical authentication device—still presents a big challenge when it comes to security. The ability to check out with just a mobile phone number and PIN—no plastic card, NFC-enabled phone or other authentication hardware required—means anyone who can acquire that phone number plus PIN has a free shot at the legitimate customer’s account.

When a customer walks into a store and gives a payment card to an associate, who charges it on a store-branded mobile device, is that customer interacting with that retailer? If that device is using Square, the answer is “no,” but the customer won’t know that. If an E-mail address is requested, is it for Square or that retailer?

If a marketing opt-in question is posed, who is posing it? And how will customers react when they later learn they weren’t sharing with whom they thought they were sharing? Bad news: This is not hypothetical. There is a broader issue at play here. With any of the third-party mobile payment efforts—Google Wallet, PayPal, ISIS, maybe even Apple—there is the potential for this type of confusion.

In a futile attempt to fight showrooming, Target is pressuring its suppliers to make it more difficult for Target’s customers to price compare. The most bizarre part is that Target is trying to game a system where it already has a huge competitive advantage.

The historic argument has been that E-tailers have a huge convenience advantage and that a retailer must combat that by leveraging its experience/ambiance advantage. But with showrooming, the customer has already driven to the store, parked, walked to the aisle and found the desired product. The physical store has the convenience advantage 10 times over.

Speed-tuning for retail Web sites may have finally hit a wall. A report released Wednesday (Jan. 25) says Nike, JCPenney, JCrew and Amazon had the fastest retail sites in 2011. But the survey also notes that the most popular and profitable sites are actually slower to load than the average site, because they contain so much content, and that content delivery networks don’t actually speed up load times.

In theory, load times of 3 seconds or more should cost retailers half their customers. If that’s true, E-tailers should be going out of business. Maybe it’s time to dump those theories.

Historic British retailer Fortnum & Mason—with roots dating back to 1704—is finding that PCI compliance doesn’t end with IT. The chain had to confess last week that a customer service rep was asking customers to E-mail their full credit-card data—including CVV—to process routine refunds.

Clearly, one errant employee is something every chain has. But this example brings up a too-often overlooked PCI fact: Compliance is an issue for every employee. Mobile payment, being a disruptive factor, will only make things worse, because it creates many more opportunities for payment-card data to be captured/retained against the rules.

When the $7.3 billion Hy-Vee regional grocery chain on Monday (Jan. 23) rolled out its in-store mobile app, it encouraged customers to use Twitter to report out-of-stock items. It’s a wonderful move, acknowledging—and addressing—a communication hole that exists because of an outdated management structure.

In a typical chain store, what happens when a customer discovers a problem, be it an incorrect price label or an out-of-stock or expired product? It’s up to the customer to track down an associate. What happens then? Usually nothing, because it’s quite unlikely it’s the primary responsibility of that employee to deal with that problem.

In the power struggle between retail marketing and retail IT, IT is getting its server farms kicked. It started with E-Commerce and is now growing with mobile and social. What has to go? If it can go in the cloud, get rid of it. E-Mail? Gone. Web hosting? Out of here. CRM? Exit, stage right. If it can be easily outsourced by specialist firms or even done by people in the business unit, you need to let it go.

It’s time to evict Web and mobile app development, and pretty much any marketing initiative that isn’t core to your business. Heresy? Certainly, pens Retail Columnist Todd Michaud. But it’s necessary.

Given that PCI only applies to payment transactions for the five major card brands, PayPal transactions would not normally be in scope. But recent pilot programs by at least one major retailer and an announcement by a POS device vendor has PCI Columnist Walter Conway questioning the conclusion that PayPal transactions will remain out of PCI scope.

If a PayPal card triggers a transaction on an underlying Visa or MasterCard, might that PayPal account be considered a “high-value token” and, therefore, be in scope for PCI? And if the PayPal account is in scope, is it a big deal?

With Visa’s clarification on January 13 that its U.S. EMV deployments will include Chip-and-no-PIN, retailers are trying to decide if this is a good thing or a bad thing. On the bad side, this forces retailers to immediately trust the chip technology perhaps a bit more than they want to.

“When I think about secondary validation, that gives me more of a warm fuzzy even though we have people saying that I have a more sophisticated chip and that my smart device has got some protection sitting in it,” said Bill Titus, the Loss Prevention VP at Sears.

Few statements are parsed as aggressively for hidden signals and clues as those from Wal-Mart corporate. And few topics have to be handled more delicately than how aggressively Wal-Mart senior management will push merged-channel strategies on its stores. Therefore, the statement issued Monday (Jan. 16) by Wal-Mart about its new E-Commerce chief and how he is expected to interact with stores is getting a lot of close inspection.

Wal-Mart has recently been trying to more closely align stores with various online, mobile and social efforts. But like all major chains, brick-and-mortar management resistance is non-trivial.

Want to drive customers to all your retail channels? Give them a more satisfying Mobile-Commerce site—at least that’s what one analyst says. In a study released on January 12, ForeSee argued that only Apple and Amazon have M-Commerce sites that really stand out for customer satisfaction. Customers said the Web sites of other big chain are better than their mobile sites, which hurts the chains’ ability to get customers to return through any channel.

It’s a fine theory. Trouble is, it doesn’t actually seem to work for most of the 16 retailers that ForeSee looked at, ranging from Best Buy and eBay to Avon and Target.

When Amazon’s Zappos apparel unit announced on Sunday (Jan. 15) that more than 24 million customers had their information potentially stolen from its site, Zappos took the radical—but wise—move of wiping out all of its passwords. That caused massive disruptions to the company, shutting down customer service phone access and access to the site from outside the U.S., in addition to inconveniencing all customers.

But it was the unequivocal declaration that payment systems had not been touched that raised eyebrows. At this early stage of a breach investigation—knowing that cyberthieves tend to be quite good at hiding their tracks and creating misleading tracks—is such a blanket promise to customers reckless?