|
The more the TJX saga goes on, the more the TJX data intrusion situation seems to be more hopeless. Every day, bits of news crops up here and there—a couple of class-action lawsuits, a congressional call for a Federal Trade Commission investigation, various associations linking specific fraudulent transactions with TJX—and TJX says practically nothing. And what it does say, it says in what many consider insulting language. For the moment, let's set aside the positively drug-crazed PR strategy, even though I truly believe that had TJX management been running Johnson & Johnson in 1982, their strategy would have been to keep silent about the cyanide-laced capsules and see how many people died. They'd then issue a statement saying, "By delaying a public announcement, with the help of top health experts, we were able to contain the problem and further strengthen our manufacturing system to prevent further intrusion. Therefore, we believe that we were acting in the best interest of our customers." And, yes, other than changing "computer security" to "health" and "computer network" to "manufacturing system," that is exactly what TJX Chairman Ben Cammarata said, explaining the month-long delay of the announcement. But what is truly most interesting about the case today is how little has leaked about what actually happened. There's plenty of speculation, but very few facts to base them on. Congressional aides and the attorneys involved in some of the class-action lawsuits have almost nothing to work with. In a Web-distributed video statement, Cammarata shed almost no new light on what had actually happened, other than this tidbit: the driver's license data that was taken came from customers who went into the stores and tried returning products without receipts. It's not definitive whether it was an external break-in or someone (perhaps an employee or former employee) accessing the system from inside. One report—initially confirmed from TJX PR—had the attacks having taken place in May, some seven months before they were discovered. Was it one incident? Ten? Did someone break in and leave a program that would continue to send data? How was it ultimately discovered? Do they have accurate records about what happened? Revealing any of this would not likely hamper any investigation. Even the details of the techniques used to break in would likely be safe to reveal, as the company has already announced that the hole the perpetrator exploited has been addressed. Then there are still the questions about the data-handling itself. Was any of it encrypted? Was the information retained in violation of PCI rules? How could the intrusion have gone on so long—seven month—without being detected? Ironically, TJX was also sued in January for improperly handling POS receipt printing (failing to truncate credit card numbers and expiration dates), but that's looking like chicken data feed compared with the rest of this. What is puzzling about this is "Why the silence?" Assuming the full details will be monumentally embarrassing—which seems to be an inescapable conclusion now—why not get it over with? Reveal the full details in a statement, hold a news conference, do a little interviews and then move on. Isn't that better than letting congressional hearings and legal depositions force the details out in what will likely be the most unflattering light possible? It seems mind-boggling for TJX executives to think that if they stonewall long enough, they'll never have to admit what they did? As far as TJX is concerned, it has several different constituencies. Some of them it cares about and others are meaningless to them. In the meaningless camp are most media, industry analysts and government officials. Those groups can say all kinds of demoralizing things, but their ability to punish TJX is minimal. In the important to TJX camp are shareholders and customers. As of this writing, all indications are that customers are shrugging this off, with nothing solid suggesting that consumers are avoiding TJX merchant locations in any meaningful way. Shareholders—and Wall Street, in general—have also not seemed especially concerned. Taking a look at the stock over the last six months shows no significant stock price pain. On Thursday, however, the company said that it is allowing for a financial hit of a penny a share for the fourth quarter because of the intrusion and specifically "costs incurred to investigate and contain the intrusion, enhance computer security and systems, communicate with customers, as well as technical, legal, and other fees incurred through the fourth quarter." The stock price dropped that day $1.08/share (about a 3.65 percent drop) to close at $28.49. At one point in the day, the share price fell to $28.37 before recovering slightly. If this marks the beginning of a true stock slide, things may change. But customers are the key. Most have not been impacted by the intrusion and, theoretically, the banks are covering most of the expenses for the few who are getting hurt. As long as customers are content, Wall Street shouldn't go too far astray and TJX will likely keep silent.
|
Search Through All Stories
Whether the wing flapping of a bug can eventually cause a tornado is debatable, but Cyber Monday 2008 should serve as a warning to E-tailers to avoid the lesson learned by Staples and Dell on Monday (Dec. 1): Don't ignore the butterfly effect.
At about 6 AM on Black Friday, Wal-Mart's site went down for about an hour and then came up. But this time, it had moved its content pages to an outside service. Wal-Mart said it had been a scheduled change, a concept that Gareth Evans, head of client services at Web tracking firm Sitemorse, finds unlikely.
In a trial of new holographic magnetic stripes for its payment cards, Visa found the cards "emitted an electrostatic discharge that caused POS terminals to shut down," according to a report in The Nilson Report, a respected credit card industry newsletter.
Microsoft's Live Search cashback program—which gives rebates to those who comparison shop online and choose stores that are part of the program—was a bit too popular on Black Friday (Nov. 28) and crashed for several hours, leaving consumers with no cashback and a lot of anger.
Sears.com suffered the worst Web problems on Black Friday (Nov. 28), experiencing a series of complete site crashes for much of the day. Although no other major retailer came close, according to preliminary reports, many of the industry's largest merchants suffered site slowdowns or other Web problems, including Walmart, Kmart, Saks, Overstock, Amazon, Target, Kohl's, Costco and Buy.com.
In a trial initially limited to the United Kingdom, Switzerland, Israel and Italy, Visa Europe is starting a trial this month of a card with an 8-digit alphanumeric display, 12-button keyboard and a long-life battery. The card has the ability to offer reciprocal authentication, which is designed to allow consumers "making transactions via phone or the Web a way to identify the party on the other end before transmitting identifying credentials."
Black Friday (Nov. 28) E-Commerce sales hit $534 million, reflecting a one percent increase from last year's Black Friday, ComScore reported Sunday (Nov. 30).
A Web-generated wakeup phonecall to get customers to in-store early morning sales may not have a material impact on quarterly sales, but it's a creative touch for the E-Commerce site JCPenney relaunched right before Black Friday (Nov. 28). Even if the system's in-store inventory update isn't quite accurate.
A group of credit card thieves in Seattle tried to maximize their profits by using their stolen credit card data to open a loyalty card account with Best Buy, where they could get could extra benefits along with their stolen products, according to a federal indictment filed Nov. 19. One had tried a similar rewards scam with a Home Depot reward card and a Sears gift card.
Following a site meltdown by a major U.K. retailer this month, Internet traffic tracking firm Hitwise was able to document and make concrete what has always been assumed: Consumers abandon a retail site when it melts down faster than politicians vote for a tax cut.
Recently released numbers raise questions as to whether online will be much of a savior at all. New figures from eMarketer project that E-Commerce sales will top last year's numbers by some $5.6 billion, a 4.1 percent increase from $136.8 billion to $142.4 billion.
Eduardo Perez of Visa has called its fines for non-compliance "nuisance" fines. In other words, the fines are not large enough to be a big financial burden to retailers but are large enough to get the CFO pissed off about having to pay them and maybe large enough to get a CEO to at least show up for a meeting to discuss PCI.
The IT struggle with knowing where all payment data is—let alone trying to enforce rules that pretty much try and keep it there—was the topic of a StorefrontBacktalk a podcast this week with our own PCI columnist, David Taylor, and security specialist J.D. Oder, the chief technology officer at Shift4.
A Supreme Court decision from back in June 2007—intended to give consumer goods manufacturers greater control over their products' pricing—is fueling confusion, mistrust and runarounds among E-tailers trying to compete on price.
Wal-Mart has agreed to pay $1.4 million to settle complaints that it overcharged customers in California. The Nov. 24 deal involved the mispricing of some 1,043 items over four years. Some of the problems happened because associates would make pricing changes to items in the store's register database but not in the aisle.
PayPal has come up with yet another payment-related use of a cellphone: to authenticate a non-mobile E-Commerce transaction. Customers of the payment giant "can now choose to receive a unique six-digit security code via text message to their mobile phones prior to logging in to their accounts," PayPal said.
There's an E-mail campaign that says consumers can identify American products by the first three digits of the barcode. In theory, this would allow people who only want to buy American products an easy way to do that. The only problem is that the trick doesn't always work, which means it could have the opposite effect.
When are related product lists helpful and when are they distracting? Is it an obviously useful upsell or is it doomed to the fate of the salesperson who shows a customer one too many choices? HP thinks it's often the latter and has sharply trimmed the number of related items it shows. And the company is claiming a 30 percent sales increase as a result.
Amazon.com, which arguably has one of the most extensive retail CRM databases and purchase recommendation engines, envisions a Catch-22 future for gift cards. The key is making them more personalized, more customized. And yet, anything that hints of privacy violations is off-limits. It's like a starving man being given the keys to a well-stocked food locker as long as he agrees not to eat anything.
As more retailers try to go where the customers are rather than getting them to come to the retailer, TiVo and Domino's are taking the next logical step with a TV-as-E-Commerce-Device approach.
We make calls on PCs and surf the Web on our phones. The lines of separation are blurring fast. But in the world of retail technology, the difference between a kiosk and digital signage is one of the more difficult distinctions to make. How to describe that difference? To one CFO, the answer was obvious: A poem. In rhyming verse. Rhyming verse that is so bad it's almost good.
The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computer that security managers would rather they didn't. GuestView Columnist David Taylor asks if these people might be doing things (e.g., downloading malware) that could bring down your company?
When file transfer site YouSendIt—with more than 100,000 paid users bringing in some $10 million this year—crashed on Monday (Nov. 17), it illustrated the kind of crash that should make retailers very concerned.
Podcast panelists debate card replacement problems, including inadvertently printing encryption keys on customer receipts and the refusal of the card brands to shorten how long expiration dates are valid. "We now have to worry about data that's been there as many as 12 years."
A loyalty card that consumers can turn on and off could potentially usher in a consumer revolution of sorts, allowing the majority to punish merchants they see as misusing CRM data that has been entrusted to them. At least that's one scenario painted by the president of the company that is pushing the card.
Amidst an avalanche of hype about the desirability of gift cards this holiday season, the National Retail Federation on Tuesday (Nov. 18) predicted a six perfect drop in gift card sales this season, from $26.3 billion spent during last year's holiday season to a projected $24.9 billion for this season.
Some 30 meters below solid bedrock underneath Stockholm, an abandoned nuclear bunker has been transformed into what could only be described as the world's coolest datacenter.
Several factors are lining up—including rushed technology upgrades, more site handoffs for everything from mobile to social networking widgets and a surge in traffic from bargain hunters—that could easily make this holiday shopping season one of the crashiest in years, if not the crashiest. (Note to copydesk: I don't care if crashiest is not a word. It should be.)
When Sears rolled out its mobile effort (Sears2go) this month, it illustrated the challenges for a retailer trying to craft a clean and stable mobile strategy at a time of extreme flux for the mobile space.
When E-Commerce execs try and understand abandoned shopping carts, they often overlook concrete clues. One of the best is whether shoppers clicked on the store locator link right before leaving. But deciding what to do about abandoned carts, that gets complicated. The innocuous-looking store locator is akin to waving a red cape in front of the face of an E-Commerce manager bull.
The Web is overflowing with analysis of the TJX data breach disaster, but what's intriguing is the possibility that some of the indicted suspects may have worked as code writers in the light of day for some major companies, including Morgan Stanley.
Equifax on Thursday (Nov. 13) announced an E-Commerce CRM and payment card that consumers can activate and deactivate based on how they feel about the site they are visiting. The only way such a card—dubbed the Equifax online identity card—will be successful is if it's adopted by a large number of retailers. And each of those retailers would have to be willing to surrender one of their most precious pieces of data: customer history.
We see tons of variations on the meta-search concept for E-Commerce, but this site seems to have hit on a truly practical combo: An engine that finds the lowest prices and simultaneously finds relevant coupons and then integrates the two.
Visa, long the key driver of compliance with the PCI security standards, is helping to clear up merchant and service provider confusion regarding the global deadlines for PCI DSS compliance. But GuestView Columnist David Taylor notes some unusual phrasing and concludes that Visa wants to ease the compliance process to get more service providers outside the United States on board.
Instead of making gift cards worthless once they're emptied, Target and Best Buy have opted for the other extreme: With enough micro electronics, the gift cards themselves might be worth more than the merchandise they can buy.
Wal-Mart will insist that its Chinese suppliers comply with RFID tagging by January 2009. And given various recent safety problems reported from China, Wal-Mart is also requiring sub-contractor information be included with every tagged product.
Forced to try and boost revenue in a tight economy, Best Buy is pushing an aggressive plan—based partly on open APIs—to sell to customers wherever on the Web they're hanging out, rather than trying to get them to virtually travel to the retailer's online storefront.
While the headlines in the United States tell of store closings and expansions being back-burnered, it's a very different story in at least one part of the Middle East. In Dubai in the United Arab Emirates, Tuesday (Nov. 4) saw the world's largest mall opening ever.
RFID sales globally will be more than $5.3 billion this year, with supply chain management, ID documents, ticketing and contactless payment drive shipments leading the way, according to a report released Monday (Nov. 3) by ABI Research.
MasterCard's PayPass is ramping up its mobile program with an over-the-air provisioning service to supposedly make it easier for consumers to personalize their payment data on their mobile devices.
Without a doubt, the most popular strategy for dealing with PCI compliance and data security is avoidance, writes GuestView Columnist David Taylor. Not unlike the game of "hot potato," which dates back to the pilgrims, the goal is to find someone who is willing to put up with the hassle of PCI compliance and then give that person all the credit card data.
When Costco on Monday (Oct. 27) announced that it would support—for the first time—customer comments on its products, the move was less noteworthy for the $71 billion chain's late-to-the-party embrace than for what it says about the industry's acceptance of a once much-feared feature.
Although there is a little doubt that the United States is in for a very rough economic period over the next half-year or more, there is ample reason to believe that retail IT may escape mostly unharmed. Let's not get too optimistic here. "Mostly unharmed" doesn't mean escaping untouched. But it does mean that when large companies—especially retailers—have to suddenly make do with a lot fewer people, they need that good ole IT magic more than ever.
The battle for booksales should be an online natural. But as Barnes & Noble discovered this week, the compelling, intimate experience of a physical bookstore is still proving elusive.
A Hong Kong RFID vendor is boasting about a new $1,950-$2,500 handheld UHF reader "with a read range exceeding 25 feet with standard dipole passive tags and a throughput reaching 400 tags per second." That claim is usually reserved for fixed readers, a very sharp claimed performance boost.
Genesco, which owns more than 2,000 stores operating as nine different chains including Johnston & Murphy, Dockers and Journeys, learned this week how POS receipt customization can be remarkably dangerous.
As the U.S. economy collapses (temporarily mind you, but a collapse nonetheless) and holiday sales contract, the one segment rumored to likely fare best is merchants selling to the highly affluent. But in what could be bad news for E-Commerce, those rich niche retailers tend to resist online sales more fervently than other E-tail segments.
Technology that has been deployed to digitally watch—and analyze—how consumers interact with digital signage could also be used to interpret what they are doing while looking at a cereal shelf. Are they ignoring the product or are they picking it up, reading the label and then quickly putting it back?
The group originally called the PCI Alliance, which changed its name to the PCI Security Vendor Alliance on Tuesday (Oct. 21), has changed its name again—this time to the Payment Card Industry Security Alliance (PCI SA). Mercifully, it never bothered to change its URL, so it's still pcialliance.org.
A major Japanese mobile phone loyalty card trial slated to run from February through June of next year might prove to be a powerful prototype of how other countries might deploy mobile payment networks.
Companies are beginning to extend the protection of PCI-driven security controls to other confidential data, which is great, argues GuestView Columnist David Taylor. What is even better, he says, is that some service providers are finding they can leverage their PCI compliance to gain a competitive advantage.
Australia's Woolworths, which runs the country's largest supermarket chain, has given thumbs up to one RFID trial and thumbs down to another. "The overall cost for a company the size of Woolworths is still too high, and the return on investment for track and trace is just not enough for us to race ahead."
The very premise of E-Commerce is for E-tailers to create a beautiful site, where your customers come to shop. The latest trend, though, is to cut deals with your customers to buy from you anywhere but your site, whether it's on MySpace or Facebook social networking sites, from a cell phone, in the middle of a Google search or while watching a YouTube video.
E-Commerce customers who speak English are "the most frequent victims of identity theft, twice the rate of France, Germany and Spain," according to a study released Tuesday (Oct. 21) by PayPal. The E-mail survey of 1,000 consumers was conducted this summer and examined six countries: the United States, Canada, France, Germany, Spain and the United Kingdom.
As retailers across the globe modernize, the installed base of payment authorization terminals has soared almost 22 percent from 2006 to 2007. As happens typically in a growth segment such as authorization terminals, vendor consolidation has concentrated control—and, therefore, retail purchase options—into far fewer hands.
In their September stats, U.K. sites that sold eyeglasses and related vision aids fared among the very worst in one criteria: sites that are designed to be easily used by those with vision difficulties.
The Circuit City "one price promise" move could ultimately prove to be quite a clever piece of marketing. First, it will be trumpeted as a consumer advantage, even if it means that the price equality will be achieved by sometimes (all the time?) online pricing being raised to match the in-store price.
Home Depot and McDonald's are both in the middle of non-traditional kiosk trials. McDonald's is on its fourth such trial, after having concluded that the first three simply didn't work well. Not too many retailers would opt for a fourth trial after three unsuccessful attempts. The non-traditional Home Depot kiosk trial is based more on the units themselves—small mobile units, some as tiny as 5-inches tall—and the size of the chain's planned kiosk commitment: Well north of $100 million for full deployment
Consider this: Is there a connection between a growing support for various cloud computing approaches and the increasingly active IT role that franchisees are taking? Yes, it's a wacky juxtaposition, but stay with me for a moment. There has been a steady noise coming from retail franchisees who are trying to drive more of their stores' IT strategy.
When GuestView Columnist David Taylor wrote last week about PCI 1.2 changes, he received quite an earful from readers that some changes are having an even more strict impact.
When supermarket chain Wegmans confirmed this month its first-ever self-checkout trial, it was billed as a customer service feature. That's technically true, but only in a very roundabout way.
This is the latest volley in a federal court—and soon federal legislative—game of Internet taxation and control. Can states force E-Commerce sites to tax for them? Can municipalities police what gets sold in their communities, even via laptop or PDA?
"The systems were very poorly adjusted to reflect differences in locales," said CEO Frank Blake. "We are the single-largest less-than-truckload shipper in the United States. A lot of trucks are going to stores that aren't full. It's not efficient."
