GuestView Column: Many QSAs Do Not Have The Background, Expertise To Assess PCI
Written by Joel Weise
April 15, 2008
Joel Weise is a Principal Engineer and Chief Technologist for the Sun Microsystems GSS Security Program Office. Prior to that, Joel was a security practitioner with Visa International, where he established the original IT security department and worked in the R&D and risk management departments.

Although there are many qualified security assessors (QSAs), a few who simply do not have the background and expertise in systems security manage to distort the original intent of PCI.

I often hear of QSAs that simply use PCI as a checklist, without thinking about an organization's overall security posture or architecture. For instance:
• Do you or do you not have an antivirus package?
• Do you or do you not have a firewall?
• Do you or do you not have unique user IDs?

Great. But a good QSA would ask not only whether an antivirus package existed, a firewall appliance was installed or a unique user ID policy was followed, but also how these were designed, architected, implemented, configured and monitored. In addition, a good QSA would ask which security policy the applicable operational procedures must adhere to, and whether anyone looks at the alerts and logs generated by the antivirus or firewall products.

When these questions are not asked, a poor understanding of the intent of PCI is typically at issue. But is this the result of a lack of qualification on the part of the QSA? Or is this poor understanding of PCI just one component of a larger problem where the inherent ambiguities of PCI are reflected in assessments? Or, worse still, is it because a QSA can both assess an organization and function as a consultant—someone who is available to remedy flaws uncovered in an assessment (which can, perhaps, suggest ulterior motives)? I would say that many of the current problems with PCI are a result of all of these possibilities.

Given the questions that I hear regarding how a QSA should apply PCI, it is clear that some QSAs are simply not qualified to function as security assessors. This is problematic in and of itself, but when we add in the issue that a QSA can not only find fault with an organization's compliance with PCI but turn around and sell a solution to address out-of-compliance findings, it's not unreasonable to question that person's motives.

The obvious ambiguities we find in PCI complicate matters. But at the base of the problem are the struggles that arise when an organization insists that its solution satisfies PCI and a QSA will not accept that solution. Although the PCI Security Standards Council is chartered to evaluate these 'disputes,' what we often see is the council's deferral to the QSA.

For example, the FAQ on the PCI Security Standards Council Website (https://www.pcisecuritystandards.org/) lists the question, "What is meant by 'adequate network segmentation' in the PCI DSS?" The response: "...the PCI Security Standards Council is not able to offer an opinion about how your organization can achieve adequate network segmentation since it requires an understanding of security features and controls implemented in your environment. We encourage you to contact a Qualified Security Assessor (QSA) to assist in scoping your cardholder data environment and recommend methods specific to your organization to help reduce the scope of your PCI DSS assessment..."

What if your QSA thinks that segmentation must be done via physical separation and you are using a virtualization technique? Who is the ultimate arbiter here?

The Key PCI Questions

Many people ask me, "How does PCI really work? Why does it appear as a simple checklist? How do I 'pass' a PCI assessment (or better, why didn't I pass my assessment)? Why is it such a hassle? What are compensating controls?"

All of these questions are quite understandable, given what PCI has morphed into and how the cottage industry that has grown up around it has interpreted PCI. To help you understand what PCI is and is not—right or wrong—here are some of my thoughts.

First off, some personal background, to give credence to my stance. I spent my formative years at Visa. It was great fun being on the bleeding edge and inventing new, innovative ways of greasing the skids of worldwide commerce. I still look back quite fondly on those days. I participated in the creation of many of Visa's internal and external security efforts, including erecting the first security office internally. I also participated in the development of technology such as SET, EMV and the Open Platform chipcards. One of my favorite activities was working on technology risk.

Among other reasons, PCI was originally developed as a response to some of the early attacks on e-commerce sites. Merchants often would rush to build their e-commerce sites without giving much thought to the security of those sites. As with many things in life, it sometimes takes a catastrophe to get people thinking about the issues and risks at hand.

When e-commerce sites started to experience external attacks from the Internet, it was recognized that credit card holders, banks (both acquirers and issuers) and Visa (and other brands) were at risk for basic fraud. But more importantly for Visa, such attacks had an adverse impact on the brand. Trust in the brand and in merchant-bank-interchange relationships is paramount. PCI was the card associations' response to this. It attempted to recommend best practices for securing sites.

The goal of PCI was to instill trust in e-commerce in general and in the brand and its merchant-bank-interchange relationships and capabilities that support e-commerce in particular, thereby enabling the reduction of risk and liability for the various participants (i.e., Visa, the banks and merchants). The issue of trust is critical to the success of e-commerce. It doesn't take many poorly designed e-commerce systems that could enable identity theft to turn people away from the Internet as a safe and sane place to do business.

PCI is a living standard. It is intended to grow over time and be flexible enough to allow the use of new technology (e.g., virtualization). This means that a QSA should not disallow the use of new technology such as virtualization simply because there is no provision within PCI explicitly allowing its use. It also means that a good QSA keeps abreast of current technologies and keeps an eye out for future possibilities and how they affect the security of both the data and the systems that data resides on. A better QSA expands upon such knowledge and seeks to understand how new technologies can be leveraged to better secure an infrastructure.

PCI's intent was to ensure that organizations implement a comprehensive security architecture. In other words, PCI is not a checklist but rather a baseline against which an organization can evaluate its security posture or architecture. It is not a hard and fast list of mandatory elements dictated by the powers that be. The intent is to ensure that a holistic security effort exists and includes various security elements and constructs to limit the threats and risks to sensitive information and processing resources.

Being a QSA means understanding security architecture for what it is—an art form. QSAs must be capable of understanding how PCI can be implemented in an unlimited number of ways. This is not to say that any organization that states they have a security architecture, published security policies, a complete security awareness training program, and manages and monitors their systems will necessarily comply with PCI. But those that have a security program that exhibits such characteristics have a better chance of satisfying PCI.

Besides getting hassled about PCI in general, most questions I get involve compensating controls. According to version 1.1 of PCI, "Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a technical specification of a requirement, but has sufficiently mitigated the associated risk."

This statement really gets to the core of PCI. For example, if you do not have an anti-virus system enabled, what compensating controls do you have that will prevent the spread of a virus and more importantly, prevent the disclosure, destruction, or loss of integrity of some sensitive data element? Possibly you are using a hardened Unix OS that is not "commonly affected by viruses." The question here would be, "If I'm using a hardened Unix OS, do I even need compensating controls?"

So what is a compensating control? For better or worse, this is left up to the QSA to determine. And where does that leave the organization being assessed?

The good news here is that the intent of compensating controls is to allow an organization undergoing a PCI assessment to argue that the particular controls they implemented have "mitigated the associated risk." Thus a risk analysis indicating that the controls put in place do in fact reduce risk should be sufficient justification to allow those controls to be used, assuming that a QSA is convinced the reduction in risk is adequate.

One of my favorites is "Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters." Buried inside here is: "2.2.1. Implement only one primary function per server (for example, web servers, database servers, and DNS should be implemented on separate servers)." Let's forget for a moment the issue of why a requirement for passwords and security parameters includes a process separation requirement. I have heard this interpreted by QSAs as meaning any and all functions related to credit card processing must be on physically separate servers.

Notice that PCI does not make any mention of physical separation. The original intent here was to ensure compartmentalization of risk by isolating sensitive data. That of course is a reasonable goal. A good QSA should have a solid understanding of security architecture separation techniques. And one of the most popular today is virtualization. Thus virtualization is a reasonable security separation technique and a good QSA should consider a properly architected and configured system using it to be in compliance. Yet, many QSAs do not understand virtualization and then reject its use out of hand.

Key Management

One of the more critical yet esoteric requirements of PCI covers key management. "Requirement 3: Protect stored cardholder data" includes 3.5: "Protect encryption keys used for encryption of cardholder data against both disclosure and misuse."

Unfortunately, this is yet another case of a laundry list of requirements. And of much greater concern for one being assessed, how many QSAs are actually qualified to evaluate cryptographic systems and operational key management processes?

Many people think that encryption of data is a general panacea for addressing all threats of confidential data disclosure. Encryption done properly will certainly help to address this, but often overlooked is the necessity for solid key management processes. A failure of key management will most likely nullify any benefits derived from using encryption.

Let's look at just a few of the key management requirements listed in PCI. 3.5.1 notes that access to keys must be "restricted" and 3.5.2 states that one must "store keys securely."

Does this mean access to a public key should be restricted? Since PCI discusses encryption in a generic sense, we will put aside the discussion of public key [asymmetric] crypto-systems vs secret key [symmetric] crypto-systems for another day.

How would one go about restricting access to keys? And then how does one test that the restriction methods are adequate? Should keys be stored securely via physical means such as locked in a safe, via logical means, or both?

Cleartext secret key components, for example, are often stored on paper, tokens or chipcards. Must all of these be physically secured? It is left to the QSA to make the critical value judgments needed to evaluate the methods used for restricting this access and determine their adequacy.
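As an added illustration of the split-knowledge handling behind the "cleartext secret key components" mentioned above (example code written for this page, not from the column or any PCI document): a symmetric key is split into XOR components held by separate custodians, each component carries its own check value for transcription errors, and only the full set of components recombines to the key. The check value is a truncated SHA-256 fingerprint, an assumption standing in for the industry zero-block KCV; the 16-byte key length is likewise assumed.

```python
"""Split-knowledge key components for a key-loading ceremony.

Constructed example: a key is split into N components by XOR so that no
single custodian's component (on paper, a token or a chipcard) reveals
anything about the key, while all N together reconstruct it exactly.
Each component carries a check value so a custodian can verify their own
component without showing it to anyone else. The check value here is a
truncated SHA-256 fingerprint, a stand-in for the AES zero-block KCV
used in practice (assumption, not from the column).
"""
import hashlib
import secrets

KEY_LEN = 16  # AES-128 key size in bytes (assumed for the example)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, n_components: int = 3) -> list[bytes]:
    """Split `key` into n XOR shares.

    The first n-1 shares are fresh random bytes; the last is chosen so that
    the XOR of all shares equals the key. Any n-1 shares are statistically
    independent of the key, so one custodian learns nothing from their own.
    """
    if n_components < 2:
        raise ValueError("split knowledge needs at least two custodians")
    shares = [secrets.token_bytes(len(key)) for _ in range(n_components - 1)]
    last = bytes(key)
    for s in shares:
        last = _xor(last, s)
    shares.append(last)
    return shares


def combine_key(shares: list[bytes]) -> bytes:
    """Reconstruct the key by XORing every component together (dual control)."""
    if not shares:
        raise ValueError("no components supplied")
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("components must all have the same length")
    key = bytes(length)
    for s in shares:
        key = _xor(key, s)
    return key


def check_value(component: bytes) -> str:
    """Six-hex-digit check value recorded on the component's envelope.

    Constructed stand-in for a KCV: a truncated one-way hash, so the value
    can be written down without disclosing the component itself.
    """
    return hashlib.sha256(component).hexdigest()[:6]


def verify_component(component: bytes, expected_kcv: str) -> bool:
    """Catch mistyped or damaged components before the key is loaded."""
    return secrets.compare_digest(check_value(component), expected_kcv)


def key_ceremony_demo() -> dict:
    """Walk through split, per-custodian verification, and recombination."""
    key = secrets.token_bytes(KEY_LEN)
    shares = split_key(key, 3)
    kcvs = [check_value(s) for s in shares]  # one per envelope
    # Each custodian verifies only their own component.
    all_ok = all(verify_component(s, k) for s, k in zip(shares, kcvs))
    rebuilt = combine_key(shares)
    # Two of three components do not yield the key (XOR of two random
    # shares is itself uniformly random relative to the key).
    partial = combine_key(shares[:2])
    return {
        "all_components_verified": all_ok,
        "full_set_recovers_key": rebuilt == key,
        "partial_set_recovers_key": partial == key,
    }


if __name__ == "__main__":
    print(key_ceremony_demo())
```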

E-Mail StorefrontBacktalk Editor Evan Schuman at
eschuman@storefrontbacktalk.com
Search Through Blog Blurbs
Search Through All Stories
Quickly catch-up on the latest in E-Commerce and Retail Tech with our free weekly newsletter, with urgent bulletins as news merits.
StorefrontBacktalk will never sell your E-mail address to anyone at anytime.
Evan Schuman is the former retail technology editor for eWEEK.com, PCMagazine, CIOInsight and retail reporter for RISNews and Consumer Goods Technology. Having covered IT issues for 21 years - and other stuff like legal affairs, politics, Wall Street and the environment for about eight years before that - Schuman is in a good position to gripe about technology trends and sometimes accidentally make a good point.
Trick Or Treat? New PCI Version To Be Here By Halloween
By this Halloween, the PCI Council will unveil the first major revision of the PCI DSS payment card security program in two years. But with the council not releasing any true details about the changes, nervous retailers are truly wondering "Trick or Treat?"
In E-Commerce Satisfaction: Netflix, QVC On Top; PCMall, Home Depot On Bottom
That which keeps consumers satisfied seems to be part of an E-Commerce site's culture, as top (and bottom) players tend to show little movement, year to year. The latest results from measurement firm ForeSee Results seem to reinforce that.
Delegation Can Be Good, And A Half-Dozen Other Security Tips
From his perch in the world of security, Guestview Columnist David Taylor sees delegation as a good thing. Some of the retailers with the best strategies have figured out how to "deputize" internal audit, HR, data owners and store managers and give them specific things to do, from employee education to access monitoring to policy enforcement.
Dave & Buster's Data Breach Indictment: Apps Crash For The Bad Guys, Too
It was April 2007 when a pair of cyberthieves from the Ukraine and Estonia set out to try and grab payment card data from the 49-store Dave & Buster's restaurant chain. But according to a federal indictment and U.S. Secret Service affidavit unsealed May 12, 2008, the pair quickly discovered that software can be an equal-opportunity crasher.
TJX Gets 99.5 Percent Signoff With MasterCard Banks
When TJX announced a MasterCard agreement last month to pay $24 million for data breach costs stemming from the industry's worst payment card data breach, it was contingent on at least 90 percent of the banks agreeing. No surprise, but TJX made that acceptance rate with room to spare, coming in at 99.5 percent.
Applying Internet Security To RFID
NeoCatena Networks has in the wings a product designed to stop fraudulent or bad tag data from getting into the system from the supply chain.
FTC To Hold Contactless Hearing In Seattle
Retailers focused on contactless payment might want to circle July 24, 2008, on their calendar. That is when the U.S. Federal Trade Commission will hold a hearing in Seattle "to explore the growth of contactless payment systems and the implications for consumer protection policy."
Macys Shutting Down Bloomingdale's Catalogue
Guess this is what the cliche-afflicted would call a "sign of the times." Macys is killing the Bloomingdale's catalog while Amazon.com is selling copies of Bloomingdale's 1886 catalog for $12. (Can you imagine the number of out-of-stocks in that thing?)
U.S. Watched 11.5 Billion Web Videos In March
For e-tailers who still think that Web video may be a fad, consider this stat: In March, U.S. Internet users watched 11.5 billion online videos. That's a 13 percent gain from the prior month and a 64 percent gain from the identical month the prior year, according to Comscore.
Google Pushes Aside Yahoo For #1 Slot
Thanks in no small part to soaring traffic on YouTube, Google for the first time took the top slot in American consumer reach in April, besting Yahoo. But it took that top slot just barely, reaching 141 million Americans in April. Yahoo ranked second with 140.6 million visitors.
Arrests Made In California Debit-Card Skimming Scam
California authorities have arrested two men in connection with another retail card-reader switch scam, an effort that police say brought in about $225,000 from 222 victims who swiped their debit cards at a regional grocery chain.
Self-Checkout Psychology: Losing The Customer's Trust
With the many new self-checkout offerings being introduced this week from the likes of IBM, NCR and Fujitsu, it's not a bad idea to focus on what will truly decide whether these machines do anything to help retailers.
Self-Checkout: It's Not Just For Lanes Anymore
With the nation's largest casino town as its backdrop, IBM and NCR gambled that the ho-hum growth in self-checkout can become a winner if the systems are moved away from the front-of-the-store checkout lanes and moved back toward the deli, bakery and even in the middle of the cereal aisle. All in all, I'd rather take my chances at rolling a 10 the hard way.
The Home Depot Self-Checkout Machine That Wouldn't Take "No" For An Answer
Trying to collect some innocuous-sounding information from self-checkout customers, a self-checkout system at a Maryland Home Depot instead accidentally got itself embroiled in a privacy controversy.
The Data Breach Librarian Actually Gets Paid
The Florida librarian and data breach victim who successfully took Wells-Fargo and Sprint Nextel to small claims court was paid this week, something that some data breach observers doubted would ever happen.
Twitter Dead Last In Social Network Uptime
With its sites being unavailable for barely one hour over four months, MySpace has the best uptime of any major social networking site and Twitter (more than 37 hours of downtime during the same period) has the worst.
The Dangers Of Choosing The Wrong Wireless Approach
London-based Marks & Spencer is the RFID tag champ. Attaching 350 million a year to items of clothing, they even blow past Wal-Mart when it comes to tagging individual items. Unfortunately, each and every one of those tags might have used the wrong technology.
Opposition To Tokenization A Lot More Than Token
GuestView Columnist David Taylor this week discovered that there's a lot more than token opposition to tokenization. One of the concerns is that companies have already spent money on encryption.
Microsoft Gives Up Yahoo Pursuit
Microsoft on Saturday (May 3) gave up its efforts to acquire Yahoo, declaring such an effort too expensive. "Despite our best efforts, including raising our bid by roughly $5 billion, Yahoo! has not moved toward accepting our offer," Microsoft CEO Steve Ballmer said in a letter to Yahoo CEO Jerry Yang.
Rite Aid Cuts Deal For Visually Impaired Web, POS Support
Rite Aid on May 1 announced an extensive set of E-Commerce and POS changes to accommodate visually-impaired consumers, admittedly under an implied litigation threat from advocacy groups. The $24 billion 5,000-store pharmacy chain joins an expanding list of national retailers who have agreed to make such changes, including 7-Eleven, RadioShack, Safeway, Trader Joe's and Wal-Mart.
Beware Of Mobile Customers Who Are Not Where You Think They Are
As retailers continue to experiment with mobile commerce, one potential problem is when mobile customers prove to be truly mobile. Let's say a national chain sends an E-mail blast to the cellphones of 10,000 Boston-area customers, inviting them to visit the store for a free sample on Wednesday.
Number Of 10-Year-Olds On Social Sites Soaring
Like it or not (place this father defiantly in the "not" category), children are using the Internet's social network sites at a younger age, with retail marketers hovering close by. How young? New stats show 17 percent of boys aged 10-12 used such sites last year, which is more than double the 8 percent who used social sites in 2006, according to the Harris Poll.
Do Retailers Really Maintain A Secure Environment?
This wonderful piece comes courtesy of that time-honored daily newspaper tradition, the police blotter. A woman walks up to an ATM at a Hannaford's grocery store. She connects a laptop to the ATM until an alarm goes off, at which point she packs up and leaves.
NRF Group Offers Payment Consistency Guidelines
With an eye on retailers having to juggle payment systems between many varied environments—far beyond merely online and in-store—a National Retail Federation division this week introduced a set of guidelines called the Retail Transaction Interface.
Best Buy Using IT To Try And Limit Geek Squad Snooping
With a privacy invasion trial about to begin, Best Buy's IT department will be conducting more frequent remote audits of the chain's Geek Squad tech support department.
Microsoft Leaning Toward Going Hostile To Get Yahoo
Microsoft is "leaning toward going hostile in its pursuit of Yahoo," with an announcement "likely" on May 2.
Which Do You Want, Buddy? Compliance Or Security?
GuestView Columnist David Taylor this week suggests that, today, only a small minority of retailers says that they are getting much value from their security investments. Examples abound: Intrusion alerts that are ignored due to lack of staff, firewalls with rules that are out of date, intrusion detection systems that have not been tuned to minimize the false positives and encryption keys that are never changed. Fixing this stuff is not expensive, but it's not fun either.
Cash Usage Rising Sharply In Britain
British retailers are seeing a resurgence in cash purchases, mostly due to a weak economy and consumers who are "nervous about borrowing or spending on debit cards," according to a new report from the British Retail Consortium (BRC). But the question remains whether the consumer reactions that are pushing cash usage in the U.K. are likely to be replicated in other parts of the world.
Google's New Technique To See Pictures, Rather Than Merely Read Captions
Google says it has concocted a better way of searching for Web images, one that involves image-recognition to "see" what the image depicts as opposed to just reading the accompanying text. This technique, called Visual Rank, has tremendous potential to shake up E-Commerce, which heavily relies on product images.
Hannaford CIO: We Need To Spend Millions, Go Well Beyond PCI
Hannaford CIO Bill Homa, overseeing a data breach probe that exposed some 4.2 million payment cards, said this week that his grocery chain needs to go well beyond PCI to try and be secure, an effort he predicted would cost his department millions of dollars "but not tens of millions."
Pizza Hut Delivering A Web Virtual Waiter
Pizza Hut is taking the "other people who bought also liked" approach mastered by Amazon.com and is trying to apply it to pizza and breadsticks and their own Web site. The service initially sounded like an ordinary Web upsell package, but a demo of the service suggested it might be more sophisticated than that.
Javelin Report: Retailers Have No Reason To Support Contactless Payment
Although contactless payment has tremendous potential to advance payments and set the stage for mobile commerce, it's suffering from benign neglect from both retailers and the card brands—and banks, too. That according to a new contactless payment report from analyst firm Javelin Strategy & Research.
The Few. The Proud. The Incredibly Retail Geeky
The E-Commerce folk over at the National Retail Federation—Shop.org—are not so quietly putting out feelers for a new VP gig to pull in other e-tailers.
Wal-Mart Makes RFID Privacy Promises To Arkansas State Legislators
Wal-Mart executives this week promised Arkansas legislators that any product with a radio tag would be clearly labeled, as the retail giant tries to put the inventory-tracking devices on all products sold at Sam's Clubs by 2010.
Is This Retail Payment Data Breach A Trend?
Police near Canton, N.Y., are investigating a payment card data breach at a local retail chain that sounds oddly similar to the Hannaford and other related recent breaches. Is this a coincidence or a gang focused on retail data?
Startup Promises Hard-To-Duplicate RFID Chips
A difficult to duplicate RFID chip? That's the claim of an RFID startup, which is using MEMs resonators to create a unique signal, or "voiceprint," which can't be cloned and can be used to authenticate the chip.
EBay's PayPal Gets Into In-Store
EBay's PayPal is following the path set by other alternative payment players and is starting to appear in physical stores. It's not a huge chain, but it's a start. Moosejaw Mountaineering and its seven stores will now accept PayPal and the chain is also starting to use in-store kiosks to display online customer reviews.
Did Someone Forget To Tell Amazon About The Recession?
We've been seeing a bizarre trend this national recession. It seems to be hitting hard the companies that expected to be hit, the ones that cut back spending in anticipation of the downturn. Lo and behold, after cutting back on customer service and marketing programs, they see revenues fall. Did they correctly predict the sales drop or did they unintentionally cause the sales drop?
Is Starbucks' Continuing Traffic Plunge Payback For Web Weakness?
Starbucks on April 23 cut back its financial projections for the year, citing continuing declines in its store traffic, especially in California and Florida. This is announced just a few weeks after Starbucks said it would shake up its Web presence.
China Becoming A Very Dominant POS Player
China POS shipments soared some 19 percent last year, figures that show China's retailers quickly becoming some of the biggest POS purchasers in the world, according to a new global POS report from consultancy IHL Group.
The Secret To Protecting All That Is Confidential
GuestView Columnist David Taylor this week argues that one of the hardest parts of extending PCI controls to other confidential data is the application of Identity and Access Management (IAM) that crosses applications and platforms, without encountering the "analysis paralyses" that comes with trying to implement Single Sign-on.
A Trio Of Credit Card Conundrums
If there's one thing that the last year of credit card catastrophes has made undeniable it's that mixing credit cards, retailers, banks and card brands is unpredictable and a lot more complex than anyone wants to believe. With that in mind, StorefrontBacktalk has been asking retailers, lawyers and other experts (and gadflies) for their favorite credit card security issue brain teasers. How many can you figure out?
Retailers Wrestling With How To Use Consumer-Generated Video
When North Face—a unit of the $7.2 billion VF Corp. and a major manufacturer of athletic gear and clothing—officials started looking at the tidal wave of consumer-generated Web videos being created, they saw consumer passion. It's the same kind of passion that exists in sports enthusiasts, which is who the retailer needs to reach.
Top E-Commerce Complaint: Web Images That Don't Look Like The Product
E-Commerce customers have several complaints about online buying, but the top concerns are Web images that don't match the real thing and sites that make it difficult to easily ask any questions, according to a late March Opinion Research Web survey of 1,092 consumers.
Waiter? Stylus, Please
One of the most annoying parts of many a casual restaurant outing is at the end, when you just want to say "Check, please" and all wait staff seems to sense this and decide instead to join the Waitress Relocation Program. Microsoft has created a device that permanently sits on the table.
NRF Lobbying Group Opposes Behavioral Advertising Warning
The National Retail Federation's Shop.org is lobbying the U.S. Federal Trade Commission to not flag consumers when their shopping behaviors are being tracked online, arguing that it would merely serve to frustrate those consumers.
More Than 10 Billion U.S. Web Videos Watched In February
In case there are two or three of you who are still skeptical about whether Web video will have an impact, consider these new figures. In February, U.S. Internet users viewed more than 10 billion online videos, which represents a 3 percent gain versus January (despite February being two days shorter) and a 66 percent gain versus February 2007, according to ComScore.
Extending PCI Standards To Protect All Confidential Data
GuestView Columnist David Taylor this week questioned why PCI doesn't protect non-payment card information, such as Social Security numbers. Any security consultant will tell you that it's important to have a data classification scheme. Although it makes a nice spreadsheet, we have seen only a few leading-edge merchants and banks that actually attempt to enforce it and use it to drive access controls. Why? Taylor has concluded that it's for a single strategic reason: "Data classification is boring."
PA-DSS Formally Unveiled
The PCI Security Standards Council on April 15 officially rolled out version 1.1 of the Payment Application Data Security Standard (PA-DSS). The specifics of the standard were spelled out last November and this is just the expected formal unveiling.
A Kiosk That Toys With Long-Term CRM Rewards
A DVD rental kiosk outfit has rolled out a kiosk that keeps track of orders and awards free videos for frequent shoppers. The idea of a kiosk that has a long-term memory and an active CRM component is a wonderful next step (OK, a baby step) for intelligent kiosks.
A 600-Foot Passive RFID System?
RFID vendor Mojix has rolled out a new RFID system that it says can read passive, Gen2-standard tags from 600 feet away; cover 250,000 square feet of area; and pinpoint tag location in 3D.
Walmart.com Wants Its Own Online Customer Forums
Wal-Mart is pushing to create online communities for its customers, where Wal-Mart employees can sit on the sidelines, take notes and be influenced, or so suggests the chief marketing officer for online operations at the world's largest retailer.
GuestView Column: Many QSAs Do Not Have The Background, Expertise To Assess PCI
GuestView Columnist Joel Weise—the chief technologist for Sun Microsystems GSS Security Program Office—argues that although there are many qualified security assessors (QSAs), "a few who simply do not have the background and expertise in systems security manage to distort the original intent of PCI."
$5 Billion Blockbuster Wants To Buy $12 Billion Circuit City
Blockbuster is trying to acquire Circuit City--a chain that is reporting twice its annual revenue--by offering a 50 percent per-share premium, Blockbuster announced early on April 14.
eBay's Australia Experiment: Ban All Payment Methods Other Than PayPal
As of June 17, anyone in Australia buying from eBay online will be told: "PayPal" or "Forget It, Pal." With the exception of in-person pickups and cash-on-delivery, plus a handful of large-ticket items, sellers will be required to offer eBay-owned PayPal as a payment method by May 21, in anticipation of the June 17 ban on anything else.
Advance Auto Parts Breach Included Unencrypted Payment Data From 2001
Unencrypted customer credit card information dating back to 2001 was among the customer payment data stolen from as many as 56,000 customers of Advance Auto Parts, according to one company official, who added that the chain is not PCI compliant.
McDonald's Mobile Trial Raises Question: Who Owns The Data?
A group of 109 McDonald's restaurants in the Salt Lake City region are doing a mobile commerce trial, with participating consumers getting free iced coffee. Although those 109 stores are barely one coffee bean's worth, given the $22.8 billion chain's 31,377-store network, the trial is interesting both for its capabilities and for how much data-control McDonald's was willing to give up.
Hannaford Kills TV Commercials After Station Reports On Data Breach
Saying only that a TV station's news coverage of its data breach was too "aggressive," the Hannaford grocery chain has canceled its commercials from the Portland, Maine, CBS affiliate. The station, which announced Hannaford's decision on its own news site, said the chain declined to cite any errors or problems with the coverage.
Best Buy Change Sees 10X Increase In CRM Participants
When Best Buy removed annual fees from its bonus card, the company yielded about 10 times the number of shoppers opting to sign up for its rewards program.
European Commission Cracking Down On Search Engine Privacy
The European Commission is cracking down on search engine data-retention, with a new proposed rule that search engines should delete personal data about their customers within six months.
Forrester: E-Commerce Dollars Growing But Cannibalization A Big Factor
E-Commerce is growing sharply—much more rapidly than in-store sales. It grew some 21 percent, to $175 billion last year, crediting E-Commerce with six percent of all retail sales, according to new figures from Forrester Research.
The Dangers Of Manual PCI Reviews
Guest Columnist David Taylor sees manual reviews as one of most serious threats to retail security. As one security manager put it: "We are so far behind in tracking down the alerts, we could have been breached a month ago and still not know it."
RFID Prototype Aircraft Delays Not An RFID Issue
With reports out this week that Boeing's much-celebrated upcoming aircraft—the 787 Dreamliner—would be again delayed because of technology problems, some wondered if the delays involved the plane's extensive RFID experiments. Not so, says Boeing.
ISPs Tracking User Activity Much More Than Is Generally Known
ISPs have been quietly expanding their use of deep-packet inspection. They are capturing everything a user does—to the point where "at least 100,000 U.S. customers are tracked this way, and service providers have been testing it with as many as 10 percent of U.S. customers, according to tech companies involved in the data collection."
Sears Online Soaring 20 Percent
The Web world defies prediction—or does it? Conventional wisdom would have the new up-and-coming retailers faring better online, while the old-style big-box merchants lag behind. And yet, Starbucks has had far more online troubles than it should have while Sears is soaring online.
Piggly-Wiggly Trying To Recreate The Grocery Layout
Focusing on recent improvements in refrigeration technology, the 115-store Piggly Wiggly is pledging to radically revamp its store. The grocery chain is shaking up product positioning issues—all frozen foods are kept together, for example—that have been considered sacrosanct for decades.
Microsoft To Yahoo: Accept Buyout Now Or It Will Be Hostile And For Less Money
Microsoft's board has given Yahoo's board three weeks to either agree to a takeover deal or it will go hostile. In a Saturday letter from Microsoft CEO Steve Ballmer to the Yahoo board, Ballmer strongly hinted that if the deal goes hostile, the original $44.6 billion offer would be reduced.
Virtually Instant Card-Swipe Encryption Device To Be Unveiled Next Week
Amidst the sea of security announcements slated for the RSA Conference next week is a card swipe device that claims almost instant encryption of cards, avoiding the problem of card data being grabbed before encryption. Such claims are commonplace, but the VeriShield Protect from Verifone is making claims that—if ultimately proven true—would significantly advance retail payment security.
Home Depot CIO Steps Down
Home Depot CIO/EVP Bob DeRodes has resigned and will leave the $77 billion home improvement chain "at the end of the year," according to a statement Home Depot issued Thursday. DeRodes will continue to run IT until he leaves, the statement said, as the chain starts a search for his replacement.
New Mobile Payment Patent Sidesteps Wireless Concerns
With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office last issued a trademark for a cellphone payment that leverages current retail equipment, an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.
Security Controls Are Useless If They're Not Turned On
Guest Columnist David Taylor is baffled by how often security safeguards are purchased, installed and then not meaningfully used. It's not uncommon for merchants to turn on security controls shortly before an audit, and turn them off afterward.
Restaurants Using Credit Card As Their Loyalty Card
A series of restaurant chains—including Subway, Tully's and Brinker (Chili's, Macaroni Grill, On The Border, etc.)—have been experimenting with a way to use regular credit and debit cards as loyalty cards.
Amazon's TextBuyIt Service Not Likely To Make Them A Lot Of Retail Friends
Amazon.com on Wednesday rolled out a new service called TextBuyIt, which allows consumers to comparison shop online working solely with fast text messages. But the move may not sit well with other retailers, who could see this making it easier to find better deals elsewhere, especially in bookstores.
The Legal Irony: A Secure Retailer Could Suffer More In A Breach Than A Reckless One
There is this fairy tale belief that legal justice in civil lawsuits punishes those who act poorly, while protecting and vindicating those who consistently do the right thing. Nowhere is this myth more wrong—indeed, polar opposite wrong—than when dealing with security breach issues of U.S. retailers.
Is Hannaford Unique Or The Start Of A New Breach Trend?
Was the Hannaford data breach isolated or was it part of a sweep of similar penetrations? A Vermont ski resort is reporting an almost identical breach of card information in transit in February and an official there was told by law enforcement "that they currently are looking into about 50 reported incidents of the same sort in the Northeast alone."
TJX Offers To Pay MasterCard Banks As Much As $24 Million For Breach Costs
TJX will pay as much as $24 million to cover data breach losses suffered by MasterCard banks, assuming 90 percent of the banks agree to the settlement offer, TJX and MasterCard announced on Wednesday. TJX last year announced the world's worst payment data breach, which impacted some 100 million cards.
Recession Breathing New Life Into Coupons?
Although the coupon redemption rate has been steadily declining for at least 10 years, a new vendor survey suggests the recession may turn that around. Of the 1,529 U.S. consumers who responded, 67 percent said they are much more likely, or somewhat more likely, to use coupons during a recession, according to the survey performed by ICOM Information & Communications.
In Bankruptcy, A Firm Finds Out Its True Worth
Bankrupt Pay By Touch—officially using the name Solidus Networks—has sold off two key units for a total of $4.8 million. Phoenix Check Cashing dropped $4.2 million to pick up Pay By Touch's check-cashing division, known as BioPay Paycheck Secure
Amex Kills Its Payment Fob. Will Others Follow?
Pushing a convenience/ease-of-use argument, payment processors have spent much of the last two years trying to get consumers to use different payment methods. But 2008 has thus far not been friendly to them. This week brings the news that American Express is halting its ExpressPay keyfob, some six years after the payment giant started offering it.
Hannaford Breach Included Clear Text Sent Via Fiber-Optic Cable
The Hannaford data breach included payment information that was partly encrypted and partly clear text—and it was all transmitted over a private fiber-optic cable. This information—on top of the reports that Trojan Horse software was installed on 300 servers in 300 Hannaford stores—is painting a picture of a retailer that seemed to be following accepted security procedures.
Beware The Razored Fake Payment Card
A new type of payment card forger is making the rounds, this time armed with a razor blade and very little money. After the thief has been able to guess at random numbers and find a viable payment card, the culprit razors off the last few digits from a real payment card and KrazyGlues the guessed-at numbers onto the card.
Hannaford Had Trojan Installed On 300 Store Servers, One Copy For Each Store
The data breach at Hannaford involved a Trojan Horse that was installed on servers at every one of its 300 grocery stores, according to Hannaford officials. The software intercepted card data at the POS and then periodically transmitted them "to an unnamed offshore Internet service provider."
FTC: TJX "Failed To Provide Reasonable And Appropriate Security"
In the multi-year data breach at TJX—the worst in credit card history—the retail chain "created an unnecessary risk to personal information by storing it on, and transmitting it between and within, in-store and corporate networks in clear text," according to a complaint issued Thursday by the U.S. Federal Trade Commission.
PCI Safe Harbor? In Your Dreams, Breach Boy
If there's one thing that can be said about CFOs, they love their absolutes. They love absolute assurances that if they do X-and-Y, they'll be protected against Z. And, most recently, they are simply ga-ga for those who say that a PCI compliance letter means they are in a magical safe harbor, where they can do anything with their security that they want and be utterly immune from liability.
The Credit Cards' Worst Nightmare: Perfect Encryption
The security exec then asked an annoyingly thought-provoking question: What do you think would happen if retailers were given perfect encryption? He painted a picture of retailers who would use their perfectly protected data and would confidently let it ride atop the public Internet. At that point, paying for the private security tunnels of a Visa or MasterCard would no longer be essential.