After a week of meetings in Durban, South Africa, focused on vanity domain names, it looks like Amazon's (NASDAQ:AMZN) application to use its own name is still being denied, while U.S. apparel chains Express (NYSE:EXPR) and The Limited won't be able to block other applicants from grabbing their names. But one of the vanity-domain decision makers also acknowledged this week that all these cases may yet end up in court.
The quarterly meeting of ICANN, which is selling new top-level domains (what comes after the last dot in a web address) for $185,000 each, did result in the first four vanity domains being officially awarded, but none were for retailers or in the English language. At least some of the new names sought by U.S. chains should be awarded by the end of the summer, ICANN says. But what initially looked like just a very expensive way to acquire their own .brand names is now turning into a process that's effectively stripping some chains of their brands.
PCI's Global Forum is an open forum in name only, at least as long as it continues to force changes on members that they are not permitted to even know about until someone who has been briefed chooses to tell them, pens GuestView Columnist Stephen Ames. What makes him say that? He spins a story about how PCI really works.
He had just wrapped up onsite PA-DSS validations with his PA-QSA this month and a question came up about PA-DSS Requirement 4.2.7, which aligns with DSS Requirement 10.2, which is all about user access. Ames' QSA tells him that PA-DSS Requirement 4.2.7 is now always in scope, regardless of whether or not there is a user database within the application. Both of these options would cause application vendors to take on more liability. He searched the PA-DSS for a security requirement that aligns with PCI DSS 11.5 – File Integrity Monitoring – and there is none. Ames is certain that most application vendors would not take responsibility for file integrity monitoring at merchant sites. He can't understand why the SSC is forcing that upon application vendors when they don’t even have that requirement written into the PA-DSS.
After years of trying to convince major bookstore chains that printing single copies of books onsite is viable, one print-on-demand vendor has finally gotten a nibble. The 253-store Books-A-Million (NASDAQ:BAMM) chain has said that it will put a print-on-demand kiosk in its store in Portland, Me., and another one in a store to be named later.
Books-A-Million doesn't appear to be trying to reduce its need to stock inventory with the machine. Instead, it's going after sales of books it wouldn't normally stock anyway. The idea is that instead of sending customers away to order an out-of-print book from Amazon (or theoretically have the store order it and wait a week, but how likely is that?), the kiosk will be able to download and print the book in a matter of minutes. The reality is likely to be a little more complicated.
Think Your Incentives To Get Your Brand Followed On Twitter Are Good? The Vatican's Almost Certainly Got You Beat
Retailers have tried quite a few creative tactics to get shoppers to participate in the chain's social media efforts, but none have the clout to do what the Vatican just did when it was trying to...
To make a CRM rewards program effective today, it needs to move beyond points only offered for purchases. (Heck, even the Pope is offering concrete incentives for following him on Twitter.) Gilt.com, an e-tailer that has already gotten creative by offering mobile-only offers, is trying to do just that by offering loyalty points for visiting the site on several consecutive days.
But such a program will quickly fail—and fail in such a way as to be counter-productive—if the points are not set properly. In other words, if the number of points needed to get a reasonable prize and the number of points offered for non-purchase activities are set such that it's impossible to redeem those rewards in a reasonable period of time, this campaign won't work. The initial stats suggest that Gilt.com may have fallen into that particular trap. One incented behavior--visiting the site five days in a row—will deliver 100 points. And what will that 100 points buy? Well, a gift certificate (valued between $80 and $100) requires 25,000 points. A loyal shopper could perform that quintuple-consecutive-visit chore 249 times in a row (that's visiting the site every day for 1,245 consecutive days, which is almost visiting the site every day for 3-and-a-half years) and still not qualify for that gift certificate.
With all of the bitter retail rivalries and customer-stealing efforts, I found this story out of Syracuse, NY, refreshing. Seems that an LP officer working for Abercrombie & Fitch (NYSE:ANF)...
ICANN's Vanity Domains Will Break Some Of The Internet And We Won't Help Fix The Problems, Says ICANN's Security Chief
From the Department of What's The Worst That Can Happen?, Vanity Domains division: ICANN, the organization that's selling do-it-yourself replacements for .com for $185,000 each, is meeting this week...
A Best Buy online anti-fraud mechanism has unintentionally created a security hole. I was placing an order with a local Best Buy physical store, using the web site's pickup-in-store option. Because the store only had one of the item left, the associate suggested that I give her all of the account information on the phone and she would enter the order right there.
Everything went fine except that she apparently did a one-character typo in the e-mail address. I didn't discover this until a half-hour later when no confirmation note ever arrived. Using the order confirmation that she gave me, Customer Service was able to identify the order and spot the e-mail typo. Great! Except that Best Buy's fraud procedure locks them out from changing the e-mail address. Wait a second. Best Buy now knows that the address is wrong and further knows that my sensitive order information is going out to someone else (assuming that typo-ed address belongs to a real person). Not only can't they fix it, but they tell me that additional mails will go out to that incorrect e-mail address no matter what. Oops!
One of the nation's 15 largest retail chains had done a tremendous job segmenting its network to reduce the scope of its PCI assessment. All of that was thrown away, though, during a simple data center transition, when Networking made a security change but no one ever bothered to tell senior IT management.
Late last year, the chain decided to move its data center from an in-house facility to a purpose-built data center campus in another part of the United States. The goals were more raised-floor space, better energy efficiency and getting away from the natural-disaster risks of the existing location. In the QSA's review, the new data center was seen as a model of energy efficiency and modern design. So far, so good. But when the QSA returned for the annual PCI assessment, a review of the core switch and its layer 3 ACLs (Access Control Lists) revealed that all of the switch's ACLs had been disabled (commented out) for both data centers. The formerly segmented network was totally flat, with no segmentation at all.
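The drift the QSA found is exactly the kind of thing a scheduled config audit catches long before an assessor does. As an added example that is not from the original column, the chain or any vendor, the Python below parses a Cisco IOS-style configuration and reports when a required ACL is undefined, is not bound to an interface, or survives only as a commented-out line (it treats lines beginning with "!" as comments, which is what a config held in a template or backup repository would show). The two configs, the ACL name CDE-ISOLATE and the interface-to-ACL policy are constructed for the example; in practice the input is the nightly config backup and the findings are compared against the baseline from the last assessment.

```python
import re

# Constructed sample: the segmented baseline the QSA approved on the first visit.
BASELINE = """\
hostname core-sw-1
!
ip access-list extended CDE-ISOLATE
 permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 443
 deny ip any 10.10.0.0 0.0.255.255
 permit ip any any
!
interface Vlan10
 description CDE
 ip address 10.10.0.1 255.255.0.0
 ip access-group CDE-ISOLATE in
!
interface Vlan20
 description Corporate
 ip address 10.20.0.1 255.255.0.0
 ip access-group CDE-ISOLATE in
"""

# Constructed sample: the same switch after the move, with the ACL definition
# and both interface bindings commented out by prefixing them with "!".
DRIFTED = """\
hostname core-sw-1
!
! ip access-list extended CDE-ISOLATE
!  permit tcp 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255 eq 443
!  deny ip any 10.10.0.0 0.0.255.255
!  permit ip any any
!
interface Vlan10
 description CDE
 ip address 10.10.0.1 255.255.0.0
! ip access-group CDE-ISOLATE in
!
interface Vlan20
 description Corporate
 ip address 10.20.0.1 255.255.0.0
! ip access-group CDE-ISOLATE in
"""

# Segmentation policy (assumed): interface -> ACL that must be bound to it.
REQUIRED = {"Vlan10": "CDE-ISOLATE", "Vlan20": "CDE-ISOLATE"}

ACL_WORDS = re.compile(r"(ip access-list|ip access-group|access-list)\b")


def parse_config(text):
    """Return (defined ACL names, {interface: [ACLs bound]}, commented-out ACL lines)."""
    acls, bound, commented = set(), {}, []
    iface = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped.startswith("!"):
            body = stripped.lstrip("!").strip()
            if ACL_WORDS.match(body):
                commented.append(body)      # an ACL statement that no longer executes
            continue
        if not raw.startswith(" "):
            iface = None                    # a new top-level command ends the interface block
        m = re.match(r"ip access-list (?:extended|standard) (\S+)$", stripped)
        if m:
            acls.add(m.group(1))
            continue
        m = re.match(r"interface (\S+)$", stripped)
        if m:
            iface = m.group(1)
            bound.setdefault(iface, [])
            continue
        m = re.match(r"ip access-group (\S+) (?:in|out)$", stripped)
        if m and iface is not None:
            bound[iface].append(m.group(1))
    return acls, bound, commented


def audit_segmentation(text, required):
    """List every way the config falls short of the segmentation policy."""
    acls, bound, commented = parse_config(text)
    findings = []
    for acl in sorted(set(required.values())):
        if acl not in acls:
            findings.append(f"ACL {acl} is not defined")
    for iface, acl in required.items():
        if acl not in bound.get(iface, []):
            findings.append(f"{iface}: ACL {acl} not applied")
    for line in commented:
        findings.append(f"commented-out ACL statement: {line}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("baseline", BASELINE), ("after move", DRIFTED)):
        print(name, "->", audit_segmentation(cfg, REQUIRED) or "segmentation intact")
```

The policy dictionary is the important part: it states which interfaces must carry which ACL, so the audit fails closed when a binding disappears rather than only when a line changes. Wiring the findings into change management (a non-empty list blocks the change ticket) is what would have forced Networking to tell someone.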
An eBay court case poses a question that gets a lot more interesting the more you think about it: If an e-commerce site is used extensively by a large number of shoppers as their primary store, does it become subject to all of the laws that govern physical stores? The legal issue in this case involves a deaf seller who argued that accessibility laws required eBay and other e-tail sites to accommodate shoppers with vision and hearing difficulties.
The argument for the shopper speaks to the intent of the original legislation—or, more precisely, the intent of the legislators who crafted that initial legislation. Did they not indeed intend that if shoppers must go to public stores to make purchases, those stores must allow in and support all shoppers equally? The counter is that the law understandably makes no reference to e-commerce and that if Congress wants to pass such a law, great, but until it does, courts must assume that a law means what it says and nothing more.
QR codes are ugly. They're intrusive. Most designers hate them because there's no way to make them look any less like the brick-full-of-blocks they are, especially when they've been slapped next to a great-looking retail marketing image. That's why the idea of leaving out the QR code entirely and just getting a mobile phone to react to the image itself is so appealing. It looks so much better that it's easy to forget why it's a bad idea: That ugly, intrusive QR code screams "Point your camera at me!" An ordinary image doesn't.
As a result, if potential customers know what they're supposed to do with a QR code, they can easily do it. But how are they supposed to know that there's any special significance to the image in an ad, poster or brochure?
That's too bad, because the problem of all the incompatible, vendor-specific data formats for shopping carts, product identifiers, transactions and customer information is costing retailers money to integrate and maintain E-Commerce sites. It also locks chains into specific vendors' formats—and vendor lock-in is very much a dollars-and-cents issue in retail IT. Any retailer's E-Commerce group that doesn't start tracking this effort now may soon either be paying or playing catch-up.
Now that Barnes & Noble has lost its CEO and is further exploring "strategic alternatives," it looks increasingly like the last bookstore megachain has reached its last link. On Monday (July 8), CEO William Lynch resigned, and Chairman Leonard Riggio named a new president, but not a CEO. The obvious question: When does a retailer not need a CEO? When it expects a new owner to name one. The less obvious question: How could merged channel/omnichannel have failed Barnes & Noble so completely?
Think it's because Barnes & Noble is in the dead-tree book business? So is Amazon. Besides, at last report the brick-and-mortar bookstore business was still holding up (if only barely). It's the Nook and the chain's efforts to merge physical book and E-book retailing that have been a bottomless money pit. So why did Barnes & Noble—having lost its biggest physical-store competitor when Borders went under—fail to gain any merged channel traction?
Vanity top-level domains (TLDs), which seemed like such a good idea a year ago to Walmart, Safeway, Amazon and Google, are slowly grinding their way forward. Last week ICANN, which is selling the new dot-names at $185,000 each, said it has finalized the registrar's contract for the new names. Unfortunately, that doesn't help the would-be owners of .walmart, .amazon, .book and .grocery—they're still stuck in ICANN's flypaper-like approval process.
To be fair, after more than a year, 552 vanity TLDs (out of 1,930 applications) have actually made it through the process to the point where there are no objections and they don't match other applicants. That includes retail-related terms like .camera, .clothing, .market, .markets, .pharmacy, .shoes and .toys, along with 23 actual retailer names. They're ready to start getting their contracts. Everybody else still has hurdles to climb.
In the loss prevention world of counter-counter-espionage, a California vendor is pitching a silent way to detect shoplifters who have their own silent way of detecting the detectors. Let's slow this down. In an attempt to defeat standard EAS devices, shoplifters for years and years have lined shopping bags with aluminum foil and sometimes carried strong magnets to deactivate EAS tags. Then came LP's response, where stores could detect the foil and those magnets, but the detection was audible and did little beyond alerting the thief. Even worse (well, from the thief's perspective, even better), that alert happened immediately, before the thief could steal anything.
In a handful of jurisdictions, the mere possession of such devices is illegal. What the vendor, San Diego-based Indyme, is pushing is a silent system that alerts LP that a foil-lined bag (calling it a "booster bag" is so clichéd) or a magnet has entered the store, flags the shopper and lets LP track the shopper, ideally discreetly. It also cues security cameras to follow the shopper.
MasterCard is involved in an intense battle with the highest European Union court, with the brand begging for the court to overturn a decision that would sharply limit interchange rates MasterCard could charge throughout the continent. On the surface, that seems like exactly what one would expect from MasterCard. And it was, until we saw an unusually candid statement from its chief counsel.
MasterCard lawyer Thomas Sharpe argued to the Luxembourg-based court that "the effect of the commission’s decision is to require MasterCard issuers to continue to provide valuable services to merchants such as guaranteeing payment to them without being able to recover any revenues from those merchants for those services," according to a Bloomberg reporter who attended the hearing. But in an interview right after the hearing, another MasterCard lawyer, associate general counsel Carl Munson, said, “If we win this case, we would be free to set any fees we want." (No need to call your physician, Mr. Retailer. That involuntary shudder is quite normal.)
A security researcher in Seattle has identified yet another program running in the background of some smartphones in the name of collecting quality of service information. This time the phone is Motorola's (NASDAQ:GOOG) Droid X2, and the program collects data that includes some user passwords—the researcher confirmed that his YouTube password was slurped up—which then are sent back to Motorola over an unencrypted connection.
Motorola doesn't have any real use for YouTube passwords, of course. But the fact that it's collecting them anyway suggests that whoever designed the software is really unclear on the security problems in slurping up data by default. Ironically, the one kind of data security that retailers are most concerned about, PCI, isn't strictly an issue if a customer uses a Droid X2 for mobile commerce, since the data leak is out of PCI scope—it's on the customer side. But a chain's employees might be sending their passwords to critical systems using a Motorola phone too, potentially exposing all the chain's systems to attack.
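The failure described above, a device shipping account credentials to a vendor endpoint without TLS, is visible from the network side, and that is where a chain can check its own fleet even when it cannot fix the handset. As an added example (not the researcher's tooling and nothing from Motorola), the Python below inspects captured HTTP requests for credential-shaped fields and flags any that travel over plain HTTP. The request records, the hostnames and the list of credential field names are constructed assumptions; in practice the input would come from an egress proxy log or a packet capture taken on the corporate Wi-Fi.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Field names that usually carry a credential (assumed list; extend per environment).
SECRET_KEYS = {"password", "passwd", "pwd", "pass", "secret", "token", "api_key"}


def credential_fields(content_type, body):
    """Return the names of credential-shaped fields with non-empty values in a body."""
    found = set()
    if "application/json" in content_type:
        try:
            obj = json.loads(body)
        except ValueError:
            return found
        stack = [obj]                      # walk nested objects and arrays
        while stack:
            cur = stack.pop()
            if isinstance(cur, dict):
                for key, val in cur.items():
                    if key.lower() in SECRET_KEYS and isinstance(val, str) and val:
                        found.add(key)
                    stack.append(val)
            elif isinstance(cur, list):
                stack.extend(cur)
    else:                                  # treat anything else as form-encoded
        for key, vals in parse_qs(body).items():
            if key.lower() in SECRET_KEYS and any(vals):
                found.add(key)
    return found


def audit_requests(requests):
    """Flag requests that send credential fields without TLS."""
    findings = []
    for req in requests:
        scheme = urlsplit(req["url"]).scheme
        keys = credential_fields(req.get("content_type", ""), req.get("body", ""))
        if keys and scheme != "https":
            findings.append({"url": req["url"], "fields": sorted(keys),
                             "ua": req.get("ua", "")})
    return findings


# Constructed sample of what an egress proxy might have logged (not real traffic).
SAMPLE = [
    {"url": "http://telemetry.example.net/checkin",
     "content_type": "application/json",
     "body": '{"device":"DROIDX2","accounts":[{"service":"youtube",'
             '"user":"a@example.com","password":"hunter2"}]}',
     "ua": "Dalvik/1.4 (Linux; Android 2.3)"},
    {"url": "https://sso.example.com/login",
     "content_type": "application/x-www-form-urlencoded",
     "body": "user=ops&password=s3cret", "ua": "Mozilla/5.0"},
    {"url": "http://cdn.example.com/img.png", "content_type": "", "body": "",
     "ua": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for f in audit_requests(SAMPLE):
        print(f"cleartext credential: {f['fields']} -> {f['url']} ({f['ua']})")
```

The second sample request also carries a password, but over HTTPS, so it is not reported; the point is the transport, not the presence of a login. Matching on the user agent would let the same check be scoped to a particular handset model once a fleet has been identified as affected.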
The self-checkout software at Vons, Safeway's chain in California, lets the shopper move directly to the payment area and then still buy more items. This bit of flexibility probably seemed like a good idea at the time, until it turned out that the next shopper could scan groceries and have them charged to the payment card of the previous shopper.
Nearby stores in the Ralphs and Albertsons chains avoid the issue by simply forcing the shopper to close out the order before proceeding to payment, according to a California TV station's report. The Safeway stores had a "finish" button, but shoppers were not required to hit it before proceeding to payment. One wonders how much time was spent watching for and fixing these holes, creating and distributing the signs, and dealing with customers who were apparently paying for other shoppers' groceries. It's also possible that many of those ripped-off shoppers never detected it, but they will now that media coverage has kicked in. How will those shoppers feel about Safeway's "let the glitch happen and we'll fix it for the individuals who notice" approach? Compare all that with how much time it would likely have taken IT to simply require that the "finish" button be hit before payment was accepted. Ahhh, the wacky world of retail cost-benefit analysis.
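The underlying design mistake is a transaction that stays open, with a card attached, after payment has been taken. As an added example that is not Safeway's software and assumes nothing about how the real kiosks are built, the Python below puts a permissive lane that keeps the card on file until someone presses finish next to a hardened lane in which a card is accepted only after the order is locked and is discarded the moment the order is paid. Item names, prices and card identifiers are made up.

```python
from enum import Enum, auto


class State(Enum):
    SCANNING = auto()   # shopper is adding items
    FINISHED = auto()   # shopper pressed "finish"; the item list is locked
    PAID = auto()       # card accepted; the order is closed


class LaneError(Exception):
    """Raised when the lane refuses an action in its current state."""


class PermissiveLane:
    """Assumed model of the reported Vons behaviour: "finish" is optional, a card
    can be presented while the order is still open, and anything scanned after
    that is billed to the card on file until somebody presses finish."""

    def __init__(self):
        self.charges = []      # (card, sku, amount) sent to the processor
        self.unbilled = []     # items scanned before any card was presented
        self.card = None       # card on file for the still-open order

    def scan(self, sku, amount):
        if self.card is not None:
            # bug: the order never closed, so the previous shopper's card pays
            self.charges.append((self.card, sku, amount))
        else:
            self.unbilled.append((sku, amount))

    def pay(self, card):
        self.card = card
        self.charges.extend((card, sku, amount) for sku, amount in self.unbilled)
        self.unbilled = []

    def finish(self):
        self.card = None
        self.unbilled = []


class HardenedLane:
    """pay() is reachable only from FINISHED, and a paid order closes itself,
    so no card survives into the next shopper's session."""

    def __init__(self):
        self.charges = []
        self.state = State.SCANNING
        self.items = []

    def scan(self, sku, amount):
        # A new scan after PAID starts a fresh order (items were cleared by pay);
        # reopening a FINISHED order is safe because no card has been taken yet.
        self.state = State.SCANNING
        self.items.append((sku, amount))

    def finish(self):
        if not self.items:
            raise LaneError("nothing to finish")
        self.state = State.FINISHED

    def pay(self, card):
        if self.state is not State.FINISHED:
            raise LaneError("press finish before presenting a card")
        self.charges.extend((card, sku, amount) for sku, amount in self.items)
        self.items = []
        self.state = State.PAID        # the card is used once and never stored


def _present_card(lane, card):
    """What a shopper does at the pin pad: try to pay, press finish if told to."""
    try:
        lane.pay(card)
    except LaneError:
        lane.finish()
        lane.pay(card)


def run_walkoff(lane):
    """Shopper 1 pays and walks off without pressing finish; shopper 2 scans and
    pays. Returns {card: [skus billed to it]} so lane types can be compared."""
    lane.scan("milk", 3.49)
    _present_card(lane, "card-1111")
    lane.scan("bread", 2.99)           # nobody pressed finish in between
    _present_card(lane, "card-2222")
    billed = {}
    for card, sku, _ in lane.charges:
        billed.setdefault(card, []).append(sku)
    return billed


if __name__ == "__main__":
    print("permissive:", run_walkoff(PermissiveLane()))
    print("hardened:  ", run_walkoff(HardenedLane()))
```

In the permissive lane the second shopper's bread lands on the first shopper's card and the second card is charged nothing, which is the complaint the TV station reported. In the hardened lane the same sequence of button presses produces one charge per card, and the fix is two conditions on state rather than signage.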