U.K.'s John Lewis Trials Electronic Shelf Tags That Don't Look Like New Technology. Will This Reverse Psychology Work?
Electronic shelf tags have gone pretty much nowhere in recent years, but U.K. department store chain John Lewis is doing an interesting trial at one of its newest stores. The Exeter location, which...
Security rules are wonderful things, and nowhere are they more needed than in retail and payment-card data. But a common criticism of the organization handling such matters—the PCI Council—is that it...
Nordstrom (NYSE:JWN) is six months into a 17-store trial in which shoppers are counted by way of Wi-Fi signals from their smartphones. The 236-store apparel chain is not storing any customer personal information from the trial, and it's only being given aggregated data on customers by the vendor handling the trial. But that vendor, Euclid, is storing hashed versions of customer Wi-Fi MAC addresses—and is also running trials for some 35 other of the nation's 100 largest retailers. That presents what could easily become an irresistible cross-retailer mobile tracking temptation.
Two very desirable—and potentially lucrative—sets of shopper data are being captured and saved here. But the retailers and the vendor involved are all pledging to not use it. The first is cross-retailer data, which is where the vendor will recognize a shopper's phone's MAC address when the shopper repeatedly walks into a Nordstrom and then detect that same shopper walking into a Nordstrom competitor. How much would that rival pay for such information? The second data set: Once one of those MAC addresses makes a purchase, the chain could connect that MAC address with the payment information. Voila, instant CRM-friendly data on whenever that customer walks into a store and, with enough sensors, every aisle he or she visits and how long the shopper lingers.
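The cross-retailer linkage described above follows directly from how the MAC addresses are tokenized. The example below, added here and not code from the article, Nordstrom or Euclid, uses a constructed list of in-store Wi-Fi sightings (made-up MACs, made-up retailer names) to show that a bare SHA-256 of a MAC produces the same token at every store, so a vendor holding data from many chains can match devices across them, while an HMAC under a per-retailer key produces unrelated tokens for the same device. The retailer names, keys and the `cross_retailer_links` helper are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample: (retailer, MAC) sightings as a tracking vendor might
# receive them from in-store sensors. The MACs and retailer names are made up.
SIGHTINGS = [
    ("nordstrom", "AA:BB:CC:11:22:33"),
    ("nordstrom", "aa:bb:cc:44:55:66"),
    ("rival",     "AA:BB:CC:11:22:33"),   # same device, seen at a competitor
    ("rival",     "aa-bb-cc-77-88-99"),
]


def normalize_mac(mac: str) -> str:
    """Canonical lowercase hex form, so formatting differences between sensors
    do not split one device into two tokens (or hide a match)."""
    hexdigits = mac.replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits


def unkeyed_token(retailer: str, mac: str) -> str:
    """What 'storing hashed MAC addresses' usually means: a bare SHA-256 of the MAC.
    The retailer is ignored, so one device yields one token everywhere it is seen."""
    return hashlib.sha256(normalize_mac(mac).encode()).hexdigest()


def make_keyed_tokenizer(retailer_keys: dict):
    """Build a tokenizer that HMACs the MAC under a secret unique to each retailer.
    Tokens from different retailers are then unrelated, so they cannot be joined."""
    def keyed_token(retailer: str, mac: str) -> str:
        return hmac.new(retailer_keys[retailer],
                        normalize_mac(mac).encode(),
                        hashlib.sha256).hexdigest()
    return keyed_token


def cross_retailer_links(sightings, tokenizer) -> set:
    """Return the tokens seen at more than one retailer: exactly the devices a
    vendor holding everyone's data could track across chains."""
    retailers_by_token = {}
    for retailer, mac in sightings:
        retailers_by_token.setdefault(tokenizer(retailer, mac), set()).add(retailer)
    return {tok for tok, rs in retailers_by_token.items() if len(rs) > 1}


if __name__ == "__main__":
    # Bare hashing: the shared device is linkable across both chains.
    print("unkeyed links:", len(cross_retailer_links(SIGHTINGS, unkeyed_token)))
    # Per-retailer keys: the same device gets unrelated tokens, nothing links.
    keys = {"nordstrom": secrets.token_bytes(32), "rival": secrets.token_bytes(32)}
    print("keyed links:", len(cross_retailer_links(SIGHTINGS, make_keyed_tokenizer(keys))))
```

Two caveats for anyone evaluating such a trial. First, the keyed scheme only removes the cross-retailer temptation if each retailer's key stays with that retailer (or is rotated and discarded); a vendor that holds every chain's key can still compute the join. Second, even the keyed tokens still support everything the page describes within one chain, including tying a token to a later purchase, so the per-retailer key addresses the first data set, not the second. A bare hash of a 48-bit address whose vendor prefix is public is also not anonymization in any strong sense, which is why the unkeyed form should be treated as personal data rather than as a pseudonym.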
Everyone knows the standard advice when someone—especially someone who works in IT—is about to be fired or laid-off, all of their passwords and systems access are shut off right before they're told....
The PCI Security Standards Council (PCI SSC) recently released PCI DSS Cloud Computing Guidelines, a document that has important information for any retailer or merchant looking to take advantage of the benefits from cloud computing. The guidance document begins with a simple statement: "It may be particularly challenging to validate PCI DSS compliance in a distributed, dynamic infrastructure such as a public or other shared cloud." Using the phrase "particularly challenging" communicates that a merchant's PCI compliance will be easier or harder depending on the chosen cloud deployment model, pens PCI Columnist Walter Conway.
One gem tells retailers they need to "obtain the details of the CPS's [cloud service provider's] compliance validation." This is the first official guidance that tells merchants to go beyond asking for the attestation of compliance (AOC). The guidance suggests merchants review "The Executive Summary and Scope of Work sections" of the CSP's report on compliance (ROC) and the "specific components, facilities, and services that were assessed." Securing a copy of the current AOC for the CSP is a good start, but it is not enough. Merchants need to know the scope of the CSP's assessment, which is not sufficiently detailed in the AOC. The SIG recognized this situation explicitly with its recommendation.
Amazon's newly issued patent for reselling digital goods raises some interesting concerns. The least interesting: Holy cats, Amazon has patented the idea of selling used e-books! (No, it hasn't.) Much more intriguing: What happens when many retailers have their own online digital resale shops? To resell or give away that digital copy of Nineteen Eighty-Four I bought from Walmart (or Barnes & Noble or Target), will I have to get the original retailer involved?
Short answer: apparently so. And with digital content a potential CRM goldmine, more chains may soon start selling digital books, movies, music and audio books—which could get very sticky, for both customers and retailers.
When the PCI Council rolled out its cloud computing guidelines on February 7, one element—dealing with introspection—has been heralded as sound practice while being slammed as unrealistic and impractical. The problem speaks to the very nature of clouds.
In private clouds, retailers can demand unlimited data about their environments; shared cloud providers, meanwhile, simply cannot reveal information about other cloud residents. That very well may mean shared cloud vendors will simply not be able to provide enough information for a retailer to become PCI compliant. Does the council then ban shared clouds—as some have expected—or impose requirements on retailers that they may be unable to fulfill? The guidelines—which are not edicts from the council (yet) but, indeed, are solely guidelines—fairly describe the various types of cloud offerings, from the private cloud to the various shared options: community cloud; public cloud; and hybrid cloud. Although acknowledging that retailers may have limited control of the environment and the information in a cloud model, the council still places demands on the information gathered for PCI compliance.
For the past two years, the Payment Card Industry Security Standards Council (PCI SSC) has been taunting merchants with offers of a specialized (and simplified) Self-Assessment Questionnaire (SAQ) for those using "validated P2PE" approaches. At first, the council told merchants to wait while it drew up plans to validate the products. Then—finally—seven months ago, PCI SSC released its standards and told merchants to go right ahead and pick one of these validated options. There's only one problem: As of Thursday (Feb. 7), the council hadn't validated any.
That's right. Seven months after the standards were released and nearly two full years from its initial announcements on the matter, the PCI SSC has yet to validate a single P2PE vendor that can offer the promised scope reductions and a simplified SAQ to merchants. Why? Well, quite frankly, pens GuestView Columnist J. David Oder, because the council designed the wrong standard.
On Monday (Feb. 4), the California Supreme Court revisited the question of whether online retailers are permitted to collect certain personal information when engaging in a credit-card transaction. A 1974 statute seems to say "no," but the California Supreme Court says "yes." Although the case is a victory for online retailers, the way the court came to its decision may open up consumers to much more use of personal information. In the end, that possibility may cause the State Legislature to clamp down on new forms of database misuse—for both online and offline retailers, pens Legal Columnist Mark Rasch.
In the 1970s, California passed the Song-Beverly Act. It prohibited merchants (there were no online merchants back then) from requiring, as a condition for accepting a credit card, consumers to provide certain personal information. The legislature was worried about merchants using the pretext of accepting a credit card to mandate that consumers pony up their names, addresses and other personal information.
Chains are still inching toward making their mobile apps genuinely useful to customers, but at least they're doing it in more technically useful ways. On Monday (Feb. 4), Walgreens announced a new application programming interface (API) that should make it easier for mobile app developers to deliver all sorts of prescription refill information to users, at least if Walgreens is willing to provide it.
Unfortunately, what this API currently does is pretty primitive: It accepts a prescription number and then reports back to the app that it has (or hasn't) successfully requested a refill. Just the fact that there's an API is a big step forward, because it means Walgreens can extend that API without breaking any apps that use it.
The California Supreme Court on Monday (Feb. 4) ruled that online merchants have the right to ask for Zip code and other personal information about shoppers who buy electronically downloadable products, but physical retailers do not. Given the clout of the highest court from the country's largest state making such a ruling—which, in turn, makes it very likely that other states will follow—this decision could sharply change CRM and POS strategies.
Such changes are especially likely because the court did not impose any restrictions on how retailers can use this newly permitted data, despite the ruling saying that data is solely to give online shops a better chance of fighting fraud. The ruling allows address and other information to be demanded from shoppers even when the goods are physical, but only if the product is being shipped to a different location. The rationale is that when a physical product is being delivered, the retailer has an obvious need to ask for the address to which it will be sent. But for fraud purposes, the court's Monday ruling now allows the site to demand the address of the customer, in addition to the delivery address.
The NRF and the Electronic Payments Coalition (EPC) have launched what is essentially a flame war over the swipe surcharges that are allowed under the interchange settlement as of January 27. NRF launched the first broadside, calling surcharges a "ridiculous concept" and deriding "propaganda" suggesting any retailer would use them. EPC fired back on Tuesday (Feb. 5), calling NRF's statements "false and misleading."
This isn't complicated—the retailers most likely to adopt swipe-fee surcharges are the ones currently offering discounts for using cash, and that group doesn't include most big chains. But NRF is also fighting the interchange settlement and EPC is supporting it, which goes a long way to explain some otherwise pretty incomprehensible flaming.
Amazon has cut another distribution-center-for-sales-tax deal, this time in Connecticut. On Monday (Feb. 4), the E-Commerce colossus said it will be building a DC in Connecticut and will also start collecting sales tax from Connecticut customers—but not until November. ("Hey, we're Amazon. We could do it tomorrow. But just to show you who's running this show, you can wait nine months.")
That's all in line with Amazon's recent delay-and-get-concessions approach to sales taxes. But the point of the exercise was always to give Amazon more flexibility when it comes to delivery—and with 16 states now potential locations for Amazon DCs, it may already have almost everything it needs. Amazon's deal-cutting days may be almost over.
PCI DSS has two sunsets coming up. The first is the well-documented end of PA-DSS v1.2 this October. The second, and equally significant, sunset is Windows XP's end-of-life just a few months later, and this event may have an even more direct impact on retailers. The demise of Windows XP will challenge retailers with POS or other payment applications running in that environment. These retailers will fall into one of three scenarios. How they choose to address the situation will affect their PCI compliance and, more importantly, their security. There may even be a little fallout for the PCI Security Standards Council (PCI SSC) itself, pens PCI Columnist Walter Conway.
On April 8, 2014, about 14 short months from now, Windows XP will reach the end of its life as an operating system. That means that starting on April 9, 2014, Microsoft will no longer market, support or provide regular security patches for that operating system. Retailers with POS or other payment systems running on Windows XP after this date will, therefore, no longer be PCI compliant.
Duane Reade, the largest drugstore chain in New York City, announced on Tuesday (Feb. 5) it would be trying an unusual mobile effort: It is participating in an elaborate Google mobile-fueled virtual reality game. At one level, this is just silly fun. But from a retail mobile perspective, a lot more is going on here. The game, called Ingress, is from Google's Niantic Labs and involves hiding barcodes throughout the stores. From the chain's perspective, is it about getting shoppers to walk inside its 250 stores? No, although the game certainly does that. Is it about getting shoppers to not merely enter but have to go deep into the store, searching through shelves of products to find the game barcodes? Yes, but that's not the biggest element.
The real payback for Duane Reade, owned by Walgreens, is about changing customer mobile behaviors. In English, that means getting shoppers comfortable with scanning barcodes and interacting with the resultant data. It will increase participation in more explicit mobile programs. This will mean more price comparisons—which Duane Reade is confident it will usually win—and, soon, it will soften resistance to mobile payments.
A ComScore survey released on Monday (Feb. 4) reminded us why we hate it when surveys don't give us context. The topic was digital wallets, and among other not-very-surprising tidbits (48 percent of...
As the online (and mobile) leader by a very wide margin, Amazon certainly generates a generous share of envy and hatred from E-tailers and retailers alike. They all quietly celebrate every Amazon misstep and piece of investor pain—except one. When Amazon has an outage and the E-Commerce king is trying to convince everyone that the site was not the victim of a DDoS attack, every rival is in its corner.
On Thursday (Jan. 31), Amazon was down for about 49 minutes, which is certainly a notable event. One cyberthief group tweeted responsibility, claiming "we used a 7kbotnet running hoic 100 threads each. 80servers in botnet and a 16gbps booter." Does it make much of a difference whether the outage was caused by an internal IT screw-up, an unexpectedly huge number of shoppers looking at a specific sale or an outside malicious group? Absolutely.
Restaurant reservations Web site Open Table just paid $10 million to purchase the app developer Foodspotting, which enables people to take pictures of, well, food. The idea behind the synergy is that consumers looking to make reservations can not only read the menu but actually see the food presentation "in the real world" by looking at pictures taken by bona fide customers.
This continues a trend of technology empowering consumers, observes Legal Columnist Mark D. Rasch. It's also a way for restaurants and other retailers to get themselves into real legal trouble if they're not very careful about how they identify their use of this type of social technology.
When JCPenney very publicly and very aggressively embraced a chain-wide, all-product item-level RFID strategy—with the promise of a full rollout by February 1 (2013)—executives cited supply-chain savings as a key driver. The chain has now reversed course, killing much of the RFID program to save money. When a chain is under this much financial pressure, a little savings today is a lot more valuable than a lot of savings down the road.
But of much greater significance is the digital domino effect. In this case, JCPenney was building its in-aisle checkout on the premise that it had item-level RFID fully in place. And if remodeled stores have dramatically scaled back the number of cashwraps (because customers would be doing in-aisle checkout), does that mean all those customers will have to line up for the limited number of cashwraps? That's not going to be pretty—presuming JCPenney can actually get enough returning customers to make it a problem.
October promises to be a big month for everyone involved with PCI, but maybe not for the expected reason. On Oct. 28, 2013, every payment application validated under Payment Application Data Security Standard (PA-DSS) version 1.2—and there are a lot of them—will see its validation expire. The applications will no longer be acceptable for new deployments, a potential nightmare for every retailer using a validated payment application. If a retailer has any payment app that glitches in early November, it could have far fewer—if any—choices as a replacement. The problem: A large number of applications still haven't been revalidated under PA-DSS 2.0. Given the time that has already elapsed, coupled with the human tendency to delay the unpleasant, we're looking at a likely crush of last-minute validation renewal requests that could strain both PA-QSA and PCI SSC resources.
For retailers, says PCI Columnist Walter Conway, this means applications that may still be secure won't necessarily be supported by vendors. Much worse, this situation could create a huge backlog of applications to be evaluated by PA-QSAs and then approved by the PCI Council. That process will take weeks, and quite possibly months, to work through. Retailers should note that this will be happening barely one month before Black Friday. Fear not, though. All of these problems can be averted if software vendors all act quickly, well ahead of deadline. (Editor's Note: In other words, we're all doomed.)