The new iPhone 5s's biometric fingerprint scanner can actually put consumers (or merchants, for that matter) in a worse position legally than the previous four-digit PIN. In fact, the biometric can leave the contents of a consumer's phone and any linked payment systems, accounts or systems—including contacts, email and documents—less legally protected than the simple passcode. This is because the law may treat the biometric (something you are) differently from a password (something you know).
To that extent, the best approach (and the less convenient one) for people wanting to protect not only their phones but anything linked to them, is to use both the biometric and a passcode, writes Legal Columnist Mark Rasch. He doubts that will happen, knowing how lazy most people are, but the change from PIN to print matters much more than it might seem to.
Is JCPenney (NYSE:JCP) taking out customer Wi-Fi just out of spite or because customers really aren't using it? This week the struggling department-store chain confirmed to BuzzFeed that Penney's had cut off customer access to in-store Wi-Fi. (BuzzFeed used the word "removed," but the Wi-Fi is still available for associates to use with mobile POS.) The chain's official explanation: "There was little use by customers." The word from inside sources: CEO Mike Ullman doesn't think it's worth the cost, and besides, ex-CEO Ron Johnson called it "fundamental architecture" so it must be junk.
That's an exaggeration, of course—even Johnson couldn't turn a really good idea into junk. But the cost-savings numbers being floated around—Penney's only spent $12 million to install the Wi-Fi but will save $7 million a year by not letting customers use it—suggest the chain needs to actually get about $10 million a year in additional profit to cost-justify free user Wi-Fi. Spread across 1,100 stores, that's possible, but it still requires that Wi-Fi at least look like it's helping to move the needle on sales. And that, realistically, is a hard sell.
Google (NASDAQ:GOOG) wants to replace cookies with something new—that, of course, Google will control. That's the gist of a story in USA Today on Tuesday (Sept. 17). Citing an inside source it doesn't name, the newspaper reports that Google is working on an "anonymous identifier for advertising" called AdID that "would be transmitted to advertisers and ad networks that have agreed to basic guidelines, giving consumers more privacy and control over how they browse the Web." Um, right.
Macy's (NYSE:M) is not, repeat not, capturing signals from customers' mobile phones to identify them at POS. That's the main thing people are remembering from a presentation by Macy's customer strategy VP Julie Bernard at a conference last week. Aside from the implication that some other chains are doing that, it's too bad, because it misses Bernard's two key points. One is that customers demand marketing messages that are relevant to them, but they're at the point of paranoia about retailers collecting the information necessary to make the messages relevant. The other is that some ways of collecting that information truly are creepy.
But which ones? Gut-level intuition isn't a reliable guide, and it's especially hard for retail IT people to use as a gauge when they're dealing with ideas from marketers. What's needed is a more or less external standard for when CRM data collection has crossed the line. Fortunately, we have one, and we've used it before: The traditional human shopkeeper. The question: When it comes to invading customers' privacy, what could Mr. Hooper do?
If we needed any more evidence that Isis still isn't quite ready for prime time, we have it now: On Sept. 10, McDonald's (NYSE:MCD) told the Bloomberg news service that it's testing mobile payments...
As if retailers didn't have enough conventional privacy concerns, now even touching customers' Wi-Fi may have more legal problems than previously thought. On Sept. 10, a federal appeals panel in San...
How close is Amazon (NASDAQ:AMZN) to same-day delivery for most U.S. customers? Maybe not as close as we thought. While a report in May said that by the end of 2013 Amazon will have a distribution center within five miles of most major U.S. cities, a new calculation by supply-chain consultant Marc Wulfraat suggests Amazon has a lot farther to go before it can even reach 20 percent of U.S. shoppers.
Unlike the May numbers from Channel Advisor, Wulfraat just looked at the 20 largest U.S. cities—which are arguably the best candidates for same-day delivery, since they have the highest customer density. Then he measured the distance from each city's epicenter to the closest Amazon warehouse, figuring a generous 100 miles for a DC to be able to do same-day delivery. The results weren't generous to Amazon's same-day plans: Only eight of the 20 cities currently have an Amazon DC within 100 miles.
Is iBeacons really the killer new iOS feature that some Apple watchers think it is? According to various claims, iBeacons is Apple's (NASDAQ:AAPL) solution for payments, for "indoor GPS," for replacing RFID tags, for tracking customers everywhere and for in-store mobile marketing. Most of that is the usual technology-lust silliness. But iBeacons really do have some interesting in-store possibilities for retailers. And the technology is cheap enough—and low-risk enough—that, for once, chains really can have some fun experimenting with technology.
Here's the basic concept: You can put small, free-standing, battery-powered Bluetooth transmitters called beacons at key spots in your stores. When a customer running the right smartphone app comes close enough, the beacon sends out a message—longer than a Tweet but smaller than a web page—for the app to display. The beacons are cheap (starting at about $35 each), easy to move and reuse, and short-range (so they really can send messages to just people in, say, the produce department). Think digital signage without that expensive, bulky sign and you've started to scratch the surface.
What was billed as the final showdown over the mammoth interchange settlement on Thursday (Sept. 12) turned out to be as contentious as the year leading up to it. It took more than five hours for U.S. District Judge John Gleeson to listen to the parade of critics and objectors in his Brooklyn courtroom. By the end, he was clearly frustrated. "Is this ever going to come to an end without comprehensive legislation?" he asked at one point.
Well, it might if someone would actually get all the way to trial with a lawsuit over whether Visa (NYSE:V) and MasterCard's (NYSE:MA) rules for card acceptance and interchange fees violate antitrust laws. And that might happen even if Judge Gleeson approves the settlement, since both merchants, including Target (NYSE:TGT) and Macy's (NYSE:M), and card brands have already filed new lawsuits over the antitrust question. In the meantime, the judge has a pile of arguments to deal with in the weeks or months before he issues his ruling.
Sometimes it's the little things. Apple just announced its new version of the iPhone, and among the (mostly minor) changes, the company added a little thing that is a potential game changer: a fingerprint reader to authenticate the user. It's a simple biometric of the type that has been on many computers for years. But just as the addition of the iTunes store to the iPod transformed digital purchases, and the addition of apps to iOS transformed software, the addition of the biometric reader can transform identity management, online purchases, key management and DRM, and can be used to either enhance or destroy privacy as we know it.
But there are problems with biometrics, writes Legal Columnist Mark Rasch, and some of them are inherent. The second thing an electronic fingerprint system must do is scan the fingerprint and create some form of digital representation of what has been scanned. The first step? That is the hardest: Having a way of identifying the individual who's being biometrically "fingerprinted."
Apple (NASDAQ:AAPL) has discovered the fingerprint. OK, Apple actually discovered the fingerprint in 2008, when it began filing patents for biometric security. But after five years and the acquisition of biometric authentication vendor AuthenTec, on Tuesday (Sept. 10) Apple finally unveiled an iPhone that can be unlocked with a fingerprint. Very impressive, and something Apple views as crucial for its eventual foray into mobile payments. The only problem? It's really not enough.
That's not a knock against AuthenTec or Apple. There's a fundamental problem with all fingerprint-based authentication—and it's the very reason it's so popular for law enforcement. The huge advantages of fingerprints over any traditional password or fob system are that (a) they're virtually unique, and (b) users aren't likely to lose, forget or get confused about them. The big problem with fingerprints? You leave copies of them virtually everywhere you go.
We know PayPal is probably the most committed U.S. mobile payments player whose name isn't Starbucks (NASDAQ:SBUX), so we're trying not to be cynical about PayPal Beacon, the hands-free in-store...
How is it that Twitter has become one of the most valuable social-media tools for most retailers and one of the biggest and hardest-to-nail-down risks for them? That question cropped up again last Thursday (Sept. 5), when popular multi-account Twitter management tool HootSuite announced a partnership with Nexgate to finally provide what, in any other context, would be considered the absolute minimum tools necessary to keep an organization from regularly shooting itself in the corporate foot.
The problem, in a nutshell, is that Twitter was never designed for this. Like so many other things on the Internet, it was intended as something relatively simple for ordinary users—in this case, an online replacement for mobile text messages. But the combination of potentially instant response and the fact that Twitter is free made it perfect for everything from customer service to group chats, at least in the eyes of budget-strapped corporate users. Could anyone have intentionally designed an Internet boobytrap more potentially devastating? Probably not.
Amid a lot of wailing among bankers over the 21-cent cap on debit interchange fees—and now the threat that the cap could be pushed even lower by a Washington, D.C., federal judge—a little bit of inconvenient reality has shown up. Mark Horwedel, CEO of the Merchant Advisory Group, actually remembers why banks started using debit cards in the first place. More to the point, he remembers that debit interchange fees weren't capped at all back then—because there wasn't any debit interchange.
Yes, that interchange-free time is ancient history—way back in the 1990s. It was also a time when big retail chains actually had some control in a major part of the payment system. If you want a clear picture of how chains are capable of losing that kind of self-determination—and how it's likely to happen again with whatever new payments systems retailers adopt in the next few years—this is a useful reminder.
Heartland Payment Systems can be sued by several card-issuing banks for negligence after all. On Tuesday (Sept. 3), a three-judge panel of the 5th U.S. Circuit Court of Appeals ruled that a federal court in Texas erred in March 2012 when it threw out the case on the basis of the economic loss doctrine. (Don't worry, we'll get to what that means.) That effectively ended the financial institutions' case against Heartland, which stemmed from the processor's now-legendary 2008 data breach.
But the appeals court said that while the judge was right about Texas law, Heartland could be sued under New Jersey law, where Heartland is headquartered, because the economic loss doctrine works differently there. The key issue: Except for going to court, the issuing banks had no clear way of going after Heartland to get their money back. That means the case is alive again and will return to Texas for further proceedings.
In a move that will satisfy nobody, data broker Acxiom announced that, beginning Sept. 4, it has launched a new website, AboutTheData.com, where people can log in and see some of what the data broker knows about them. This is supposed to be a move toward greater transparency and openness, and toward that end is a good move, but ultimately it may result in data brokers having more information about consumers.
What appears to be a service for consumers is, in fact, a service that benefits the data broker and its customers, writes Legal Columnist Mark Rasch—and it only indirectly helps out the consumer. What it definitely doesn't tell consumers is exactly where data about them comes from, and especially what it will be used for.
You know all that CRM data you've been so lovingly collecting from loyalty programs, special offers, POS systems and any other way you could find to gather shopper information? It's about to be put at risk by a data broker—and not in the way you expected. Acxiom, one of the world's biggest data brokers, is opening a portal this week that will let consumers see much of the information that Acxiom has about them and where (in general terms) it came from, as well as the ability to correct it. The portal will also let consumers opt out of having the information used in the future.
What's that have to do with your CRM data? Simple: Acxiom is doing this to get out in front of federal regulation. The example it sets may well end up as the model that the Federal Trade Commission (FTC) uses for all non-credit marketing data. Unless you're ready right now to give your customers access to their data—or at least a big chunk of it—that data is at risk.
Genesco (NYSE:GCO), which has been waging what at first appeared to be a quixotic battle against Visa's PCI fines for a 2010 breach, is doing surprisingly well. First a U.S. District Court in Tennessee rejected Visa's arguments that Genesco shouldn't be allowed to sue Visa over the $13 million in fines that Visa assessed after the breach. Now Genesco has filed its own motion for summary judgment, asking the court to declare that Visa couldn't fine Wells Fargo and Fifth Third $5,000 each for the breach because, under California law, that's only allowed if it's in proportion to the amount of the breach.
Those $5,000 fines are pocket change compared with the major PCI fines that the banks were assessed (and passed along to Genesco, as usual). But if U.S. District Judge William Haynes Jr. buys Genesco's argument—and he seems to be agreeing with Genesco a lot so far—that could augur badly for Visa, both in this case and in future efforts to assess PCI fines that aren't directly related to provable damages caused by the breach.
Citi has paid $55,000 to settle a lawsuit by the Connecticut attorney general over a 2011 breach that exposed payment card numbers of 360,000 cardholders—only 5,066 of which were from Connecticut. The settlement, which was announced last Thursday (Aug. 29), is the first to come out of the breach more than two years ago, and could set the standard for settlements in other states. (California had more than 80,000 affected cardholders, and it helped out with the Connecticut investigation.)
At the time the breach was revealed in June 2011, media reports said thieves eventually stole $2.7 million using affected accounts. Reports also said the hackers didn't have to do anything sophisticated to get access to the card data. The thieves just logged into the Citi site reserved for credit card customers, noticed that the URL included the account number, replaced that with a different account number and got access to another customer's information without any further authentication. An automated program made it possible to collect data on hundreds of thousands of numbers. And that, unfortunately, isn't the worst of it.