Wal-Mart's Kiosk Trial Raises Serious PCI, Data Ownership Issues

Wal-Mart this month became the latest major retailer to experiment with self-service kiosks, selling space in 77 stores for units that buy back used video games and issue credits directly to various payment cards.

The initial trial is entirely isolated, with the kiosk vendor having access only to its own network and not to Wal-Mart's. But the $375 billion chain is officially considering having the machines offer in-store credits in the form of gift cards, which would mean allowing the kiosks two-way access to POS and potentially CRM data. That would force some serious strategic debate about how far outside vendor kiosks can—and should—be allowed to play inside a retailer's databases.

The initial version of the kiosks collects payment card information as well as driver's license data. Even setting aside the potential future POS/CRM access, the payment and highly sensitive driver's license data will force some of that debate right away. How secure are the kiosks? Who is ultimately responsible in the event of a security breach, both from a legal and PCI perspective?

Beyond lawyers and assessors, consumers and the dollars they control will likely blame the retailer for any problems that started with a kiosk in or right next to its store. Wal-Mart officials are stressing that the Wal-Mart logo will not be used on any of the trial kiosks, although the Wal-Mart blue and yellow brand colors will absolutely be used. "This is not Wal-Mart's machine," said Melissa O'Brien, a spokeswoman for Wal-Mart's entertainment division. "We are leasing space to them in our store vestibules just like we do with other companies." And that nuanced distinction will be explained to every Wal-Mart customer how?

The insistence that no brand be displayed will be a nice point for the lawyers, but it won't do much for public perception. PCI Safe Harbor and legal indemnification won't help much if consumers feel betrayed.

Another troubling issue is data ownership. If Wal-Mart gets consumers to come to its stores and asks them to interact with a kiosk in the store, can the kiosk vendor use that information to help other retailers? As a pragmatic matter, how can they not do so?

The kiosks will know precisely who is returning what products and for how much money. Wouldn't consumer goods manufacturers—such as the ones that made that game as well as the ones that make rival offerings—kill for such data? Or to even be able to send a message to those people? And what about other retailers trying to steal some market share?

Alan Rudy, CEO of E-Play, the Ohio-based kiosk operator that is working with Wal-Mart on this trial, insisted the units securely handle credit and debit card data. He said E-Play retains ownership of all information gathered by the kiosks and has no plans to share or sell it, but he wouldn't rule out anything for the future.

The devices, built by NCR (which owns a minority stake in E-Play), are now in service on a trial basis at some Wal-Marts in New York, Rhode Island, Connecticut and Massachusetts, said Wal-Mart's O'Brien.

Currently, the E-Play machines compensate shoppers for used games by depositing money into their credit or debit card accounts. However, O'Brien, E-Play spokeswoman Vicki Greenleaf and CEO Rudy said other forms of disbursing buy-back money, possibly in the form of in-store credit or even Wal-Mart gift cards, might be examined if the kiosks prove to be successful. The company, which also distributes kiosks that rent movies and games, is in discussion with retailers, which Rudy would not name, that are considering directly connecting the kiosks to their stores' POS payment systems.

Any time game owners want to sell titles to E-Play, the kiosks require credit or debit cards to be swiped. To meet state regulations pertaining to the buy-back of second-hand goods, the kiosks also require driver's licenses to be swiped or scanned by the machine, Rudy said.

Rudy was unwilling to discuss the details of how the kiosks protect credit and debit card information, but he said the devices are PCI compliant, that data is encrypted and that E-Play owns and processes all collected information. The kiosks send alerts to E-Play if tampering occurs. The machines take photographs of all customers, and Rudy said this feature has been used by police to catch credit card thieves.

Unlike other kiosks that accept credit and debit cards for payment, E-Play's do not retain sensitive information once a transaction is completed, Rudy said. "Credit card information gets settled at the machine right away when a customer is in front of it," the CEO said. "We don't keep credit card data any longer than we need to."

The kiosks do retain some basic customer information, which Rudy would not divulge. However, he said all sensitive customer information is stored at E-Play headquarters. "Everything inside the kiosk is encrypted, but even if somebody tore into it, any information they could get would only be basic information," Rudy said. He noted that basic customer data, but not credit card or driver's license information, is shared by all machines in the E-Play network so that a customer is recognized at all kiosks. However, even known customers must swipe their cards and driver's licenses whenever they want to sell a game, Rudy stressed.

He said all information is transmitted via a secure cellular network. However, Rudy said the company has been in discussions with "a number of grocers" that are interested in having the kiosks tied directly into their POS systems so they can include kiosk activity as part of their sales. "They look very closely at in-store sales," he said. "If our machine takes up nine square feet and they had to remove, say, a windshield washer fluid display for it, they have to make up that revenue. We can tie our kiosk into their POS system so they see the same actual revenue number every day tied into their actual reporting system."

The CEO acknowledged that E-Play gathers quite a bit of potentially lucrative information about its customers. However, he insisted the company has no intention of sharing any of that CRM data with retailers (including the stores whose space it leases), game makers or advertisers.

The company's privacy statement says it might share information with law enforcement and third-party service providers that "may help us process information, extend credit, fulfill customer orders, deliver products to you, manage and enhance customer data, provide customer service, assess your interest in our products and services, or conduct customer research or satisfaction surveys." The privacy policy notes that those companies "are also obligated to protect your personal information in accordance with e-Play’s privacy policies, except if we inform you otherwise at the time of collection," and warns that disclosure of personal information might also be required due to litigation.

"There've been no discussions on selling customer information," Rudy said. "I would be very hesitant to do that and we certainly wouldn't do it without the permission of the consumer." The CEO also said he'd fear angering host retailers by, for example, selling to competing retailers information gleaned from its kiosks. "I doubt our retail partners would be willing to work with us if we did that, so that's why we won't do it," Rudy said.

Currently, accepting E-Play game-buying kiosks involves virtually no input from a retailer's IT department if the units are set up to pay money only by making deposits to credit or debit cards, as is the case in the initial Wal-Mart trial. Wal-Mart is remaining non-committal about its long-term interest in the machines and whether it would like them to offer Wal-Mart-specific forms of payment for the games that are purchased. "It's too early to say or speculate at this time," O'Brien said. "It’s a very small pilot. We are watching with great interest but we can't speculate at this time how fast it will grow. For us, it’s a great service for customers and a convenience."

Rudy said the company has game kiosks in some Wal-Mart Canada stores and in about 200 other locations, mainly Exxon and Speedway gas stations. He said E-Play has plans "with several partners" to implement a system where those who sell their games to the kiosks are issued a slip bearing a barcode they can take to the service desk. The barcode would be scanned to determine the amount of store credit available to the disk seller.

Greenleaf and O'Brien said public interest in the Wal-Mart kiosks has been high, particularly among gaming enthusiasts. O'Brien acknowledged many people are asking if there is, or ever will be, a way to get their game trade-in money in a gift card or other form that can be used immediately at the store. However, the retailer is taking an arm's-length approach similar to that taken by Best Buy when it began testing kiosks last summer. "That’s a next generation we're looking at, the in-store gift card credit," Greenleaf said, noting "there certainly are other capabilities that E-Play has in place with these machines" for paying game and movie sellers.

If any alternative payback method were instituted, it wouldn't take place unless there is a future expansion of the kiosks to other Wal-Marts. "There isn't currently an expansion plan (but) we're optimistic about expansion and looking forward," O'Brien said. She noted more E-Play kiosks will be installed, as part of the trial, before the end of May.