StorefrontBacktalk

As wearables get more sophisticated and integrated into our physical environments, virtual environments and entering the sacrosanct enterprise data stream, they certainly promise wonderful advantages. But as any other IT veteran knows, never look a corporate gift horse in the mouth without first performing security penetration testing. (The enterprise IT motto: Trust and get fired.)

What brings these happy thoughts to the surface was an interesting piece in Wired yesterday (July 21) about a wearable vendor’s efforts to focus on context in making its device more valuable. It’s a terrific goal, but the more IT allows these devices to access, collect and manipulate sensitive data, the more valuable those databases will be to cyberthieves and corporate spies for your direct rivals. In IT, greater convenience often means greater risk, something vendor slides somehow always forget. I am not suggesting a sci-fi plot where these devices learn all about us and then take over the planet and make humans into their slaves. (Dawn of the Wearable World? The Wearables War?) But a few security limits wouldn’t be out of line.

One of the most hyped aspects of mobile is the potential for mobile payment to radically update the payment space, the first true change in payment in many decades. Those efforts have gone essentially nowhere, with the exception of Starbucks (which doesn’t really do mobile payment, in that it’s simply a picture of the barcode from the back of the Starbucks stored-value card).

Recent large-scale data breaches—specifically Target and Neiman Marcus—have brought new attention to the issue of the U.S. shifting to EMV (often deployed as Chip and PIN), a payment approach that replaces the magnetic strip with a chip and is has been deployed for years in much of Europe as well as Canada and Mexico. The arguments in favor of EMV—as opposed to mobile—are unrealistic, as became clear during U.S. Senate testimony on Tuesday (Feb. 4). Given EMV’s struggles, mobile payment is now becoming crucial. Can the industry get its act together? (Answer: Of course it can’t, but let’s be hopeful and pretend that the adults will take over.)

Recent reports have both Amazon and Apple exploring ways to bring their version of mobile payments into brick-and-mortars (beyond Apple stores, of course). If these two players are hunting to get into the largest retail chains, Apple has several huge advantages.

But if mom-and-pop retailers are the intended quarry, then the advantage (especially in non-urban geographies where iPhones and iPads are not nearly as dominant) goes to Amazon.
First, what are the rumors? The Wall Street Journal has been out-in-front on both stories. On the Apple front, the paper describes the play as letting shoppers use their personal Apple mobile devices to make the purchases, with Apple leveraging “the hundreds of millions of credit cards on file through its iTunes stores.”

Quick breach quiz: What do Target and Starbucks have in common? Both recently suffered well-publicized security problems that were caused by third-party software. How well do you know everything that every piece of third-party software is doing on your system?

Let’s take a quick look at the latest reports of how the Target situation materialized. Target is now saying that the cyberthieves “stole a vendor’s credentials, which were used to access our system,” but the chain didn’t say which vendor was involved. A few suspected vendor systems have emerged. The Wall Street Journal has reported that Target “shut down remote access to two websites used by employees and suppliers in a move to tighten security following a massive breach of customer data over the holidays. One system is a human resources website for employees called eHR. The other is a database called Info Retriever that suppliers use to access sales data for their products in Target.”

Business would be so much easier if executives didn’t have to deal with human beings, with fears, hesitations and general avoidance of anything new. It makes little difference if those human beings are employees and you’re trying to push an aggressive cloud program or if those mammals are customers and you’re trying to get them to move to mobile or some form of biometric identification. If you’re struggling with pushing these behavioral changes, you might have an unlikely company to emulate: Starbucks, which seems to have mastered how these humans think and has consistently used a go-slow (make that extremely slow) approach.

A campaign unveiled by the coffee bean behemoth last week illustrates the latest example of this decaffeinated strategy. Starbucks is considered the most successful U.S. retailer when it comes to handling mobile payments and, for that matter, mobile anything. When the holiday shopping season for 2013 came around, the normal reaction for most retailers would be to push its mobile app and encourage shoppers to load dollars onto the mobile app of intended gift recipients. Instead, Starbucks deliberately chose to not push mobile at all, but to instead encourage the purchase of old-fashioned plastic Starbucks cards, the kind that fit neatly into holiday stockings.

When Target on Friday (Jan. 10) gave its periodic data breach update, it said something stunning, something that sets it apart from every major retail data breach for the past nine years. Namely, Target said that it suffered a sharp drop in shopper purchases after—and presumably as a result of—the chain announcing its breach. Although that might sound perfectly reasonable, it’s a very different experience that retailers have experienced at every major breach since TJX back in 2005.

(An aside on Target’s announcement. In that data breach announcement, it chose to not only disclose the sales hit, not only to increase the number of impacted shoppers, but it chose to also casually mention that it was closing eight U.S. stores on May 3, 2014. Really, Target? You couldn’t have waited a week to announce those May store closings? That was probably the most blatant “let’s cram every bad piece of news we can think of and maybe the media will only focus on only one of them” statement I’ve seen in an impressively long time.)

When Neiman Marcus on Friday (Jan. 10) confirmed that its payment card systems had been breached in mid-December, it said it learned of the breach in the same way almost every breached chain had (with one exception, which will likely surprise you): when someone else told them. “Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores,” Neiman Marcus spokesperson Ginger Reeder said in an E-mailed statement. Sound familiar? The truth is that almost every breached chain learned of the situation not because the intrusion set off some alarm—or even that its IT people discovered the attack hours or days later during routine systems analysis—but when someone else noticed that a lot of fraudulent purchases were happening and that chain XX was the common point of purchase.

Sometimes this discovery happens by law enforcement investigating an unrelated incident or by a processor or even one of the card brands tracking the fraud. But why is it that the intrusions are almost never discovered? Interestingly enough, in the massive Albert Gonzalez attacks that hit a huge number of major chains (including JCPenney, Target, 7-Eleven, TJX, Sports Authority, BJ’s Wholesale Club, OfficeMax, Boston Market, Wet Seal, Barnes & Noble, DSW, Forever 21 and Hannaford) some seven years ago, only one chain detected they were attacked, albeit not in time to stop it. Who was this IT vigilant chain? Target. (How’s that for irony?)

It’s well known that mobile devices are compact storehouses of vast amounts of data that they seem eager to broadcast to the world, which makes it all the more baffling that few companies have discussed — much less implemented — mobile-specific privacy policies. Putting off such a move (“procrastination” is such a negative word) may have made sense up to now to give us all time to get a handle on what the limits should be, but you really will regret waiting much longer. This new year we have entered may be a good time to craft a mobile privacy policy. If you’ve decided to do that, here are some things to consider.

You do really need a policy. Your employees expect IT to protect them, and your company’s executives expect you to make sure that corporate data is protected from the things that employees do with their mobile devices. But your customers also want to know what you’re doing with their data, and various contractors, distributors, suppliers and anyone else in your network need to know what they aren’t allowed to do.

In 2014, IT executives are going to have to make some very difficult decisions about privacy. Quite often when we talk about difficult decisions, we mean that we know what the right thing to do is, but it’s just hard to bring ourselves to do it. In this case, though, part of the difficulty will be knowing what the right thing to do is. For that reason, every industry — nay, every company — will come to very different decisions based on the concerns of their employees and customers.

Of course, some companies have to face their privacy demons more than others. Yes, I’m looking at you, Google. Not that Google is likely to ever change how it handles privacy issues. (SAT time: Google is to privacy as (A) Osama bin Laden is to peaceful negotiations, (B) Lady Gaga is to rational thought or (C) Microsoft is to customer-centric. Answer: (D) all of the above.) The reason I’m looking at Google is that it just displayed privacy ineptitude on an epic scale.

When the Target cyberthieves hit the chain in late November, they might have simply thought it would be a good time to steal a lot of money. But it also delivered another benefit: banks are simply too scared about losing any holiday revenue to implement standard security procedures. It appears to be the ultimate in a security calculated risk.

When a credit or debit card number is accessed by thieves, typical procedure for quite a few years has been to shut down the impacted cards and immediately re-issue the cards to those customers. This process means the customer will be without that card for anywhere from 2 days to sometimes a week. Thieves count on this, which is why they stage such massive attacks. They know that once it’s discovered, they may have as little as an hour or two before the card data becomes worthless. That’s why they try and monetize the stolen data—usually by making ATM withdrawals and retail purchases quickly, using lots of accomplices making simultaneous purchases/withdrawals.

Data breaches can happen to anyone so I have no desire to give Target a hard time for having been successfully attacked by cyberthieves. But when a retailer tries to take a situation where it was unable to protect its customer information and turn it into a means of getting those victims to give you more money, that’s pushing it. And push it is precisely what Target CEO Gregg Steinhafel did Friday (Dec. 20) when he announced a special Data Breach Sale where he encouraged people to come back to Target, spend more money and give up more payment and he’d offer 10 percent off on Dec. 21 and Dec. 22. In other words, he’s offering to do exactly what Target would typically do near the end of a critical holiday sales period.

If this is indeed apology money, why not make it a clean refund to impacted shoppers, which Target said is at least 40 million people? Instead of a refund, he is asking people to pay a mere 90 percent of the sticker price. Is this discount just for those 40 million victims? No, it’s offered to everyone anywhere. What is the CEO’s stated rationale for offering the discount universally? He said it was in the “spirit” of “we’re in this together.” Yeah, I’m sure that those 40 million potential fraud victims feel like they’re in this with non-Target shoppers and the non-impacted Target.com shoppers and especially Target shoppers who just happened to not buy from the stores on the days the thieves were siphoning the data.

In an interesting marketing play, Instagram on Thursday (Dec. 12) announced that it would offer a new service—to be called Instagram Direct—where its users could send messages and images to small subsets of their friends and families. At the news conference, Instagram CEO Kevin Systrom tied the rollout to the holiday, saying “As we as we enter into the holidays, it’s a perfect time to be able to share with a small group or someone you love.” That’s true, as long as the someone you love includes marketers who will getting quite a Santa sack full of personal information about you and your friends.

The dirty not-so-secret secret with all of these social programs is it’s always been about how much data can be collected from consumers, to be turned around and used to send increasingly personalized sales pitches. (Kind of gives Secret Santa a whole new meaning.) The two motherloads of shopping data are not-coincidentally both involved in this Instagram deal: photographs (and their associated metadata) and relationship connections. Why relationship connections? If you’re a consumer goods manufacturer (think Toyota, Nike, Nabisco, Sony), a retailer (think Walmart, Macy’s, Target, Amazon) or a marketing firm (think Genghis Kahn, Idi Amin, Mussolini), how much is it worth to you to know which consumers are close friends or close relatives with other specific consumers? As a major gift-giving occasion comes up for the first consumer, how would you like to be able to send highly-customized pitches to those people who are close friends/relatives of that consumer?

To be nice, it’s fair to say that Near Field Communication (NFC) has hardly been a smash when it comes to mobile payments in the U.S.. But the key reason it’s gone nowhere is not it’s technical hurdles—although those tech hurdles are many—and it’s not been a lack of household name retailers backing it.

Even mild-mannered Tesco—the world’s second most-profitable retailer and the third-largest by revenue—couldn’t resist stomping on NFC. The cause of NFC’s U.S. mobile payment death has been a lack of incentives for shoppers to use it. Most critically, it simply wasn’t any easier to use than regular magstripe swipes and it required a change of behavior.

That’s why it was genuinely surprising when $3 billion Canadian and U.S. restaurant chain Tim Hortons announced Dec. 12 that it was beginning a mobile payment rollout using NFC. That overshadowed the almost-as-surprising detail that they were launching it solely on BlackBerry. Say what you will about Blackberry users, but if they’re still using Blackberries in 2014, they certainly don’t crave the latest cutting-edge gadget. So why is this 4,350-restaurant chain (including 817 stores in the U.S.) embracing NFC for payment? The reason actually reinforces why the technology has cratered in the U.S..

The penetration of mobile into so many unexpected parts of business is forcing quite a few new ways of IT thinking. Consider the retailer’s dressing/changing room. Under the guise of theft-prevention, many are now scanning every piece of clothing that a shopper brings into the room, along with the identification being beamed from that customer’s mobile device. Instant CRM, with details of every purchase being considered by that mobile tied in with them by name, automatically captured.

That mobile device will typically be a customer’s smartphone. But the next step is where where an interesting debate is emerging. When the shopper leaves that dressing room and chooses to purchase only one—or perhaps even none—of the garments/accessories, at least one chain is now experimenting using a different mobile device (tablet) to try and get an answer to “Why?” In marketing circles, understanding why a customer opted to not purchase six items can be even more valuable than knowing why they purchased the seventh.

The cliché dictates that a picture is worth 1,000 words, but if it’s a mobile picture from a customer/prospect and you’re a CIO or CMO, it’s worth a heck of a lot more. Several vendors, well aware of many mobile device owners’ love of taking digital photos of anything and everything (including selfies, which to me have always suffered from a major lack of raison d’être), actively encouraging these shoots, hoping to lasso in a goldmine of data. The pitch to shoppers is simple: if you see anything you’d like to buy, take a picture of it and we’ll quickly identify it, through software and crowdsourcing.

Whether or not those identifications will work or not—and whether there are much easier and more accurate ways for those products to be identified—is something I’ll get to shortly. But the goal here is all data. First, the images are being shipped through a mobile app, so everything is being associated with a specific identified shopper. (Hello, CRM database.) Secondly, the images usually come with exact geolocation data (Seems that you took this picture in the housewares section of our direct rival on Elm Street. Good to know) plus date/time.

For years, Starbucks has been the best retailer when dealing with mobile payment. Mostly, that’s been because their efforts are barely mobile payment at all, but instead is just the phone displaying a picture of the barcode from the customer’s Starbucks plastic card. Low-tech perhaps, but it’s worked wonderfully. Now the chain is trying something new, a way to use Twitter to send $5 gift certificates. But it’s effort is so needlessly convoluted that it is making itself an excellent example of what not to do in mobile, when the program is designed for customers or employees.

Here’s what Starbucks is doing with its Twitter effort dubbed Tweet-A-Coffee, according to a recap of some panel comments reported in Mobile Commerce Daily. “To send a gift card, consumers sync their Starbucks loyalty program account with their Twitter account. Consumers then send a $5 gift card by firing off a tweet to the @tweetacoffee handle and the recipient’s Twitter handle. Recipients can then redeem the offer by loading the gift card straight to the Starbucks’ mobile app, which is scanned at the point-of-sale by an employee. The offer can also be redeemed by showing the email confirming the gift card on a mobile device or by printing the E-mail.”
Let’s break that down. Shoppers must first create a Starbucks.com account, assuming they don’t already have one. Then they must create a Twitter account, assuming they don’t have one of those. Then they have to sync that Starbucks.com account with their Twitter account, which involves a lot of info-sharing between the two.

In another compelling pitch for consumers who are not really good at math, a Korean vendor (AppDisco) is offering Android mobile users money every time they unlock their phone (and look at an ad). How much money? Although they don’t mention the figure on their site or in their news release, it turns out to be one-half of one penny—and no money is paid until the user accumulates $10.

That comes to 2,000 screen-activations before the consumer gets anything.

With so many companies—especially in retail—experimenting with using mobile in every possible way, it’s always nice to hear some encouraging words from a key security standards body chief.

But recent mobile remarks from the general manager of the PCI Security Standards Council—the group that controls how any merchant is allowed to use any kind of payment card—is enough to make a CIO long for the return of rotary dial. In effect, Bob Russo told a private conference call of QSAs (the people who assess whether someone is managing payment security properly) that when it comes to mobile security, it’s your neck if you want to proceed.

With relatively few changes, chains have been using the same online checkout since shortly after e-commerce emerged. With an eye on seeing if the number of lines could be sharply reduced from today’s average of 30 checkout fields, a pair of Silicon Valley firms has proposed a way to cut that down to 13. Many of the suggestions are annoyingly logical.

For example, why ask for the house number and then the street and then the municipality and then the state and then the ZIP Code and then the country? By reversing it and asking for the ZIP Code first, the state, country and municipality could autopopulate. In theory, that’s a shopper savings of three lines. Why ask for first and last names in two fields when one field could just ask for Name? Why ask if the shopper wants to register, login or checkout before seeking their E-mail address? If you ask for E-mail first, you can autopopulate many of those fields based on that address’ history. And why ask for country when an IP address can autopopulate where the shopper is based? Why ask what kind of payment card they’ll be using and then ask for the number, when the reverse sequence will save another field (as the number will indicate the kind of card).