StorefrontBacktalk

What brings these happy thoughts to the surface was an interesting piece in Wired yesterday (July 21) about a wearable vendor's efforts to focus on context in making its device more valuable. It's a terrific goal, but the more IT allows these devices to access, collect and manipulate sensitive data, the more valuable those databases will be to cyberthieves and corporate spies for your direct rivals. In IT, greater convenience often means greater risk, something vendor slides somehow always forget. I am not suggesting a sci-fi plot where these devices learn all about us and then take over the planet and make humans into their slaves. (Dawn of the Wearable World? The Wearables War?) But a few security limits wouldn't be out of line.Read more...

Recent large-scale data breaches—specifically Target and Neiman Marcus—have brought new attention to the issue of the U.S. shifting to EMV (often deployed as Chip and PIN), a payment approach that replaces the magnetic strip with a chip and is has been deployed for years in much of Europe as well as Canada and Mexico. The arguments in favor of EMV—as opposed to mobile—are unrealistic, as became clear during U.S. Senate testimony on Tuesday (Feb. 4). Given EMV's struggles, mobile payment is now becoming crucial. Can the industry get its act together? (Answer: Of course it can't, but let's be hopeful and pretend that the adults will take over.)Read more...

But if mom-and-pop retailers are the intended quarry, then the advantage (especially in non-urban geographies where iPhones and iPads are not nearly as dominant) goes to Amazon. First, what are the rumors? The Wall Street Journal has been out-in-front on both stories. On the Apple front, the paper describes the play as letting shoppers use their personal Apple mobile devices to make the purchases, with Apple leveraging "the hundreds of millions of credit cards on file through its iTunes stores."Read more...

Let's take a quick look at the latest reports of how the Target situation materialized. Target is now saying that the cyberthieves "stole a vendor's credentials, which were used to access our system," but the chain didn't say which vendor was involved. A few suspected vendor systems have emerged. The Wall Street Journal has reported that Target "shut down remote access to two websites used by employees and suppliers in a move to tighten security following a massive breach of customer data over the holidays. One system is a human resources website for employees called eHR. The other is a database called Info Retriever that suppliers use to access sales data for their products in Target."Read more...

A campaign unveiled by the coffee bean behemoth last week illustrates the latest example of this decaffeinated strategy. Starbucks is considered the most successful U.S. retailer when it comes to handling mobile payments and, for that matter, mobile anything. When the holiday shopping season for 2013 came around, the normal reaction for most retailers would be to push its mobile app and encourage shoppers to load dollars onto the mobile app of intended gift recipients. Instead, Starbucks deliberately chose to not push mobile at all, but to instead encourage the purchase of old-fashioned plastic Starbucks cards, the kind that fit neatly into holiday stockings.Read more...

(An aside on Target’s announcement. In that data breach announcement, it chose to not only disclose the sales hit, not only to increase the number of impacted shoppers, but it chose to also casually mention that it was closing eight U.S. stores on May 3, 2014. Really, Target? You couldn’t have waited a week to announce those May store closings? That was probably the most blatant “let’s cram every bad piece of news we can think of and maybe the media will only focus on only one of them” statement I’ve seen in an impressively long time.)Read more...

Sometimes this discovery happens by law enforcement investigating an unrelated incident or by a processor or even one of the card brands tracking the fraud. But why is it that the intrusions are almost never discovered? Interestingly enough, in the massive Albert Gonzalez attacks that hit a huge number of major chains (including JCPenney, Target, 7-Eleven, TJX, Sports Authority, BJ’s Wholesale Club, OfficeMax, Boston Market, Wet Seal, Barnes & Noble, DSW, Forever 21 and Hannaford) some seven years ago, only one chain detected they were attacked, albeit not in time to stop it. Who was this IT vigilant chain? Target. (How’s that for irony?)Read more...

You do really need a policy. Your employees expect IT to protect them, and your company's executives expect you to make sure that corporate data is protected from the things that employees do with their mobile devices. But your customers also want to know what you're doing with their data, and various contractors, distributors, suppliers and anyone else in your network need to know what they aren't allowed to do.Read more...

Of course, some companies have to face their privacy demons more than others. Yes, I'm looking at you, Google. Not that Google is likely to ever change how it handles privacy issues. (SAT time: Google is to privacy as (A) Osama bin Laden is to peaceful negotiations, (B) Lady Gaga is to rational thought or (C) Microsoft is to customer-centric. Answer: (D) all of the above.) The reason I'm looking at Google is that it just displayed privacy ineptitude on an epic scale.Read more...

When a credit or debit card number is accessed by thieves, typical procedure for quite a few years has been to shut down the impacted cards and immediately re-issue the cards to those customers. This process means the customer will be without that card for anywhere from 2 days to sometimes a week. Thieves count on this, which is why they stage such massive attacks. They know that once it's discovered, they may have as little as an hour or two before the card data becomes worthless. That's why they try and monetize the stolen data—usually by making ATM withdrawals and retail purchases quickly, using lots of accomplices making simultaneous purchases/withdrawals.Read more...

If this is indeed apology money, why not make it a clean refund to impacted shoppers, which Target said is at least 40 million people? Instead of a refund, he is asking people to pay a mere 90 percent of the sticker price. Is this discount just for those 40 million victims? No, it's offered to everyone anywhere. What is the CEO's stated rationale for offering the discount universally? He said it was in the "spirit" of "we're in this together." Yeah, I'm sure that those 40 million potential fraud victims feel like they're in this with non-Target shoppers and the non-impacted Target.com shoppers and especially Target shoppers who just happened to not buy from the stores on the days the thieves were siphoning the data.Read more...

The dirty not-so-secret secret with all of these social programs is it's always been about how much data can be collected from consumers, to be turned around and used to send increasingly personalized sales pitches. (Kind of gives Secret Santa a whole new meaning.) The two motherloads of shopping data are not-coincidentally both involved in this Instagram deal: photographs (and their associated metadata) and relationship connections. Why relationship connections? If you're a consumer goods manufacturer (think Toyota, Nike, Nabisco, Sony), a retailer (think Walmart, Macy's, Target, Amazon) or a marketing firm (think Genghis Kahn, Idi Amin, Mussolini), how much is it worth to you to know which consumers are close friends or close relatives with other specific consumers? As a major gift-giving occasion comes up for the first consumer, how would you like to be able to send highly-customized pitches to those people who are close friends/relatives of that consumer?Read more...

Even mild-mannered Tesco—the world's second most-profitable retailer and the third-largest by revenue—couldn't resist stomping on NFC. The cause of NFC's U.S. mobile payment death has been a lack of incentives for shoppers to use it. Most critically, it simply wasn't any easier to use than regular magstripe swipes and it required a change of behavior.

That's why it was genuinely surprising when $3 billion Canadian and U.S. restaurant chain Tim Hortons announced Dec. 12 that it was beginning a mobile payment rollout using NFC. That overshadowed the almost-as-surprising detail that they were launching it solely on BlackBerry. Say what you will about Blackberry users, but if they're still using Blackberries in 2014, they certainly don't crave the latest cutting-edge gadget. So why is this 4,350-restaurant chain (including 817 stores in the U.S.) embracing NFC for payment? The reason actually reinforces why the technology has cratered in the U.S..Read more...

That mobile device will typically be a customer's smartphone. But the next step is where where an interesting debate is emerging. When the shopper leaves that dressing room and chooses to purchase only one—or perhaps even none—of the garments/accessories, at least one chain is now experimenting using a different mobile device (tablet) to try and get an answer to "Why?" In marketing circles, understanding why a customer opted to not purchase six items can be even more valuable than knowing why they purchased the seventh.Read more...

Whether or not those identifications will work or not—and whether there are much easier and more accurate ways for those products to be identified—is something I'll get to shortly. But the goal here is all data. First, the images are being shipped through a mobile app, so everything is being associated with a specific identified shopper. (Hello, CRM database.) Secondly, the images usually come with exact geolocation data (Seems that you took this picture in the housewares section of our direct rival on Elm Street. Good to know) plus date/time.Read more...

Here's what Starbucks is doing with its Twitter effort dubbed Tweet-A-Coffee, according to a recap of some panel comments reported in Mobile Commerce Daily. "To send a gift card, consumers sync their Starbucks loyalty program account with their Twitter account. Consumers then send a $5 gift card by firing off a tweet to the @tweetacoffee handle and the recipient’s Twitter handle. Recipients can then redeem the offer by loading the gift card straight to the Starbucks’ mobile app, which is scanned at the point-of-sale by an employee. The offer can also be redeemed by showing the email confirming the gift card on a mobile device or by printing the E-mail." Let's break that down. Shoppers must first create a Starbucks.com account, assuming they don't already have one. Then they must create a Twitter account, assuming they don't have one of those. Then they have to sync that Starbucks.com account with their Twitter account, which involves a lot of info-sharing between the two. Read more...

That comes to 2,000 screen-activations before the consumer gets anything.Read more...

But recent mobile remarks from the general manager of the PCI Security Standards Council—the group that controls how any merchant is allowed to use any kind of payment card—is enough to make a CIO long for the return of rotary dial. In effect, Bob Russo told a private conference call of QSAs (the people who assess whether someone is managing payment security properly) that when it comes to mobile security, it’s your neck if you want to proceed.Read more...

For example, why ask for the house number and then the street and then the municipality and then the state and then the ZIP Code and then the country? By reversing it and asking for the ZIP Code first, the state, country and municipality could autopopulate. In theory, that's a shopper savings of three lines. Why ask for first and last names in two fields when one field could just ask for Name? Why ask if the shopper wants to register, login or checkout before seeking their E-mail address? If you ask for E-mail first, you can autopopulate many of those fields based on that address' history. And why ask for country when an IP address can autopopulate where the shopper is based? Why ask what kind of payment card they'll be using and then ask for the number, when the reverse sequence will save another field (as the number will indicate the kind of card).Read more...