StorefrontBacktalk

Mobile Sites Are Supposed To Be Slow, But Not This Slow

Best Buy Does OK, Costco Tanks. When Keynote Systems started looking at the mobile sites from major retailers late last year, the veteran mobile and Web site test and measurement firm knew that these sites would be a lot slower than their wired Web counterparts. But some at Keynote were caught off-guard by just how slow some of the major retailers’ mobile sites were. To put this difference into context, Keynote argues that a wired Web site should, on average, be able to deliver a page—especially the site's homepage—within two seconds. For mobile, Keynote said, users should tolerate sites that are about twice as slow, or about 4 seconds on average.

In its examination of 10 major E-tail sites—Amazon, Barnes & Noble, Best Buy, Costco, Dell, Foot Locker, Musician’s Friend, Sears, Target and Walmart—the very fastest site (Best Buy) averaged more than twice Keynote’s acceptable-for-mobile estimate, crawling in at 8.3 seconds. Again, that was the fastest mobile site. The slowest site delivered its average page in 34 seconds. Keynote officials steadfastly refused to identify which site was the slowest. That said, points made by Keynote while discussing the study pretty much eliminated all of the tested retailers other than Costco from being candidates for the slowest-performing site.

Top Stories

Amazon Explores Buying Back Products; Wal-Mart, Best Buy Give Up On Used Video Games

February 4th, 2010

Some major retailers have been debating whether the buying and selling of used merchandise (please shoot me if I ever say “pre-owned”) is a business model worth pursuing. Wal-Mart and Best Buy, after pushing the idea for about six months, have surrendered plans to buy and sell used video games. But Amazon, always the more adventurous of E-tailers, thinks the idea has huge potential. A Financial Times of London story cited an Amazon ad for programmers: “As people upgrade to the latest and greatest there is a plethora of valuable, perfectly good products that need a new home. We help facilitate the pairing of new owner with device, while also creating an open marketplace.”

What makes the Amazon concept so intriguing from an IT perspective are the CRM implications. Instead of tracking purchases to merely profile the customer, the new requirement is to also profile the products purchased. What is each product’s life expectancy? What is the optimal point to make an offer to a customer who might be starting to get bored with that product? How much of an upgrade can that consumer afford? Should the company start pitching new prospects based on a software projection of what already-sold merchandise will likely come back into play? And you thought Amazon needed a huge data warehouse before?



HSN: Where Multi-Channel Becomes Even More Multi

February 3rd, 2010

When Brian Bradley left Circuit City as its senior vice president, Multi-Channel (well, more precisely, when Circuit City went out of business and left Bradley and tons of others unemployed), years after having worked at J.C. Penney, he felt that he had a good handle on retail merged-channel, cross-channel and multi-channel issues. But when he began his new gig as executive vice president at HSN (formerly the Home Shopping Network), Bradley discovered television as another retail channel and started looking at customer interactions very differently.

One of Bradley’s first takeaways from the $2.8 billion HSN was that consumers’ interactions with content are strongly influenced by their physical location. Why? It’s expectation. Consumers see brick-and-mortars as places to look, touch and buy products. Video demos feel out of place in that context. At home watching TV, however, the expectations are much more tolerant. “Depending on where a person physically is can dictate how you can have their attention,” Bradley said. “Out on the street? She’ll have seconds. In-store? A minute or two. On the Web? Maybe 15 minutes. But on the TV? Hours. People go to the Web with certain goals in mind. There’s a lot of bouncing back and forth as they’re trying to solve a problem. There’s more ADD, bouncing around.”



Retail Vendors: Forget New Functions. Just Make It Simple And Cheap

February 3rd, 2010

Do you know what question Franchisee Columnist Todd Michaud hates? “If I can go buy a basic cash register for a couple hundred bucks that does everything that I need, why on earth do I have to spend $10,000 on a POS?” Someone has asked him this question almost once a week for the last 4 years. Do you know why he hates it? Because after 4 years, he still doesn’t have a good answer.

“I typically say something like, ‘It is our requirements that drive us to that price point. Adding centralized menu management, polling, integrated inventory management and labor management into the mix requires that we buy this type of system. You can’t do that stuff with a cash register or basic POS.’ Typically, the response I get is something like: ‘So? I don’t care about all of that complicated stuff. I just need to ring sales.’ It’s no wonder franchisees think that retail CIOs are out of touch with reality. Here is the really crappy part. When you add in all of the other costs, such as high-speed broadband, hardware maintenance, software maintenance, help desk, installation, inventory management, labor management, training and various upgrades along the way, that $10,000 POS is probably going to cost franchisees $20,000 over five years–not to mention that they wrongfully expect the system to last 7 to 10 years.”



Trying To Force Strong Passwords Futile, Counterproductive

February 3rd, 2010

The almost daily reports of consumers and retail employees using either weak passwords or the same passwords in multiple places—or both—are being met with yawns by retail security executives. But the kneejerk response—forcing consumers and associates to be smarter about security—has had little effect, beyond being counterproductive.

For example, a company can automate rules for choosing passwords and require that they be changed periodically. But the stronger the password, the more it will fuel its own failure. Let’s say the rules require that passwords be at least 11 characters and include numerals, letters and non-traditional characters (&, %, |, @, #, ~, etc.). Add to that the requirement that no character or number be repeated and that each password must pass a dictionary search. Sure, you’ll get a strong password, but you’ll also almost guarantee that that password will be written near the computer in plain sight as well as typed into a desktop file in clear text. As Newton’s IT director said, “To every password action, there is an equal and opposite stupid user reaction.” This is the topic of this week’s StorefrontBacktalk column on the McAfee security blog.



Forrester Thinks Some Retailers Are Leaving Too Much Cache On The Table

February 2nd, 2010

Although retail sites are obviously very fond of cache, a new report from Forrester Research states that many developers are focusing only on one type of cache and leaving a lot of potential performance boosts in the ether. The report talks about server cache versus browser and edge cache. “Forrester has found that many companies do not take advantage of all three levels of caches in their architecture. Application development professionals often focus on optimizing the server-side cache while ignoring the browser cache or optimize their Web-page design to take advantage of browser caching only to be stung by geographic latency because they don’t know that they should use a content delivery network.”

Forrester stresses the importance of factoring in geography when making cache decisions but points out that IT shouldn’t confuse a dense population of customers with the company’s best (read: most profitable) customers. “Caching nearest to your users goes without saying, but most companies must allocate their caching dollars carefully, and your biggest investment should be close to your most profitable customers. Your most profitable customers may not be located in your highest concentrations of customers. Work with your marketing department to analyze customer profitability and location, and then review this data at least annually.”


What’s The Rush For New PCI Call Center Requirements?

February 2nd, 2010

PCI Columnist Walt Conway initially thought the PCI Council’s revised guidance on audio recordings was not that big a deal. He quickly changed his mind.

“You will need to reconfigure your call center application to stop recording the security codes. This point is where I start to have some problems. If your application can’t do this, you need to upgrade or replace it with one that automatically interrupts recording when, for example, the payment screen is displayed. And forget about using manual interrupts, at least if I’m your QSA. In practice, they can be too easily missed, forgotten or ignored. Large retailers will make a business decision and budget for the investment. But what about smaller merchants, charities and universities with call centers?”


Intel, Microsoft Toying With Digital Signage That Can Interact With PDAs

February 2nd, 2010

Intel and Microsoft are working on what is truly the next generation of digital signs. These devices will be able to share content—both ways—with phones. But they could also use facial recognition to identify repeat customers without the benefit of loyalty cards or RFID. The cameras embedded within the displays would simply recognize faces the system has captured before, ultimately having the potential to identify those consumers.

The camera software will initially be designed to differentiate between genders and to detect products the customer has touched. That information could signal a coupon to be sent to that consumer’s smartphone. None of these options is rocket science. But they do show a concerted effort to leverage the kind of data that is accessible in-store and, ironically, much harder to capture online. Think of it as Big Brother with a sales commission.


Target Denies IT Layoffs In India While Borders Promises Them

February 1st, 2010

This has been a difficult—and truly odd—last few weeks in the retail IT world. Target CIO Beth Jacob made the highly unusual move of issuing a statement denying that the retailer planned to sell its Target India IT operation. (What does it mean when the executive vice president of a $63 billion retail chain publicly reiterates its commitment to your team? Update your resume.)

“Our captive center in Bangalore continues to be an important part of our long-term strategy and is highly integrated with our work and team in Minneapolis,” said a statement attributed to Jacob, who is a Target executive vice president in addition to being the chain’s CIO. Added Tim Baer (another Target executive vice president and general counsel): “We do not know the source of this ridiculous speculation, but we can absolutely reaffirm that it is unequivocally not true.” If the speculation is so ridiculous, why issue a statement quoting two executive vice presidents? The only sentence in the execs’ statement that describes these rumors says: “The company emphatically refutes the irresponsible rumor that it is engaged in any discussions, or has any plans, to sell its Target India operations.” This is where things get scary.


Cambridge University Calls Verified By Visa Secure Protocol Terrible Security

February 1st, 2010

At a presentation at the Financial Cryptography and Data Security conference, a Cambridge University computer lab team dissected the recent 3-D Secure (3DS) protocol—branded as Verified By Visa and MasterCard SecureCode. The team found that not only was the security lacking, but it sharply undermined other security mechanisms.

“3-D Secure has so far escaped academic scrutiny, yet it might be a textbook example of how not to design an authentication protocol,” wrote Cambridge University’s Steven J. Murdoch and Ross Anderson. “It ignores good design principles and has significant vulnerabilities, some of which are already being exploited. It’s bad enough that EMV Verified by Visa and MasterCard SecureCode have trained cardholders to enter ATM PINs at terminals in shops. Training them to enter PINs at random E-Commerce sites is just grossly negligent.” The pair, however, found that 3DS did get one part right: the money and where it comes from. Although “other single sign-on schemes such as OpenID, InfoCard and Liberty came up with decent technology, they got the economics wrong, and their schemes have not been adopted. 3-D Secure has lousy technology but got the economics right, at least for banks and merchants. It now boasts hundreds of millions of accounts.”


And The Award For The Most Overly Complicated Auction Site Goes To Biddees

February 1st, 2010

As eBay has discovered, there’s a lot of money to be made in them thar online auctions. So it’s no surprise that lots of startups are trying to creatively find their own slice of the auction pie. But a site called Biddees, from the people who brought you shoes.com, is taking an unusual approach that just may prove to be the most needlessly complicated auction site in quite some time.

This wonderful story from Internet Retailer does a nice job of detailing this cocoon of complexity: “In order to see the current price of a prepaid card, which is guaranteed to be at least $1.50 less than the card’s face value, shoppers first have to use a token called a Little Biddee Thing, which costs 99 cents. Each time a customer views the current price of a card, the price automatically drops 50 cents. If the shopper is the only person viewing the card, he has 30 seconds to buy the card at the current price,” the story said. “If another person is already viewing the card, the shopper enters a queue before he can see the card’s price. If the card is purchased while the shopper is still in the queue, the shopper will be transferred to the next auction for the same product. An auction ends when someone purchases a card or when its price reaches zero. The last shopper gets the card for free.” Of course. What could be more natural?


To Counter Every “Retail Revenue Is Down” Argument, There’s Amazon

January 29th, 2010

For many retailers, flat or minuscule in-store revenue increases are becoming the norm, with online increases the only thing that looks bright. Mobile is going to quickly fall into that category (although a percentage increase for anything as new as mobile is meaningless, it still looks cool on an earnings report). But how can this work given the small revenue percentage E-Commerce still controls? Let’s take a look at Amazon’s latest numbers (which look pretty much like all of its numbers).

The king of E-Commerce reported on Thursday (Jan. 28) a 42-percent increase in net sales for the fourth quarter just ended, along with a net sales increase of 28 percent for the whole year, to $24.5 billion. (To be precise, it’s actually 29 percent if you exclude a $182 million unfavorable impact from year-over-year changes in foreign exchange rates throughout the year, the company reports.) Sure, you say, but revenues are not the point. What about profits? Net income soared 71 percent (to $384 million) for the quarter and 40 percent (to $902 million) for the year. Amazon’s official guidance for the first quarter 2010 is equally rosy, suggesting a sales increase of as much as 43 percent. For those arguing that E-Commerce will always be a footnote to in-store, these numbers are hard to ignore.


Former Woolworth’s CIO In Kickback Trial In Australia

January 29th, 2010

Former Woolworth’s CIO David Wills is in the middle of a criminal trial, accused of accepting more than $3.7 million in bribes related to IT decisions about a POS system and some server upgrades. The fraud accusations involved approximately $37 million in IT contracts that were awarded by the retail chain.

According to The Australian newspaper, the executive “allegedly received $1.78 million between February 1997 and January 1999 in exchange for awarding an IT contract to Israeli software firm Az-Ben. He is accused of accepting a further $1.92 million from Az-Ben for giving advice to NCR that was likely to influence NCR to enter into a contract with Advance Retail Technology.” The newspaper story added that the “contracts were for Woolworth’s APOS2000 project, an upgrade of its point of sale systems and servers for the Millennium rollover. In December 1997, the retailer began a $130 million overhaul of its systems.”


POS Software Maintenance Disconnect: Retailers To Pay A Lot More Than They Expect

January 28th, 2010

Although it’s hardly a stunning revelation that retail IT will be spending more on POS software maintenance this year than it expects, it’s unusual for a research report to quantify it precisely. A new report from the IHL Group and RISNews, however, tries to do just that.

Beyond showing a modest IT spending increase at both the store and enterprise level, the report found a “disconnect between what retailers are claiming they are paying today for software maintenance” and what the vendors they are considering for their next POS are actually charging, said IHL President Greg Buzek. “So those people considering buying Oracle for POS their next time, they are currently only paying 10.1 percent of license fees towards maintenance. If they actually buy Oracle, they will be adding an additional 11.9 percent to their annual software maintenance cost for POS. If they move to accounting/finance/HR, it would be an 8.4 percent increase. And if it’s Oracle merchandising and supply chain applications, it would be 8.6 percent more than what they pay today with their current vendor.” The vendors examined were Microsoft, SAP, Oracle, JDA, Micros, IBM, NCR, Retalix, Epicor and Fujitsu.


New PCI Phone Rules: A Number Spoken Is Just As Risky As One Typed

January 28th, 2010

Last week, PCI changed its policy on audio recordings. It now instructs retailers to treat a digital audio capture exactly the same as if it were written. This means that all of those call centers asking for credit card details over the phone must dispose of those recordings, or at least the parts that store the prohibited data, immediately.

The PCI community has been debating the audio rules for years, with our first story on it back in August 2007. (No, we won’t say that this is the first sound decision from PCI in years. Plays on words and data security stories rarely mix well.) The issues go beyond the literal digital audio capture ruling that PCI just issued. Another key concern is overheard snatches of conversation. In theory, that is where a cyberthief calls a call center with a series of long questions. The thief records the call and later extracts the sound of other call center operators reading back credit card numbers, expiration dates and CAV2/CVV-2/CVC-2/CID details.


The CIO’s Job Description: Top-Notch Sales Executive

January 28th, 2010

At an NRF panel earlier this month, McDonald’s CIO David Grooms was asked by the moderator what he would tell people his primary job is. Grooms said, “I’m in sales,” and then added that he wanted his staff to say, “We make hamburgers.” Grooms is right that a CIO needs to be a master of sales, but that’s mostly because the CIO needs to sell both upstream and down.

The CIO needs to sell ideas upstream to senior management and sideways to line-of-business peers, convincing them that the technology is the right move and that it needs to be approved and funded. If that works, it’s barely 30 percent of the battle. If the stores aren’t sold on the idea, Franchisee Columnist Todd Michaud opines, the data won’t be used and the project is doomed to fail. And you’re to blame.


Burger King Sues Franchisees Who Didn’t Upgrade POS

January 28th, 2010

Fearing it would lose control over all of its franchisees, Burger King has now sued hundreds of its franchisee stores because they missed a chain deadline for purchasing new POS systems. The litigation highlights—albeit acrimoniously—a difficult franchise IT issue: Chains mandating equipment investments that most franchisees believe do not benefit them enough to merit the cost.

One key issue that both sides are arguing is timing. Some of the franchisees have argued that Burger King is being punitive by moving so quickly. They are pointing out that the chain’s deadline was Dec. 31, 2009, and that the lawsuits started being filed within a few days of the deadline passing. Burger King argues that it has been extremely patient, having informed its franchisees of the POS upgrade rule back in April 2008–giving the stores a rather generous 20 months to arrange for and make new POS purchases. Indeed, Burger King is saying that it was even willing to give franchisees more time if they needed help raising the money, as long as they were truly trying to follow corporate’s edict.


You’re Leaving This Money On The Table? For Shame

January 28th, 2010

Dear StorefrontBacktalk Reader: I am truly surprised at you. Here you are, raised to be proud money-grubbing capitalists, and you’re leaving cash on the table like Bill Gates at a charity reception. (And can you believe how much Bill Gates jokes have changed in the last 15 years?) We’ve been giving away autographed copies of a best-selling security book and we still have some left. All we ask is that you fill out 5 minutes’ worth of questions on a one-page survey about whether you trust your QSA.

Even if you don’t like the book, they’re selling for decent bucks on eBay even without the author’s signature. Heck, they even make a great gift for that IT staffer who didn’t get a raise last month because you really wanted him to quit. Seriously, we only have a few left and they are easy to turn into cash. Is a 5-minute survey such a lot to ask? And if you fill it out, I won’t have to come back next week and beg even more pathetically.



Data Breach Cost Numbers Games

January 28th, 2010

Over the last few weeks, one of the most common questions we’re hearing discussed is “Is PCI really worth it?” These are multi-billion-dollar retail chains asking this question. But there’s a lot more behind the question than it might initially seem.

In a marked contrast to the same kinds of questions two years ago, the intent is not to ignore security. Indeed, many of the chains considering such a heretical question are already putting in place security procedures that go well beyond current PCI requirements. This isn’t a safety or security issue. It’s a simple CFO’s ROI balance sheet, contrasting the bureaucratic and paperwork costs of dealing with the very formal PCI procedure with the limited fines and other bad things that will happen if a chain suddenly stops pursuing PCI compliance. A report released this month from Ponemon tried to quantify the cost of breaches today, but its conclusions are rather underwhelming.


Obama’s Cyber Security Coordinator Is The Perfect Metaphor For CIO Impotence

January 27th, 2010

Late last month, President Barack Obama finally named his cyber coordinator, some 10 months after he declared filling the position a priority. The person who was tapped for the position comes to the job with a resume boasting jobs that include chief information security officer at eBay and chief security officer at Microsoft. But the interesting part is how this new job so closely parallels the worst parts of today’s typical retail CIO gig.

The role itself is a spreadsheet of contradictions. White House jobs, especially those senior enough where the President is personally involved in the selection, are highly coveted. And yet, quite a few of the people who were approached for this particular gig rejected it. This position is supposed to get a lot of POTUS face-time. And yet, in a town known for its inflated titles (another czar anyone?), this job title is the underwhelming Cyber Coordinator. Coordinator? That’s the best they could do? But there’s a serious issue with this gig. Some of its applicants complained of insufficient authority. In many ways, this lack of authority problem nicely encapsulates all of the problems with IT security management today: all responsibility; no authority; not enough money; plenty of blame.


Will Old OS Cause PCI Violation? No, But Marketing Still Says So

January 26th, 2010

For your overflowing folder marked “Ludicrous PCI Scare Tactics That Too Many People Believe” comes a renewed effort from some security vendors to say that out-of-date operating systems this year will cause instant PCI non-compliance. The cure: Give the vendor a lot more money. (Funny how that “cure” seems to treat so many ills in these letters. It’s the Penicillin of PCI.)

A letter from a POS vendor making the rounds warns retailers—under the headline “Information Security Advisory”—that an out-of-date OS will cause lack of compliance with PCI. The warning isn’t true, but the popularity of this and related PCI claims is moving beyond annoying. Are these vendors lying or is marketing being allowed to make the claims without anyone checking? A recession drives marketers to desperate measures. (OK, so does prosperity, but let’s not go there.)


Can Validating PCI Compliance Increase Your Vulnerability To A Breach?

January 25th, 2010

PCI Columnist Walter Conway argues that it may sound like heresy coming from a QSA, but he sees some merchants over-emphasizing their PCI annual assessment. The main event for them is a clean Report on Compliance (ROC) for Level 1 (and soon Level 2) merchants or a Self-Assessment Questionnaire (SAQ) for everybody else. They believe that once the ROC is signed, they can relax until the next year.

But PCI is not like that. PCI has requirements that demand regular attention if merchants are to remain compliant the other 364 days in a year. CIOs and merchants who focus only on their annual PCI validation may actually find that they unintentionally make themselves more vulnerable to a costly data breach. They also make their PCI revalidation the following year more difficult, and possibly more expensive, than it has to be.


Social Unstructured Data Is Not Unusable

January 21st, 2010

Just as certain a fact as stating that many of today’s social network sites will be gone in two years is the fact that new social sites—invariably much more niche and focused—will replace them. Hidden in plain sight within the millions of posts in dozens of languages across this huge number of sites is every trend, every individual customer profile and every hint of what customers will buy—and perhaps even their desired price range—that your chain could ever wish for. There’s only one problem: There is no simple spreadsheet-friendly way to access that data.

You can read it without limits. But to automate that process and to process the data in a way to get anything meaningful out of it, that’s difficult. We are deluged with products and services that are trying to solve problems that hardly anyone has ever experienced. Who will be the first to conquer this one? Many companies—including SAP and Oracle—are trying to figure it out. But they typically try to fall back on algorithms and filters. The software needed is closer to what the CIA and the NSA use to parse billions of phone calls and E-mail messages while trying to figure out plots. It’s much closer to artificial intelligence than cryptography. Military satellite technology eventually came to consumers in the form of GPS. How long will it take for AI to visit the local retail chain, where software will peruse the world to find out the best assortment to be displayed tomorrow?


Social Media E-Commerce: Just Because It Can’t Be Measured Doesn’t Mean It Doesn’t Exist

January 21st, 2010

The disruptive potential for social media and E-Commerce is huge, literally because it allows for so many—and ostensibly credible—connections that simply weren’t viable 10 years ago. The influence on purchases is vast. But those influenced purchases are indirect, which drives marketers crazy because they can’t be easily quantified. (Note: This scores social media two very well-deserved honors: driving lots of sales and driving marketers mad. The first accolade is more profitable, but the second is more fun to watch.)

What brings up this topic is a maddening news release issued by a customization vendor called ChoiceStream. In reporting its own survey, ChoiceStream concluded that “consumers are not as interested in shopping when engaged with social networks. The survey found that while M-Commerce is a hot spot for recommendations in 2010, social networking is not. Of the respondents who belong to a social networking site, only 8.5 percent report that they have ever made a purchase while on the site. And only 27 percent indicate any interest in product recommendations from trusted retailers.” That so misses the whole point of social networks and E-Commerce.


Home Depot: NCR Kicked Out Because Self-Checkout Rival 20 Percent Faster, More Functionality

January 21st, 2010

Longtime self-checkout enthusiast Home Depot is sticking with self-checkout but making a change in its self-checkout software. The home improvement superstore is pushing NCR software out and bringing Fujitsu in, at least in the chain’s U.S. and Canadian stores. The chain had been using NCR machines running NCR software but will now apparently be loading Fujitsu software onto those NCR machines, according to Fujitsu officials. The NCR hardware will be staying, for now.

The change was for several reasons, including “some functionality in the Fujitsu software that we really liked and needed” that wasn’t offered by NCR and testing that showed Fujitsu’s software on NCR self-checkout units performed about 20 percent faster than when NCR’s own software was loaded on its units, said Cara Kinzey, Home Depot’s Senior VP of IT.


In Citi’s View, Costco Is The Least Sophisticated Retail IT Shop, CVS The Most

January 21st, 2010

One of the most respected retail technology trackers on Wall Street, Citi, has put out a list of major retail IT leaders, ranking them from the most sophisticated and advanced to the least sophisticated. The most worldly ones include, in order, CVS, Walgreens, JC Penney, Target and Kohl’s, while the more hick-like chains are Costco, BJ’s, Family Dollar, SuperValu and Safeway.

“We consider CVS and (Walgreens) to be the most advanced, as they have already implemented chain-wide computer synchronization, advanced inventory management and pharmacy workflow optimization systems,” said Deborah Weinswig, from the Citi investment research and analysis group. “The warehouse clubs are considered to be the least sophisticated of the group. However, BJ and (Costco) have fewer inventory management needs as a result of their unique business model.”


Helicopter Parents May Ruin The Retail IT Industry

January 21st, 2010

“Do you have any issues with me bringing my parents to my interview?” Franchisee Columnist Todd Michaud has now been asked this question three times when talking to candidates for entry-level IT positions. Ironically, a bad economy has created a stay-with-parents environment that has allowed applicants to be a lot more picky about jobs, especially tech jobs. That spells serious trouble.

Michaud describes the first parent-included IT interview he did, where the mother reminded him that her daughter was trying to decide about him, too. This makes for an awkward interview, but even worse, what does it say about the applicant’s independence? Their ability to lead? Are programmers expecting instant gratification, the product of an “Everyone’s a winner” upbringing? A frightening column for anyone hiring for IT positions this year.

Read more...

Some Banks Try Again For Class-Action Heartland Lawsuit

January 21st, 2010

Shortly after Heartland tried to sweep away most of the lawsuits against it with a series of recent negotiated settlements, a group of banks is trying to persuade other banks to reject the settlement offer and support a class-action lawsuit instead.

The lawsuit, filed Tuesday (Jan. 19), hit Heartland hard for its “lack of Payment Card processing system security; its desire to use a ‘lowest bidder’ system of selecting its outsourced IT ‘auditors’; its reliance on a ‘snapshot’ telling it that, at one identifiable point in time, its system supposedly complied with the bare minimum industry standards; its startlingly poor IT oversight in general; and (Heartland’s) complete and utter disregard of the oversight responsibilities they had to their fellow members of the Associations that allowed the intruders to make trip after trip in and out of the Heartland Payment Card processing system.” The lawsuit also referenced Heartland’s initial response to the attack. “Thirteen months later, the ‘clean up’ efforts would be seen for what they were—worthless.” (Pause. But other than that, Mrs. Lincoln, how was the play?)

Read more...

Forget Your Well-Thought-Out Mobile Strategy: You Now Need Three

January 21st, 2010

The most popular parlor game in retail tech circles these days is plotting out mobile strategies. For some, that strategy may be little more than “not now.” But the simple act of trying to craft a single, coherent mobile strategy may itself be flawed. Most retailers now need to prep three distinct strategies for dealing with the three separate ways mobile devices will be used.

The mobile retail world has now neatly morphed into three categories: consumer-used (with true M-Commerce, mobile research from home and on the road, etc.); retailer-used (for price checks, inventory inquiries, in-aisle supply chain inquiries, etc.); and consumer-in-store (2D barcodes, price comparisons, SMS communications with the chain, watching demos, mobile research from within the store, direct payment, etc.). To make matters worse, some applications sit in multiple categories, such as a retailer-used device that is temporarily given to a consumer for checking online inventory or seeing a demo.

Read more...

Are Tokenization And End-To-End Encryption Substitutes?

January 20th, 2010

PCI Columnist Walt Conway is intrigued by the large number of retailers that are pursuing–well, at least exploring–approaches that include both tokenization and end-to-end encryption. He wonders “if that really makes sense from either a PCI or an economic perspective.”

Maybe tokenization and end-to-end encryption are just two closely related approaches that can, when properly implemented, accomplish the same thing: minimize your total PCI scope. One thing is for sure, though: Either way, you will need to bring your checkbook.

Read more...

Treats For Nice Tweets, Texting For Turkey

January 19th, 2010

Frozen dessert chain Tasti D-Lite is getting creative with incentivizing customers to post nice thoughts on social networking sites to promote the chain: coupons. “Participants who register their loyalty programme ‘TreatCards’ online are given the option of allowing Tasti D-Lite to send an alert on their behalf, whenever points are earned or redeemed,” according to this wonderful Reuters piece. When the customer “swipes his card at the store’s point-of-sale system, his Twitter or Foursquare followers immediately get an update that reads: ‘I just scored 5 TastiRewards points at Tasti D-Lite Columbus, Circle, NYC! myTasti.com.’ The customer is then awarded points for the message, which he can later redeem for treats.”

Meanwhile, a few stores in the Subway chain are seeing whether online food orders via SMS are more accurate and more profitable. During the trial, one manager found that the “text ordering service alleviated all phone-in orders. Doing so improved operations because his employees no longer had to leave the sandwich counter to answer the phone,” said a story about the trial in QSRWeb. “He said he also found that order accuracy improved since customers were sending the orders in directly.”


Home Depot’s $60 Million PDA Investment

January 18th, 2010

Home Depot will spend about $60 million on more than 10,000 handheld units that are designed to help associates perform mobile checkouts, process payment cards, stock shelves and make phone calls, according to BusinessWeek. “This is the first big customer-service tool we’ve given our associates in a very long time,” said Home Depot CIO Matt Carey.

The chain has been trialing these devices since 2008, when we reported that they were initially tested along with an RFID-based loyalty card that flagged associates when certain high-priority customers entered the store and set off a door-based reader.


Former Limited Brands CIO Tom Keiser Named New GAP CIO

January 18th, 2010

The former CIO for Limited Brands, who had spent 12 years with Ernst & Young, has been named CIO of the $15 billion, 3,100-store Gap chain. Tom Keiser, now Executive Vice President/CIO, will report to Chairman and CEO Glenn Murphy and serve as a member of the Executive Leadership Team.

“Tom brings with him a successful track record in the retail industry,” Murphy said. “Through his leadership of rolling out effective technology platforms that delivered solutions for employees, customers and stores around the world, he has consistently demonstrated how effective IT investments and execution can deliver business results.”


Holiday Season Dollars: We (Somehow) Were Right

January 14th, 2010

Back in October, the National Retail Federation (NRF)—through its chief economist—issued its annual projection of how the 2009 holiday season would fare financially. That prediction was a one percent drop in revenue compared with the identical 2008 period. StorefrontBacktalk thought that was absurd, and we did our own prediction, which is that the season’s revenue would actually be up slightly, a figure we estimated would be an increase of “1.5 percent to 2 percent.”

Well, the NRF issued its final official tally Thursday (Jan. 14): an increase of 1.1 percent. For our team, which never did better than a C- in economics class, that ain’t too shabby. For the record, we knew the figures would be released about now and were fully prepared to eat crow if we had to. Glad we got it a lot closer than the NRF did. Personally, we hate eating crow.

Read more...

McDonald’s: IT Must Be Comfortable Failing, But “Fail Really Small”

January 14th, 2010

The retail senior management edict of “Innovate” is so shop-worn that it’s become almost clichéd. But in all of those innovation memos from all of those CEOs and COOs, what’s often missing is encouragement to fail. After all, if IT leaders are so scared of failing that they never try anything truly new or creative, they may fail less but they’ll succeed in leapfrogging their competition almost never. That was a key point made during a National Retail Federation (NRF) conference panel discussion with three of the most influential retail CIOs: David Grooms from McDonald’s, Rollin Ford from Wal-Mart and Neville Roberts from Best Buy. Grooms agreed when Roberts said that IT leaders must today “be prepared to fail” and to get comfortable with failing. “CIOs must foster the right culture so [IT staffers] don’t have a fear of trying new things. There’s always a new shiny toy out there,” Roberts said.

But Grooms added: “You should try and fail really small. You test, take some risks, adjust and go back. But you really can’t take that long. You can’t take three years to develop an app. You must launch and learn.” Roberts took the opportunity to tweak his own wording. “Fail is such a strong word,” he said. “I prefer to think of it as a sub-optimal business case outcome.”

Read more...

Will Best Buy’s Pushback Against Visa Contactless Payment Change The Market Or Is It Irrelevant?

January 14th, 2010

When Best Buy kicked Visa contactless payment out of its stores, some gave the $35 billion chain kudos for standing up to the world’s largest card brand on the sensitive topic of interchange rate. But how truly gutsy was it? Will it make any difference at all?

On the Best Buy side, though, many attendees at the National Retail Federation (NRF) conference were wondering whether the change would have much of an impact at all. One attendee compared the move to a hypothetical apparel retailer that is furious about children working in overseas sweatshops. To put an end to it, the apparel retailer would tell the supplier, “That’s it! No more. I want you to take the pink frilly tuxedos with the Mod Squad characters sewn into the chest and get them out of here and don’t bring me any more pink frilly tuxedos with the Mod Squad characters sewn into the chest until your suppliers have changed their practices. You can bring me lots of other clothes, but I am now drawing the line at pink frilly tuxedos with the Mod Squad characters sewn into the chest. It’s for the children.”

Read more...

Forrester Predicts A 2010 “Tech Spending Rebound,” Targets U.S. Boost of 6.6 Percent, Global Boost of 8.1 Percent

January 14th, 2010

Forrester Research on Monday (Jan. 11) said it was seeing light at the end of the retail IT tunnel, with a conclusion that “the tech downturn of 2008 to 2009 is unofficially over.” It predicts the IT market in the U.S. will grow by 6.6 percent in 2010 and the global IT market will rise by 8.1 percent in U.S. dollars. Wondering if Forrester isn’t always optimistic in mid-January? Well, the firm predicted (just about one year ago) a dire year for 2009, with slow economic improvements in the second half of 2009. So it pretty much nailed that one, giving us yet more reason to believe Forrester’s new optimistic report for 2010.

Forrester Analyst Andrew Bartels cites “growing evidence that an economic recovery started in the U.S. and other countries in Q3 2009.” He also predicts the data will show “a small increase in buying activity or, at worst, just a small decline” taking place during the fourth quarter, adding that “the pieces are in place for a 2010 tech spending rebound.” Forrester predicts the good times will come slowly but “pick up steam later in the year, with computer equipment [especially PCs and storage] and software leading the way, and IT consulting services following.”


Discover: Contactless Payment Sticker Users Inadvertently Crippling Performance

January 14th, 2010

In a cruel twist of fate, hapless contactless payment supporters (a dying breed if ever there was one) were swiped by some more bad news this week, courtesy of a new report from Discover Financial Services. It seems that in a trial of its Zip contactless payment program, most consumers tried to hide the stickers inside their phones, a move that unintentionally cripples performance.

According to a copy of a report that Discover prepared about its initial trial results, 69 percent of those participating in the Zip trial wanted the sticker hidden. “The pilot management team was impressed by the creativity demonstrated by participants in finding various ways of hiding stickers under the phone’s protective case (“skin”), under the battery cover and other unseen yet convenient locations.”

Read more...

NRF + PCI = CIO Job Security

January 14th, 2010

For retail CIOs, this is the worst of times and it is the best of times. It may be the worst of times because the emergence of smartphones at the POS, the increase in the amount and availability of customer data, and the growing tokenization and end-to-end (E2E) encryption options may have CIOs (and their QSAs) reaching for the aspirin bottle. On the other hand, it may be the best of times because the CIOs who can address these challenges will be rock stars in their companies.

At the National Retail Federation (NRF) show this week, several vendors were pitching payment card readers (and other peripherals) that could attach to a smartphone, thereby converting it into a POS device. Some of the readers are already PCI PTS approved. With one of these and a Blackberry, merchants can move the POS from a fixed counter to anyplace inside – or even outside – their stores. And the best part is that merchants can have this wireless capability for a price far less than current wireless POS devices offered by most manufacturers. PCI Columnist Walt Conway can think of several merchants he works with that will be looking at these devices very seriously. But, he argues, the PCI implications are complicated.

Read more...

Visa Deal Pushes Heartland Breach Settlement Costs (So Far) To $65 Million

January 14th, 2010

A settlement with Visa announced Friday (Jan. 8) will require Heartland Payment Systems (HPS) to pay $59.22 million to compensate Visa card issuers for costs they incurred as a result of Heartland’s massive 2007 data breach. The Visa settlement follows two other recent agreements, one with American Express and another with a group of breach-affected cardholders, and it will bring Heartland’s breach-related settlement compensation tab to about $65 million.

But the bleeding won’t stop there. HPS has yet to reach agreements with Discover, MasterCard or others. The Visa agreement, described in a filing with the Federal Securities Exchange Commission (SEC), calls for HPS to take out a $53 million loan to help it pay $59.22 million to Heartland Bank and KeyBank National Association, two of its sponsor banks. Visa will pay back to the banks $780,000 in fines it collected from them after the breach.

Read more...

Last Driver-License Scanning Holdout—Nebraska—May Be About To Cave

January 14th, 2010

The only state left in the U.S. that still prohibits retailers from capturing drivers’ license numbers—Nebraska—may be about to give up its resistance. Its state Senate on Monday (Jan. 12) overwhelmingly (33-8) approved allowing the practice. The bill still has to clear a few hurdles before it becomes law (the new vote was only a preliminary first-round vote). It also has a stretch limo-sized list of restrictions. But the move is still quite important, as retailers have been using driver’s licenses for a lot more than age verification and check-cashing, including keeping a tally on customers who return too often without receipts.

There’s an interesting provision that turns a programmer into a criminal if the program permits usage beyond the Nebraska limits. “Intentional or grossly negligent programming by the programmer that allows for the storage of more than the age and identification number shall be a Class IV felony.” Turning a careless programmer into a felon? I can just see new indemnification clauses being demanded by every programmer who is being aggressively recruited. What about shareware or freeware? Good luck tracking down which open-source programmer wrote that particular portion of a Linux program. (“Hey, Brenda, what’s the term for grossly negligent programming in Nebraska?” “An Oracle upgrade.” Rimshot.)

Read more...

Beware Of The Side Effects of Software-As-A-Service

January 13th, 2010

Franchisee Columnist Todd Michaud thinks that every Software-as-a-Service (SaaS) offering should come with a mandatory label that reads: “WARNING: Does not easily or cheaply integrate with existing systems. Side Effects May Include: Lack of upgrade path, poor performance and a spider-web of dependencies. Please consult with your IT professional before implementing.”

Why? As Michaud was walking the aisles of this week’s National Retail Federation (NRF) show, several vendors told him: “We help our partners by offering a completely outsourced solution so that IT is no longer a bottleneck to achieving the results they deserve.” Michaud writes: “Whoa there, Silver; hold on a second. In every organization that I have worked for, the demand for the IT department has always been greater than the supply.”

Read more...

Announce Breach. Blink. Be Sued

January 12th, 2010

There is only one thing that is faster than a cyberthief grabbing stolen card data: A lawyer suing that breached retailer. Only 13 days passed from the Dec. 15, 2009, announcement of a breach at social networking application development site RockYou until a lawsuit against RockYou was filed. The case, filed in U.S. District Court in San Francisco by RockYou user Alan Claridge, asserts that RockYou failed to use even rudimentary security to protect the personally identifiable information (PII), including E-mail addresses, of millions.

“RockYou stored users’ PII in an unencrypted database with poor network security,” Claridge said. “RockYou’s willful failure to secure its users’ sensitive PII led to multiple security breaches that exposed 32 million users to identity theft and other malicious conduct. Although security threats are unavoidable in a rapidly developing technological environment, RockYou recklessly and knowingly failed to take even the most basic steps to protect its users’ PII by leaving the data entirely unencrypted and available for any person with a basic set of hacking skills” to access.


Want To Talk Back To StorefrontBacktalk At NRF?

January 7th, 2010

For those of you who are venturing to New York City’s Javits Center for the NRF show next week, I want to first assure you that your fears that it will be freezing in the Big Apple in mid-January are unwarranted. The latest forecasts have high temperatures staying below 32 degrees so freezing it will not get. On Sunday, it will be a balmy 26 degrees.

But as long as you’re coming, we’d love to ask you to drop by some of the StorefrontBacktalk events and do what our readers do best: yell at us. The first shouting opportunity will be at the RetailROI event at the Marriott East Side (Lexington and 49th) on Saturday at 2:45 PM. This charity event (www.retailroi.org) is designed to raise money for global orphan care and adoption support. But to do that, we get geeky for awhile. Our panel is on retail security and it starts at 2:45 PM and features the CIO of the world’s largest restaurant group: Delaney Bellinger from Yum Brands (Pizza Hut, KFC, Taco Bell and Long John Silver’s, among others). Also on the panel are two of our esteemed columnists (Franchisee Columnist Todd Michaud and PCI Columnist Walt Conway) plus Mark Rasch, the former head of the U.S. Justice Department’s high-tech crimes division.

Read more...

For How Long Will Consumers Forgive Mobile Slowness?

January 7th, 2010

With its latest batch of M-Commerce performance benchmarks being published, online performance tracking firm Gomez noticed that the average mobile response time of major retailers is 3.7 seconds. That contrasts with an average response time of 2.2 seconds for those same chains’ Web sites and an industry ideal time of two seconds. But are those differences meaningful? Indeed, even that two-second target is suspect. To make it meaningful, wouldn’t it have to factor in the consumer’s demographics? Is a 61-year-old corporate CEO going to have the same time sensitivities as a 31-year-old unemployed painter? What about a teen-ager?

The truth is that the influence of age, income and background are trivial—in terms of projecting how long that person will wait for a page to display—when compared with something much more personal: Why is that person trying to access that Web page right now? If they’re in an airport trying to find an alternative to a snowed-in flight, they have little choice but to be patient. Or a 16-year-old trying to download a new hot song. And if it’s a consumer merely browsing to kill time? Almost any delay will make that consumer flee.

Read more...

A Look at PCI in 2010

January 6th, 2010

PCI Columnist Walt Conway sees PCI 2.0 mandating the use of automated cardholder data discovery tools, imposing rules that will literally overrun the council’s PCI training program and, most likely, not alienating Level 2s enough to make a difference. (That’s the secret to a happy marriage: knowing the precise moment when an aggravation level will overtake apathy, and stopping nanoseconds short of it.)

But Conway sees the data discovery prediction as the most significant. “If you have a lot of locations, you have work to do setting up and scanning all those databases, workstations and servers. Especially watch to see if the Council decides to implement data discovery like it did wireless scanning (Requirement 11.1). If this happens, merchants will not be able to sample locations and will have to search each one. The good news is that you can conduct these searches internally and there are good open source products available. Your QSA likely would only need to verify the results of your automated discovery and to review the scope of your search.”

Read more...
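
The kind of automated cardholder data discovery Conway describes, as an added example written for this page rather than code from the column or any Council-endorsed tool: candidate PANs are pulled out of text with a regular expression, kept only if they pass the Luhn check (so order numbers and timestamps drop out), and reported masked so the scan report does not itself become a store of card data. The file set and its contents are constructed, and the regex and masking rules are this example's own assumptions.

```python
"""Minimal cardholder data discovery scan (constructed example).

Walk a set of text "files" (here an in-memory dict, standing in for the
workstations and servers a merchant would have to search), pull out digit
runs that look like a PAN, and keep only those that pass the Luhn check.
Findings are reported masked (first six / last four digits).
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run. Assumption: this covers the PAN layouts worth
# flagging; a longer separator-laden run can still yield a shorter match, which
# is one reason the Luhn filter below is applied to every candidate.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample data standing in for files found during discovery.
# 4111111111111111 and 5500000000000004 are widely published test numbers.
SAMPLE_FILES = {
    "pos/debug.log": (
        "2010-01-05 14:02:11 AUTH req pan=4111111111111111 exp=0312 amt=19.99\n"
        "2010-01-05 14:02:12 order_id=1234567890123456 status=APPROVED\n"
    ),
    "support/chat-2010-01-04.txt": (
        "customer: my card is 5500 0000 0000 0004, can you re-run it?\n"
        "agent: please call 555-0100 instead of typing it here\n"
    ),
    "hr/extensions.txt": "Front desk x4102, warehouse x4107\n",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, masking the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked PANs in text: regex candidates that also pass Luhn."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Length is already bounded by the regex; re-checked defensively.
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_files(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each path holding at least one Luhn-valid PAN to its masked hits."""
    report = {}
    for path, content in files.items():
        hits = find_pans(content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, pans in scan_files(SAMPLE_FILES).items():
        print(f"{path}: {len(pans)} PAN(s) -> {', '.join(pans)}")
```

The order number in the POS log is a 16-digit run that fails Luhn and is dropped, while the spaced-out card number in the chat transcript is still caught; a real scan would walk the filesystem and database exports the same way.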

Best Buy Kicks Visa Contactless Out Of The Building

January 6th, 2010

Within a few months of Best Buy threatening Visa that it will halt accepting its contactless card unless Visa changed its fees, the $35 billion 1,023-store chain made good on its threats and became Visa contactless-less.

The controversy involves Visa forcing chains to accept more expensive signature—as opposed to the more retail-friendly PIN—authorization. Best Buy is still accepting Visa magstripe cards plus other brands’ contactless offerings. “After several discussions with Visa produced no agreeable changes,” the chain started removing its acceptance of Visa contactless cards in October, completing the cutoff in November, said one Best Buy executive involved in the decision. The cutoff happened store by store along with POS upgrades. “Our decision was based on the costs associated with requiring contactless debit transactions be processed as signature debit.”

Read more...

Amazon Pricing Needed Serious Optimization, As It Sold A $3 Billion Win98 CD-ROM

January 6th, 2010

A San Mateo, Ca., consumer was browsing Amazon.com and he saw a CD-ROM from the Discovery Channel called Cells. It only supported Mac and Win98 so its price was a mere $5 million more than $2.9 billion. Yes, this piece of educational software was selling for almost $3 billion, plus $3.99 for shipping. (Geez, how much does Amazon require now for Free Super Saver Shipping?) Just for the fun of it, the consumer—Brian Klug—purchased it. Not only did Amazon’s system process the item at the $3 billion charge, but it sent a clean confirmation note. Even the credit card’s limit didn’t trigger any “this doesn’t seem right” alarms. The screen captures of the purchase have been widely posted.

Posted price glitches can happen, even to as sophisticated a site as Amazon. But the fact that it went through a credit card process—the card wasn’t charged until the product arrived, but it was verified—and an E-mail confirmation suggests that this glitch is a bigger concern than it might appear.


You Hired The Wrong Guy. That Sucks.

January 5th, 2010

“We don’t really do anything here. We just manage the people that do stuff to make sure they don’t screw up.” Franchisee Columnist Todd Michaud used to give this answer a lot when asked about what type of work his franchise IT group did. They were responsible for picking other people to do a job that they themselves were qualified to do, and then for dealing with it when those people didn’t do it well.

Sounds like a dream come true, right? The perfect answer to “What do you want to be when you grow up, Billy?” It is very frustrating to try to hire someone for this role and get it wrong.

Read more...

Trust Your QSA? Take Our Survey, Tell The World

January 5th, 2010

In tracking PCI issues within various major chains, we have seen that the differences in perception can be staggering. In an attempt to get a handle on where most companies stand, we’re putting out a small survey on usage and challenges.

As a thank you for retailers involved in PCI completing the survey, we are offering them a free autographed copy of Hacking Exposed: Network Security Secrets, which Amazon has labeled a best-seller.

Read more...


Most Recent Comments

What’s The Rush For New PCI Call Center Requirements?

And I have not heard anyone mention the impact on companies who provide quality improvement services. Many merchants hire quality improvement companies to review their audio recordings to provide guidance on how to improve their sales staff’s effectiveness in customer service and sales retention. PCI Council needs to rethink this requirement until there is a widely available commercially viable solution. Read more...
Another ridiculous decision where regulators don't think critically enough about the unintended consequences of their decision. This will be a huge problem for the credit and collections industry. We have to keep all recorded calls for other reasons not related to cc information. We can't purge all of our calls and we don't have the technology to not record part of the conversation. Even if we did, I am not sure we could afford it. Read more...
This "clarification" is causing a lot of panic with large FS clients who now appear to be non-compliant after spending 7 figure sums on their compliance programs. The only alternative to call recording would now appear to be some sort of IVR/push button type interrupt to take card data away from the contact centre. The council is in a position to force that sort of process and technology change and this may backfire on them and the vendors that lobbied hard for this clarification. Read more...
PCI council has made a one-sided decision; they should have done much more in-depth research that could have provided more insight into the implications of such a decision. Read more...

Will Old OS Cause PCI Violation? No, But Marketing Still Says So

This is an interesting issue, because there's more to it than what's apparent on the surface. PA-DSS requires supported and patched operating systems and other software components (e.g., databases, libraries, Java, etc.) per PA-DSS 7.1.b and 8.1, and the option for compensating controls simply isn't there. Merchants can make use of compensating controls for most PCI DSS requirements, but only when legitimate constraints exist and only in ways that meet the intent and rigor of the requirement and go above and beyond the other PCI DSS requirements. Read more...
Why would one automatically upgrade to a "new" OS -- some of the older versions of certain OS-es are more stable and more robust than the crap being peddled today. This is yet another clear example of PCI SSC being out of touch with reality. Rather than requiring a "current" OS, the requirement should be to demonstrate the OS in use is stable and robust, and is adequately hardened against threats. Read more...
There are compensating controls that encrypt the swipe at the driver level as it enters the PC, and there are hardware encrypting card swipes so the cardholder data is already encrypted before it comes to the PC -- either of these, especially the second, would remove the OS entirely from a cardholder data risk profile. Read more...
In my opinion, the only thing the vendor did wrong was they didn’t know of that FAQ entry. Even if they did, it changes nothing about the need for merchants to update software that no longer receives updates. Read more...

MasterCard Blinks, Drops Dec. 31 Level 2 PCI Deadline

Reciprocity between MasterCard and Visa has always been a factor in Acquirer merchant level assignments. The brief removal of reciprocity generated a great deal of interest in being able to be classified at a lower level in MasterCard's world. Nevertheless the return of the reciprocity language in the December changes did not effectively create any new Level 2 merchants, but it DID dash the hopes of a lot of them.... :-( Read more...
Let's give them credit??? For being idiotic in the first place? Not on your life! Everyone has just had to scramble and include the costs of the previously announced M/C requirement in their 2010 budgets, and start negotiating with the QSAs for the additional services. All for naught! Read more...
"A bunch of Level 3 and Level 4 merchants just became Level 2s". Is this an accurate statement? MasterCard & Visa have historically included the caveat "or is a Level X in another brand" in their level setting criteria. MasterCard appeared to back away from this in the June pronouncement, and have simply returned to the status quo. Have Acquirers been tracking and reporting merchants at separate levels by brand? Read more...
I stick by my comment (quoted in the column) about a bunch of L3 and L4 merchants becoming L2s and requiring an onsite. To me, what made MasterCard's original requirement for an onsite assessment for L2s palatable was that they took away their reciprocity provision. That is, they seemed to focus on larger merchants with over a million MasterCard trans/year. With reciprocity in place, a lot of smaller merchants are pulled into the onsite requirement. Rather than causing confusion, I think reciprocity will lead to additional work for processors and acquirers. Read more...

Retailers Sue POS Vendor, Questions Raised Where PCI Duties Stop

I would add a couple more questions: "did the breach involve the use of the default passwords?" (The story doesn't say.) And "were the default passwords used by Computer World to remotely administer the store systems?" "where is the PCI auditor in all this?" Did the restaurant group think they didn't need an audit because Radiant was (mis)representing Aloha as PCI compliant? How is a retailer or even a PCI auditor to know otherwise? A PCI auditor is not necessarily a qualified computer forensic investigator capable of finding the card data on the hard drives. They can only base a decision on information given to them by others. Read more...
There are so many holes in the process it will be difficult to pin blame on just one constituent. It is ridiculous that the technology exists to better secure these transactions (PIN, EMV, etc) yet banks won't use them. Only the banks or government can force this change, and retailers will suffer until then. Read more...
A major issue in this case will be if the restaurants had any support agreements in place with Computer World and if so what those agreements say. In my experience many single unit/small operators choose to skip the support agreements in favor of a "pay as you go" arrangement. In this scenario I can't imagine how the POS VAR can be held responsible for a system they don't own nor exclusively manage. Read more...
There is a big difference in having the POS installation guide say "make sure you set this password because the security of your CHD depends on this" vs. a POS application not storing the CHD in the first place. Traditionally only the merchant was liable for breaches and PCI related fees (fines). Maybe dragging some of the vendors into the liability mud fight will open the eyes of some of these vendors. Read more...

Should Credit Card Transactions Be Free? There May Be A Way

Here in the Netherlands, where the population is notoriously penny-pinching, credit card acceptance is amazingly low. It's both a result of the consumer not wanting to pay interest on everyday purchases as well as merchants not giving up a slice of the action. It is both legal and common to pass the processing fee onto the customer as a surcharge. Now things are moving to leave the credit cards behind: mobile phone payments are becoming more and more common here, and the transaction fees are minimal. Parking and entertainment (movie/concert tickets, nightclubs) have been amongst the first, and it's rapidly gaining momentum because the market has been hungry for the convenience at a price it is willing to pay. Read more...
"Free" is an illusion. Don't charge one person but charge double to someone else. I am very skeptical of anyone who says that advertising will create valid cashflow. Just look at the advertising struggles in a TiVo world. And if you sell your customers' data, just be warned that the one group that might have an issue with that are your customers (which to me is very important to cashflow). Read more...
Another factor not mentioned here is the impending costs that the processors and issuers are going to incur when someone decides on an end-to-end encryption method, and it then becomes government mandated. I can guarantee that this is a when question and not an if question. The back-end networks are pretty antiquated right now, and it's going to cost billions to replace everything. The cost of tech may be going down, but the cost of replacing millions of servers and hardware, and creating new, proprietary, software is still really expensive. Read more...
Accepting credit cards are not "risk-free" for merchants, contrary to Jim's comments above. Chargebacks are an expense - both in terms of actual transaction reversals and costs associated with managing the process. Chargeback rules and expenses can be everything from a thorny issue to an onerous expense for some merchants, especially for convenience stores that allow customers to pay for gasoline at the pump, or other retailers that allow in-store self-checkout options. Read more...
I've wondered for years why the price of transactions has been so high. Phone companies long ago started offering unlimited calling for flat rates because they understood that in many cases it cost more to report on the transactions (calls) than it did to fulfill them. Read more...
If a home-owner defaults on the mortgage, who is taking the risk? The bank making the loan to the consumer or the person selling the house? It is obviously the bank that takes this risk and is rewarded for that risk through interest rate charges. In my mind, we have mixed together two distinct and unrelated transactions. Read more...
The one big factor not mentioned in this article is who will take over the risk ? Taking credit cards is risk free to merchants and the issuing Banks take the risk if a customer defaults on the payments ! If you had a "interchange free" payment system will the merchants assume the risk ? Also, if there isn't enough profit for the issuing banks they will stop issuing credit cards which will in turn kill our economy. Read more...

The Dangerous Out-Of-Scope PCI Charade

If tokens are ever deemed in-scope, then where does the line stop? I ask this because it would mean that all timestamps, sequential numbers, random numbers or any other piece of information that may or may not be used to generate a token is within scope -- all data a POS uses and stores, not just payment data.
Having the ability to do both Tokenization and End to End Encryption (not mere point to point) can have tremendous scope and risk reduction benefits and agility to adapt to change in this fast-moving compliance landscape. Being able to have both on tap from a single platform is a solid approach to avoiding the pitfalls.
But the consumer walks into a particular retail chain, gives their payment card to someone wearing that chain's uniform and the card is swiped. If, six months later, there's a breach and that card was misused, it's the retailer who will be in the spotlight. They're the deep pocket and, therefore, the target. If the consumer is angry and wants to cut off business, it will hit the retailer. Therefore, if the retailer is going to end up being blamed no matter what, they have to stay involved.
True, that someone may be storing a token-to-PAN cross reference. But that would be the bank, not the retailer. If the bank is not sure they can keep their data secure, then there are bigger problems to be addressed than bringing tokens into scope.
Good general point, Steve, but for the record, not all tokenization is done the same way. Many tokens are associated with lookup lists that allow for them to be re-matched to the card data if it's needed, such as for a chargeback. A token doesn't have to be decryptable (is that a word?) for there to be a way to access the original data.
The out-of-scope argument is very valid, but in reference to tokens, the premise of temporarily out-of-scope or abruptly deemed in-scope is flawed. Conway was quoted as saying “anything that could be made unreadable can, in various ways, be made readable again”; this statement is true when talking about encryption technologies (all encryption technologies) but not so with true tokens. True tokens are in no way related to the original data other than as a reference key.
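The distinction the last two comments draw (a random token that is only a reference key, re-matched to the card number solely through a lookup list held by the vault) as an added illustration; this is example code, not from the article or any commenter, and the card number is a constructed test value.

```python
import secrets

# Constructed test PAN (not a real card number) used to drive the example.
SAMPLE_PAN = "4111111111111111"
DIGITS = "0123456789"


class TokenVault:
    """Lookup-list tokenization: the token is random, so it carries no
    information about the PAN; the vault's cross reference is the only
    path back, which is why the vault (not the POS) is the sensitive part."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        # Reuse the same token for a repeat card so the merchant can
        # link purchases without ever holding the PAN itself.
        if pan in self._by_pan:
            return self._by_pan[pan]
        while True:
            # Keep the last four digits for receipts; everything else is
            # drawn from a CSPRNG, not derived from the PAN.
            head = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if token != pan and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str):
        # Only the vault can re-match a token (e.g. for a chargeback);
        # returns None when this vault never issued the token.
        return self._by_token.get(token)


def charge(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the POS keeps after the sale: a token and the amount, no PAN."""
    return {"token": vault.tokenize(pan), "amount_cents": amount_cents}


def resolve_chargeback(vault: TokenVault, record: dict):
    """Re-match a stored POS record to the card number via the vault."""
    return vault.detokenize(record["token"])
```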