StorefrontBacktalk » E-Commerce

Could Chat Transcripts Be Security Minefields?

September 2nd, 2010

When Rite-Aid and Walgreens both announced pharmacist chat programs last month, they were the latest chains to try to use chat to get closer to their customers. But, ironically, preserving transcripts of chat discussions about highly sensitive patient medical history may prove a very serious security threat.

It’s ironic because both chains are taking substantial steps to secure access to confidential patient data, but neither is specifying steps to protect transcripts of that very same data. Imagine forcing call center employees to comply with all PCI rules about not retaining prohibited payment card data and then allowing them to write all of that data into plain-text files that are sent to consumers (who are unlikely to protect them) and saved in the chain’s own files.


Google’s Latest Social Search Falls Far Short Of What Retailers Need

September 2nd, 2010

Among the most frustrating data-analytics facts in retail today is that the goldmine of customer data locked in social networks is virtually untouchable because of the way the data is structured.

Think about it: Millions of customers and prospects post their innermost product thoughts on Twitter, Facebook, YouTube and their own and their friends’ blogs. This info is free and often visible to all. But how do you take that data and match it to specific customers/prospects so that the data can be acted on? That’s the untouchable part.


Mobile Web Performance Erratic At Best: Nordstrom, QVC Good; Levi, REI Bad

September 2nd, 2010

Just how out-of-control does mobile commerce get when you’re creating M-Commerce sites for different smartphones on different carriers? Pretty wild, according to the numbers from a new survey of retail M-Commerce sites by Web-metrics company Gomez. The best sites (Petco, QVC, Nordstrom) perform consistently well; the worst (Levi Strauss, REI, American Eagle Outfitters) always have mediocre availability. But in between, it’s chaotic: Content that shows up in seconds on one phone can take half a minute on another, and a site that’s 99 percent available on one carrier can drop to 89 percent on a different one.

Tuning E-Commerce site performance for multiple browsers is an old problem, of course. But programming is just the beginning of the mobile performance problem. It also depends on smartphone hardware, which varies widely in horsepower, and mobile carriers, whose performance can change dramatically if a user moves literally just a few feet away. That makes the puzzle hugely more complex–at a time when retailers can’t afford to avoid that complexity.


Mobile Cannibalism: Get Used To It

September 2nd, 2010

With several major retail mobile sites starting to yield significant traffic and/or sales–Pizza Hut’s iPhone app, for example, is about to pass the 2 million download mark–senior execs at various chains are grappling with what should be expected of the telephone terminals, what Lily Tomlin’s Ernestine the switchboard operator might have called Ringy Dingy Revenue.

What is a realistic near-term goal? Is it to generate true additional revenue or is it acceptable–initially, at least–to simply shift purchases from Web to mobile? Moving from revenue to the much-beloved profit margin, is it possible to say whether mobile or Web has lower operational costs?


North Carolina’s E-Tail Amnesty Program Rejected By 94 Percent

September 2nd, 2010

In the latest saga of North Carolina’s attempts to get sales tax revenue from E-tailers–its battles with Amazon are nothing if not creative–the state offered tax amnesty to 450 retailers, if they cooperated. Only 27 accepted the offer, which is barely 6 percent of those approached. Those 27 “represent a variety of large national and smaller specialized retailers,” said Beth Stevenson, the public information officer for North Carolina’s Department of Revenue.

The deal was simple. If the retailer agreed to collect North Carolina’s taxes for four years, the state would agree to not “assess tax, penalties or interest” and “to not exercise its authority to obtain consumer information from the retailer to collect a tax liability.” I’m stunned that more retailers didn’t leap at the offer. I’m really curious as to which national chains agreed to this proposition, as it would almost certainly force them to also pay taxes to every other state. Then again, if the chain’s participation stays secret, the other states wouldn’t know and it couldn’t be used against the retailer.


Staples, Office Depot, OfficeMax Are Sued For Their Web Sites—And Much Of The Rest of E-Tail Could Be Next

September 2nd, 2010

Staples, Office Depot and OfficeMax are standing in for the rest of the E-tail world in a lawsuit filed last Friday (Aug. 27). The office-supply giants are being accused of illegally using patented technology in their Web sites–though it’s not clear what features of the sites are violating the law. The suit, filed by a company Microsoft co-founder Paul Allen owns, also names E-Commerce companies eBay and Netflix, along with search engines Google and Yahoo, social networking sites Facebook and YouTube, and Apple and AOL.

Retailers aren’t usually hit with patent lawsuits. Those are usually reserved for manufacturers, although the ways retailers handle debit cards, gift cards, micropayments and site accessibility have attracted litigation in the past. This time, though, it’s their Web sites that have the office stores under legal attack. But there’s nothing special about these Web sites that make them dramatically different from other large E-tailers. That means if these retailers lose in court–or settle the case–every other major retailer will soon be looking down the barrel of the same legal gun.


The Danger Of Assuming Perfection

August 26th, 2010

In last week’s lead story, PCI Columnist Walter Conway wrote a hard-hitting column questioning whether–under very limited circumstances–carelessly used encryption might actually weaken a retailer’s data security. In security circles, it’s heresy to question encryption and, predictably, the emotional reaction to the column was intense.

It’s not often that people challenge our technical conclusions while simultaneously questioning the marital status of our mothers. The column suffered from one key technical error: it questioned how easy it would be to extract clues to an encryption key from the encryption of the short payment card expiration date field. Walt admitted that error–and explained the context–in his column this week. (By the way, if anyone else wants to yell at us, this week has a column from Frank Hayes that questions the very premise of security passwords. Gluttons for punishment we be, a rare breed of journalistic masochists.) But there’s a bigger issue at play here, a long-standing technology frustration beneath the emotions.


Encryption Implementation Really Matters

August 26th, 2010

PCI Columnist Walt Conway wants to withdraw one point from last week’s column while reinforcing the rest. To suggest that the key could be derived from encrypting too small and easily guessable a field was wrong. But the essence of the concern stands: properly configured systems would not be vulnerable to this type of attack. How many retail chains do you know that have properly configured security systems?

Retailers looking to purchase a product rather than develop one in-house have to be equally thoughtful. They should make sure the software vendors providing their POS applications have experts on cryptography as part of their development teams. It’s not enough to ask what algorithm or key length the POS uses or even to check that the application is on the PA-DSS list of Validated Payment Applications without understanding the operational implications of how that application handles cryptographic functions.


Apple Taking Privacy Concerns To Heart

August 26th, 2010

While retailers debate mobile geolocation efforts and the resulting privacy implications, Apple’s Patent people are preparing for the battle after the arguments have died. On Thursday (Aug. 19), the U.S. Patent Office made public an Apple patent application that, among other things, uses a consumer’s heart rhythms to not only confirm that person’s identity but analyze vibrations to determine the kind of transportation that person is likely using.

And here’s a passage that’s sure to capture the attention of privacy advocates everywhere: “The photograph can be taken without a flash, any noise or any indication that a picture is being taken to prevent the current user from knowing he is being photographed. As another example, a recording can be taken to capture the current user’s voice through, for example, the microphone. The recording can be taken when the current user makes a phone call with the electronic device. In some embodiments, the electronic device can record any voices or sounds that are detected, regardless of whether or not a phone call is being made.”


Stop Making Friends And Start Making Money

August 26th, 2010

Franchisee Columnist Todd Michaud can’t help but smile when he reads polls about how many companies are experimenting with social media. Responses along the lines of, “We are trying different social media tactics but have not landed on a solid strategy,” tend to be the most popular answer. Can you imagine a CIO making the statement, “We are playing around with ERP to see if we can build a business case”?

The world is moving to an open, sharing, social platform at a lightning pace. As a result, people behave differently today than they did yesterday. How have your sales and marketing strategies adapted to this change? What if you could provide incentives to customers to entice their social graph to visit the location (receive 10 cents on your loyalty/gift card for each of your friends who checks in)? Laugh if you will, but I believe the restaurant industry will see multi-level marketing become a large part of its business in the next three to five years.


New Gift Card Rules Will Make That Plastic Even More Of A Hot Potato

August 25th, 2010

When the U.S. Federal Reserve’s new gift card rules took effect on Sunday (Aug. 22), it made severe changes to when gift cards can expire and even more severe changes to when the money on those cards can expire. These changes could prove problematic for retailers who have stockpiles of cards with the old wording. But those headaches are trivial compared to what their IT counterparts, who need to incorporate the new accounting rules for existing and new gift card accounts, will face.

The new rules apply to activity as of Sunday, which means that the millions of cards already in circulation must be handled differently until they’re all gone.


More M-Commerce Proof, From China: $4.4 Billion In Mobile Revenue Last Year

August 25th, 2010

As retailers plunge ahead with Mobile-Commerce plans, they are continually looking for market evidence that there’s gold in them thar hills. Anything to appease corporate’s comically relentless search for ROI proof, whether it’s realistic or not. Late last month brought Amazon’s boast of $1 billion in M-Commerce revenue. That was great for starters, even though a lot of the sales were for e-books and Kindles and other especially M-Commerce-friendly purchases. Still, a billion dollars is a billion dollars.

Today, from China, we have a new stat that’s almost four-and-a-half times better. China’s Union Mobile Pay is reporting an M-Commerce sales volume equivalent to $4.4 billion U.S. (30 billion yuan, which is about 3.1 billion euros), according to a report Tuesday (Aug. 25) from PaymentsSource. That service also reported 140 million registered users, as of the end of last year. There are always caveats, and it should be said that China is a much more mobile-payment friendly country, that the infrastructure has fewer obstacles (with government blessing) and that mobile is sometimes the only viable payment method accepted by some Chinese merchants. But $4.4 billion? That’s hard to dismiss with even a billion caveats.


Nordstrom Merges Online And In-Store Inventory

August 24th, 2010

Nordstrom might be the last retailer you’d expect to worry about slugging it out with competitors online for customer service. The tony $8.6 billion chain also doesn’t have a reputation for tech wizardry. But when Nordstrom unveiled its redesigned Web site last Saturday (Aug. 21), it also spotlighted a feature that the retailer quietly began offering in September 2009: merged online and in-store inventory systems. As a result, a customer buying through any Nordstrom channel has access to products that happen to be in any store or online warehouse.

That fully merged-channel inventory system took four years of work to become a reality, according to Nordstrom spokesman Colin Johnson. The process started with breaking down organizational silos and laying the foundation, then moved to creating a single view of inventory and finally layered the brick-and-mortar store inventory view on top of the online inventory system. That explains why multichannel commerce seems like such a slow slog for most retailers today: It really does take years. Considering that Nordstrom’s in-store approach of pampering customers can’t be replicated online, the retailer was wise to start the march early–and arrive first.


Telecom, Banks Starting Various M-Commerce Trials

August 24th, 2010

Disparate mobile-payment-related moves from Bank of America, US Bancorp, Verizon and Visa this month show a continuing shift to mobile payment from key telecom and financial players. The moves are not aligned, which shows the type of multiple experiment efforts typical at the start of a major channel. Bank of America and Visa are beginning a mobile contactless payment trial to run from September through New Year’s Eve in the New York metro area, with an identical trial at US Bancorp slated to start in October.

An unspecified number of consumers in the trials will be provided with contactless chips to insert into their phones. The problem with those trials is it’s likely testing the wrong things. Few have questioned whether the payments will work. The issue is whether consumers will bother to make contactless payments. People chosen for these trials will be much more likely to participate, so it’s not clear what they will prove. The Verizon trial comes in the form of a $400,000 investment by Verizon in CardStar, which consolidates CRM and membership cards in a phone, according to The Wall Street Journal.


Heartland Self-Inflicts More Data Breach Injuries

August 19th, 2010

Heartland Payment Systems again finds itself in the glaring light of a data breach probe, but this time, the injuries are almost entirely self-inflicted. The incident in question is the Austin, Texas, data breach of several hundred payment cards from a four-location Greek cafeteria—which one Austin detective said crafts a terrific baklava—that happens to use Heartland as its processor.

A preliminary investigation by the Austin Police Department Financial Crimes Unit—which knows its way around credit card theft—ruled out a skimming attack against Tinos Greek Café. That placed the attention on a database of the cards used at Tinos, either on Tinos’ own computers (just PCs) or at Heartland, said Sgt. Matthew Greer of that financial crimes unit.


Gap In Huge Global E-Commerce Rollout

August 19th, 2010

On paper, global expansion limited to E-Commerce sites should be light-years easier than doing it with overseas brick-and-mortar locations and employees. In reality, not so much. It’s certainly easier. But with tariffs, taxes, postal codes and local customs, delivering a seamless and fully integrated experience is next to impossible.

Gap, along with its Banana Republic, Old Navy, Piperlime and Athleta brands, announced August 12 plans to move from a site supporting one country to one supporting 65 countries by the end of December. The $14 billion chain is tackling the expansion with two parallel efforts: It’s going to build its own physical fulfillment centers in both Canada and the U.K., in addition to crafting dedicated customized E-Commerce sites for those two countries; and it’s using a vendor to add a small Flash module to replicate local checkout.


Too Much Encrypt = Cyberthief Gift

August 19th, 2010

Encrypt every part of your payment data and you may be giving your least favorite cyberthief a beautifully wrapped gift. That’s the secret dare not spoken aloud by security advocates, and it was hinted at–albeit obliquely–by the PCI Council in its latest update.

Although it can be considered cryptographer heresy to suggest that encryption is ever a bad thing, if it’s applied to certain fields, encryption may actually sharply undermine security by making it much easier to break the encryption key. And when that happens, pens PCI Columnist Walt Conway, the whole jig is up. (Conway withdrew the key-derivation claim in his column the following week, while standing by the broader concern about how such short, guessable fields are encrypted.)


PCI New Rules: Reading The Tea Leaves

August 19th, 2010

When the PCI Council periodically sends out sanctioned teases about an upcoming version, the fun part is the tea-leaf-like reading of its deliberately vague hints. And the Council has offered us quite a bunch to choose from, including “expanded definition of systems components to include virtual components,” “recognize that issuers have a legitimate business need to store sensitive authentication data” and the especially intriguing “update requirement to allow business justification for copy, move and storage of CHD during remote access.”

The most powerful change from the hints was a warning that too much encryption may actually weaken network security. (See this week’s PCI column from Walt Conway.) But let’s delve into some of the more mysterious and intriguing elements first.


Is Barnes & Noble’s Fear Of iPad Competition Stunting Its M-Commerce Effort?

August 18th, 2010

Mobile Commerce is just beginning to demonstrate how tricky it can get. On Tuesday (August 17) Barnes & Noble announced new versions of its free e-reader app for the iPhone and iPad. The app has most of the features of Barnes & Noble’s Nook e-reader. But one feature is notably absent: the Nook’s ability to let users read anything in Barnes & Noble’s electronic inventory when the device is inside one of the book chain’s 723 stores.


That Nook feature, which Barnes & Noble calls “Read in Store,” doesn’t just allow customers to browse whatever they want in the store. It also allows the retailer to track each customer’s browsing habits to the second — and to the page. That’s a potential gold mine of data for feeding recommendations to customers as well as managing dead-tree inventory. And because “Read in Store” has turned out to be very popular with Nook-using customers, Barnes & Noble knows there’s a demand for the feature–and a lot of customer data to be acquired from it.


eBay’s First-Ever Rewards Program Offers A Bit Too Much Honesty

August 17th, 2010

In the 15 years since Web pioneer eBay began, the E-tailer has never bothered to have a rewards program. That changed on August 13, when it unveiled a 2 percent rebate on “most items purchased through the site with PayPal.” Although the size of the rebate is certainly modest, eBay may have let a wee bit too much honesty show through in its statement.

“We’re giving eBay’s most loyal shoppers something special in return–money to spend on eBay,” said Lorrie Norrington, president of eBay Marketplaces. Hey, the truth is the truth. We’re simply used to marketers dressing it up a bit more. Then again, why pretend that eBay wants its customers to pocket these rewards?


Walgreens And Rite-Aid: Dueling Chat Strategies

August 12th, 2010

Within a few days of each other, two of the nation’s largest pharmacy chains–Walgreens and Rite-Aid–this month rolled out programs in which their customers can use Internet chat to talk with pharmacists about medical advice 24×7. But each chain opted for a very different approach, with $63 billion Walgreens giving its pharmacist chatters full access to the medical databases on patients across the country while $26 billion Rite-Aid took the more conservative route of limiting chatters to generic advice based on nothing more than what consumers choose to share.

The moves–and different strategies–are especially interesting given how pharmacies today find themselves in arguably the most data-sensitive retail segment. This space has all of the usual retail privacy concerns and regulations, in addition to medical requirements such as the U.S. Health Insurance Portability and Accountability Act (HIPAA).


Policing Consumer Comments: No Charge, Please

August 12th, 2010

It turns out that charging $19.99 to review harassing or libelous comments posted on a Web site really is a bad idea. On Monday (August 9), the local-Web-message-board group Topix officially agreed to stop its ill-advised, year-long attempt to monetize the monitoring of its sites. Topix says it will now review all reported abusive posts for free, remove inappropriate posts within three working days and report illegal activity to law enforcement.

Topix had help changing its mind: In May, 23 state attorneys general called on Topix to stop its pay-for-policing charges, with the implicit threat that they’d get tougher if Topix didn’t end this policy. As we said then, retailers also have lots of ideas for making money on the many non-customers who hang out at their E-Commerce sites just to comment. But you wouldn’t charge $19.99 to have a security guard stop thugs from roughing up someone in your store. Maybe that’s the test case to use for deciding whether an audience-monetizing idea is over the top.


Pep Boys Gets Creative About Boosting In-Store

August 12th, 2010

In the merged channel world of E-Commerce versus In-Store versus Mobile, the difference invariably comes down to convenience. E-Commerce beats in-store with convenience, while Mobile beats E-Commerce with convenience. The only way for channels to survive is to stress their unique value to consumers. With that in mind, the $1.9 billion Pep Boys has come up with a deliciously creative way to do something only an in-store channel can do.

The 560-store automotive chain selected one train station to act as a trial. Customers who happen to use that train station–located just outside Philadelphia–can drive into the station, park, take the train into work and when they return to the station, their car has been repaired and is sitting in the parking lot again. If it works, this approach eliminates the hassle of getting the car to the mechanic and retrieving it (a fun trick that typically requires two drivers to switch off).


Researchers Who Actually Count Shoppers Online? What A Concept!

August 12th, 2010

This week’s study on Web-browser privacy has one especially interesting element: how the university researchers reached their results on the number of people who use browsers in private mode while shopping online. Did the researchers from Stanford University and Carnegie Mellon University just extrapolate from available Web survey numbers, the way you might expect cash-strapped academics to do?

No, they actually bought ads on three types of Web sites (adult, gift shopping and news) and tracked how many users of each type of site were in private mode when they landed on the ads. The researchers shelled out $120 to buy a total of 155,216 ad impressions, split evenly among the three Web site categories. That gave their survey a far better statistical sample than many high-priced analyst studies use.


Web Browser Private Modes A Little Leaky

August 12th, 2010

In Web browsers, privacy isn’t all it’s cracked up to be. A university study released Wednesday (August 11) says the “private mode” available in the Internet Explorer, Firefox, Chrome and Safari Web browsers isn’t as secure from prying eyes as users might hope. All four browsers can leak information to some degree, ranging from leaving traces in a PC’s memory to displaying cookies while in private mode, according to a report from the research teams at Stanford and Carnegie Mellon.

The study also points to an interesting project by the Electronic Frontier Foundation (EFF) called Panopticlick, which tries to uniquely identify a user through information the Web browser can’t hide, such as screen resolution, plug-ins, time zone and fonts. The EFF claims it can use that information to recognize a browser returning to the site 99 percent of the time, even if it’s in private mode. Fortunately, that still doesn’t expose more information than a cookie.


How To Kill A Business: Let Business Guys Do Technology

August 11th, 2010

Business people are a lot better at cutting business deals than they are at creating the technical infrastructure to make those deals work. That’s one of the points readers made after hearing about the new mobile contactless payment alliance between AT&T and Verizon. Telcos, in particular, have a long history of having good ideas but failing to deliver on them because of conflicting objectives or simply poor execution of the technology.

Even when telcos get an industry-wide standard right and make it a profitable business–with text messaging, for example–there’s usually a reason. “SMS was a technical feature of the GSM standard which was baked into every operator’s infrastructure,” one reader wrote. “Engineers from various European operators collaborated to build the spec. Business people weren’t in the room. It wasn’t even originally intended for consumer use. Only later did unanticipated revenue opportunities arise, when it was already built. Mobile payments are being led by business people at the U.S. operators–very unlikely to be able to agree to the commercials, let alone standards.”


Franchise IT: Trying To Not Knock Over The House Of Cards

August 5th, 2010

Implementing retail technology in a franchise environment can be like building a house of cards. Each franchisee is likely to be slightly different than the next or have a slightly different requirement or slightly different existing technology. Although each of these variances may be small and seemingly unimportant when viewed alone, the more variances there are–and the longer they remain outside the standard–the more unstable the foundation of the “house” becomes.

But, argues Franchisee Columnist Todd Michaud, this situation gets even more challenging because the person who had the implementation role before you could have stacked the deck against you. It is much easier to say “yes” to a request for something different than it is to say “no.” In most cases, these requests will genuinely move the business in the right direction. But that’s a double whammy: It means your predecessor may have created a field of variance landmines that you must painfully discover on your own.


Do We Have To Sneak Audit Site Hosts Now?

August 5th, 2010

For retail IT directors, the end of American Eagle Outfitters’ 8-day E-Commerce collapse just marks the start of a new fear: that they’ll have to begin dispatching staffers to do sneak inspections of outsourcers. Will they need to burn precious staff time in unannounced audits, looking over the shoulders of service providers to make sure those techs are doing their jobs?

Will they eventually have to turn to a whole new class of outsourcers who do nothing but check up on the big outsourced teams? And who will watch those watchers?

Or is this an overreaction to a disastrous but highly unusual event? A wholesale failure like the American Eagle debacle is big news because it’s so rare. Datacenter disasters happen. There’s no way to bring the risk to zero. And beyond making sure good practices are being followed, returns diminish quickly–you can suddenly find you’re spending a lot of money to prevent something that almost never happens.


AT&T And Verizon In A Mobile Payment Alliance. Yeah, That’ll Last

August 5th, 2010

With word spreading rapidly of a mobile contactless payment alliance between AT&T and Verizon–with T-Mobile thrown in, pretty much so that the first two carriers have someone to complain to about each other–the analysis generally has leaned to this being groundbreaking. In reality, this grouping is not likely to last long, nor will it make much of an impact while the companies stick it out. The alliance does bring together some key players in an attempt to challenge Visa and other card brands. But this deal has all the markings of something that five executives sketched out–five people who will never get within 5,000 yards of the conference rooms where the hard details will be worked out.

Please don’t get me wrong. Mobile payment is a huge issue and some major players will need to jump in, but retail is the key. More precisely, retailers are the key. The issue of mobile payments comes down to sharing revenue, and it will require lots of trust. Now there’s a word not typically associated with AT&T. Asking retailers “Who do you trust more, Visa or AT&T?” is like giving parents of 3-year-old twins a babysitting choice of Jeffrey Dahmer, Idi Amin or Osama bin Laden.


Oracle Backup Failure Major Factor In American Eagle 8-Day Crash

July 30th, 2010

It seems a failure in an Oracle backup utility coupled with the failure of IBM hosting managers to detect it and to verify that a disaster recovery site was operational were the key factors in turning a standard site outage at American Eagle Outfitters into an 8-day-long disaster, according to an IT source involved in the probe.

The initial problem was pretty much along the lines of what StorefrontBacktalk reported on Thursday (July 29), which was a series of server failures. But the problems with two of the biggest names in retail tech–IBM and Oracle–are what made this situation balloon into a nightmare.


Amazon’s M-Commerce Sales Top $1 Billion

July 29th, 2010

In its latest earnings report, Amazon briefly mentioned a rather startling figure: “In the last twelve months, customers around the world have ordered more than $1 billion of products from Amazon using a mobile device.” The knocks against M-Commerce investment have been that it’s too early, that there are too few actual customers using it, that there are too few smartphones, and that consumers are using it to search and price-compare but not to actually buy.

Those who have resisted M-Commerce have said that screen sizes are never going to compete with desktop machines and that the revenue M-Commerce will realistically deliver in the near term could never cover investment costs. With one offhand remark, though, Amazon simply obliterates those arguments one billion times over.


Down For 8 Days: American Eagle’s Site Disaster

July 29th, 2010

In one of the longest site outages ever for a multi-billion-dollar retailer, Tuesday (July 27) saw the apparent end of more than a week of Web problems and days of an outright crashed site for Pittsburgh-based clothing chain American Eagle Outfitters, which outsources much of its Web operations to IBM. The site crashed last Monday (July 19) and stayed dark until Friday, when it limped along with various parts not functioning until Tuesday (July 27) afternoon.

The site’s problems, though, shed light on an interesting strategy. During the many days of complete Web site death, the $2.7 billion apparel chain’s mobile site still looked alive, although it was not functional. This availability raises the question: Should retailers look to their mobile sites as emergency backups for their Web sites? Should pages indicating that a site is down automatically include a link to the site’s mobile version?

Read more...

Double-Check Your PCI Service Provider Contract

July 28th, 2010

Have you read your contracts with all your PCI service providers lately? These are the third parties that store, process or transmit cardholder data for you. PCI Columnist Walter Conway thinks you should check your contracts to know whether your service providers are doing all they can to help you become PCI compliant. He is specifically thinking about one particular PCI Requirement.

That Requirement is 12.8.2, which states that merchants need to “maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of cardholder data the service providers possess.” Some disappointing service providers seem to treat this requirement as an annoying inconvenience. They either pretend it does not exist or isn’t their problem. The result is that you, the retailer, are caught in the lurch.

Read more...

Oracle’s Larry Ellison Raked In $1.84 Billion In Compensation

July 28th, 2010

Oracle CEO Larry Ellison was the best paid executive with any public company over the last decade, pulling in $1.84 billion in compensation, according to The Wall Street Journal.

Concerned about all of the license fees you’ve paid Oracle over the years? Fear not. It’s been put to good use. You’ll be pleased to know that you helped finance several extra aircraft for Ellison. What to get the man who already owns Air Force fighter jets and an America’s Cup yacht? Oh, CIOs, you’ve given him so much already.


Information Supply Chain, What It Is And Why You Need To Start Talking About It

July 27th, 2010

Make no mistake, the number-one challenge IT teams will be faced with over the next five years is helping their business partners extract meaningful information from the yottabytes of data being shoved into their archives. And when Franchisee Columnist Todd Michaud uses the term “meaningful information,” he defines it as information used to create action.

We are at the dawn of an age where great companies will figure out how to successfully combine operational, marketing, customer service and social media data sources into systems and tools that enable the business. These firms need to clearly define their Information Supply Chain. Companies that don’t figure it out will be left out in the cold.

Read more...

Target.com Blocked, SSL Certs Blamed

July 21st, 2010

On Wednesday (July 21), Target.com’s gift-card site started the day virtually off-limits to its customers, courtesy of a “This Connection is Untrusted” warning due to an expired security certificate. Target may be the most recent example of retailers inadvertently letting their certificates expire, but it’s far from alone. Such lapses are becoming an almost weekly E-tail occurrence.

The problem is easy enough to fall into, which is the real issue. The nature of the certificates forces them to have strict expiration dates, which means that a 2- or 3-year-old certificate is likely to expire on the watch of someone other than the person who initially arranged for it.

Read more...

Liz Claiborne Shuttering The Latest Example Of The De-Prioritization Of The Physical Store

July 21st, 2010

For a retail industry populated with execs who learned their trade in pure brick-and-mortar environments, the vertical is embracing mobile and abandoning physical stores at an impressive rate. (With the infrequent exception–such as Pier 1–proving the rule.) The latest proof point comes from the announcement Tuesday (July 20) that $3 billion Liz Claiborne is shuttering the stores that bear its name.

Closing doors is one thing. But when those doors have the corporate moniker on them, it hurts. The company is keeping open its outlet stores for other brands: Juicy Couture, Lucky Brand, Kate Spade and Kensie. Legitimate pragmatic reasons exist for the move—such as Liz Claiborne’s distribution deals with JCPenney and QVC, along with its annual losses. But the decision is yet more acceptance of today’s new mobile and virtual realities. Physical stores are merely one channel today–and they are often no longer the most important.


PCI Compliance: An Updated Version Of The Newlywed Game

July 21st, 2010

Franchisee Columnist Todd Michaud has a little game he likes to play when meeting QSAs. It’s called “Is It Compliant?” In this game he provides the QSAs with a fairly common situation in his restaurants and asks them to tell him if they think it is compliant or not. It doesn’t matter if these QSAs are under contract (paid) or if he just bumped into them at an industry event. They could be doing a full audit or an assessment, providing paid-for advice or shooting the bull over a beer.

To date, Michaud has not received three answers in a row that match. He encourages StorefrontBacktalk readers to play his game at home. Find a few different QSAs and ask them some tough questions. Here are some fun ones to get you started.

Read more...

PCI Self-Assessment Questionnaires Need Some Major Updates

July 21st, 2010

While the PCI Council debates changes for its self-assessment questionnaires, PCI Columnist Walter Conway has listed some sorely needed changes. For example, how about SAQ A requiring that service providers be not merely PCI compliant, but certified as a Level 1 Service Provider?

Or requiring these merchants to have vulnerability scans to prevent the bad guys from hijacking their customers? Or how about addressing mail order/telephone order (MOTO) transactions and requiring that you cannot do MOTO and still qualify for SAQ A?

Read more...

Retailers Need To Defend Themselves In Colorado

July 19th, 2010

Corporate identity thieves are getting more ambitious by the month. In June, the FTC shut down a crime ring that created bogus companies with names that sounded similar to legitimate businesses, then opened merchant accounts to steal money from compromised payment-card accounts.

Now the state of Colorado is warning that its official business-registration records are being changed by crooks who then use the forged data to get lines of credit and steal from other businesses.

Read more...

Amazon And eBay: Growing Sideways

July 15th, 2010

When you’re a category leader in retail, you have an unavoidable problem. Someday you may run out of room to get bigger. When that happens, you may have no place to grow but sideways. That’s a challenge two online giants have dealt with in recent weeks. The different ways Amazon and eBay have decided to deal with this issue are instructive–and so are the ways they’re exactly the same.


In Amazon’s case, it’s bound to happen: Eventually there won’t be any more books, DVDs, toys, gadgets, power tools, Halloween costumes or cans of organic pumpkin for the E-tailer to offer online.

Read more...

Pier 1’s Frightening—and Frightened—Relationship With The Web

July 15th, 2010

Sometimes, retail innovation is knowing when not to play. And for $1.3 billion Pier 1 Imports, it sometimes can mean knowing when to play again. But this time around, the home furnishings chain is only going so far—and it’s not nearly far enough.

Back in 2007, after years of E-Commerce activity, the retailer shut down all of its Web activity to pour its efforts into in-store. In six weeks, though, Pier 1 is returning to the Web: as a brochure site only. You can see, but you can’t buy, unless you drive to a store.

Read more...

Retailers Need To Protect Themselves From Lying Vendors

July 14th, 2010

PCI Columnist Walter Conway is not a boxing fan, but he wants retailers to remember the fight referee’s opening instruction: “Remember to protect yourself at all times.” Why? Because, he is discovering that the number of vendors lying about PCI is soaring.

“I guess I could be diplomatic and say these vendors just don’t understand what PCI requires, but it is a bit late for that. PCI has been in effect for several years, so ignorance is no longer an excuse. That train has left the station,” he penned. “Any vendor that can’t properly describe how its application or service will impact a merchant’s PCI scope or compliance is–in this QSA’s opinion–simply not telling the truth.” Do we have examples? Oh, yes!

Read more...

Best Buy Learns What It Takes To Do Social Media

July 14th, 2010

The beauty of social media done properly is its honesty. That’s why major companies love the idea of social media much more than actually doing it. Part of the social media challenge is letting your employees share their views, which will encourage your customers to share candid views right back. This exchange creates that much-discussed customer dialogue. The problem is your employees may say things that make you uncomfortable. That’s the whole point, as Best Buy discovered with its Brian Maupin video incident. Maupin is a very creative Best Buy employee who made a wonderfully funny series of videos, including this one about a customer trying to buy an iPhone.

Upon learning that the video pointed out key weaknesses in a product it’s trying to sell (even though Best Buy is never mentioned or referenced), ridiculed customers and used colorful language, Best Buy suspended the creator. But after a huge amount of media coverage, the retailer decided not to fire Maupin, who quickly issued a statement saying he may not take his job back anyway. The social media lesson, though, is key. It’s easy to put out promotional Tweets. But when your employees truly try to create a dialogue, you need to have the stomach for it.


Visa To Acquirers: Stop Forcing PAN Retention

July 14th, 2010

Visa on Wednesday (July 14) sent a direct message to acquiring banks: Stop making retailers retain credit card information unless you want to stop servicing Visa. A key Visa security executive (Eduardo Perez, the head of global payment system security) said the brand is now merely “strongly encouraging [acquirers] to not require” retailers to store PANs but, by September, that might become an official edict.

This is an unusual twist in the ongoing saga of Visa versus the retailers. Merchant groups for years have begged for retailers to not be forced to retain PAN data and Visa typically has responded, “We don’t require that.” But Visa has now, for the first time publicly, conceded that many acquirers have indeed been requiring such data.

Read more...

JCPenney’s Destroyed Products Have To Count For Something

July 11th, 2010

How do inventory systems handle items that employees are required to intentionally destroy? That’s the problem for JCPenney, which, it turns out, is contractually obligated to throw out unsold merchandise from its American Living brand. The requirement has been part of the retailer’s deal with Polo Ralph Lauren, which designed the products, and was presumably created so the pricey products wouldn’t end up with discounters, thereby devaluing the brand. (The retailer now says the deal will be changed so unsold merchandise can be donated or liquidated, which is standard practice.)

But that leaves open the question of how a retailer’s inventory systems are supposed to deal with such oddball requirements. Every retailer deals with inventory losses: Grocers have spoiled chickens; bookstores have damaged paperbacks; and everyone has theft. Although it all gets rolled up on the balance sheet as lost inventory, accountants like to know exactly what happened. Spoiled? Stolen? Damaged? Intentionally destroyed? No matter what it is, IT had better have a transaction code. Just remember, whenever a retailer cuts a supplier deal with unusual conditions, sooner or later someone in IT will have to sort it out.


Amazon Patent’s Privacy Pratfall

July 8th, 2010

Against a backdrop of years of vigilance in protecting consumer privacy, a newly public Amazon Patent application raises a wide range of privacy concerns. The Patent Pending envisions making gift recommendations to strangers, leveraging Amazon’s legendary database of consumer data. It speaks of using third-party databases, in addition to its own, to suggest gift ideas for–in an example the Patent Pending actually uses–“single Protestant Asian women between the ages of 25 and 35 with disposable incomes greater than $50,000.”

And because Amazon’s new invention would make specific gift recommendations for anyone who asked, it raises the question of how easily crooks could go on private-data fishing expeditions, trying one gift after another to uncover personal details about their targets.

Read more...

eBay Mobile: Moving Beyond Barcode, Into VIN, OCR and Gift Cards

July 8th, 2010

When eBay purchased mobile barcode scanning application RedLaser last month, it was the start of a mobile strategy that has the auction giant moving well beyond traditional barcodes. Plans include support for 2D and 3D barcodes, QR codes, Code 128, gift card codes and, interestingly enough, car VINs (Vehicle Identification Numbers).

“Our plan is to integrate the barcode scanning capability into all of our applications and to evolve (to support) every kind of code, all of the various forms and shapes of barcodes,” said eBay Mobile VP Steve Yankovich.

Read more...

Beware Falling Into The PCI Service Provider Trap

July 8th, 2010

Under what circumstances does a retailer become a PCI service provider? What about a shopping center operator that provides telecom services that its tenants use to authorize card payments? Consider, too, a college or university that outsources its bookstores or food court to a third party that continues to use the school’s network.

In the world of PCI, service providers are different from retailers. Retailers accept payment cards for goods and services, whereas service providers help enable those transactions by storing, processing or transmitting cardholder data for the merchant, writes PCI Columnist Walter Conway. Another difference is that merchants validate their compliance to their acquirer, while service providers submit their ROCs to the card brands. In the real world, these roles may get muddled, with merchants unwittingly crossing the line and becoming service providers.

Read more...

The Spy Who Shopped Me

July 8th, 2010

When federal agents arrested a group and accused them of being Russian spies, the media quickly turned its attention to a particular spy, one Anna Chapman: a model who appeared to have been sent from Central Casting for either a James Bond film or to play Natasha in a Bullwinkle movie (she also bears a decent resemblance to Mata Hari, but this story is strange enough as is).

This Russian spy case, though, has two key elements impacting retail IT: the spies’ use of steganography to embed data in images on public Web sites, plus some blatantly bogus retail purchases that no store detected.

Read more...


Most Recent Comments

Kill All The Passwords

This article does mention, but does not give enough attention to, the fact that the attacks discussed are only feasible when the encrypted password file can be copied and subjected to an offline attack. The trick is to have authentication performed on a separate, much more strongly secured host - such as an Active Directory Domain Controller, or a Kerberos server, or a NIS+ server, or even using something as banal as an LDAP-over-SSL authentication dialog. In these environments, the odds of the "password file" being stolen and subjected to an offline attack go to near zero, and only online attacks may be carried out by the attacker. With sensible exponential backoff between failed password attempts, lockout after a modest number of failed attempts on a single account, and pattern detection, that minimum 7 character password is quite secure enough. Passwords aren't dead yet for security purposes, and they will be with us for a very long while to come for practical purposes. The trick is to employ them correctly. Read more...
The possibilities you describe are years away from being implemented at best, so for the moment passwords are an ugly reality. Luckily, password managers can easily manage hundreds of passwords of any length. The only thing a user needs to remember is the master password. It seems like an easier task to educate users on how to use password managers rather than implement complex security technology on a global basis. Read more...

Too Much Encrypt = Cyberthief Gift

Encryption should be left to the experts. This does not mean retail managers should not have a high level understanding, but they must rely on certification and vulnerability tests to validate their implementations. It also means there is an opportunity for implementation modules with clear API’s that give casual users the means for implementing secure environments. Read more...
The next argument would be to store a hash for lookup purposes. But having a hash of the PAN sitting along side the encrypted PAN opens another potential attack vector similar to the expiration date discussion we are having here -- even bigger since the hash has much more resolution than the expiration date. Read more...
The poster comments here about resistance to known plaintext attacks are, of course, correct. However, the sense I keep getting is that "these attacks aren't realistic against modern cryptosystems." They are not effective against modern cryptosystems *when those systems are implemented correctly.* The problem is, as has been pointed out here, is a lot of people don't know enough about *how* to implement the cryptosystem. They know they want to use something like AES. However, they have no sense of key management, selection of IVs, etc. Read more...
There is absolutely no value in encrypting these small fields of data in the first place. Implement RBAC and auditing and call it a day. Read more...
And I think they reinforce my point why current PCI regulations are fated to never be successful at safeguarding cardholder data, at least not while sensitive data exists unencrypted in the merchants' systems. And if we can't adequately protect every system, the bad guys will continue to prey on the weak ones. The internet makes it easy to attack thousands of sites at once. With about seven million card accepting merchants out there, the poorly protected are plentiful. Read more...
Time perhaps for a new approach to training? Time for an approach to permit questions, doubts or concerns that may arise like this to be dealt with promptly and authoritatively by industry and standards bodies to the benefit of the whole PCI community? Read more...
In crypto terminology, just because you can do a chosen-plaintext attack does not mean that you can do a key recovery attack. So even if you can build a table of valid plain-cipher pairs for expiration dates, for example, that does not mean that you can use that information to recover the key used to calculate those ciphertexts. Read more...
I'd be less concerned about the size of the input, and more concerned about the IV and the consideration of a brute force attack (or other types of cryptanalysis). Read more...
@Steve Sommers In your example, isn't the problem that you're treating the PAN as a string, then encrypting the string without using a block chaining mode (i.e. you're encrypting each block of data independently) without an initialization vector? Read more...
Where your attack can give up a bit of information is that if I know my expiration date is January 2012 and it encrypts to 1111aaaa2222bbbb, I know that every entry of 1111aaaa2222bbbb in the table will also be an encrypted expiration date of January 2012. For that matter, the same issue exists with PANs. Read more...
I was thinking similarly to Rob, however, implementing that may not be feasible for everyone. Interesting topic. Read more...
This was something we found during our R&D cycle when determining the best way to encrypt CHD in our database. Another factor that played into our decision was the encryption algorithm itself -- different algorithms work better (and some worse) on small data sets. We found that 3DES, the dominant payment industry encryption algorithm, works very poorly for small data fields due to repeatable patterns in the limited data set. Read more...
If the argument is that bigger data fields having more possible permutations are harder to decrypt, it seems logical to merge the 4 key fields (PAN, Name, Svc Code + Expiration Date) into one large field and encrypt it as one field. This avoids leaving the weak calf (expiration date) isolated for the wolves to attack. Read more...

How Free Wi-Fi Can Shut Down A Restaurant

We walk into businesses every single day that have even the ISP leaving their modem/router/AP combo device completely open. It's amazing the number of times we have been able to demonstrate complete control of their network from something as simple as my Nokia cell phone. Read more...
This is a weak link in the chain. I bet that the council, in the next set of updates, will begin to take a close look at this issue but implementing it will be another matter altogether. One thing is for sure: If the hackers know there is a weakness, they will begin to exploit it. Many already have. Read more...
Richard, I think that is a great way to handle it - especially if the franchise is concerned that it may get caught up in the risk of its franchisee. Read more...
If people fully appreciated the complexity and the risks lots fewer stores would be offering free WiFi. It is more costly up front than it looks to do it right - and is potentially devastatingly costly when done wrong. I guess we should chalk this up as survival of the fittest in the franchise space. Bryan Larkin Read more...
If the Franchise owner wants to offer free WiFi to compete with the shop across the street, then order the 'kit' with a set hardware and configuration and broadband service from the Franchise (or a recommended 3rd party provider)? Read more...
Todd, Since I have many years of experience in this area especially with pay at the table since my company was the first to make the breakthrough in successfully integrating the very first 802.11b payment terminal to an enterprise level POS system long before PCI, before anyone thought it could be done and to read that this is still taking is amazing. So I am asking myself several questions based on your article. Why is the POS plugged into a wireless router to begin with? I cannot think of any reason even for a small operation to do so, even for IP connectivity and does this not bring up a whole lot of issues for the MSP, would they not have exposure since I am assuming that the merchant is using the POS to conduct payment transactions for processing CC and DC. Guess we still have a ways to go. Read more...