In 2013, nearly 66 percent of US smartphone owners used their devices to help them shop, and 80 percent of smartphone owners said they want more mobile-optimized product information while they’re shopping in stores (see Figure 1). These are the sorts of statistics driving the retail-sector mobile revolution. Retailers are keenly interested in becoming more engaged with the mobile-integrated lives of their customers. At the same time retailers are embracing their own mobile devices as a kind of retail Swiss Army knife—multifunctional, powerful, yet compact and portable. With both consumers and retailers desiring more mobile integration in the retail realm, a diversity of mobile solutions has naturally emerged, perhaps most visibly the mobile point of sale.
Meanwhile, loss prevention departments are challenged with the task of how best to support their operations partners in these mobile endeavors. “It’s not a secret that customers are changing the way they shop and the way they want to use their own mobile devices when they shop. It’s a matter both of choice and of convenience,” said Mike Wiley, former senior manager of asset protection operations at The Home Depot. “Loss prevention needs to be proactive in figuring out ways to mitigate the risk that comes with these new technologies without it being too cost prohibitive.
“It’s critical to have a seat at the table from the very beginning, so we can have an idea of the sort of impact these new systems will have on loss opportunities. Being there from concept until rollout gives us the time necessary to reduce risk exposure to the company. Once a project charter is written or work development has already started, it’s much more difficult to get things changed,” advised Wiley.
“For mobile point of sale, there needs to be a real shift in thought process. Retail in general seems to be moving from a traditional front-end checkout area—one that we like to think of in loss prevention as somewhat secure—to essentially a sales-anywhere philosophy.”
“It’s not a secret that customers are changing the way they shop and the way they want to use their own mobile devices when they shop. It’s a matter both of choice and of convenience. Loss prevention needs to be proactive in figuring out ways to mitigate the risk that comes with these new technologies without it being too cost prohibitive. It’s critical to have a seat at the table from the very beginning, so we can have an idea of the sort of impact these new systems will have on loss opportunities.”
The Mobile Point of Sale Family Tree
The family of mobile point of sale solutions represents one facet of what a recent study refers to as “the ecosystem of technological capabilities, retail store attributes, and customer attitudes and beliefs.” The ground-breaking study, “Mobile Point-of-Sale and Loss Prevention: An Assessment of Risk,”was commissioned by the Retail Industry Leaders Association (RILA) and sponsored by Checkpoint Systems and Ernst & Young. Researchers John Aloysius and Viswanath Venkatesh of the University of Arkansas’ Sam M. Walton College of Business produced the report that will serve as an indispensable roadmap for operations and loss prevention departments alike while exploring the nuances of mobile point of sale deployment.e
There exist many species and subspecies of mobile point of sale solutions, because in practice, each retailer must craft a solution that fits their specific needs. There are, however, a few notably dominant varieties. Chief among these is the system in which a roaming sales associate armed with a payment-card-equipped smart device processes payments away from fixed checkout areas.
Another emerging system takes self-checkout a step further. Instead of a customer scanning and bagging merchandise at the self-checkout kiosk, they use a mobile device to scan products as they shop and bag them as they go. When finished, the customer displays the phone to the self-checkout kiosk, transferring the scanned UPCs. The customer then completes payment as normal. Retailers benefit from customer-driven automation of their operation. Customers avoid checkout lines and enjoy smartphone-enabled shopping perks, like smart price comparisons, e-coupons, and running price totals of their selections. Functionally, this system extends the autonomy granted to customers using conventional self-checkouts. The customer still scans the products, still bags them, but the process is delocalized, no longer close in time or space to the payment.
According to many retail experts, the next major shift in transaction technology will be the emergence of the mobile wallet paradigm. A customer’s smartphone is used to pay, either by third party via an encrypted broadband Internet connection or by direct radio communication between the customer’s smartphone and a store device.
“It’s our job as store operators and asset protection professionals to adapt to whatever new and innovative payment solutions are of interest to our customers,” says Wiley, “but at the same time, adopting a new technology represents a pretty big investment for retailers. We’re at the point where many applications can be simplified onto one device, making that device very convenient for consumers.”
“This technology is moving quickly, because of the competition in retail as it is today,” said the vice president of loss prevention for one major department store chain, whose company required that he remain anonymous. “If a particular retailer has a quicker, more efficient transaction that creates an enhanced customer experience, they could take away customers simply based on ease of the sale. So as the technology continues to evolve, more retailers will want to adopt it.”
RFID Non-Interaction Model
There is also a vision of a future in which, at least for certain retailers, all transactional processes are automated—a customer walks into a store, fills a bag with merchandise, and then walks out. Scanning, payment, and validation happen automatically. The transfer of ownership is so seamless, the store becomes almost like a well-stocked, well-organized, remote storage facility. Just grab what you need and get back to the rest of your life.
Of course, this speculative future won’t be possible for many retailers and won’t be desired by many more. Retailers may lose opportunities to upsell or to advertise in-store, for example. And the loss prevention challenges would be spectacularly daunting.
Integrating a conventional store with RFID-powered automated checkout has been anticipated for years, but it isn’t right around the corner, said Scott Thomas, global director of retail market development at IP security solution provider Genetec. “Ten years ago, what people thought would be on the horizon is RFID. There’d be RFID tags on everything, you’d have virtually no interaction with a salesperson, you’d put your items in your bag, and you’d show your card on the way out when your account would be automatically billed,” said Thomas. “Of course, that hasn’t happened quite as predicted, but I can see eventually there being a combination self-checkout process where people go to a kiosk, present their form of payment, and they’d be able to check themselves out of most any place. That’s doable technology, and we might start to see it in the next five-plus years.”
The major barrier to an RFID-tagged store is cost. Tags are still expensive, whether they’re reusable or disposable. They were expected to become as cheap as a penny or two apiece, but they remain in the five- to 10-cent range. “If you add a nickel to a dollar purchase, you’ve added a five percent margin,” explains Thomas, “and most of your items can’t absorb five percent. Even on a 10-dollar item, you’ve added a half percent. In some cases retailers can absorb that, in other cases it can’t.”
Thomas adds, “The other thing is implementation costs. You need RFID readers at the point of sale and RFID security systems to replace EAS antennas. And, of course, they’ll raise a whole new set of security concerns.”
Fracturing the Transaction
One unifying factor common to all of these transactional technologies is the psychological changes that come with them. For their entire lives, consumers’ checkout experiences have involved waiting in lines, waiting for employees to scan products, and then paying for them. These fundamental processes of a transaction—scanning, payment, and validation—aren’t commonly thought of as separate processes at all, since they almost always occur simultaneously and in one place.
Only after all of these steps have occurred does the consumer move the item from the mental bin labeled “store property” to the bin labeled “my property.” Consumers have strong conditioning—a lifetime’s worth—linking checkout lines and fixed registers to the transfer of property. In a very real sense, mobile point of sale breaks this conditioning, challenging a lifetime of norms, by fracturing these transactional processes and scattering them in time and in space.
“There’s a whole new grey area surrounding the point at which ownership passes from the store to the customer,” said Aloysius, associate professor of the University of Arkansas Department of Supply Chain Management and coauthor of the RILA-commissioned study. “There’s also a sense that it’s a lot less easy to validate the purchase. Some things that have been built into the transaction now have to be separate. But these are things that are outside the existing norms. It’s the kind of thing that may not be so easy to handle both from the customer viewpoint and from the employee viewpoint.”
From the consumer’s perspective, this may be a bit shocking at first, but consumers can be adaptive, and new practices quickly become norms. If the processes can be simplified or made more efficient and painless, consumers will embrace the change as a better shopping experience, having eliminated—or at least improved—one of the least pleasant aspects of shopping.
But from the retailer’s perspective, the change is much less straightforward. Many store processes are intimately tied to existing conventional checkout procedures, procedures that are time-tested and have been built iteratively, with changes made over years as necessitated by new policies and technologies. To varying degrees, mobile point of sale systems disrupt these procedures, necessitating retailers very carefully redesign them to accommodate new transactional paradigms and the new psychological paradigms that accompany them.
From the operations standpoint, this may not be as huge of a challenge as it initially seems. Since these fundamental transactional processes are linked to sophisticated data structures requiring very well-defined inputs, migrating these processes to accommodate a mobile transaction may turn out to be relatively straightforward— after all, products are still being scanned; cards are still being swiped.
But for loss prevention, the change to mobile point of sale can prove to be anything but straightforward. According to the University of Arkansas study, the change can “disrupt many of the existing loss prevention processes that are embedded in or designed around the transaction process.” Conventionally, because transaction processes happen at more or less the same time and place, transaction-related loss prevention processes can be consolidated to that same time and place. “But with mobile point of sale,” said Aloysius, “you suddenly lose all that. Take for example the model of a customer walking around a sales floor, scanning products with their cell phone. That’s the scanning component, so that’s going to happen first, and it may happen at many different locations around the store. And then they might walk up to an employee at a traditional cash register and make a payment. But what you notice is that the payment does not occur at the same time or at the same place as the scanning.
“And to layer on something to the story,” Aloysius added, “there’s a form of validation that happens when you have a traditional cash register, because remember that the store employee who conducts the transaction has the opportunity to check—maybe in great detail or maybe just superficially—on the customer’s transaction for errors, for signs of malicious acts, for any sort of anomaly. In some cases the store employee will do that, while in other cases such as self-checkout, it’s easy to have a fixed point camera over the belt so you can sync validation with the customer’s motion as they put the item in a bag.
“But with mobile you lose a lot of that. So, all of a sudden, you need to rethink processes; you need to figure out—what do I do if I can’t have a fixed point camera or if I can’t instruct my employees to look for certain signs of malicious acts? What can I do instead? And that’s the kind of problem that you can get with mobile point of sale. In a way it’s just a whole new world,” said Aloysius.
A multiplicity of loss prevention complications come with restructuring transaction processes for mobile point of sale, and for some varieties, validation can become a major challenge. “For systems where a customer is not interacting with an employee at any point, you’d have to be very cautious about validation,” said Aloysius. “It’s not impossible, but you’d probably have to build in at least the possibility of an exit check. Part of our research looked into consumers’ tolerance to these checks, and this sort of careful study of processes can be very important. For example, it surprised us that based on our surveys, people weren’t too concerned about the time it took, but privacy intrusion really did bother people. They were bringing up that stores had no right to stop them unless they believed that there was a reason to stop them. Finding out what it is about a check that bothers people lets you fine-tune the nature of the process.”
Validation becomes an increasingly important component of the transaction process not simply because it becomes disjointed from other transaction processes, but because mobile point of sale gives customers greater autonomy in the store. Greater customer autonomy is an ongoing trend in retail, as more streamlined stores and increasing consumer product knowledge—and mobile access to Internet-based knowledge—contribute to an expectation of greater shopping independence, reducing the number of employees it’s necessary to have on the floor to help customers. But there are worries that greater customer autonomy could contribute to loss, as customers who feel less watched may take opportunistic advantage of their autonomy.
“There are fears in LP about what they don’t know about these devices, and I think one of the greatest fears is they don’t know what they don’t know. There are going to be things that you and I haven’t thought about, has never entered the realm of possibility. Things that some bad guy is going to figure out and exploit. That’s when you have to pick it up and start addressing it. I think that’s the biggest fear—What else don’t we know? What else should we be worried about?” said Scott Thomas, global director of retail market development at Genetec.
One risk that goes hand-in-hand with a greater emphasis on validation is the risk of employees falsely accusing customers of theft. “Of course you don’t want employees accusing people falsely, but especially in the initial stages, there’s going to be a lot of mistakes,” said Aloysius. “Customers won’t be sure whether they’ve scanned something, they won’t quite understand the process, and there are going to be a lot of genuine mistakes. What you don’t want to do is start accusing people of malicious acts, because that’d be the surest way to kill the innovation. Just one accusation will turn into hundreds of people who hear about it or read about it and decide, ‘I don’t want to take that risk.’ During our research we did get the impression that there needs to be a lot more training, that employees weren’t quite ready for the change. They didn’t know how the system worked, and they also didn’t quite know how to handle a lot of people walking around making a bunch of mistakes.”
Loss prevention departments will need to carefully reexamine apprehension policies after deployment of a mobile point of sale system, but this won’t be the only change for LP professionals on the floor. “With loss prevention professionals, their job could become a lot more difficult,” says Aloysius, “because traditionally what you try to do is create this zone of surveillance, and that’s pretty easy in a traditional store because you just funnel people through a fixed point and then just the notion that they have to walk through this fixed point is sometimes sufficient to act as a deterrent. With mobile, especially a system where you scan and walk out without having to go through any kind of cash register, you suddenly lose all of that. There is no sense that you’re being watched, since it’s almost impossible for you to have cameras at every point in the store, especially if it’s a large footprint store with lots of aisles.”
While mobile point of sale may create substantial changes in the way lossprevention professionals go about daily work, Home Depot’s Wiley believes they’ll adapt quickly. “We need to give credit where credit is due. For loss prevention associates, adapting to change in today’s world is a daily if not hourly process,” Wiley said, “and I’d venture to say that most associates can visualize what mobile transactions might look like in the future because they’ve already gone through many of the what-if scenarios in their minds. Many LP associates might even shop with their own mobile devices. We need to realize that when and if we make big changes to processing sales transactions, it most likely won’t be a surprise. Many of them have literally grown up with smartphones and understand the technology well.”
Just as mobile point of sale systems will change the jobs of retail sales associates, they could also enable new routes of internal theft. “Talking to retailers, the first and foremost concern is the devices themselves walking out the door,” said Genetec’s Thomas, “and the second concern is fraudulent transactions. With the point of salemoving throughout the store employees can create refunds or load gift cards anywhere a camera isn’t looking at them. Likewise, if you’re a floor person and you happen to leave your mobile POS device unattended somewhere, like at a docking station, if you’re not logged off another associate could pick it up, walk into a dressing room or a bathroom and create a fraudulent transaction.”
Mobile point of sale systems may open new avenues for external loss as well. Although it is standard to encrypt mobile transaction data, one careless retailer could poison the well for everyone. “Most all retailers use some type of encryption software for mobile point of sale, but there have been some instances in the past where a retail store’s transaction data was picked off and used to create bogus credit cards, bogus return transaction data, and stealing personal pedigree information,” said the department store VP. “Encryption of any type of wireless transmission in the retail environment is of the utmost importance.”
There’s an analogous concern about the adoption of mobile wallet systems. If consumers’ mobile devices aren’t properly secured and updated, or if attackers find security holes in the mobile payment software, they’ll be able to steal customers’ account data. “It’s just like in the skimming cases, where they’re stealing credit card info by putting a false mag stripe reader on the gas pump,” said Thomas. “I think there’s a real fear that people are going to be able to get close to you, bump your phone, and get information off it. I think the first time it happens, it’ll make big news and everybody will start taking a closer look about how to guard against it. In the bigger picture though, it will be a universal problem. It won’t just happen in a store. It could happen on a subway, on the street, in a school, anyplace.” In this case, poor implementation by a single third party could threaten the adoption of the entire technology. If a story emerges in the media that causes consumers to lose trust in their mobile wallet, they’ll stop using it, which could translate into the loss of a valuable tool for retailers.
Is it the responsibility of retail loss prevention to test third-party mobile payment apps? Might a loss prevention organization award “Security Certified” stamps of approval to software that checks out? Looking to the future, if part of the loss prevention mission is to support operations, is it the job of loss preventionto predict what technologies operations may want to adopt, and protect these technologies before they are adopted, or maybe even before they are considered?
One could shed light on such questions by considering another question—What is the loss preventionresponse to the threat of organized retail crime (ORC) exploitation of mobile point of sale? The answer, according to Wiley, is the same as to any question about ORC exploiting a new technology. “We need to try to understand what opportunities might come up, or what overrides or ways to circumvent our system they might come up with. We have to get ahead of the curve. We need to embrace RILA, NRF, LPRC, and ORC taskforces around the country. We need to communicate with each other to understand what our risks are. One of my colleagues said it best—‘We all have the same criminal. We have one thing in common and that’s the same criminal.’ So we need to work on solution development internally as well as continue to support these industry groups to continue working together.”
As with any change in the retail landscape, there are widespread predictions that ORC will have great interest in mobile point of salesystems, since disrupted transaction processes may be exploitable. “We actually did some interviews with criminals, and they’re not really geared up for this change yet, so they haven’t figured out how to game the system,” said Aloysius. “One thing that they did assure us, however, is that it wouldn’t take them long. They don’t know what they’re going to do yet, but someone’s going to figure it out pretty soon. Some of the people we talked to told us that one of the major sources of information was from people who worked for retailers. That’s how they found out who’s monitoring what, where the cameras are, what times are good, and you can infer that with new innovations there’s a lot of stuff that’s invisible to them at first, so they’re going to have to go to store employees for that information.”
There is one more persistent threat, which accompanies most any decision, whether technological or not, that is epitomized in a bit of wisdom that issued from the lips of none other than Donald Rumsfeld, who said, “There are known knowns; there are things we know that we know. There are known unknowns; that is to say, there are things that we now know we don’t know. But there are also unknown unknowns; these are things we do not know we don’t know.”
Scott Thomas elaborated, “There are fears in loss prevention about what they don’t know about these devices, and I think one of the greatest fears is they don’t know what they don’t know. There are going to be things that you and I haven’t thought about, has never entered the realm of possibility. Things that some bad guy is going to figure out and exploit. That’s when you have to pick it up and start addressing it. I think that’s the biggest fear—what else don’t we know? What else should we be worried about?”
Loss Prevention Responses
“There are a lot of challenges out there,” said Thomas, “but there’s a technological answer for almost every one because that’s what technology companies do. We’re changing the landscape with technology.” As problematic as mobile point of salemay initially seem to be, it is no different from any other major shift in the retail environment insofar as the problems are almost always addressable given careful thought and deliberate execution. Maintaining control over device function, tracking the device’s location, and linking device data to surveillance camera data can address many of the worries about fraud and device misuse. Many retailers restrict mobile point of saleusage to tenured associates, disallowing temporary or holiday hires. Many also have policies in place necessitating that in-store LP associates be notified as to when and where a device will be in use.
Thorough training and well-crafted policies are really the backbone of the loss prevention reaction to mobile POS systems. As the role of LP professionals continues to shift from detective to analyst, addressing technological problems with technological solutions begins to seem easier and more natural. For example, certain mobile POS systems may give rise to greater customer autonomy, which may make customers feel less watched, which may give the impression that stealing is easier. What’s the answer? “One possibility,” Aloysius suggested, “are these devices that beep when people pass, that give you the notion that someone is watching or something’s happening. More of those types of psychological deterrents may be necessary.” Said another way, change in behavior caused by a new technology is countered by another new technology addressing the psychology of that behavior.
Mobile devices can also directly benefit loss prevention efforts. Some devices are equipped with cameras, allowing photographs or video to be recorded from them directly to serve as a forensics or tracking tool. Tracking media access control (MAC) addresses of the devices of suspected shoplifters could allow automated notification of when the device—and, therefore, the suspect—makes a return visit.
As consumers’ personal lives and retailers’ business practices become increasingly mobile-integrated, the careful deployment of mobile transaction technologies stands to benefit consumers and retailers alike. The job of loss prevention is, as always, supportive—anticipate process issues and plan accordingly. Most importantly, start work with operational partners early in the deployment process to minimize exposure to loss. New technologies will continue to increase the complexity of the systems in which loss prevention operates. There’s no choice but to embrace them, study them, and maybe celebrate them.
This article was originally published in 2013 and was updated February 23, 2016.