Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Mobile Payments Posts

Yesterday on the blog we reported on recent information provided by the PCI Council regarding Version 3.0 of the standards. Many in the industry are writing about it, including the well-known blogger PCI Guru, who pointed out in this post the comments Bob Russo (General Manager of the PCI SSC) made with regard to mobile devices at the point-of-sale. Russo said:

“The fact is that many consumer mobile devices simply can’t provide the level of security needed to adequately protect payment card data. In other words, they cannot create a trusted environment equivalent to the PCI DSS compliant cardholder data environment. [...] We encourage merchants and others to understand the risk of using mobile, work with their acquirer and make their own decisions about whether they want to accept that risk. [...] We’re working with others in the industry including: standards bodies, vendors, banks and processors. But we are unwilling to lower the bar for security by writing a standard that current mobile devices could meet. If we wrote a secure standard for mobile now, no consumer devices would be able to meet it.”

In essence, Mr. Russo stated in no uncertain terms that the Council does not consider Android, iOS or other tablet environments to be secure or compliant at the present time. He recommends that merchants, if they are going to use these devices, work with their acquirer to ensure that both merchant and acquirer are aware of and accept the risk being presented.

When I look at the Point-to-Point Encryption (P2PE) Solution Provider requirements, I see this as the logical point at which mobile devices will be deemed acceptable by the Council. While there are no validated P2PE solutions available today, such a solution would move the mobile device into Domain 4 as part of the segmentation between encryption and decryption environments. The Council already recommends P2PE for mobile environments in the document “Accepting Mobile Payments with a Smartphone or Tablet.”

It’s clear that the use of mobile devices as POS terminals is growing in demand. The Council will absolutely need to provide requirements about these devices in the near future. QSAs today are no doubt challenged by how they should respond to these devices being present in a merchant’s environment when preparing a ROC. A validated P2PE solution, including a point of interaction (POI) that meets all the PIN Transaction Security and Domain 1 P2PE requirements, may be the final destination.

Let’s face it, in this day and age everybody’s in a rush. I constantly find myself in a rush, and find it necessary to use my tablet for nearly everything. I never thought I’d be “that guy,” tied to technology, but here I am. I’m using my tablet to shop, make airline reservations, text, read emails, listen to music, watch movies….and the list goes on.

Targeting Tech-Savvy Guests

So as technology users go, so go the industries that serve them and want their business. Hotels specifically are trying to target and capture those business professionals who are tech savvy. Besides giving away “freebies” to these frequent travelers, hoteliers are trying to upgrade their technology within the hotel itself by increasing bandwidth, providing free internet, installing more kiosks, adopting electronic couponing and enabling their employees to be more mobile to better serve guests, among many other efforts.

Elimination of the Front Desk?

Recently at HITEC, one of the hotter topics of frequent discussion was the elimination of the front desk. The proposal is to have a fleet of employees with tablets and tablet add-on devices waiting to help guests check in. Imagine a check-in clerk meeting you as you get out of your cab, with a PMS running on their tablet. The clerk can take your payment, create your room key, and apply any number of coupons and loyalty information from your smartphone while the two of you are walking toward the elevator, to your room. Bringing the “front desk” to the guest rather than the traditional way is not that far away.

What About Credit Card Security?

Convenience and the “cool factor” are definitely great and admirable, but what about credit card security? How secure are these new devices? And do they work within the budding credit card security industry? Well, the answer is like all answers these days: “it depends.” Property Management Systems run securely on tablets today, add-on devices that encrypt data are available from nearly all device makers, and tokenization and encryption are readily available through nearly all interfaces and banks, all of which should work securely.

Recently, Merchant Link “lifted the hood” on a PMS tablet integrator and found a couple of areas for improvements that definitely would have affected PCI status. Those improvements are underway and will result in a much more secure solution. This effort was supported by many different parties including the PMS manufacturer, the tablet integrator, the encrypting device maker, and most importantly, the customer. By demanding to understand the transaction flow in detail, the customer led the effort in creating a more secure product and process.

Ultimately, we all want the quality of our stay and service enhanced and technology can help. However, as fast as technology is racing, it requires all parties to work together to create technology that not only improves and speeds up service, but does so in a way that keeps our personal and financial data safe.

In case you missed it, we presented in Motion Computing’s booth Monday afternoon at the NRF show. We demonstrated how retailers using Windows can go mobile now with the innovative SlateMate tablet with magstripe reader and barcode scanner, with no change to workflow and without sacrificing the security they need to protect payment data and comply with PCI.

Learn more by clicking on the presentation below.

I was catching up on a couple trade magazines on my flight home tonight and by the end of the second one, I had come across no less than 7 stories about mobile payments and wallets. The buzz is deafening! The interesting thing though is, consumers seem indifferent. According to CatapultRPM in the latest issue of Digital Transactions, 58% couldn’t care less about paying with their phone. And many are saying consumer adoption will be slow at best. Personally, as far as mobile payments go, reaching for my back pocket to grab a card out of my wallet versus reaching for my front pocket to grab my phone requires about the same level of effort. But if I could digitize everything and ditch my analog wallet altogether, now that would be exciting.

Leave it to Apple to get it right. Instead of launching headstrong into the fray with another payment tool, they took a different approach. iOS 6 was released last week with Passbook, which seems to be a nifty tool to de-clutter my wallet by storing a digital version of many of the things in it. Apple will certainly be amongst the big players in the mobile payments world: with 180 million account holders with saved credit card information on iTunes, they have a huge network to leverage.

Other major players include PayPal, Google, ISIS and retailers themselves via MCX, but their solutions include very limited support at the point of sale today. These and other entrants to the space seem to be more focused on getting their piece of the transaction stream revenue pie than on providing value to merchants or consumers. In most cases, their solutions will increase the cost to the merchant without providing much value to the consumer either. To gain broad adoption, there must be real benefits for all parties.

Apple, with their focus on the non-payment side of the wallet, is positioned to offer real conveniences and drive adoption. It’s a smart strategy. I’ve had iOS 6 on my iPod Touch for a few days and even though I haven’t used Passbook just yet, I’m intrigued at what it can do, and more importantly what it might do to the leather wallet I carry.

Here’s what’s in my wallet at this very moment and my ideas for how I might pare it down with digital technology:

  1. Insurance and other non-secure ID cards – How cool would it be if you could take a card-sized photo of both sides and create a digital version of that card that allows you to “flip it” front to back, just like turning a page in an e-book. I have 5 such cards in my wallet right now that I’d love to ditch.
  2. Credit cards – It will take a while to sort out but I’m confident I’ll be able to use my digital wallet for payment.
  3. Boarding pass – Thanks to American Airlines’ mobile boarding pass app and Apple Passbook, I can eliminate the old paper boarding pass.
  4. Loyalty cards – Some of these are on my key chain, some are in my wallet… Passbook seems to require merchant participation, but I go back to the camera. 100% of my loyalty cards are barcode-based. Can I take a high enough resolution picture to use the stored image at check out? I’m going to try it for sure…
  5. Receipts – I travel a lot for work so I hang on to receipts for my expense reporting and my wallet is overflowing within two weeks of travel. Digital wallets should be able to store digital receipts and in the meantime I’m thinking my camera can help here as well. If Passbook will sort and store them I’m really getting somewhere.
  6. Business cards – Some phones can exchange contact info, but most of the time I get a card. The size is relatively standard and OCR programs exist to retrieve the data.
  7. Gym membership card and locker key – Those of you that know me know I don’t have either of those, but if I did I would darn sure want it in my phone.
  8. Driver’s license – I may always need this for TSA and the occasional policeman that pulls me over for speeding, but it’d be nice to have a different form factor. I can keep this but slide it under the case that houses my phone.
  9. Cash – While I can pay for 99% of my purchases with electronic payments, I still feel best with cold hard cash in my pocket. I just saw a nifty phone case with a money clip on Amazon…

Out of 9 things I want to eliminate from my wallet, only two or three of them are really payment-focused. This leads me to conclude that the company that wins the larger share of the “digital wallet” will be the one that focuses on the value to the consumer and lowers costs for the merchant.

So what do you think? I’d love to hear what’s in your wallet and your creative ideas for making it digital…

About 18 years ago, I facilitated a test for a pay-at-the-table application for VeriFone. The system was extremely clunky but way ahead of its time, and only did one thing – process the payment tableside. The handheld devices were heavy and really confused the guests. During a site visit about two weeks later, I noticed most of them were gathering dust on a shelf under the POS system. The servers all agreed that while they definitely received higher tips using the handhelds, it just wasn’t worth the trouble.

Wow, have we come a long way! Now the application that the server can take to the table includes the menu, transmitting orders, payment processing and so much more. The quantum shift in our industry is a movement towards these tablet POS systems. At RSPA’s RetailNOW 2012 show, nearly all of the POS vendors were showcasing – or at least discussing – their tablet applications. Some applications resided solely on the tablet, while others used the device as an order entry point for the main POS server. They take up less space and give a cutting edge look to the POS system. The look is so sleek that while having lunch during the conference I glanced at an older POS sitting on the counter and remarked that it almost looked “old fashioned” now after seeing all of the tablets.

The one question I have of these systems is “Does it employ encryption at the swipe?” Most of the time the answer is “yes” which points to another shift in our industry. For a POS system to not include encryption at the swipe seems to me like a dangerous oversight. Combine encryption with tokenization, and you’re not only enhancing data security, you’re also effectively taking the POS system out of PCI scope. Why wouldn’t a developer go ahead and include both? Unfortunately, some make no mention of it at all.
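To make the “encryption at the swipe plus tokenization” point concrete, here is an added example that is not from this post or from any Merchant Link or vendor product. It models the three parties the paragraph describes: an encrypting card reader that shares a key with the gateway (a toy HMAC-based stream cipher with an integrity tag stands in for the DUKPT-style encryption real readers use), a gateway that decrypts the swipe, vaults the PAN and returns a token, and a tablet POS that never holds the key and journals only the token, last four digits and amount. A small Luhn-filtered PAN scanner, the kind of detective check an assessor might run over POS storage, shows that the POS journal contains no cardholder data. The class names, the `tok_` token format and the test PAN 4111 1111 1111 1111 (the standard Visa test number, not a real card) are all constructed for this example.

```python
import hashlib
import hmac
import json
import re
import secrets
import string

# --- Detective check: does a blob of POS data contain a clear-text PAN? ---
# Coarse pattern (constructed for this example): 13-19 digits, optionally
# separated by spaces or dashes, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check digit validation, used to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid candidate PANs found in text (separators stripped)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream (HMAC-SHA256 in counter mode); stand-in for real reader crypto."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SwipeReader:
    """Encrypting reader: the only component that ever sees the PAN in clear."""

    def __init__(self, key: bytes):
        self._key = key                      # shared with the gateway, never the POS

    def swipe(self, pan: str) -> dict:
        nonce = secrets.token_bytes(16)
        pt = pan.encode()
        ct = bytes(a ^ b for a, b in zip(pt, _keystream(self._key, nonce, len(pt))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).hexdigest()  # encrypt-then-MAC
        return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag, "last4": pan[-4:]}


class Gateway:
    """Decrypts swipe blobs, keeps PANs in its own vault, hands the POS a token."""

    def __init__(self, key: bytes):
        self._key = key
        self._vault = {}                     # token -> PAN, lives only here

    def tokenize(self, blob: dict) -> str:
        nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
        expected = hmac.new(self._key, nonce + ct, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("swipe blob failed integrity check")
        pan = bytes(a ^ b for a, b in zip(ct, _keystream(self._key, nonce, len(ct)))).decode()
        alphabet = string.ascii_letters + string.digits
        token = "tok_" + "".join(secrets.choice(alphabet) for _ in range(16))
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount: str) -> dict:
        pan = self._vault.get(token)
        if pan is None:
            return {"approved": False, "amount": amount, "last4": None}
        return {"approved": True, "amount": amount, "last4": pan[-4:]}


class TabletPOS:
    """The POS holds no key and journals only the token, last four and amount."""

    def __init__(self, gateway: Gateway):
        self._gateway = gateway
        self.journal = []

    def sale(self, blob: dict, amount: str) -> dict:
        token = self._gateway.tokenize(blob)          # blob is forwarded, not stored
        auth = self._gateway.charge(token, amount)
        record = {"token": token, "last4": blob["last4"],
                  "amount": amount, "approved": auth["approved"]}
        self.journal.append(record)
        return record

    def dump(self) -> str:
        """Everything the POS would persist to disk."""
        return json.dumps(self.journal)


def demo():
    key = secrets.token_bytes(32)            # provisioned into reader and gateway only
    reader, gateway = SwipeReader(key), Gateway(key)
    pos = TabletPOS(gateway)
    blob = reader.swipe("4111111111111111")  # standard test PAN, not a real card
    record = pos.sale(blob, "42.50")
    return record, pos.dump()


if __name__ == "__main__":
    rec, journal = demo()
    print(rec)
    print("clear-text PANs in POS storage:", find_pans(journal))
```

Because the POS keeps only the token, a later tip adjustment or refund can be run against `gateway.charge(token, ...)` without the card ever being re-read, which is the scope reduction the paragraph is after; the same `find_pans` scanner run over a journal that logged the raw swipe would flag the PAN immediately.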

Mobility is probably the biggest advantage of the tablet-based POS. A server can comfortably walk around the restaurant and transmit orders to the bar, kitchen or service station without ever leaving the floor. An expediter can deliver food without a trip to the workstation. I heard one example of a server ordering appetizers for a table and the dish arriving before the rest of the table’s dinner order was complete! QSR locations could use the tablet for guest ordering or “line busting.” All of this translates into faster table turnover and guest satisfaction. A secure credit card transaction can also be run tableside without the guest’s credit card ever “disappearing into the kitchen.” Each application has its own approach, but I have noticed some drawbacks in some of them:

  1. One system seemed to require the guest to include the tip in the original authorization amount, which is very awkward.
  2. Some required the server to carry a printer, which seemed clunky. I trust it is only a matter of time before a truly ergonomic mobile printer is developed.
  3. Some allow the guest to sign the tablet. This facilitates signature capture but requires the server to carry two tablets, so their lifeline to the restaurant isn’t cut while the guest closes out their own ticket.

Cost is where a merchant should really examine what they are getting and the long-term impact. There are some really inexpensive, entry-level systems, but long-term operating costs should be calculated. System developers need to make revenue somewhere. There are tablet applications for less than $50 plus the cost of the tablet and card reader. This leads me to believe that the revenue will come from a fee built into the payment processing transaction costs. Bundling the fee is a convenient and beneficial model for some, but those with higher traffic could pay much more in the long run. For security purposes, any tablet application that does not include, at a minimum, encryption at the point of swipe should be avoided. The security features may cost extra, but it is just not worth risking a breach.

One more note: two of the POS companies at the RetailNOW Show described open-architecture, cloud-based POS systems. The restaurateur would purchase a low-cost base application and then buy “add-on” features from an app store. Innovative developers would then be encouraged to put their applications in the app store to participate in the revenue stream. A novel approach, and it will be interesting to see if it catches on.

What are your thoughts on tablets at tables? Let us know by leaving a comment below.

When you think of digital wallets, names like PayPal, Google Wallet and Isis spring to mind. It’s been interesting watching these players position themselves to win the competition for both merchant and consumer mindshare. Each has taken a different approach, and each has had some highs and lows. Google Wallet yesterday announced a significant change to their product offering. Up until now, you were only able to take advantage of Google Wallet if you owned a Citi MasterCard. For the rest of us, no dice. As you may recall, prior to the wallet, Google had another product, known as Google Checkout. While Google Wallet holds your credit card on your phone, Google Checkout kept your card data in the cloud.

With the change, Google Wallet will now allow you to use any credit card: Visa, MasterCard, American Express or Discover. They are accomplishing this by storing your credit card in the cloud. When you store a card, a “virtual” MasterCard will be issued and stored on your phone. When a purchase is made from your phone, the charge will be against the virtual MasterCard. This ensures that merchants still receive card-present rates. In the background, Google will then charge the consumer’s card of choice. The weakness, of course, remains the need for NFC phones, of which only five are available in the US.

Another change is the addition of a new security feature that allows you to remotely disable your mobile wallet on a lost phone. You need web access to do this, but it’s a step in the right direction.

So, what does this mean for the world of payments? Google has come up with a unique way to gain acceptance of their wallet in their battle for consumer mindshare. And they have done it in a way that will keep merchants happy too, in that they will continue to enjoy card-present rates. As every merchant knows, there is a significant difference between card-present and card-not-present rates. Google appears to be subsidizing the gap in the interest of gaining penetration. From the consumer perspective, purchases will now show up on their statements with Google as the merchant of record. What impact this will have on chargebacks or return processing remains to be seen. One thing is certain, however: in the battle for the mobile wallet, Google has just raised the bar, allowing almost any card to be placed in your wallet and used wherever MasterCard PayPass is accepted.

UPDATE (8.6.12):
Over the weekend, additional information was released indicating that Google was a bit premature in their announcement. It appears that American Express has not yet reached an agreement with Google for processing cards via Google Wallet. CNET released news on Friday of an email from the VP of Social Media Communications confirming that negotiations are still underway. It’ll be interesting to see how this develops; both parties expressed interest in coming to an agreement. As I mentioned above, the two-card approach Google is taking could in effect mask the consumer’s actual purchase from the card brand, making purchases appear to come from Google. While it’s not confirmed that this is the approach Google is taking, no doubt American Express is concerned about Google getting between them and the American Express cardholder. We will continue to watch and comment as this story unfolds. Meanwhile, let us know your thoughts by posting a comment below.

From the old knuckle busters, to electronic transactions, to mobile wallets. The world of payments today is evolving at breakneck speed, with more change expected over the next few years than in the last few decades combined. At last week’s Electronic Transactions Association Annual Meeting & Expo, the message was loud and clear: keep up, remain versatile, and continue to innovate, or risk getting left behind.

Having attended the ETA show for many years, it’s interesting to experience the shift in focus. We’re not just talking about basic credit card processing anymore. For example, an exciting new wave of data mining is turning transaction data into marketing gold, providing valuable business intelligence for merchants, and a more personalized experience for consumers. It’ll be interesting to see the reaction as more of these programs are rolled out. I suspect merchants will be thrilled, but consumers may be wary given the high volume of marketing messages we are exposed to daily. But as long as these programs remain “opt-in” and provide real and relevant value, the outlook looks good.

As mobile wallets continue to evolve, which some predict will be the payment method of choice by 2020, I imagine we’ll see a shake-out with a select few companies rising to the top. As card types evolved years ago, most merchants came to accept MasterCard, VISA, American Express, Discover and Diners Club. As mobile wallet options evolve, it will be interesting to see which options become standard.

When it comes to transaction security, the focus has shifted from a technical problem to an essential and expected part of doing business. Various methods are still being discussed and debated, and this year many were wondering what EMV would mean for security.

Check out ETA’s conference highlights, photos and video here and we’ll hope to see you at the show in New Orleans next year!

Motion Computing, a leading global provider of tablet PCs and supporting mobility solutions, recently announced the availability of the Motion® CL900 SlateMate™ – the first tablet PC with an integrated magnetic stripe reader and barcode scanner. The tablet integrates Merchant Link’s TransactionShield solution to ensure cardholder data is never vulnerable while it’s being processed.

Following is an exclusive podcast with Mike Stinson, VP of Marketing at Motion Computing, who discusses trends in mobile point-of-sale solutions and the tablet form factor in retail environments.

As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet. Yes, the technology has been around for a while. But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology. Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today. However, this past month two incidents proved that the PIN code could be cracked. These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible. Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution. Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

by Beth McGarrity

There’s been a lot of talk recently about mobile payment systems; without a doubt they’re the next big thing. Imagine being able to bump iPhones with the farmer selling apple cider at her roadside stand, or not having to carry a stack of bills to pay for that playset you found on Craigslist because you can swipe your credit card on the seller’s Android and the transaction is complete.

While these scenarios sound vaguely like the stuff of science fiction, companies like PayPal and Square have issued the first salvo in the mobile payments revolution. PayPal is focusing on Bump’s aptly named bumping technology, whereas Square, founded by Twitter’s Jack Dorsey, uses a simple attachment so that users can swipe their credit cards at any point of sale from an art gallery to a weekend garage sale, effectively turning anyone and everyone into a merchant.

Even though these technologies are relatively new, they are being adopted at lightning speed; it’s not just micro merchants or weekend vendors who are making use of them. Starbucks has launched a gift card upload capability so that coffee drinkers can pay for their purchases with their phones. And Bank of America and US Bancorp, in conjunction with Visa, are piloting mobile payments programs in the New York area.

It’s interesting to see how these technologies are being perceived and adopted. On the one hand, mobility is a highly valued attribute and likely to attract consumers to brands; on the other, as consumers have become savvier about protecting their information assets, they are more hesitant to embrace these technologies. Their fears are well-founded: a credit card physically handed over can be skimmed in a magnetic stripe scam, stored data can be mined during transmission or storage, or, worse still, the mobile device that hosts the payment chip can be lost.

While it is true that there are myriad security concerns, it’s great to see that all the articles linked to in this post acknowledge security as a major factor in the success of mobile payment technologies, and that the companies who are pioneering the technology are building in security from the ground up. Whether they are retail giants or micro sellers, retailers owe it to their customers to work with providers and processors who exhibit security best practices.
