Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Mobile Payments’

I was catching up on a couple trade magazines on my flight home tonight and by the end of the second one, I had come across no less than 7 stories about mobile payments and wallets. The buzz is deafening! The interesting thing though is, consumers seem indifferent. According to CatapultRPM in the latest issue of Digital Transactions, 58% couldn’t care less about paying with their phone. And many are saying consumer adoption will be slow at best. Personally, as far as mobile payments go, reaching for my back pocket to grab a card out of my wallet versus reaching for my front pocket to grab my phone requires about the same level of effort. But if I could digitize everything and ditch my analog wallet altogether, now that would be exciting.

Leave it to Apple to get it right. Instead of launching headstrong into the fray with another payment tool, they took a different approach. iOS 6 released last week with Passbook, which seems to be a nifty tool to de-clutter my wallet by storing a digital version of many of the things in my wallet. Apple will certainly be amongst the big players in the mobile payments world; with 180 million account holders with saved credit card information on iTunes, they have a huge network to leverage.

Other major players include PayPal, Google, ISIS and retailers themselves via MCX, but their solutions include very limited support at the point of sale today. These and other entrants to the space seem to be more focused on getting their piece of the transaction stream revenue pie than on providing value to merchants or consumers. In most cases, their solutions will increase the cost to the merchant without providing much value to the consumer either. To gain broad adoption, there must be real benefits for all parties.

Apple, with their focus on the non-payment side of the wallet, is positioned to offer real conveniences and drive adoption. It’s a smart strategy. I’ve had iOS 6 on my iPod Touch for a few days and even though I haven’t used Passbook just yet, I’m intrigued at what it can do, and more importantly what it might do to the leather wallet I carry.

Here’s what’s in my wallet at this very moment and my ideas for how I might pare it down with digital technology:

  1. Insurance and other non-secure ID cards – How cool would it be if you could take a card-sized photo of both sides and create a digital version of that card that allows you to “flip it” front to back, just like turning a page in an e-book. I have 5 such cards in my wallet right now that I’d love to ditch.
  2. Credit cards – It will take a while to sort out but I’m confident I’ll be able to use my digital wallet for payment.
  3. Boarding pass – Thanks to American Airlines’ mobile boarding pass app and Apple Passbook, I can eliminate the old paper boarding pass.
  4. Loyalty cards – Some of these are on my key chain, some are in my wallet… Passbook seems to require merchant participation, but I go back to the camera. 100% of my loyalty cards are barcode-based. Can I take a high enough resolution picture to use the stored image at check out? I’m going to try it for sure…
  5. Receipts – I travel a lot for work so I hang on to receipts for my expense reporting and my wallet is overflowing within two weeks of travel. Digital wallets should be able to store digital receipts and in the meantime I’m thinking my camera can help here as well. If Passbook will sort and store them I’m really getting somewhere.
  6. Business cards – Some phones can exchange contact info, but most of the time I get a card. The size is relatively standard and OCR programs exist to retrieve the data.
  7. Gym membership card and locker key – Those of you that know me know I don’t have either of those, but if I did I would darn sure want it in my phone.
  8. Driver’s license – I may always need this for TSA and the occasional policeman that pulls me over for speeding, but it’d be nice to have a different form factor. I can keep this but slide it under the case that houses my phone.
  9. Cash – While I can pay for 99% of my purchases with electronic payments, I still feel best with cold hard cash in my pocket. I just saw a nifty phone case with a money clip on Amazon…

Out of 9 things I want to eliminate from my wallet, only two or three of them are really payment-focused. This leads me to conclude that the company that wins the larger share of the “digital wallet” will be the one that focuses on the value to the consumer and lowers costs for the merchant.

So what do you think? I’d love to hear what’s in your wallet and your creative ideas for making it digital…

About 18 years ago, I facilitated a test for a pay at the table application for VeriFone. The system was extremely clunky but way ahead of its time, and only did one thing – process the payment tableside. The handheld devices were heavy and really confused the guests. During a site visit about two weeks later, I noticed most of them were gathering dust on a shelf under the POS system. The servers all agreed that while they definitely received higher tips using the handhelds, it just wasn’t worth the trouble.

Wow, have we come a long way! Now the application that the server can take to the table includes the menu, transmitting orders, payment processing and so much more. The quantum shift in our industry is a movement towards these tablet POS systems. At RSPA’s RetailNOW 2012 show, nearly all of the POS vendors were showcasing – or at least discussing – their tablet applications. Some applications resided solely on the tablet, while others used the device as an order entry point for the main POS server. They take up less space and give a cutting edge look to the POS system. The look is so sleek that while having lunch during the conference I glanced at an older POS sitting on the counter and remarked that it almost looked “old fashioned” now after seeing all of the tablets.

The one question I have of these systems is “Does it employ encryption at the swipe?” Most of the time the answer is “yes” which points to another shift in our industry. For a POS system to not include encryption at the swipe seems to me like a dangerous oversight. Combine encryption with tokenization, and you’re not only enhancing data security, you’re also effectively taking the POS system out of PCI scope. Why wouldn’t a developer go ahead and include both? Unfortunately, some make no mention of it at all.

Mobility is probably the biggest advantage of the tablet-based POS. A server can comfortably walk around the restaurant, transmit orders to the bar, kitchen or service station without ever leaving the floor. An expediter can deliver food without a trip to the workstation. I heard one example of a server ordering appetizers for a table and the dish arriving before completing the rest of the table’s dinner order! QSR locations could use the tablet for guest ordering or “line busting.” All of this translates into faster table turnover and guest satisfaction. A secure credit card transaction can also be run tableside without the guest’s credit card ever “disappearing into the kitchen.” Each application has its own approach, but I have noticed some drawbacks on some of them:

  1. One system seemed to require the guest to include the tip in the original authorization amount, which is very awkward.
  2. Some required the server to carry a printer, which seemed clunky. I trust it is only a matter of time before a truly ergonomic mobile printer is developed.
  3. Some allow the guest to sign the tablet. This facilitates signature capture but requires the server to carry two tablets, so their lifeline to the restaurant isn’t cut while the guest closes out their own ticket.

Cost is where a merchant should really examine what they are getting and the long-term impact. There are some really inexpensive, entry-level systems, but long-term operating costs should be calculated. System developers need to make revenue somewhere. There are tablet applications for less than $50 plus the cost of the tablet and card reader. This would lead me to believe that the revenue will come from a fee built into the payment processing transaction costs. Bundling the fee is a convenient and beneficial model for some, but those with higher traffic could pay much more in the long run. For security purposes, any tablet application that does not include, at a minimum, encryption at the point of swipe should be avoided. The security features may cost extra, but it is just not worth risking a breach.

One more note…two of the POS companies at the RetailNOW Show described open-architecture, cloud-based POS systems. The restaurateur would purchase a low-cost base application and then buy “add on” features from an app store. Innovative developers would then be encouraged to put their applications in the app store to participate in the revenue stream. A novel approach and it will be interesting to see if it catches on.

What are your thoughts on tablets at tables? Let us know by leaving a comment below.

When you think of digital wallets, names like PayPal, Google Wallet and Isis spring to mind. It’s been interesting watching these players position themselves to win the competition for both merchant and consumer mindshare. Each has taken a different approach, and each has had some highs and lows. Google Wallet yesterday announced a significant change to their product offering. Up until now, you were only able to take advantage of Google Wallet if you owned a Citi MasterCard. For the rest of us, no dice. As you may recall, prior to the wallet, Google had another product, known as Google Checkout. While Google Wallet holds your credit card on your phone, Google Checkout kept your card data in the cloud.

With the change, Google Wallet will now allow you to use any credit card: Visa, MasterCard, American Express or Discover. They are accomplishing this by storing your credit card in the cloud. When you store a card, a “virtual” MasterCard will be issued and stored on your phone. When a purchase is made from your phone, the charge will be against the virtual MasterCard. This ensures that merchants still receive card present rates. In the background, Google will then charge the consumer’s card of choice. The weakness, of course, remains the need for NFC phones, of which only five are available in the US.

Another change is the addition of a new security feature that allows you to remotely disable your mobile wallet on a lost phone. You need web access to do this, but it’s a step in the right direction.

So, what does this mean for the world of payments? Google has come up with a rather unique way to gain acceptance of their wallet in their battle for consumer mindshare. And, they have done it in a way that will keep merchants happy too in that they will continue to enjoy card present rates. As every merchant knows, there is a significant difference between card present and card not present rates. Google appears to be subsidizing the gap in the interest of gaining penetration. From the consumer perspective, purchases will now show up on their statements with Google as the merchant of record. What impact this will have on chargebacks or return processing remains to be seen. One thing is certain however, in the battle for the mobile wallet, Google has just raised the bar, allowing almost any card to be placed in your wallet and used wherever MasterCard PayPass is accepted.

UPDATE (8.6.12):
Over the weekend, additional information was released indicating that Google was a bit premature in their announcement. It appears that American Express has not yet reached an agreement with Google for processing cards via Google Wallet. CNET released news on Friday of an email from the VP of Social Media Communications confirming that negotiations are still underway. It’ll be interesting to see how this develops… both parties expressed interest in coming to agreement. As I mentioned above, the two-card approach Google is taking could in effect mask the consumer’s actual purchase from the card brand, making purchases appear to come from Google. While it’s not confirmed that this is the approach Google is taking, no doubt American Express is concerned about Google getting between them and the American Express cardholder. We will continue to watch and comment as this story unfolds. Meanwhile, let us know your thoughts by posting a comment below.

Fresh off the road from a busy Spring schedule of conferences and events such as the recent RIS Retail Technology Conference and MICROS Retail Conference, I reflected on some of the latest trends in retail I picked up on in various sessions, conversations and reports.

Customers are King; Mobile Use and Commerce Increasing
Mobile has placed even more power into the hands of today’s consumer, with the ability to check competitors’ prices while in store (a phenomenon known as “showrooming”) and so retailers are being forced to adopt new pricing and promotional tactics. Marketing investments are focused on mining more data and using it to provide more customized promotions to increase engagement and loyalty. To keep up with today’s tech-savvy consumers, retailers are also increasingly adopting mobile point-of-sale solutions. We’re seeing some POS providers leveraging the tablet form factor, integrating barcode scanners and mag stripe readers into handheld devices that double as a tool to offer on-demand product information to shoppers wherever they are in the store.
 
Profits Are Up; Retailers Reinvesting Again
According to the NRF Foundation’s recently released Retail Horizons: Benchmarks for 2011, Forecasts for 2012, retailers have returned to profitability after the economic downturn. The survey revealed that marketing and advertising spend is up, as well as investment in IT upgrades, e-commerce and leadership development.
 
P2PE Emerging as Key Data Security Strategy
Point-to-point encryption (P2PE) is gaining greater momentum as one of the most effective ways for retailers to secure on- and offline and mobile payments, with the added benefit of reducing PCI scope. Unfortunately, hackers continue to target retailers, with their favorite method being to target data “in transit,” as it moves through and from the merchant environment. Attackers in 2011 were more successful at harvesting data in transit than any other method, according to Trustwave’s 2012 Global Security Report. Meanwhile, the PCI Council just released updated point-to-point encryption requirements as well as a fact sheet outlining how merchants can securely accept payments using mobile devices, with actionable recommendations on partnering with a P2PE solution provider to securely accept payments and meet PCI DSS compliance obligations.

So those are a few of the key trends I’ve observed.

What are you seeing and experiencing? Share your comments and thoughts below.

From the old knuckle busters, to electronic transactions, to mobile wallets. The world of payments today is evolving at breakneck speed, with more change expected over the next few years than in the last few decades combined. At last week’s Electronic Transactions Association Annual Meeting & Expo, the message was loud and clear: keep up, remain versatile, and continue to innovate, or risk getting left behind.

Having attended the ETA show for many years, it’s interesting to experience the shift in focus. We’re not just talking about basic credit card processing anymore. For example, an exciting new wave of data mining is turning transaction data into marketing gold, providing valuable business intelligence for merchants, and a more personalized experience for consumers. It’ll be interesting to see the reaction as more of these programs are rolled out. I suspect merchants will be thrilled, but consumers may be wary given the high volume of marketing messages we are exposed to daily. But as long as these programs remain “opt-in” and provide real and relevant value, the outlook looks good.

As mobile wallets continue to evolve, which some predict will be the payment method of choice by 2020, I imagine we’ll see a shake-out with a select few companies rising to the top. As card types evolved years ago, most merchants came to accept MasterCard, VISA, American Express, Discover and Diners Club. As mobile wallet options evolve, it will be interesting to see which options become standard.

When it comes to transaction security, the focus has shifted from a technical problem to an essential and expected part of doing business. Various methods are still being discussed and debated, and this year many were wondering what EMV would mean for security.

Check out ETA’s conference highlights, photos and video here and we’ll hope to see you at the show in New Orleans next year!

Motion Computing, a leading global provider of tablet PCs and supporting mobility solutions, recently announced the availability of the Motion® CL900 SlateMate™ – the first tablet PC with an integrated magnetic stripe reader and barcode scanner. The tablet integrates Merchant Link’s TransactionShield solution to ensure cardholder data is never vulnerable while it’s being processed.
 
Following is an exclusive podcast with Mike Stinson, VP of Marketing at Motion Computing, who discusses trends in mobile point-of-sale solutions and the tablet form factor in retail environments.

With 2011 and the “Year of the Data Breach” behind us, the hospitality sector still faces a world of challenges when it comes to payment security.  As such, many in the industry are wondering what’s next when it comes to payment technology and security best practices.  The SecurityCents blog aims to answer this question and much more in a series of podcasts with experts who will shine a light on trends for the next 12 months.

Today, we are speaking with Abby Lorden, the editor-in-chief of Hospitality Technology Magazine, who provides key insights into the latest issues and product innovations hospitality providers will be focused on in 2012.


As they often say in technology, you’re not wrong, just too early… and this may be the case with the mobile wallet. Yes, the technology has been around for a while. But now that consumers have embraced their mobile devices and broadened their perspectives on payments, is it still not quite ready for primetime?

While 2012 was supposed to be the year of the mobile wallet, players like Google are still struggling to find merchants who are willing to support and embrace the new technology.  Recent attempts to hack into the Google Wallet application are not helping these players make their case.

Google Wallet requires a personal identification number (PIN) code and a phone lock screen, which the company claims provides a higher level of security than most credit cards have today.  However, this past month two incidents proved that the PIN code could be cracked.  These breaches also forced Google to discontinue the acceptance of prepaid cards.

While we know that there will continue to be a lot of hype around mobile commerce, we also clearly understand that adoption by merchants and processors will really depend on payment security.

To deny the possibility of an attack over a mobile payment network would be irresponsible.  Most merchants are awaiting further development in this area before they take that leap and adopt a mobile wallet solution.  Once the industry embraces an aggressive security strategy for mobile payments, we believe adoption by merchants will follow suit.

What do you think? Let us know by leaving a comment below.

By Yu-Ting Huang, Director, Global Product Marketing at Voltage

Regardless of whether the year 2012 will end the way the Mayans had predicted, retailers are moving forward with initiatives that can continue to grow their business. The general mood of the retailers at the National Retail Federation’s Big Show in New York earlier this month was a few rungs above cautious optimism. In addition to investing in ways to expand sales channels and understanding customer needs to increase revenues, corporations were also looking to build social stewardship into their businesses.

The buzz on the EXPO show floor was clearly about new devices that allow acceptance of mobile sales and payments, and the technologies that facilitate the management of store displays, supplies and analytics.

While the shiny new toys were eye-catching and inspiring, other aspects that are just as crucial to the success of a retail business were conspicuously missing from the conversation. I found it interesting that the security of customer data such as personal information, purchase history and preferences, and even payment data are not yet top of mind. There were a handful of vendors showing secure point-of-sale devices at the EXPO, but the coverage from the session presentations on this topic was thin.

Perhaps data security has been relegated to the “basic requirement of doing business” category and has become a non-topic. According to Visa, over 90% of both Level 1 and Level 2 merchants are PCI-DSS compliant. However, we continue to hear reports of data breaches, including the recent one from Zappos, which, incidentally, was a finalist for the ARIL Customer Service Award at the conference. (The breach notification went out to customers the day before the award luncheon.)

This goes to show that hackers never rest, and, therefore, as an industry we shouldn’t either. As we continue to invest in growing our businesses, it’s always good practice to take a moment to assess the integrity and security of what you have in place first. Making security a forefront topic in your business’ management can mean staying a step ahead of hackers, and this is where you should always strive to be.

For more information about Voltage Security visit www.voltage.com or follow them on Twitter at www.twitter.com/voltagesecurity.

By Beth McGarrity

The past few weeks have been a whirlwind of activity as we prepared for one of the biggest retail shows of the year.  More than 24,000 retailers, technology providers, suppliers and partners gathered for the retail industry’s premier event, NRF 2012.   For any professional in the retail sector, the “Big Show” is the go-to affair for networking, business development, educational opportunities and much, much more.

What is most exciting about an event like NRF 2012 is seeing, first-hand, key innovations and learning about the future of the industry.  As I walked the show floor, networked with colleagues and attended breakout sessions, several major themes resonated that will clearly shape the years ahead:

  • Developing More Customer-Centric Approaches: In today’s competitive marketplace, retailers need to better engage with customers, build stronger relationships and influence them through targeted and highly personalized communications and promotions – clearly tying back to the multi-channel theme.

  • Don’t Forget “The Brand:” In a philosophical reversal of the multi-channel approach, some thought-leaders played up the importance of brand, especially when consumers are faced with many choices and channels.  As CNBC pointed out: “Shoppers don’t think about shopping a ‘channel.’ They think about shopping, and if you’re lucky they think about shopping a specific brand.”

  • Big Data Goes Big Time: Retailers will step up their data gathering and mining processes to unleash the science behind truly influencing consumers.  This means that vast amounts of customer data, whether it is personal information, credit card data or purchasing patterns, will be collected, managed, sifted and acted upon.  While this data will certainly be used to develop more targeted marketing programs, it underscores the need for the most sophisticated data security solutions.

  • Customers Are Willing to Share: Along the lines of “big data,” many retailers are seeing that customers are actually willing to share more personal information these days. This will create the perfect storm of copious amounts of new data mining techniques and the use of algorithms for fully understanding how consumers interact with brands.

  • Going Mobile: While this one is clearly not a surprise, the development of next-generation mobile apps, and the payment security challenges that come with this new horizon, was top of mind at the event.  Convenience and efficiencies will certainly abound when retailers arm their sales associates with iPads and other mobile payment gadgets for instant credit card processing from any location within their stores.

  • Zappos Breach: The Zappos breach news certainly made waves at the event and reinforced the hard reality that data breaches can happen to any retailer. Fortunately, customer credit card numbers were not compromised because they were stored on a separate server. And, as our SecurityCents readers know, we always urge merchants to securely store all necessary payment data in a server outside of their network.

  • Columbia Sportswear: Along the lines of payment security, we were very excited to announce that Merchant Link, along with our partners Equinox Payments and Voltage Security, has implemented a cutting-edge, reliable, cloud-based solution to protect sensitive payment data.  And, retail giant Columbia Sportswear served as pilot implementation partner – implementing this solution across its nationwide retail network.

  • Protect All Points: In support of the Columbia Sportswear announcement, we also developed a unique microsite called “Protect All Points,” which highlights all the key points about this implementation.

Finally, be sure to check out the sessions from the event streamed here.  It’s almost as good as being there in person.  And, NRF has a highly active blog, so be sure to check out posts like this one that highlights digital retail trends.

The “Big Show” certainly delivered and clearly there will be many exciting times ahead for the retail industry. See you all back at the Javits Center next year!