Mobile technology is changing the retail landscape, offering a bevy of options for retailers to consider.
By Erin Rigik, Associate Editor.
In today’s ever-evolving world of mobile payment technology, anyone with a mobile phone can take credit card payments, from a neighbor running a garage sale to an entrepreneur building a small business. Now, this payment acceptance technology is slowing finding its way from micro-merchants to larger operations.
At the Apple Store, for example, where customers are busy purchasing iPhones and iPads, checkout stations have been eliminated and customers make payments at the point of purchase using a mobile phone.
But as new mobile technology options spring up, c-stores continue to ponder which concepts are best for them, what new technology will lead the payment reform of the future and, most of all, is the card data secure?
How It Works
Mobile payment acceptance is a way of allowing a mobile phone to accept a credit card payment using an attachment, such as a dongle—a small piece of hardware that plugs into an electrical connector on a phone or computer and acts as a key for a piece of software, so the program only runs when the dongle is plugged in.
“When using mobile payment acceptance, we can think of the dongle, sled or other form factor that plugs into the phone as the point-of-sale (POS) terminal point of interaction, and the phone itself acts as a conduit, like the cable of a wired POS terminal,” explained Troy Leach, chief technology officer, PCI Security Standards Council (PCI SSC). “The phone may also act as a register without any ability to access sensitive payment information, but to simply identify the items and calculate costs and coupons.”
Using a phone as the POS turns stores into an “endless aisle” where checkout capabilities exist right at the point of consideration, said Richard Crone of Crone Consulting LLC. He described mobile payment acceptance as “an interim step” on the way to better technology. “Retailers can eventually avoid the capital expenditure altogether by allowing customers to use their own mobile devices to check out through an app for their store,” Crone said.
But in 2012, look for more businesses to offer checkout on a phone that includes a dongle for a credit card swipe. “You could see it in movie theatres—anywhere with a long queue—to make it more efficient, or during the next holiday shopping period as an added tool that could reduce lines at checkout and increase sales,” Crone said.
But along with the convenience mobile payment acceptance offers, it can also bring new risks to the security of cardholder data. The PCI SSC in May released its “At a Glance: Mobile Payment Acceptance Security” fact sheet, which provides merchants with recommendations on partnering with a point-to-point encryption (P2PE) solution provider to securely accept payments and meet their PCI DSS compliance obligations.
As mobile technology continues to evolve, PCI SSC ensures data security remains a top priority. “We already have pieces of this framework put together in other standards like our paid transaction security (PTS) standard, and P2PE, which we just released. The fact sheet is for small merchants on how they can accept mobile payments using a smartphone or tablet by partnering with someone with a validated solution—which can be found on our Website,” said Bob Russo, general manager of PCI SSC.
Adding mobile payment acceptance is going to impact PCI compliance, Russo noted. “A lot of these devices are not encrypting this data, and so it can be stored on the device or transmitted in an unencrypted manner. This fact sheet aims to ensure retailers can take credit cards in a mobile fashion, but securely, so they can remain PCI compliant. These devices also cut down the scope of what is expected to be PCI complaint because they are, in fact, encrypting.”
The same data security threats that impact a tradition POS system also exist in the mobile field. “The new P2PE standard takes card holder data and encrypts it at the very first point and potentially minimizes the compliance validation for a merchant to accept payment cards—so it applies when you go into a retail outlet with a traditional POS, and it applies to mobile as well,” Leach said.
Retailers interested in using mobile payment acceptance should be looking for validated solutions (those are solutions listed on the PCI SSC Website), that have gone through testing against physical and logical attacks. Retailers should be using approved devices that meet P2PE standards. General requirements must be followed as well, such as making sure the service provider stays in good standing and maintains PCI compliance, and that the contract with them is valid. “We typically wouldn’t unbolt our POS terminal and put it in our pocket, but we do that with the mobile phone, so user policies and protections need to be in place in case the phone is lost,” Leach said.
A major benefit of using a P2PE solution for mobile payment security is scope reduction, meaning when properly implemented, using mobile payment acceptance could lessen the requirements for the annual merchant compliance with PCI DSS, including the cost.
Mobile at Retail
“This could be a boon for c-stores depending on the price and whether the card companies release merchants from current PCI standards. This could become more affordable if coupled with an EMV upgrade,” said Russell Gibson, manager, marketing technical services for Sinclair Oil Corp.
But as far as reducing the scope of PCI compliance, Gibson was quick to point out the phrase “may reduce” requirements. “This configuration would have to have the ability to send the inventory sold to the store’s system and send the method of payment to the network. Why not just build current PIN pads to be cellular-enabled or WiFi-enabled, or both, and use 512 bit encryption? You can accomplish the same thing without throwing out the current POS system,” he said.
Leach concurred that PCI requirements are not necessarily reduced individually, but rather the scope of systems and networks that would have previously been considered part of the cardholder data environment (CDE) are reduced. In other words, “100% of the requirements are still applicable, but the number of systems and networks is reduced because the payment card footprint has been reduced,” he said.
Merchants would simply need to show they are using a lab-tested device that encrypts all payment transactions and that no card data is exposed.
“I think mobile POS will enter our industry, but probably not on a standard cell phone,” said Scott Hartman, president and CEO of Rutter’s, a 57-store chain at the forefront of mobile technology with an award winning app. “I think it’s going to be a more robust rather than a standard mobile phone. Using a standard phone—we’d be pretty hard on it over an extended period of time, so I expect to see other types of handheld devices that use a WiFi-based network the store already has entering the industry.”
Crone noted doing a card swipe on a phone doesn’t add a lot of value to the retailer in the same way a mobile wallet solution in the retailer’s own app does. The app makes the customer contactable before, during and after the sale, and payment through that app holds everything together from a branding and merchandising standpoint.