Data Security and Evolving Payment Systems

Geolocation, QR codes and NFC are just some of the technologies changing the way people pay at retail.

By Erin Rigik, Associate Editor.

In an ever-evolving world of payment technology, there’s no time for retailers to rest on their laurels when it comes to managing data security.

Most c-store chains that are pursuing PCI compliance have taken the necessary steps, to the best of their abilities, to secure cardholder data across their entire chain.

Still, skimming remains a major threat to c-store operators, and retailers need to take steps to ensure staff are monitoring for any rogue devices.

“Certainly with all dispensers, if retailers would change the locks so there are unique locks for dispensers, as opposed to generic ones, that goes a long way,” said Russell Gibson, manager of marketing and technical services for Sinclair Oil Corp. “We also recommend that retailers do a walk around the site once a day and look at the dispensers to see if they have been tampered with or if a skimmer has been placed over the existing slot where the card goes. You can lock them up, but thieves can still put a skimmer over the card reader. It’s a lot easier to find and detect, and it’s not the preferred method that skimmers use, but as you take away options they find other options.”

Further, stores that run firewalls need to ensure those firewalls stay up. Skimmers can be attached to phone lines, inserted in between the point of sale (POS) and its card reader, or placed on the card readers themselves. Merchants can also install software that encrypts at the magnetic stripe read head, so that even if skimming occurs downstream in the magnetic stripe reader, the thief captures only encrypted data.

Enter EMV
The data security plot thickens as EMV (which stands for Europay, MasterCard and Visa, a global standard for interoperation of chip-based cards) looms over the card industry.

Visa has set October 2015 as a deadline for merchants to install EMV payment terminals in stores, and the end of 2017 as the deadline for gas stations featuring pay-at-the-pump terminals to accept EMV payment or assume the liability and cost of disputed credit card transactions.

But experts have raised concerns about whether it is even feasible for the U.S. to meet the deadlines the card brands have set for converting from magnetic stripe cards to EMV chip cards, given the magnitude of the transition. Merchants remain frustrated that EMV doesn’t do more to eliminate PCI compliance requirements altogether.

“Looking at EMV technology, which has been breached before, if they’re going to require merchants to spend a billion dollars to accept their product liability cards, why not come up with something so that when merchants spend that billion, they’re done?” Gibson said. “While the hardware may be determined as far as what the spec is, the software is not. Visa is still mulling over whether or not we are going to require PIN. That’s crazy. Why spend a billion dollars if Visa isn’t going to require a PIN?”

NACS maintains the position that PIN is essential to all transactions, to properly authenticate the person making the payment, said Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS).

Avalanche of Options
At the same time, payment itself is in flux. “Over the next five years, payments are going to change dramatically,” Taylor said. “Five years from now you won’t recognize your payment system.”

Retailers agree, and trying to forecast which technology is going to win out is one of the industry’s biggest operational challenges right now.

“We don’t even know what mobile payment is going to look like,” Gibson said. But rest assured, mobile payment is here, it’s evolving and it’s only going to grow.

Gartner Inc., an information technology research and advisory company, reported that worldwide mobile payment transaction values are expected to surpass $171.5 billion in 2012, a roughly 62% increase from the $105.9 billion in 2011. The firm also predicted that the number of mobile payment users will reach 212.2 million by the end of the year, up from 160.5 million in 2011.

PayPal, Taylor noted, has more accounts than American Express and is growing faster.

Geolocation is attracting attention, and allows customers to use a cell phone app for transactions. “I activate the app and it says, ‘You’re in this convenience store on this street, in this town, what is your pump number?’ And the customer enters the pump number and sends it to, say, Retalix, which sends the authorization request to PayPal who says, ‘Turn on pump 2.’ The customer pumps and PayPal pays the merchant. There are chains already using that and looking into using that. It’s still a fairly new convenient way to pay,” Gibson said.

Isis, the mobile commerce joint venture created by AT&T Mobility, T-Mobile USA and Verizon Wireless, last month announced the availability of the Isis Mobile Wallet in Austin and Salt Lake City, which relies on NFC (see Back Room on p. 82).

But after Apple’s iPhone 5 arrived without NFC capabilities, some in the industry began to question whether NFC would become widely adopted, since the iPhone currently has more than 33% of the market.

Then there’s Starbucks, one of the leading retailers in mobile payments, which opted to use QR codes for its mobile payment app.

So with all the options in the marketplace, where do retailers need to be focusing their attention to be on the right side of technology?

“There are a lot of opportunities. As a merchant, it behooves you to get out there and pilot, sample. There isn’t going to be one solution that fits all,” said Bill Deichler, manager, payment methods for Murphy Oil, during an educational session on the future of payments at the NACS Show in October.

Taylor agreed that even as the debate continues over whether QR codes or NFC is the wave of the future, it’s important for retailers to be prepared for both.

But what all these new technologies have in common, Taylor noted, is that standards are missing. PCATS is looking to drive that conversation from a standpoint of retailer needs and security.

Setting Standards
The PCI Security Standards Council (PCI SSC) is also working to keep these new payment channels secure. It released a set of best practices on Sept. 13 called “PCI Mobile Payment Acceptance Security Guidelines.”

The best practices aim to offer software developers and mobile device manufacturers guidance on how to include security controls in solutions that let merchants accept mobile payments safely.

Recommendations include: isolate sensitive functions and data in trusted environments; implement secure coding best practices; eliminate unnecessary third-party access and privilege escalation; create the ability to remotely disable payment applications; and create server-side controls that detect and report unauthorized access.

“Applications are going to market so quickly—anyone can design their own app today that can be used to accept payments tomorrow,” said PCI SSC Chief Technology Officer Troy Leach. “It’s our hope that in educating this new group of developers, as well as device vendors, on what they can do to build security into their design process, that we’ll start to see the market drive more secure options for merchants to protect their customers’ data.”
