Magazine Article | December 16, 2007

Can Payment Apps Be Secure And Functional?

Source: Innovative Retail Technologies

Payment processing providers are certainly focused on security, but they haven’t overlooked the loyalty-building power of payment applications.

Integrated Solutions For Retailers, January 2008

For the last few years, consumer payment data security has been a dramatic and compelling focus of payment processing solutions. But once a payment system's security infrastructure is shored up, retailers should refine the payment element of the POS to reflect their attempt to delight customers. Here, VeriFone veteran VP of Marketing Jeff Wakefield and IHL Consulting Group Technology Analyst Sean Alexander talk payment processing security and application value.

How do payment processing solutions drive value and provide intelligence?
Wakefield: There is a lot going on in this area, mostly related to tying loyalty and payment programs together, whether using biometrics, contactless, or alternative debit networks. These networks save the retailer substantial fees on their transaction processing and at the same time serve as a vehicle to deliver loyalty programs.

Alexander: Interfacing payment technology with loyalty data is important to both retailers and the consumer. Retailers that allow customers to pay and receive loyalty rewards with one card are on the leading edge, especially if that one card is not one of a dozen other retailer-branded cards cluttering up a consumer's wallet or keychain. Properly utilizing the data collected by a loyalty program can be a significant competitive advantage. From a retailer's perspective, identifying their best customers, knowing what those customers buy most often, and ensuring the items are always in stock is paramount. From a consumer's perspective, having discounts or rewards that apply based upon specific purchasing patterns is appealing to the consumer. That said, if a childless male customer only gets discounts on diapers, he's less likely to remain loyal than if he receives discounts on items he regularly purchases.

What's the most important thing a retailer can do to ensure the security of payment information?
Wakefield: If a retailer has not segmented the portion of its network that processes, transports, or stores payment transaction data, that is the first thing it needs to do. Doing so limits the scope of the network and systems that the PCI DSS (Payment Card Industry Data Security Standard) requirements need to be applied to — logging, intrusion detection, monitoring, etc. — which in turn will significantly reduce the costs to become and stay compliant, as well as the audit costs.

The problem with the overall payment system is that sensitive customer data must pass through retailers' systems, and in some cases be stored on retailers' systems. As long as retailers store or transmit secure customer data, organized crime will attempt to obtain it. The solution is to eliminate this data from a retailer's system without requiring any change to its system. VeriFone has developed a patent-pending technology to cryptographically mask account numbers and magnetic stripe data throughout the retailer's system with the card associations, addressing PCI compliance by rendering the card data useless to criminals if a retailer's network is breached. VeriShield DSS will require industry support to implement, but when done, will vastly simplify the PCI compliance process for retailers.

Alexander: Retailers must recognize that security is a mindset, not a solution. There are good products on the market that can assist retailers in their quest for data security. However, retailers can get in trouble when they view such products as being 'fire-and-forget' solutions rather than part of a continuing process of protecting customer data. Criminals aren't going to quit trying to acquire data, so retailers must stay vigilant and proactive.

Ultimately, who's responsible for ensuring the security of payment information?
Wakefield: If you are talking about who is responsible for the security of consumer payment data within a merchant's infrastructure, obviously it is the merchant. They are the only ones who can develop and implement cohesive solutions for data security within their environments.

However, I believe it is the responsibility of the card associations to make changes to the existing payment system so that retailers do not have to be responsible for protecting this data. They could do this by requiring end-to-end encryption of the complete transaction or using a system that utilizes one-time account numbers that have no value to criminals after the transaction is complete. VeriFone is working with the card associations and the PCI Security Standards Council to try to gain industry support to make these changes to protect the consumer as well as reduce the impact of a breach on a retailer.
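The masking approach described in the previous answer and the one-time account numbers mentioned here share one architecture: the merchant keeps only a surrogate value, and the real card number lives outside the merchant's network. The toy model below is an added example, not VeriFone's VeriShield or any vendor's code; the vault, token format and the test card number are assumptions made for illustration.

```python
"""Added example: a toy one-time-token model of the 'merchant never holds the PAN'
architecture. Not a product implementation; the PAN below is a constructed test value."""
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation, used only to sanity-check input before tokenizing."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pci_masked(pan: str) -> str:
    """Display form permitted by PCI DSS: at most first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stands in for the processor / card-association side, OUTSIDE the merchant's
    network. It holds the only copy of the token -> PAN mapping (assumed design)."""

    def __init__(self) -> None:
        self._live: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        token = secrets.token_hex(16)   # random, so it carries no information about the PAN
        self._live[token] = pan
        return token

    def is_live(self, token: str) -> bool:
        return token in self._live

    def redeem_once(self, token: str) -> str:
        # One-time semantics: the mapping is destroyed on use, so a token copied
        # from a breached merchant database cannot be replayed for a second charge.
        return self._live.pop(token)


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Everything the merchant's POS and back office are allowed to retain: the token,
    the masked PAN for receipts and disputes, and the amount. The full PAN is never stored."""
    token = vault.tokenize(pan)
    return {"token": token, "masked_pan": pci_masked(pan), "amount_cents": amount_cents}
```

A record returned by `merchant_checkout` contains nothing that reconstructs the card number, which is the property that takes the merchant's databases out of the attacker's interest and, in Wakefield's argument, out of PCI scope.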

Alexander: Ultimately it is the merchant who has the burden of operating under constraints imposed by vendors and the card associations. While only the merchant has a detailed understanding of the various applications it is running and the interfaces between them, it's reasonable and right to expect, a) vendors to offer solutions that make the merchant's job of protecting information easier rather than more difficult, and b) card associations to have a positive working relationship with vendors and merchants alike.

How have pressures to secure payment information affected retailers?
Wakefield: The response has been all over the board. Some independent fuel retailers have stopped taking debit. One national chain went back to stand-beside dial terminals to meet the Sept. 30, 2007 PCI compliance deadline for tier-one retailers. Others have looked at the costs versus the risk and decided to do nothing, but most have taken steps to become compliant and secure sensitive data.

Alexander: There were a number of merchants that felt PCI guidelines were handed down with little or no input from retailers. Many merchants felt that many of the requirements were laid out in an unrealistic time frame and were overly burdensome to the merchants. Many retailers look at the situation as simply the cost of doing business, and some have faced a financial strain in an effort to comply. Recent research has shown that the IT priorities of many retailers have shifted to PCI compliance and away from more traditional retailing activities.

What's the hottest new form of payment that retailers should be prepared for, and why?
Wakefield: For a new payment technology to be widely adopted, it must offer clear benefits to all the stakeholders involved — the consumer, merchant, financial institutions, acquirers, banks, and card brands. Consumer adoption of biometrics is very low, so widespread adoption is unlikely. Smartcards require a significant investment by the merchants, with no financial benefit to them.

Contactless offers speed of checkout for both consumers and merchants, and converting cash payments to electronic increases the fees to the financial institutions, so in this way, every stakeholder benefits. In addition, contactless support in cell phones, commonly called NFC (near field communications), will continue to drive contactless over the next several years.

Alexander: Contactless payment is beneficial to consumers in terms of speed and ease of use and to merchants in terms of its ability to shorten overall transaction time. Retailers should be prepared for any of the aforementioned to be more widely used in the future. I would be hesitant to have them heavily invest in any of the particular technologies just yet. All solutions have pros and cons for all involved. The traction each solution has is different right now, as biometric and smartcard solutions both clearly lag behind contactless. Biometrics tends to receive consumer pushback in reference to privacy concerns, and smartcards receive pushback from merchants due to the up-front investment.

What are the three most important features any retailer should look for in a payment processing solution?
Wakefield: I would have to say first, make sure it is PABP (Payment Application Best Practices) certified. Second, talk to existing users and make sure it is reliable. And finally, look for any special features required to run your business.

Alexander: The three questions I would ask are: Does it line up with my overall security strategy? Is it supported and encouraged by other industry sources? Does it help me sleep at night?