From The Editor | June 15, 2009

New Non-Profit To Take On Retailers' Payment Security Woes

Without A Queue

By John Roach, Editor, Retail Solutions Online

Amid retailer worries and confusion over cardholder data security and PCI compliance come POS payment system vendors with different products and advice — often making things worse. Retailers concerned with payment standards and data security need a measure of uniformity, not vendors offering wildly varying solutions.

"The difficulties for retailers come when one vendor heads north, another heads east, and somebody else heads south," Chris Justice, North America president for payment system supplier Ingenico, told me. "When retailers are ready to implement a POS system, they're confused about which direction to go. There's no commonality among what we're doing."

Ingenico and fellow POS payment system providers Hypercom and VeriFone have created a new non-profit organization to address retailers' confusion. The Secure POS Vendor Alliance (SPVA) aims to develop common payment security standards among vendors of secure POS devices. With membership open to all payment industry stakeholders — retailers, vendors, card brands, etc. — the SPVA also plans to increase awareness of security issues and encourage adoption of best practices.

Consensus among POS solution providers on payment security best practices is much needed and long overdue. Paul Rasori, VeriFone global marketing SVP and SPVA secretary/treasurer, concedes, "There's inconsistency even among the three major vendors who created this organization as to what we currently advise retailers to do."

The SPVA's first step was to create four technical working groups to bring together POS payment industry experts around the following topics:

  • Standardized implementation of existing security standards — to release a common interpretation of existing security standards and to foster widespread compliance
  • Security of the payment device lifecycle — to develop end-to-end lifecycle management protocols and to suggest security standards and audit procedures over development, manufacturing, supply chain, deployment, and repair
  • End-to-end encryption — to create recommended implementation guidelines for the encryption of cardholder data utilizing hardware-level security
  • Security threat analysis and intelligence — to provide education and resources for members regarding current threats and ways to mitigate them

Once the working groups develop the necessary guidelines and standards, the SPVA will establish an "SPVA approval" program for POS vendors. Technologies that meet SPVA standards will bear the SPVA logo, assuring retailers that products meet these new security recommendations.

One of the initial challenges for the SPVA will be gaining retailer acceptance of its relevance and potential. "The first reaction among some retailers is a rolling of the eyes," Rasori said. "But we want to reduce risk for the retailer versus reducing risk for the card issuer."

The NRF is cautiously optimistic about the SPVA's chances. Richard Mader, executive director of the NRF's Association for Retail Technology Standards (ARTS), supports the SPVA's initiative and sees it as complementary to its own payment industry and PCI compliance education efforts. However, he also had some advice for the alliance: "I know vendors often take the lead on these initiatives, providing the manpower and marketing, but they must always follow the lead of retailer demands. Retailers are the customers."

VeriFone's Rasori contends that retailer needs are already front-of-mind for the SPVA. "Our charter is not about creating a compliance nightmare for retailers," he said. "It's about trying to simplify their compliance and the POS payment system buying process."

The last thing cost-conscious retailers want in a tight economy is a vendor-focused sales pitch presented as payment security standards. That's why the SPVA needs to keep retailers intimately involved in its analyses and recommendations. This will lead to payment solutions that clearly offer retailers the best value. Otherwise, retailers in an already acronym-heavy industry may offer one more in judgment of the SPVA: DOA.
