Seven Tips For Building a Strong Payment Solution
By Lisa Terry
Payment has long fallen under the category of “necessary evil” for many solution providers, even when shares in the revenue stream sweetened the pot. Unfortunately, payment is only growing more complicated and is a constant moving target for security demands, continual innovation, and regulation. Emerging alternative payment solutions that skirt the credit processing system are also adding new options—and complexity.
But the good news is that payment is becoming more rewarding, as payment systems become closely intertwined with marketing and loyalty programs that represent a revenue opportunity for the solution provider as well as the merchant. There are many fronts to watch for solution providers seeking to stay on top of payment trends:
1. PCI Credibility.
Standards bodies always struggle to keep up with the pace of technology, but the issues some industry players have with The PCI Security Standards Council (www.pcisecuritystandards.org) go beyond timing. Recent events causing ire include the 2011 rescinding of mobile payment solution certification while PCI worked on recommendations, complaints from Oracle (www.oracle.com) that PCI’s data-gathering on breaches reveals vulnerabilities to hackers, and the delisting of processor Global Payments (www.globalpaymentsinc.com) by Visa after their breach—even though they were certified as compliant, which is supposed to protect participants from penalties. These and other issues have some losing trust in the organization.
For example, the Retail Solution Providers Association (www.gorspa.org) notes that PCI-SSC continually requests input from organizations like theirs, “but they are rarely listening to the input, particularly from the merchant and retail technology providers,” says Joseph Finizio, president and CEO, RSPA.
Bob Russo, general manager at the PCI Council, notes that PCI groups and task forces take into account a wide variety of viewpoints and constituents as well as forensic data to arrive at a solution. Regarding post-breach actions, “We’re concerned with the protection of data, and the standard is the best way to do that;” merchants must be able to trust the list, says Russo, and the PCI has not received any forensic data on that breach. As for collecting data, it’s a confidential process, and is critical for spotting “hacking breakthroughs,” says Troy Leach, CTO for PCI. “We have to be able to notify everyone, not have it something one vendor is privy to…No one should compete on
A more long-running criticism is the model on which PCI is based. “The card brands make all the money and reduce their expenses on the backs of the systems providers who have nothing to gain by the rules, but everything to lose if there is a problem—even if it is out of their control,” says Terry Zeigler, president/CEO of Datacap Systems (www.datacapsystems.com).
But PCI does have its supporters—and no competition in trying to standardize protection against security risks. “We believe that the PCI Security Standards Council provides significant value to the marketplace,” says Eddie Myers, president & COO of PayPros (www.paypros.com). “You can’t measure how many security breaches their guidance and recommendations have prevented.”
2. PCI and Solution Provider Culpability.
Despite all the official parties to a payment solution (bank, processor, merchant, etc.), solution providers—often several different ones—are putting in the POS, the network, the network security, the wireless network, and all the applications that integrate with POS and therefore touch the transaction. Walter Conway of StorefrontBacktalk (storefrontbacktalk.com) says the PCI Council should clarify what actions, tasks or duties (i.e., configuring firewalls, changing default passwords, and other security-related functions) would cause a reseller/integrator to be considered a service provider and therefore a participant of record in PCI compliance.
This role points to the critical need for solution provider training on compliant practices, as well as merchant training to ensure they’re doing it right, several experts note, since merchants are ultimately responsible for card data security. While some feel solution providers are by definition outside PCI culpability, “discuss this with your QSA,” advises Erik Vlugt, VeriFone (www.verifone.com) vice president of product marketing. “The QSA could determine if your duties control or could impact the security of cardholder data, which would make you a service provider.”
The PCI Council is launching a training and certification program for integrators and VARs in late summer, 2012, to address this need. The program will include online or in-person training as well as a certification fee. Successful participants will receive a certification mark for their marketing and be listed on PCI’s site. This is unlikely to impact liability, however; solution providers must ensure that their contract terms with merchants protect them, Russo says.
3. Mobile Payment Security. Mobile payment has come on fast, creating demand from traditional card-accepting merchants as well as businesses that previously have not accepted electronic payments. This growth has outpaced PCI’s ability to create guidelines. So the Council delisted merchant-facing mobile payment solutions in early 2011 while it worked on guidance. They later classified mobile payment acceptance applications into two separate categories, with those running on consumer devices not yet qualified.
“Yet, they allowed companies like Square to move forward with exactly that latter condition,” notes Datacap’s Zeigler. “It’s no small coincidence that the card brands are shareholders in Square, which certainly qualifies as a major conflict of interest and speaks again to the credibility and trustworthiness of the PCI programs.”
The dongle—also being developed by other vendors—works because data is encrypted in the peripheral (and not decrypted in the phone) and it meets hardware device standards for tamper resistance and limits on access, says Leach. The PCI Council, which formed a special interest group for mobile in 2012, is preparing a document on mobile phones, to be released in summer 2012, that will identify areas of higher risk as well as the controls available today or in the future to mitigate them. This will help explain why an encrypting dongle complies and a software-based solution currently does not. The Council has stated that consumer-facing payment solutions are outside its purview.
In the meantime, “Solution providers should support efforts to bring point-to-point encryption to mobile devices accepting card-present transactions so that cardholder data can be protected from the time of capture through the entire transaction lifecycle,” suggests Geoff Kreig, VP product management for Merchant Link (merchantlink.com).
In late April the PCI Council released additional guidance on point-to-point encryption, including a new section with merchant-focused guidance on the use of a validated P2PE solution, the scope of assessment for P2PE solutions, and guidance on scenarios where multiple acquirers are involved with a single solution.
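To make concrete why the encrypting-peripheral model described above keeps the phone out of scope, here is an added illustration (not code from the article or from any vendor it names) of a point-to-point encryption flow: the reader encrypts the track data under a key only it and the processor hold, the phone app merely relays an opaque blob, and the processor rejects any blob altered along the way. The key, the function names and the sample PAN are all constructed for the example; a real deployment would use a key-management scheme such as DUKPT rather than a fixed key.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed sample key standing in for the key injected into the reader at the
// factory. Only the reader and the processor hold it; the phone app never does.
var ReaderKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// ReaderEncrypt models the tamper-resistant dongle: track data is encrypted before
// it leaves the hardware. Output is nonce || ciphertext || GCM authentication tag.
func ReaderEncrypt(key, trackData []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, trackData, nil), nil
}

// PhoneForward is the whole job of the app on the consumer device: relay the opaque
// blob unchanged. PhoneSeesPAN checks that the cleartext PAN is not visible to it.
func PhoneForward(blob []byte) []byte { return append([]byte(nil), blob...) }
func PhoneSeesPAN(blob []byte, pan string) bool { return bytes.Contains(blob, []byte(pan)) }

// ProcessorDecrypt runs at the acquirer/gateway. The GCM tag makes a blob altered
// on the phone or in transit fail authentication instead of decrypting.
func ProcessorDecrypt(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}
```

The contrast with a software-only approach is that a mobile app doing the encryption itself would have to hold the key and see the cleartext swipe, which is exactly what pulls the consumer device into scope.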
4. Rapidly Approaching EMV. The real weak point in credit card security, many agree, is dated, inherently insecure mag stripe technology, though it’s likely to stay with us for a while, even as a backup to more secure approaches. More than 70 countries already use EMV, a card-brand-developed standard for integrated circuit chips embedded in cards. Visa is requiring U.S. acquirer processors and sub-processor service providers to support merchant acceptance of chip transactions by April 1, 2013.
Another reason to move to EMV: Starting October 1, 2012, Visa’s Technology Innovation Program will not require certain merchants to validate compliance with the PCI Data Security Standard in any year in which they log 75 percent of their Visa transactions on chip-enabled terminals that accept both contact and contactless chips as well as NFC-based mobile contactless payments. Mastercard seems to be leaning the same way, but it’s not clear what the other card brands will do.
An issue to watch is the evolving discussion on EMV’s impact on PCI compliance. Robert McMillon, VP, global security solutions at Elavon (www.elavon.com), notes that EMV is all about preventing the fraudulent use of cards and card numbers, while PCI is about securing the merchant environment to prevent data theft. But the Visa announcement creates a relationship. Merchant environments still must comply with PCI with EMV in place, notes the PCI Council’s Russo, especially since EMV still transmits data in clear text. “There are issues that need to be addressed that can only be addressed with the combination of EMV and PCI,” such as card-not-present transactions.
Another wrinkle is the possibility that in the U.S. EMV may encompass chip and signature instead of the chip and pin common elsewhere. “The situation is like Betamax versus VHS or DVD versus Blu-ray,” notes RSPA’s Finizio. “Stand back, watch and listen until a real direction becomes clear.”
Either way, solution providers will need high-level knowledge on how EMV works. “For example, the concept of offline authorizations (communication between the card and a POS system) should be understood,” suggests Henry Helgeson, Merchant Warehouse co-CEO (www.merchantwarehouse.com).
“Future security solutions should include dynamic EMV data to reduce counterfeit fraud, PIN to authenticate the cardholder, encryption to protect data in flight, and tokenization to protect data at rest,” adds Merchant Link’s Kreig.
5. Digital Wallets. Many are confident in the inevitability of the march toward digital, cardless payments, but many hurdles must be cleared to get there. Providers including VeriFone say they already have strategies to deal with one of the major ones: the need for merchants to accommodate multiple wallet formats.
Also unclear is acceptance. “A recent study said that using digital wallets would become commonplace by 2020,” notes Jeanne Aiken, director of merchandising, ScanSource POS & Barcoding (www.scansource.com). “Many people watching the trend, however, expect it to slow down due to privacy fears, lack of infrastructure and resistance from credit card companies and other entities who currently earn money in the current system.”
But there are strong reasons for digital wallets to succeed, with chips embedded in phones. “The real opportunity…is the ability to use a mobile device as a payment vehicle that can be tightly integrated into demand generation solutions utilizing social media and global positioning,” says PayPros’ Myers. “The benefit to the business will be increased sales opportunities and marketing vehicles. There is no doubt the digital wallet market will accelerate, but only with the involvement of new players in the payment transaction flow—mobile service providers like ISIS.”
6. PayPal at POS.
PayPal is growing beyond online payments to position itself as a major player in traditional and mobile POS, including digital wallets. The company is offering several different payment models, including credit, debit, check imaging, or checkout via phone number plus a PIN, as well as emailed receipts, and is piloting POS-based payment with major retailers including Office Depot, Home Depot, and OfficeMax. The possibility of lowering merchant transaction fees is a real advantage, and processing software developers are working to integrate PayPal into their offerings.
“There’s a lot of potential for PayPal,” says Merchant Warehouse’s Helgeson. “Empty-hands transactions are certainly valuable, but the lack of a revenue model for ISVs and ISOs makes me hesitant to really get behind the concept.”
7. Near-Field Communication Payment. “NFC really needs to be considered alongside EMV,” says Merchant Warehouse’s Helgeson. “Merchants are already reluctant about replacing hardware. Hitting them up for EMV then coming back a few months down the line with NFC will not work. The last thing we need to do is touch the merchant twice. By implementing both technologies now, merchants will be prepared to efficiently adapt to payment trends.”