Although mobile payment conversations have been “in the works” for the past decade, there’s good reason for retail VARs to get ready now for big changes happening in the near future.
We all know mobility is a hot topic that’s causing a major disruption across every vertical market. Research firm MarketsandMarkets estimates the BYOD (bring your own device) and enterprise mobility market is growing at 15 percent CAGR (compound annual growth rate) and will reach $181 billion by 2017. Additionally, the Pew Research Center says that 56 percent of all American adults are now smartphone users. With the stage set for mobile payment, what’s keeping it from going mainstream? The fact of the matter is that the mobile payments discussions have been going on for more than 10 years now, and there have been several predictions along the way suggesting mobile payment is going to take off at any moment. To avoid adding another overhyped technology trend to the list, let’s look at what reputable sources such as RSPA, Element, and VeriFone are saying about this topic and decide for ourselves whether the marketplace changes that are prompting some stakeholders to take it seriously are worth heeding.
Target, EMV Countdown Driving Major Retail POS Overhauls
Although retailer Target was but 1 of 600 breaches that occurred in 2013, the size and scope of the breach, which is less than three months behind us, will keep payment security front stage for the foreseeable future. What’s particularly relevant about this breach was that it wasn’t a failure of online security or even the cloud; rather, it highlights consumers’ vulnerability when using credit and debit payment at a brick-and-mortar POS workstation!
Europe and Canada adopted the secure “chip and PIN” (i.e. EMV, or Europay, MasterCard, Visa standard) credit and debit cards more than two years ago, while the U.S. has not yet made the move because of what some are calling a chicken-and-egg effect: Merchants don’t want to upgrade their POS terminals because they don’t see many EMV cards in use, and the reason we don’t see more EMV cards is because there are so few POS terminals in the U.S. that can read these cards. The December 2013 security breach at Target, which leaked 40 million customers’ credit and debit card information, combined with Visa and MasterCard’s October 2015 deadline to hold retailers responsible for fraud if they haven’t upgraded to EMV terminals, is making EMV a critical topic for U.S.-based VARs and retailers.
So, what does the upcoming EMV standard have to do with mobile payment? According to a 2013 survey of more than 200 retail, banking, and payment processor professionals conducted by ACI Worldwide, there’s a very close connection. Much to the surprise of those conducting the survey, nearly half (49 percent) of the respondents believed the United States’ migration to EMV will result in consumers turning away from card-based transactions in favor of mobile payments.
What PCI Security Standards Council, Industry Experts Say
Before we declare 2014 to be the definitive year mobile payment goes mainstream, however, it’s important to keep one thing in mind: The PCI (Payment Card Industry) Security Standards Council (SSC) currently has no single standard for mobile payment, and there’s no indication that a definitive standard will be released anytime soon. Does that mean retail VARs should remain in a holding pattern until that day arrives? Not at all, say the experts. “Although there are no specific requirements that have been established by the PCI SSC around mobile compliance, any merchant that is using a mobile processing solution must be PCI-compliant,” says Roy Bricker, senior VP of products and operations at Element Payment Services, a Vantiv Company. “Additionally, the PCI SSC has published two documents that VARs should become familiar with prior to choosing a mobile application, including a guide for merchants: ‘PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users’ and a guide for developers: ‘PCI Mobile Payment Acceptance Security Guidelines for Developers.’”
Both guides focus on how to protect cardholder data in a mobile environment, which includes best practices for securing cardholder data from initial point of swipe, through the mobile device, and all the way to the processor.
“An often overlooked issue when implementing a mobile payment solution relates to security compliance,” says Erik Vlugt, vice president of product marketing, VeriFone, North America. “Not only does moving to mobile create potential exposure as payment data is now transferred wirelessly, but it is also passed through a consumer electronics device that can be compromised. It is critical to implement mobile payments with a secure solution like PAYware Mobile, which encrypts the payment data immediately so that the security of the mobile device and wireless link becomes irrelevant.”
Todd Cripe, chair of the RSPA Strategic Technology Solutions Committee, concurs with Vlugt’s advice and adds, “Any solution that is transferring payment card information from a consumer’s mobile device to a merchant’s POS system runs the risk of having that data intercepted during transit. It is the VAR’s responsibility to ensure that the solutions it recommends are safe from the bad guys and that the VAR is not putting its customers at risk.”
“Encryption and tokenization are both valid approaches for safeguarding sensitive information in a mobile payment transaction,” says Cripe. “We suggest VARs work with their mobile payment vendors and ask, ‘Does the potential solution securely safeguard data at rest in the mobile device, and does the potential solution securely safeguard data in transit?’”
Why P2PE Is Key To Safe Mobile Payment Processing
In addition to avoiding mobile POS systems that transmit and/or store unencrypted cardholder data, Bricker advises retail VARs to simplify the process for end users. “Using point-to-point encryption [P2PE] at the point of entry is the best way to ensure cardholder data is never exposed and remains undecipherable by hackers,” he says. There are many P2PE solutions available with hardware devices that support encryption technology. Bricker advises VARs to do their homework and thoroughly research each solution being considered. The PCI SSC guidelines corroborate Bricker’s advice and add a few tips of their own:
“Where merchants’ mobile device hardware and software implementation cannot currently meet the guidelines documented herein, they may choose to implement a PCI-validated, P2PE solution. Implementing such a solution would include the addition of a PCI-approved point of interaction (POI) device. With the use of a validated solution, account data is encrypted by the POI, and the mobile device would simply act as the conduit through which the encrypted payment transaction is transmitted.”
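The P2PE model the guidelines describe (the POI encrypts, the mobile device is only a conduit, the processor decrypts) and Cripe’s two questions about data at rest and data in transit, shown in working code. This is an added example written for this article; it is not code from PCI SSC, Element, VeriFone, or any vendor product. Assumptions: an HMAC-SHA256 counter-mode construction with encrypt-then-MAC stands in for the AES cipher a certified POI would use, the POI key is a constructed demo value rather than an injected production key, the test PAN is a constructed input, and the token format and vault are invented for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values. A production POI holds a key injected under dual control;
# this key is derived from a fixed string purely so the example runs stand-alone.
POI_KEY = hashlib.sha256(b"constructed demo POI key, not a real key").digest()
SAMPLE_PAN = "4111111111111111"   # widely used test PAN, constructed input for the demo
SAMPLE_EXPIRY = "1225"
TOKEN_VAULT = {}                   # processor-side mapping: token -> PAN (invented for the demo)


def _derive(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the one injected key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF. This is a standard-library
    stand-in for the AES cipher a certified POI would use; the structure
    (CTR mode plus encrypt-then-MAC) is the same."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def poi_encrypt(track_data: str, key: bytes = POI_KEY) -> dict:
    """Runs inside the PCI-approved POI (the card reader). The PAN is encrypted here,
    before any byte reaches the phone or tablet."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = secrets.token_bytes(12)
    pt = track_data.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def processor_decrypt(blob: dict, key: bytes = POI_KEY) -> str:
    """Runs at the processor (inside its HSM in practice). Verifies integrity first,
    then decrypts; a blob altered in transit is rejected before decryption."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("integrity check failed: blob altered in transit")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()


def processor_tokenize(pan: str) -> str:
    """The processor returns a random token the merchant may keep for refunds or
    repeat sales; the PAN itself stays in the processor's vault."""
    token = "tok_" + secrets.token_hex(12)
    TOKEN_VAULT[token] = pan
    return token


def mobile_app_forward(blob: dict, amount_cents: int) -> str:
    """The consumer-grade device is only a conduit: it serialises the opaque blob
    plus the amount and sends it on. Everything this function can see is all that
    a compromised phone or a sniffed wireless link could see."""
    return json.dumps({"amount_cents": amount_cents, "payload": blob})


def run_transaction(pan: str, expiry: str, amount_cents: int) -> dict:
    """End-to-end P2PE flow: POI -> mobile app (conduit) -> processor -> token back."""
    blob = poi_encrypt(f"{pan}={expiry}")           # inside the POI
    wire = mobile_app_forward(blob, amount_cents)    # on the phone / wireless link
    received = json.loads(wire)
    track = processor_decrypt(received["payload"])   # at the processor
    clear_pan = track.split("=")[0]
    token = processor_tokenize(clear_pan)
    # What the merchant's device keeps at rest: the token and last four digits only.
    return {"wire": wire, "token": token, "last4": clear_pan[-4:]}


def pan_exposed(wire: str, pan: str) -> bool:
    """Data-in-transit check: does the PAN appear anywhere the mobile device handled?"""
    return pan in wire


def rejects_tampering(blob: dict) -> bool:
    """Flip one bit of the ciphertext and confirm the processor refuses the blob."""
    ct = bytearray(bytes.fromhex(blob["ct"]))
    ct[0] ^= 0x01
    altered = dict(blob, ct=ct.hex())
    try:
        processor_decrypt(altered)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    result = run_transaction(SAMPLE_PAN, SAMPLE_EXPIRY, 1999)
    print("PAN visible to the mobile device:", pan_exposed(result["wire"], SAMPLE_PAN))
    print("Merchant stores at rest:", {k: result[k] for k in ("token", "last4")})
    print("Tampered blob rejected:", rejects_tampering(poi_encrypt(SAMPLE_PAN)))
```

The two checks map directly onto the questions a VAR should put to a vendor: `pan_exposed` answers whether data in transit through the device is protected (the app and the wireless link only ever carry the opaque blob), and the `token`/`last4` record is the only thing left at rest on the device. The integrity tag is what makes the mobile OS choice irrelevant in the way Vlugt describes: a device that alters the blob cannot produce a valid tag, so the processor simply rejects the transaction.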
Which Mobile OS Should VARs Support?
One of the other mobile-payment-related challenges that makes VARs nervous is determining which mobile OS to support and/or recommend to clients. “Many experts have stated that they believe BlackBerry 10 is the most secure mobile operating system, so if security is the only consideration, BlackBerry gets the nod,” says Cripe. “If market share and financial strength are considered, however, then iOS and Android rise to the top of the list. And, although Android has received a lot of negative press about security issues, that doesn’t seem to be slowing its adoption rate. Apple’s iOS and Microsoft offer a more controlled ‘walled garden’ environment, so the argument can be made that they are inherently more secure.”
“However, all those issues become irrelevant in a P2PE environment,” says Vlugt. “By properly encrypting the cardholder data before it enters the host operating system, the VAR/merchant can choose any operating system that best fits its business goals and existing infrastructures,” he says.
Bricker concurs with this advice and adds, “A VAR should recommend a solution that supports P2PE through a secure hardware device on an operating system that meets the needs of its customers. As long as a P2PE solution is used, the mobile operating platform should not necessarily be a deciding factor for the VAR when selling/implementing a mobile payment solution.”
Mobile payment has been talked about for several years, causing some retail VARs to take a “wait-and-see” approach to adopting and recommending these solutions to customers. With the big shakeup already happening as a result of the upcoming EMV standard, this could lead to a big missed opportunity for those blinded by past skepticism. In fact, Juniper Research predicts mobile transactions will grow 400 percent over the next two years, reaching $1.3 trillion worldwide by 2015. There are multiple signs pointing to mobile payment getting ready to take off — whether that happens in 2014 or closer to the EMV mandate deadline mentioned earlier remains to be seen. However, as your retail customers are already turning their attention to updating their POS systems to achieve EMV compliance, why not take this opportunity to educate them about mobile payment as well? Even if they’re not ready to turn on this feature just yet, helping customers roll out mobile-payment-friendly POS systems will help them maximize their investments, and it will help you secure an easier upsell in the near future.