The Green Sheet Online Edition
March 08, 2010 • Issue 10:03:01
Let's be smart about smart phone payments
Smart phones have been around for awhile, but it was only with the surging popularity of the iPhone that these powerful devices entered the mainstream of mobile handset sales. With so many users and such a flexible platform, software developers quickly caught on almost overnight that there was a burgeoning market opportunity to deliver content, or "apps," to millions of new users around the world.
Clearly, Apple Inc. hit the sweet spot in the general market, developing a system that makes Web browsing and e-mail use as easy as making phone calls. Just as important, from VeriFone's perspective, is that unlike other smart phones, the iPhone represents a unified platform, both in form and function. Additionally, Apple, by controlling access to its App Store, maintains strict guidelines over software development.
With over 100,000 apps now available, it was inevitable that credit card acceptance solutions would appear. Leveraging the iPhone as a payment device opens up a vast audience of "micro" businesses (four or fewer employees) that, until now, have resisted payment technology in favor of cash and checks. It's estimated that 18 million businesses fit into this category, representing a tremendous opportunity for ISOs and acquirers to sign up new revenue sources.
Nonetheless, in some sense, making payments on the iPhone is a little bit like a wild frontier. Go to the App Store, and you can find over 30 payment apps. The problem is that many of the companies developing this software have little or no experience in payment security, and the user has little or no guidance on whether the payment app meets any of today's strict cardholder security requirements.
The iPhone is a great mobile platform but, in and of itself, is not a secure payment device. It wasn't built to be. It was designed to be a relatively accessible mobile platform that would appeal to the broadest segment of consumers. As this popular device establishes itself as a payment platform, there are three key considerations for those in the payments industry:
- Distribution and support
It's easy to market software these days. Whether it's through the controlled process of the iPhone App Store or less structured downloads for other platforms, software developers can find relatively low-cost methods of putting software into the hands of users.
But who is going to support those users? There's a vast distribution and support channel that can scale to meet the needs of hundreds of thousands, if not millions, of end points. Few of the companies rushing to provide payment applications have the wherewithal, the expertise or the experience to tap into this existing infrastructure. What are they going to do - refer customers to the wireless carrier or handset manufacturer?
The channel infrastructure is a key element in keeping things simple for merchants. ISOs and acquirers are able to provide their customers with simplified management of card transaction costs. Ideally, any merchant should be able to obtain one monthly bill that consolidates processor, interchange and gateway costs.
As noted earlier, there are already more than 30 payment apps for the iPhone. How is a small-business micro-merchant supposed to evaluate which option is best for his or her business?
Such a merchant is going to have to weigh a multitude of factors: Is the payment app tied to a specific gateway? Can it work with an existing merchant account, or can it help set one up? Are apps tied to a particular processor, or do merchants have to find one on their own? How do merchants make sense of interchange, basis points and fees? Can they assure their customers of security?
As with any new market segment, many players want to compete, but ultimately the field will consolidate around a select number of stronger companies that have the staying power and the resources to meet every challenge.
Growing popularity, growing threat
In payments, everything sooner or later comes down to security. Payment functionality on the iPhone is essentially a virtual terminal type of application. The app taking payment communicates with a gateway, which handles the authentication/authorization processes with processors and acquirers.
Most payment gateways evolved from an e-commerce environment where there were no physical devices present, hence the higher interchange rates for a less trusted payment process. Over time, some of these gateways acquired a level of trust with processors and acquirers that rely on them to vet the e-commerce companies they loop into the world of electronic payments.
However, adding physical devices to the online environment introduces a horse of a different color. Acquirers and processors are increasingly concerned that a proliferation of payment software on growing numbers of remote devices represents too many unknowns such as:
- Is the data captured the right way?
- Is the cardholder information secure on the device?
- Is data secure during transmission?
Security on any computer device is a moving target. As we've seen with Microsoft Corp.'s Windows operating system, the most popular systems draw the most attention from the criminals and malicious interlopers who create viruses, worms, spyware and other malware.
Mobile devices are quickly becoming the reigning computer devices of choice. Widely available and affordable wireless broadband, along with increasingly popular applications and lower-cost devices, is putting powerful computers into the hands of many. The criminal element is sure to follow.
Protecting the data
In the multilane retail segment, VeriFone is seeing increasing momentum for adoption of end-to-end encryption of card data. Frustrated by an inability to maintain or prove 24/7 fidelity to Payment Card Industry Data Security Standard requirements, larger retailers and their processors are focusing on encryption as a solution to ensure that even if a breach occurs, they won't give up the goods.
Many acquirers and processors are quickly coming to the conclusion that what works for large retailers may hold the key to resolving security for the vast numbers of Level 4 merchants. It's now up to acquirers to ensure the integrity of these smaller merchants, which is a real headache; imagine multiplying the task by a factor of 10 or greater when it comes to supporting millions of micro-merchants.
Encryption from the point of swipe ensures that any data that transits from a remote device and is transmitted over a Wi-Fi or cellular network will not be usable to any criminal that is able to intercept it. So it only makes sense to ensure that smart phones used for payments be equipped with an encrypting device that relieves merchants and acquirers from the risks of breached data.
Anybody entering this market needs to be able to isolate the security of the transaction within a device that an acquirer is able to certify. Without that confidence in the end-point, the acquirer may be unwilling to accept the risk, or will drive up rates to a level at which the risk is balanced.
VeriFone has seen tremendous interest in employing secure, mobile technology from industry professionals, as well as from merchants who have previously been unable or unwilling to accept credit card payments. There's definitely a need and desire to equip the iPhone and other smart phones with a secure but simple-to-use card acceptance solution.
Paul Rasori is Senior Vice President of Marketing with VeriFone. He can be reached at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.