The Green Sheet Online Edition
March 26, 2012 • Issue 12:03:02
Security and the changing face of the POS
New payment methods, including an expanding range of mobile wallets, are being trumpeted by the day. Older methods, too, such as the Europay/MasterCard/Visa (EMV) chip technology, widely accepted just about everywhere except in the United States, have the formidable backing of major card brands Visa Inc. and MasterCard Worldwide.
The good news is that POS hardware and software are increasingly versatile in the payment acceptance and value-added capabilities they offer. For acquirers, ISOs and merchant level salespeople (MLSs) evaluating this evolving mix of options, the critical task is to help ensure that the solutions they deliver not only offer added convenience and benefits for merchants and shoppers, but also provide the requisite data protection.
Encroachments on many fronts
At the Mobile Payments Conference hosted by Mobile Marketing and Technology in San Jose, Calif., March 8 and 9, 2012, Ben Love, Vice President, Mobile Strategy at Vantiv LLC, told the audience he'd just counted more than 90 mobile wallets either in development or on the market; back in July 2011, he'd counted just 31.
Recently, online payment powerhouse PayPal Inc. publicized a new POS offering that integrates PayPal payments with existing physical POS equipment. As of this writing, The Home Depot USA Inc. is rolling out PayPal's POS at 2,000 Home Depot locations nationwide. When a merchant's POS system is equipped with PayPal POS software, a customer can initiate payment at checkout by swiping a PayPal prepaid card or by entering a phone number and PIN that connect to the customer's PayPal account.
Also, on March 15, PayPal introduced a new dongle designed to enable small businesses to accept payments using smart phones in much the same way Intuit Inc.'s GoPayment and Square Inc.'s Square solutions work.
Meanwhile, Visa, MasterCard and Discover Financial Services are now mandating merchant EMV adoption in the United States, with a liability shift for fraudulent transactions to merchants who do not comply by the final deadline, which Visa set at 2015 for most merchants and 2017 for the petroleum sector.
On the card versus in 'the cloud'
EMV technology embeds a microchip in a credit card for secure payments at the POS. Combining EMV on cards or smart phones with near field communication (NFC) technology, a short-range, low-power radio link, creates a contactless payment method. Because EMV is hardware-based, it requires an investment in new cards by card issuers and in new POS terminals by merchants and acquirers.
PayPal software can be downloaded by the merchant for free and loaded directly onto the merchant's POS equipment. Generally, no new hardware and often no card are needed for implementation. PayPal uses both tokenization and encryption to secure information.
Security a central issue
The differences in the technologies are important. EMV's hardware-based approach protects personal information through highly secure encryption techniques. Customers hold onto their own information because the personal and financial data is stored in their cards or phones.
PayPal's POS solution is software-based. Personal information is collected, encrypted and stored in large warehouses of remotely located computers collectively called "the cloud." PayPal retains responsibility for securing the information.
Paul Coppinger, President of Apriva's POS division, said cloud-based security solutions work best in the mobile environment because "the cloud allows for tighter control of consumer information without leaving the merchant PCI scope." When it was founded, Apriva's inaugural project was to create a communication system for the U.S. government that allows secure mobile transmission of classified information.
Coppinger said the federal government's system was more difficult than building a secure payment system, and that the assignment helped shape Apriva so that security is systemic and central to everything it does - a critical factor to consider when looking for POS solutions for merchants.
PayPal and security concerns
At a Feb. 15, 2012, Goldman Sachs conference in San Francisco, Jim McCarthy, Global Head of Product at Visa, was quoted as saying he doesn't believe the PayPal POS system is secure. PayPal vigorously disputed the accusation.
Jennifer Kent, Research Analyst with Parks Associates, a Dallas-based market research and consulting company, is well versed in payment technology and recently co-authored a white paper for Parks Associates titled Mobile Payment - Stepping into Uncharted Territory.
Kent told The Green Sheet that much of the criticism leveled at PayPal's POS solution may have more to do with the competitive environment of the marketplace than real concerns with PayPal security. She pointed out that for PayPal (which also encrypts data) to even be on a POS system, it must be Payment Card Industry (PCI) Data Security Standard (DSS) compliant.
"PayPal has to follow stringent rules to go in a POS," she said. "Peace of mind comes from the stringent rules they have to follow. I think Visa's criticism is just a competitor trying to undercut the competition using security."
The 'cloud' as target
Kent added that PayPal may be more of a security risk, not because it does a bad job of protecting its data, but because its millions of users and the vast amount of user data locked in the cloud are more of a target than the EMV information kept on individual consumer credit and debit cards or smart phones.
Anuj Nayar, PayPal Director of Communications, believes PayPal at the POS brings a new paradigm to payments because of the way it leverages the Internet. "We've taken the wallet out of the device and put it in the cloud," he told The Green Sheet, adding that providing security at the consumer level is what PayPal does.
Nayar pointed out that PayPal has been in business 13 years without a significant data breach and that the PayPal POS solution is already PCI compliant because none of the data is stored with the merchant.
"Our solution is not indexed to a credit card number," he said. "Everything at the POS is masked like on an ATM. When you do a transaction, you get a receipt right away, so if somebody else is using your information you would know right away."
Gary Glover, Director, Security Assessment for SecurityMetrics Inc., said that a "somewhat disturbing difference" between a PayPal POS transaction and an EMV transaction is that "the PayPal transaction is done with a very 'public' piece of information, a phone number. An EMV transaction is done with a probably very private account number that is in my wallet, and then a PIN."
He then described how he could "shoulder surf" at The Home Depot and learn someone's PIN, and if he knew who the customer was or could find that out fairly easily (for example, by overhearing the person's name or by seeing a piece of mail in the person's cart), then all he would need is that person's phone number to make a transaction.
"It's fairly easy to find a phone number on the web if you have a name and general location or something you can use to pinpoint - Facebook friend with phone listed, etc.," he said.
Chip, no PIN
Kent noted that EMV payments are not a significant security threat. "You input a PIN to share information. EMV contact payments were developed with the traditional payments model in mind," she said. "The players who developed EMV are thinking about PCI compliance. They have a legal responsibility if somebody cracked the chip design."
Visa is confident in the EMV chip to the point where it believes customer input of the PIN isn't necessarily a requirement for security. Stephanie Ericksen, Visa's Head of Authentication Product Integration, said in a January 2012 company blog, "In the U.S., we can rely on online processing where transactions are transmitted in real-time to the issuer for approval. With that in place, there's no need for the offline authentication that was the genesis of chip-and-PIN.
"In the longer term, we expect the industry will reduce or even eliminate its use of static verification methods, such as signature and PIN in favor of new and dynamic forms of cardholder verification."
Andy Chau, President and Chief Executive Officer of terminal manufacturer PAX Technology Inc., said at the recent Mobile Payments Conference that he believes eventually no PIN will be needed for EMV transactions in the United States.
Lack of trust in NFC
The game changes when EMV is paired with NFC. "The customer needs a little more trust in the technology," Kent said. She believes people are not familiar with the NFC radio-based communication and so have not developed a trust in the technology. "They have a ways to go with consumer education," she said. "There is a fear of the unknown. The onus is on the company to prove the security of chips and technology."
Kent believes the acceptance of NFC in payments will come when consumers begin using NFC outside of the typical retail payment environment, for example, when boarding a bus, picking up a rental car or obtaining information from a quick response code on an advertisement.
"If players have a stake in using NFC for nonpayment applications, it lowers the barrier to acceptance," she said. "That being said, it only takes one large security breach to cause a significant setback for everyone involved."
Doug Clare, a Vice President of Fraud Solutions at Fair Isaac Corp., an analytics and consulting firm working in the financial services industry, told The Green Sheet the authentication credentials used by EMV adequately secure transactions. "If the EMV transaction is compromised either in a contact or contactless transaction, it does not compromise the integrity of the entire card," he said. "EMV creates new credentials every time the card is authenticated."
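The property Clare describes, a fresh credential for every authorization so that a captured one is useless when presented again or altered, in a constructed Python sketch added here (not from the article, Fair Isaac or any card network; the key, PAN and amounts are placeholders, and an HMAC stands in for the real EMV cryptogram and session-key derivation):

```python
import hashlib
import hmac
import struct

# Constructed simplification of EMV's per-transaction cryptogram (stand-in for the
# ARQC): the chip holds a per-card key and an Application Transaction Counter (ATC)
# and MACs each transaction, so every authorization carries a fresh credential.

def cryptogram(key, pan, atc, amount_cents, unpredictable_number):
    data = pan.encode() + struct.pack(">IQI", atc, amount_cents, unpredictable_number)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]

class Card:  # chip side: key never leaves the card, counter advances per use
    def __init__(self, pan, key):
        self.pan, self._key, self.atc = pan, key, 0

    def authorize(self, amount_cents, unpredictable_number):
        self.atc += 1
        mac = cryptogram(self._key, self.pan, self.atc, amount_cents, unpredictable_number)
        return {"pan": self.pan, "atc": self.atc, "amount": amount_cents,
                "un": unpredictable_number, "mac": mac}

class Issuer:  # host side: recomputes the MAC and refuses stale or reused counters
    def __init__(self):
        self.keys, self.last_atc = {}, {}

    def enroll(self, pan, key):
        self.keys[pan], self.last_atc[pan] = key, 0

    def verify(self, req):
        key = self.keys.get(req["pan"])
        if key is None:
            return "declined: unknown card"
        expected = cryptogram(key, req["pan"], req["atc"], req["amount"], req["un"])
        if not hmac.compare_digest(expected, req["mac"]):
            return "declined: cryptogram mismatch"  # amount or other field altered
        if req["atc"] <= self.last_atc[req["pan"]]:
            return "declined: replayed counter"     # captured credential reused
        self.last_atc[req["pan"]] = req["atc"]
        return "approved"

def demo():
    key = b"constructed-demo-card-key"  # placeholder, not a real issuer key
    card, issuer = Card("PAN-DEMO-0001", key), Issuer()
    issuer.enroll("PAN-DEMO-0001", key)
    first = card.authorize(1999, 0x1234ABCD)  # terminal supplies the random UN
    results = [issuer.verify(first)]                      # approved
    results.append(issuer.verify(first))                  # same credential presented again
    results.append(issuer.verify(dict(first, amount=1)))  # captured data altered
    results.append(issuer.verify(card.authorize(500, 0xC0FFEE)))  # next genuine one
    return results
```

The second and third verifications fail without the card key ever being exposed, which is the sense in which a compromised transaction does not compromise the card itself.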
Rick Oglesby, Senior Analyst with Aite Group LLC, pointed out that security is not a key factor in introducing new payment technology on the consumer side, but it is a significant factor on the merchant/acquirer side. "Chip and PIN is the most secure card-based technology," he said. "When you get rid of the card and you are looking at mobile payments, the jury is still out."
One significant factor in EMV implementation is cost. "When you adopt the EMV/NFC technology you are limiting the scope of PCI compliance for merchant compromise at the point of sale," Oglesby said. "EMV through NFC has a higher level of security but at a cost to the merchant."
And the cost of hardware and continuing PCI compliance (even though the scope is reduced) remains a barrier to EMV for many retailers, he noted.
Security issues are far from settled in the payments world. Cynthia Merritt, Assistant Director of the Retail Payments Risk Forum at the Federal Reserve Bank of Atlanta, wrote in a Feb. 2012 blog, "The truth is that while recent developments in the application of NFC technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security."
A need for standards
"It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong," Merritt noted. "Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile service partners work to identify and manage potential security issues."
At the recent Mobile Payments Conference, Tony Bates, President and Chief Financial Officer of PSC, a PCI and Payment Application DSS assessor and Approved Scanning Vendor, noted no industry standards exist for digital wallets.
"The card is still the cardholder's responsibility, but much of the security is out of the cardholder's control," he told conference attendees.
Bates noted that the dilemma in the industry is how to get widespread mobile adoption without one set of industry security standards. He believes a familiar technology adoption model is currently at work. He calls it "get it working, make it pretty, [then] make it secure."
Bates also believes there are many solutions looking for problems in the payments space. He said vendors who lack payment backgrounds rarely look at their solutions from a data security point of view, and this often goes unnoticed.
For instance, tech stores that sell payment apps often are in "total ignorance" of the liability they could face if customer data were compromised through one of their apps, he said.
Advice for ISOs and MLSs
Payment professionals want to help customers protect sensitive payment information and comply with all industry security requirements. So what should they do?
When asked about maintaining data security in retail environments, Mustafa Shehabi, co-founder of the payment technology strategy, consulting and software development firm PayCube Inc., said he favors helping merchants stay outside of PCI scope. "At the end of the day, merchants and acquirers are not interested in being PCI compliant; they want to stay away from PCI," he said.
Richard Crone, founder and CEO of electronic payments consulting firm Crone Consulting LLC, recommended a strategy to readers of The Green Sheet as they consider the Visa and MasterCard mandates to install EMV technology.
"On anything hardware related, delay making an investment in the hardware for as long as you possibly can," he said, adding that the technology is changing so fast merchants and consumers may have decided to go with more and better options by the time the mandate goes into effect.
"The hardware is obsolete the day you put it in," he said. "NFC just locks you into Visa. I'm bullish on the device independent, carrier independent approach."