The Green Sheet Online Edition
February 11, 2013 • Issue 13:02:01
Sustaining the mPOS (r)evolution
Mobile devices and payments are two peas in a pod. This is self-evident if we take the growth trajectory of the mobile POS (mPOS) into account. The reasons for the migration from countertop POS terminals to mPOS are portability, a comparable level of security, form factor and - most importantly - lower cost.
For most developing countries, cost will be a primary factor in determining the success of mPOS implementation; the relatively higher cost of countertop POS terminals has limited their spread.
The proliferation of mPOS is critical because it ties in with the plans of central banks, which are promoting electronic payments in lieu of cash. Electronic payments are an economic stimulus and have low transaction costs.
The current situation
Mobile POS terminals are available that are approved by the Payment Card Industry (PCI); accept mag stripe and Europay/MasterCard/Visa (EMV) cards; and are priced below $30. And their prices are likely to decline as volumes increase. (This doesn't include the cost of the phone; however, businesses typically do not purchase mobile phones for payment acceptance, so mPOS is likely a function they will add to a phone already in use.)
This low cost makes mPOS viable in countries where acquirers absorb the asset and maintenance costs of countertop POS equipment. For example, the asset cost in India of a countertop terminal at the lower end is about $110 (after adding import duties), and the maintenance cost comes to about $7 a month. For this to work economically, merchants must do business of about $3,000 to $3,500 a month, assuming a 20-basis-point spread.
Most small to midsize merchants do insufficient business to cover the cost. Thus, the reason the spread of countertop terminals has stagnated in India in recent years is no mystery.
PINs and PEDs
Countries in Europe, Asia and regions of South America have a large number of PIN-based cards. In India, all debit card transactions will have to be authenticated by PIN as of April 1, 2013.
This is already the case in a number of countries. In fact, over 50 percent of POS transactions are currently being made with debit cards. Thus, for mPOS to be implemented, as a practical matter, cards have to be PIN-authenticated, or mPOS will be marginalized.
Cardholder PIN authentication has to be done on a PIN-entry device (PED). Two types are in use:
- PIN Transaction Security (PTS)-approved devices. The PCI Security Standards Council imposes rigorous conditions on devices before they can obtain PTS approval. As a result, PTS-approved devices are expensive (upwards of $100) and bigger than most smartphones.
- Non-PTS-approved PEDs. While these devices offer merchants the advantages of being both cheap and small, they are also ripe for security compromises. With such devices, PINs could easily be compromised, putting cardholders at risk of having their bank accounts drained.
The question and its solution
Therefore, we ask the pertinent question: What is the best solution - balancing cost and security - that can sustain the mPOS (r)evolution worldwide? For mPOS to succeed, it should be capable of safely accepting magnetic and EMV cards, as well as safely authenticating PINs.
A solution that balances cost and security is a PCI-approved mag stripe and EMV card reader used in conjunction with one of the two following options:
- One-time password (OTP). An OTP is sent to the cardholder's mobile phone, which is then used to authenticate a POS transaction, as opposed to the usual static PIN authentication. This is critical because static PIN authentication can be done only on a PTS-compliant device; this is what pushes up the cost of such readers. If OTP can be used instead, all that would be required is a $35 dongle, which enables OTP authentication to be done directly on the mobile phone.
- Out-of-band authentication (OBA). When a PIN-based card is used, the terminal prompts for the cardholder's mobile phone number. The mPOS transaction gateway calls the mobile phone using interactive voice response (IVR) and prompts for the PIN.
The PIN entered by the cardholder reaches the gateway on a different channel. The gateway will create a PIN block, construct the necessary ISO packet and send the transaction to the processor. The processor sends the card information and the PIN in one packet to the issuer for authentication. Since the encrypted track 2 data and the PIN are entered on different devices and travel on different channels, interception of both the PIN and track 2 data is virtually impossible.
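The following is an added example of the gateway side of that out-of-band flow, not code from the article or from MRL Posnet. It is a self-contained Python model: the terminal leg registers the card data and the cardholder's declared phone number under a transaction reference, the IVR leg delivers the PIN against that reference, and the gateway joins the two, builds a clear ISO 9564 format 0 PIN block and assembles a minimal ISO 8583-style request. The class and function names (ObaGateway, PendingTxn, build_pin_block_iso0) are hypothetical; the example assumes the gateway has already decrypted track 2 to obtain the PAN and, as noted in the comments, leaves the HSM encryption of the PIN block under a zone PIN key out of scope. The PAN and PIN used are constructed test values.

```python
"""Gateway-side model of out-of-band PIN authentication (OBA).

Channel 1 (terminal): card data for a transaction; no PIN on this channel.
Channel 2 (IVR):      the PIN, quoted against the transaction reference.
The gateway joins the two legs, builds an ISO 9564 format 0 PIN block and
emits the authorization request for the processor.
Hypothetical names: ObaGateway, PendingTxn, build_pin_block_iso0.
"""
import secrets
import time
from dataclasses import dataclass

PIN_BLOCK_HEX_LEN = 16  # 8-byte PIN block expressed as hex digits


def build_pin_block_iso0(pin: str, pan: str) -> str:
    """Clear ISO 9564-1 format 0 (ANSI X9.8) PIN block, as upper-case hex.

    pin: 4 to 12 decimal digits.  pan: full PAN including its check digit.
    """
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 decimal digits")
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 decimal digits")
    # PIN field: control nibble 0, PIN length nibble, PIN digits, F padding.
    pin_field = f"0{len(pin):X}{pin}".ljust(PIN_BLOCK_HEX_LEN, "F")
    # PAN field: four zero nibbles + rightmost 12 PAN digits excluding the check digit.
    pan_field = "0000" + pan[-13:-1]
    block = int(pin_field, 16) ^ int(pan_field, 16)
    return f"{block:0{PIN_BLOCK_HEX_LEN}X}"


@dataclass
class PendingTxn:
    pan: str        # assumed already decrypted from track 2 by the gateway HSM
    amount: str     # ISO 8583 style: 12 digits in minor units
    msisdn: str     # mobile number the cardholder gave at the terminal
    created: float  # gateway clock when the terminal leg arrived


class ObaGateway:
    def __init__(self, pin_timeout_s: float = 90.0, clock=time.time):
        self._pending = {}          # ref -> PendingTxn awaiting its PIN leg
        self._timeout = pin_timeout_s
        self._clock = clock         # injectable for deterministic tests

    def terminal_request(self, pan: str, amount: str, msisdn: str) -> str:
        """Channel 1. Registers the card leg and returns the reference the
        IVR leg must quote. The PIN never travels on this channel."""
        ref = secrets.token_hex(8)
        self._pending[ref] = PendingTxn(pan, amount, msisdn, self._clock())
        return ref

    def ivr_pin_entry(self, ref: str, calling_msisdn: str, pin: str) -> dict:
        """Channel 2. Joins the IVR-collected PIN to the pending card leg.

        Every outcome consumes the reference (fail closed): a second call
        quoting the same reference, whatever the PIN, is rejected.
        """
        txn = self._pending.pop(ref, None)
        if txn is None:
            raise LookupError("unknown or already-used transaction reference")
        if self._clock() - txn.created > self._timeout:
            raise TimeoutError("PIN entry window expired")
        if calling_msisdn != txn.msisdn:
            raise PermissionError("PIN arrived from a phone other than the declared one")
        pin_block = build_pin_block_iso0(pin, txn.pan)
        # Minimal ISO 8583-style authorization request: DE2 PAN, DE4 amount,
        # DE52 PIN data. A real gateway would encrypt the clear PIN block
        # under a zone PIN key inside an HSM before forwarding; omitted here.
        return {"mti": "0200", "2": txn.pan, "4": txn.amount, "52": pin_block, "ref": ref}


if __name__ == "__main__":
    # Constructed sample data: a well-known test PAN and PIN, not a real card.
    gw = ObaGateway()
    ref = gw.terminal_request("4111111111111111", "000000012500", "+910000000000")
    print(gw.ivr_pin_entry(ref, "+910000000000", "1234"))
```

The point of popping the reference before any check is that a reference is good for exactly one IVR leg: whoever calls second, even with the right PIN, gets nothing, and an expired or mismatched leg does not leave a pending record that could be retried later. The clear PIN block is the same value a PTS-approved PED would have formed locally; what changes in the OBA design is where it is formed and the fact that the PIN and the card data never share a channel on the way to the gateway.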
The solution of using either OTP or OBA with a mag stripe plus an EMV acceptance device also works because:
- It offers the same level of security as a countertop POS terminal or an mPOS dongle that accepts mag stripe and EMV cards and allows PIN authentication.
- The infrastructure for sending OTPs to mobile phones is already available in a significant number of countries. In India, OTPs received on a cardholder's mobile phone can be used to authenticate online transactions instead of static PINs or passwords. In the case of OBA, all that is required is a technical change at the processor's switch, which can easily be done.
Adoption of mPOS will take off throughout the world when the payments industry begins to grasp that transactions can be both secure and low-cost.
What are OTP and OBA?
A one-time password (OTP) in the payment processing realm is a password that is valid for one transaction only. The strength of OTPs is that, unlike PINs, they are not vulnerable to multiple attacks, and should they be intercepted by fraudsters after they are used, the criminals will be obtaining worthless data that is no longer valid.
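As an added example, not code from the article, the following Python service shows the properties the paragraph describes: an OTP that is generated for one transaction, delivered to the cardholder's phone (send_sms is a stub the caller supplies), stored only as a keyed hash, accepted exactly once, and then worthless even if a fraudster captured it. The names (TransactionOtpService, issue, verify) are hypothetical. Binding the OTP to the transaction amount and limiting wrong guesses go slightly beyond the text; they are the controls a practitioner would add so that an intercepted or guessed OTP cannot be used for a different payment.

```python
"""Transaction-bound OTP issuance and verification for an mPOS payment.

Hypothetical names: TransactionOtpService, issue, verify.  The OTP goes to
the cardholder's mobile out of band (send_sms stub), is kept only as a keyed
hash bound to reference and amount, and is consumed by exactly one verify.
"""
import hashlib
import hmac
import secrets
import time


class TransactionOtpService:
    def __init__(self, ttl_s=120.0, max_attempts=3, clock=time.time, send_sms=None):
        self._ttl = ttl_s
        self._max_attempts = max_attempts
        self._clock = clock                     # injectable for deterministic tests
        self._send_sms = send_sms or (lambda msisdn, text: None)
        self._active = {}                       # ref -> pending OTP record
        self._key = secrets.token_bytes(32)     # server-side key for the OTP hash

    def _digest(self, ref: str, amount: str, otp: str) -> bytes:
        # Keyed hash over reference, amount and OTP: the OTP is valid only for
        # this transaction at this amount, and is never stored in clear.
        msg = f"{ref}|{amount}|{otp}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, ref: str, msisdn: str, amount: str) -> None:
        """Generate a 6-digit OTP for one transaction and send it out of band."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._active[ref] = {
            "digest": self._digest(ref, amount, otp),
            "expires": self._clock() + self._ttl,
            "attempts": 0,
        }
        self._send_sms(msisdn, f"OTP {otp} for payment of {amount}, ref {ref}")

    def verify(self, ref: str, amount: str, otp: str) -> bool:
        """True exactly once for the right OTP; False for replay, expiry,
        amount mismatch, and after max_attempts wrong guesses."""
        rec = self._active.get(ref)
        if rec is None:
            return False                        # unknown, already used, or locked out
        if self._clock() > rec["expires"]:
            del self._active[ref]
            return False
        rec["attempts"] += 1
        ok = hmac.compare_digest(rec["digest"], self._digest(ref, amount, otp))
        if ok or rec["attempts"] >= self._max_attempts:
            del self._active[ref]               # consumed on success; locked after N failures
        return ok


if __name__ == "__main__":
    # Constructed demo: print the "SMS" instead of sending it.
    svc = TransactionOtpService(send_sms=lambda msisdn, text: print(f"to {msisdn}: {text}"))
    svc.issue("txn-demo", "+910000000000", "125.00")
```

Because the record is deleted on the first successful verify, the second attempt with the same OTP returns False: a fraudster who intercepts it after use holds data that no longer authenticates anything, which is the property the paragraph relies on. The attempt counter is what stops the six-digit space from being searched against a single pending transaction.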
Out-of-band authentication (OBA) is a way of authenticating transactions that uses two separate channels simultaneously to identify users. In payments, one channel used for OBA authentication is typically the network used by the merchant's payment acceptance device; a cellular network is commonly the other channel. This makes it unlikely a hacker or malware could access or infect the entire authentication process.
Venkat Kalyanaraman is the Chief Infrastructure Officer at MRL Posnet Private Ltd., a technology-driven transactions facilitator based in India. He holds a Masters in Business Administration from the University of Texas in Dallas. Sunil Rongala, MRL Posnet's Head of Risk Containment and Business Strategy, is a professional economist and holds a Ph.D in Economics from Claremont Graduate University in California. Email Kalyanaraman at firstname.lastname@example.org and Rongala at email@example.com.