Payments Security Concerns Grow As Mobile Market Sees Gains

With the emergence of smartphones, the next evolution in point-of-sale transaction processing has begun, fueled by devices not designed for the POS environment yet becoming increasingly popular nonetheless.

Indeed, a wave of mobile applications enabling merchants to use their own phones to accept customer payments electronically has surged into the retail sector. Branded both by traditional POS terminal vendors and firms new to the industry, they offer merchants a less expensive and portable method to accept electronic payments than do traditional countertop terminals and purpose-made wireless devices.

And this has helped to make mobile POS devices and applications hot items in the product portfolios of some ISOs and agents.

"There's a tremendous interest and draw for mobile POS right now," says Jon Perry, founder of DFW Card Merchant Services, a Fort Worth, Texas-based ISO. "Merchants don't want to spend $400 to $500 for a standalone POS system if they don't have to."

Perry estimates that about 12% to 15% of his company's merchants have signed on to use a mobile-POS application within the past year. In some cases, such as a storefront merchant who provides in-home installation services for customers, a mobile-POS application supplements a traditional POS terminal. In other situations, a merchant might use a mobile phone to accept all of its customer payments.

Mobile-payment acceptance often is most appropriate for businesses that interact with customers in places other than storefronts, such as home contractors, consultants who work at customer sites, street vendors, flea-market sellers and other roamers. Perry, who speaks at many conferences, even has used a mobile phone-based POS service to accept payments from individuals signing up for a conference on site the day of the event.

But the service is not for everyone. "If you are doing more than three or four transactions per minute, mobile is not right for you," Perry says. "This is for someone doing more like one transaction per hour."

Ultimately, mobile-payment acceptance appeals to a primal merchant need to control costs. "Anything that reduces their cost of operation is what drives them to adopt new technology," says Stephanie Clements, founder of Veritas Merchant Services, an ISO based in Louisville, Ky.

Veritas offers Boston-based RoamData Inc.'s RoamPay application. "We introduced it six months ago," Clements says. "About 2% to 3% of our merchants have signed on so far, but it's growing very quickly."

As with any new technology, merchants have questions. And one of the most common involves whether the new applications are secure, says Will Graylin, RoamData founder and CEO.

"Security first and foremost is an issue, particularly end-to-end security," Graylin says. "This industry even in the last four months is going through a very rapid transformation. There are many sole proprietors in the small-business market that are a great untapped opportunity for this. That's why it's important to show it's secure."

As with any electronic-payment system, mobile phone-based POS transactions could be compromised in a number of ways. Crooks could capture card numbers with key-logging software, break or bypass the encryption, steal a merchant's authentication identity and password, or use malware to capture card data as it travels over the merchant's network, for example.

The public mobile-network connection represents the biggest difference between a mobile phone POS application and a purpose-made wireless POS terminal. Phones support multiple ways to communicate, such as via e-mail, text messaging, Skype or social-media posting, and they support Internet browsing. Many purpose-made wireless terminals tie in to payment networks via a private, self-contained Wi-Fi network that may itself be connected to a secure landline network.

"There's a fundamental difference," says Gary Glover, director of security assessment at SecurityMetrics in Orem, Utah. "There are a lot of communications applications on that phone that are not part of the traditional POS environment. A POS network is usually single-focused. The hard part is, how do you make sure the POS application on the phone is isolated from everything else?"


POS Evolution

The success of new mobile-POS applications depends on how effectively ISOs and agents can assure their clients that the payments they accept are isolated and secure.

Such assurances usually start with standards. Some new mobile-POS applications adhere to the standards of the PCI Security Standards Council and are certified compliant with the council's existing Payment Application Data Security Standard. However, PA-DSS certification covers payment applications in general, and it was not designed as a mobile-specific standard, according to Bob Russo, the council's general manager.

"Mobile-payments technology is still evolving, and to date there hasn't yet been any standardization when it comes to securing the applications and devices," Russo says. "The mobile devices themselves could present a security risk to any payment application, even those that can achieve all of the PA-DSS requirements. Our charter looks to develop standards related to securing the payment process, and so we are working through our analysis of the security of mobile-payment software and devices."

Russo's comments echoed a statement issued by the council last November that it no longer would certify new mobile-POS applications under the broad PA-DSS standard until it completes further study.

In its statement, the council noted it is working to determine "applicable security requirements for mobile-payment applications, the security capabilities and features of mobile communications devices on which the applications reside, and the necessary interaction between such devices and payment applications to effectively secure cardholder data."

Some submissions of applications that did not "meet the intent of the [PA-DSS] program requirements" helped spark the council's move, Russo says. "The rapid development and deployment of these new and innovative mobile-payment technologies has brought a level of complexity to the industry never seen before," he says. "This new complexity and the resulting influx of mobile payment applications introduce a new set of risks and threats that may affect the security of cardholder data. The council is looking at this carefully."

The council expects to complete a multiphase examination in the coming months, Russo says.

Scott Henry, director of product marketing at payment-terminal maker VeriFone Systems Inc., says it is important to note that the council did not say existing mobile-POS applications are unsafe. "It doesn't mean you can't develop new applications or use the ones that are out there," he says. "If it does cause a market hiccup, it will not be a big one."

Decertification of some applications is possible, Russo says, noting that only a few mobile applications thus far have been certified. "We understand the appetite in the market for this information and are working as diligently as possible to complete a comprehensive examination of the mobile-communications device and mobile-payment application landscape and deliver guidance to the market," he says.


Swift Growth

A new, more-focused mobile-POS standard could result from the council's investigation, and that ultimately would help the industry, says RoamData's Graylin.

"PCI has an important role to play, but things are going so fast they need to do something to curtail people from developing nonsecure applications and breaching the customer trust," he says. "Security of any technology is something that people pay more attention to over time. There were certain things that the PCI (standard) didn't account for earlier, and now they are working to create the type of rules that will be adopted industrywide."

Part of what the council did not account for, and really no one could, was the rapid growth in mobile applications that has occurred. Thriving application ecosystems have developed around the open operating systems of Apple Inc.'s iPhone, Google Inc.'s Android phones and Research in Motion Ltd.'s BlackBerry devices, giving any company that wants to reach business mobile phone users a clear, very large target market.

"We do a lot of research about which phones we want to be on, but really if you hit the iPhone, Android and BlackBerry, you're talking about 80% of the market," says VeriFone's Henry.

The rapid rise in mobile-payment applications and devices also is giving transaction processors much to get their arms around, and in very little time. Developing business applications for those operating systems has become so easy that virtually any software engineer with a development kit can do it.

For ISOs and their merchant customers, that means a sudden broadening of applications from which to choose. Services that support mobile-payment acceptance are now available not only from the terminal manufacturers such as VeriFone that ISOs and their customers have come to know and trust, but also from software designers and individuals who may be new to the merchant-acquiring market.


Mobile-Industry Security

The mobile-phone industry has its own security measures. Apple has a strict application-certification process that can involve several months of testing and review. However, for payment-specific standards, the PCI standards are the primary voice.

The PCI council's moratorium for now leaves mobile-POS security matters in the hands of the companies supporting the applications, RoamData's Graylin says.

"The responsibility is with the industry and the ISOs to inform merchants and customers," he says. "We train the ISOs on what kind of security we have and how they should answer these questions. We give them the proper tools and support the ISOs as they market the application."

Some merchants still may ask about PCI compliance, so ISOs should be prepared to talk about whether their applications are certified, SecurityMetrics' Glover says.

"Some merchants are at least familiar with PCI compliancy," says Veritas' Clements, whose company has offered a mobile phone-based POS application for the past six months. "The biggest question we get from merchants about it is, 'Is this PCI-compliant?'"

VeriFone's PayWare application reportedly was the first mobile phone-based payment-acceptance system to be certified under existing PA-DSS rules. Merchants traditionally have not asked many questions about the security of POS terminal systems, but that is beginning to change with the introduction of new technology and increasing general awareness of computer viruses and Internet security, VeriFone's Henry says.

"Security issues are starting to creep into the adoption discussion," he says. "I would say five years ago security barely registered among the top five questions asked. Now it's No. 2 or 3."

Still, many merchants, particularly the smallest ones or the newest entrepreneurial businesses, likely will not ask about POS security. "Security questions very rarely come up when we're with a merchant," says DFW Card's Perry. "We usually have to bring it up. Merchants assume that if you're selling it, then it must be secure."

Perhaps the most-important thing ISOs should know and convey to merchants about the new wave of mobile-POS applications is how payment acceptance and the transmission of payment data are encrypted. Some mobile-POS applications call for credit card numbers, expiration dates and security codes to be keyed in by hand using the phone's keypad, but others use a card magnetic stripe reader that attaches to the phone's audio port.


Encryption Differences

"We keep track data at the card reader [with encrypted swiper hardware]. Otherwise, it can end up with a skimmer," says RoamData's Graylin. "Track data could be used to copy the card. It's like your wallet being stolen but you don't know it."

Several mobile-POS applications use 128-bit encryption. RoamData uses a 168-bit Triple DES (3DES) double-encryption scheme and sends the data to its own server instead of one owned by a third party. DFW Card offers a mobile-POS application from eProcessing Network LLC called ePN Mobile that requires a mag-stripe reader from MagTek carrying an encryption key that must be refreshed periodically.
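The track-data point above, as an added example that is not RoamData's, MagTek's or any vendor's code: a Python sketch of the minimum a mobile-POS app should keep from a swipe, assuming the reader hands it track 2 in the clear (as keyed entry or a non-encrypting reader would). The discretionary field, which can hold card-verification values, is parsed past and never returned, so the app holds nothing PCI forbids it to store.

```python
import re

# Track 2 layout (ISO/IEC 7813): ";" PAN "=" YYMM service-code discretionary "?" LRC
# The discretionary field may carry card-verification values and must never be kept.
TRACK2_RE = re.compile(r"^;(\d{1,19})=(\d{2})(\d{2})(\d{3})(\d*)\?.?$")

# Constructed sample swipe built from a well-known test PAN, not real card data.
SAMPLE_TRACK2 = ";4111111111111111=2512101123456789?"


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; catches misreads before a PAN is sent anywhere."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: first six and last four digits, the rest masked."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track2(track2: str):
    """Return the authorization fields, or None if the string is not valid track 2."""
    m = TRACK2_RE.match(track2)
    if not m:
        return None
    pan, yy, mm, service, _discretionary = m.groups()  # discretionary data dropped here
    if len(pan) < 12 or not luhn_ok(pan) or not 1 <= int(mm) <= 12:
        return None
    return {"pan": pan, "expiry": f"{mm}/{yy}", "service_code": service}


def split_swipe(track2: str) -> dict:
    """Split a swipe into what goes to the processor (over TLS, then discarded)
    and what the app may keep for the receipt and its own records."""
    fields = parse_track2(track2)
    if fields is None:
        raise ValueError("unreadable or invalid swipe")
    return {
        "for_authorization": fields,  # full PAN: transmit only, never persist
        "for_receipt": {
            "pan_masked": mask_pan(fields["pan"]),
            "pan_last4": fields["pan"][-4:],
            "expiry": fields["expiry"],
        },
    }
```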

Vendors are starting to move toward card reader hardware as a rule of thumb, VeriFone's Henry says. VeriFone offers its device for the iPhone 3GS and iPhone 4, and Henry suggests it will be available soon for Android and BlackBerry phones.

From an underlying platform perspective, the most important thing might be to ensure that the applications use Secure Sockets Layer (SSL) technology, a protocol created by Web browser firm Netscape to protect Internet transmissions, several experts say.

"The best practical advice [ISOs can offer merchants] is make sure you use an app that uses SSL and to understand that you're on a public network," says SecurityMetrics' Glover.

If done properly, mobile POS apps "can be just as secure as any dedicated POS terminal," RoamData's Graylin says.

What merchants should aim for is to have several layers of security, Henry says. If ISOs and POS vendors can demonstrate that depth of security, it probably will be enough for merchants, regardless of how quickly the industry achieves a new comprehensive standard, he says.

DFW Card's Perry says he understands why the PCI council views the need to review the standards for mobile-payment acceptance to be an urgent one.

"Even with a regular POS [device], it could be secure, but a manager could log in to it from his home [virtual private network] where there's a virus. Now take that to the level of an iPhone or Android phone," Perry says. "You can get inside those phones to introduce a key logger or a virus."

The PCI council also is looking into mobile POS payment acceptance from a merchant perspective, and the Secure POS Vendor Alliance is keeping an eye on the issue as well. Alliance Chairman Paul Rasori says the group is looking at mobile-payment issues as it finalizes its agenda for this year, though primarily from the perspective of customers using their phone to pay merchants.

Despite the activity around certification, the mobile-payment acceptance market is not in peril as it waits for the council to act, SecurityMetrics' Glover notes. "The industry will move forward. These apps are not all horribly insecure and big disasters waiting to happen," he says. "They're just not that well understood yet."

Gaining that understanding, however, is key to the long-term future of these applications and their place in the ISO portfolio. ISOs ultimately are in the business of selling trust. It is the first thing merchants buy before they buy anything else.
