Chapter 16

Emerging Technology and Alternative Payment Schemes

Information in this chapter:

• New Payment Schemes

• Predictions

• Taxonomy and Tidbits

• Case Study

After getting this far in the book, you may be thinking that PCI DSS compliance is both insurmountable and unsustainable. We disagree on both counts, but we’re writing this from our side of the page, not yours. Both authors have seen many companies where PCI DSS just wasn’t a good fit. Be it culturally, technically, or simply the sheer willpower to get it done, PCI DSS may be one of those things that you choose to avoid.

If this is you, don’t despair! There are some interesting emerging technologies and alternate payment methods that could be useful to you. Keep in mind, as a society we have been trained to reach for the plastic. No doubt, your customers are similar. Before you can rock the boat, you need to consider things like average ticket size, how often you directly interact with the customer, and your customer experience lifecycle (how long from entry to payment?). Each of those things will affect your customer’s behavior while patronizing your business. For example, everyone can move to a cash-only business, but if you are selling furniture and televisions where the average ticket price is over $100, putting an ATM out front may not get you the customers you need at the rate you need them to survive.

New Payment Schemes

Getting customers to part with precious dollars, pounds, yen, and Euros isn’t new, but some of the ways we do it are. Over the last ten years, we’ve seen a tremendous advancement in technology and interoperability between handheld devices and fixed ones. From scams to legitimate business needs, there are new problems, solutions, and opportunities to attack this issue.

Mobile

Let’s start with mobile. Smartphones are ubiquitous now. Regardless of the flip phones we see on television, touch-based smart phones are taking over our lives. There sure is a lack of drama when someone angrily hangs up a touchscreen phone by mashing their finger on the Gorilla® Glass versus slamming that flip phone shut to end a call. Businesses realize that these devices are everywhere and are always on the lookout for ways to monetize it.

One of the simplest mobile payment options doesn’t even require a smart phone. SIM-based payments are commonly used in the US to attract charitable donations after natural disasters, but they can also be used to pay for taxis, parking, and even items in vending machines. They typically require the user to send a text to a 5- or 6-digit number with some code associated with it, and the charge will show up on their mobile phone bill at the end of the month. As a business, you may choose to accept SIM-based payments in this realm, or soon as part of a Near-Field Communication (NFC) scheme (more on this in a bit).

SIM-based payments use the same SIM chip that authenticates your phone to your carrier to figure out who purchased something, and bill them accordingly. It’s a neat solution for on-the-go payments, or something that is self-service in a manner whereby the “store” is automated or electronic. You must have the ability to receive such confirmation of payments in your store, which will require you to both have a contract to accept them and a reliable Internet connection. Just like an online payment card transaction, if your internet connection goes down you won’t be able to receive the payment information unless you invest in sophisticated over-the-air technology (which still must have 2-way connectivity to function).

From a PCI perspective, if your business ONLY accepted SIM-based payments, you wouldn’t need to worry about PCI DSS unless you were somehow getting payment data back from the provider (unlikely this is the case). It’s an interesting alternative, and depending on the ticket size and how someone’s phone plan is set up, it might work. For individuals with company phones, however, this type of payment scheme may not work, or may cause problems for the individual at the end of the month.

NOTE

You must understand that regardless of your situation, any time money is exchanging hands there is a possibility for fraud to occur. There is no silver-bullet solution, and part of doing business is taking on risk. There are several variables to consider when deciding how to accept payments for your business. Those are:

• Ticket size: How big is your average transaction size? Certain thresholds may be conducive to some methods over others, and you may notice more fraud from certain types of schemes depending on the ticket size. Payment cards are good for higher ticket sizes, cash for low, and others fall somewhere in between.

• Transaction volume: How many transactions are you running per day?

• Customer volume: How many customers do you see per day (each with a potential to pay in their own special way)?

• Average sale time: How long does it take for someone to run through the line? For high-volume, rapid transactions you may not be able to pick certain schemes over others.

With any change in payment acceptance you can expect you will see a change in fraudulent activity. Just like someone can spoof a magstripe card by capturing and reprinting the data, some SIM cards can be spoofed in the same way. You may end up accepting a fraudulent payment and allowing someone to exit the store, ending up with the equivalent of a chargeback hitting you without much recourse. Ten years ago this type of spoofing was very difficult to do and typically required equipment purchases into the six-figure range. Now, with some parts you can get from eBay and the right knowledge, you can do this for under $2000. If your store front is unattended, this may not be an issue if the ticket size is small. It’s no different than any other kind of fraud. But if you are using SIM-based payments in places where your average ticket size exceeds $10, you may find yourself learning quite a bit about fraud (the painful way).

Near-Field Communication

NFC technology has been used in the payment space for years as an alternate, dynamic payment mechanism. Payment brands released products like Blink (Visa) and SmartPay (MasterCard) where Radio-Frequency IDentification (RFID) chips were embedded in traditional plastic, magstripe cards as an alternative to swiping. You simply wave your payment card over the reader and walk out with your goods. No signing, no PINs, nothing static to capture and replay. In fact, this is one of the two technologies you must accept to qualify for Visa’s Technology Improvement Program (TIP), which can effectively eliminate the requirement to validate compliance annually (See http://brandenwilliams.com for thoughts on killing PCI assessments). Some NFC payments might be SIM-based as well, thus going through a carrier instead of a payment scheme. Some geographies have different adoption rates than others, so you should understand your options when building your payment strategy for each area in which you are doing business.

NFC payments have a huge advantage for merchants as they are an element that allows you to qualify for Visa’s TIP program along with accepting EMV transactions. For those of you reading this outside the US, you can also qualify for the TIP program if you already accept EMV or Chip & PIN. It might even work to your advantage, especially if you can deploy some level of point-to-point encryption in your network to encrypt the information that EMV considers “routing,” but which can in fact be used to push fraudulent transactions through in other parts of the world. Keep in mind that the Visa TIP only works for Visa, and you may have a couple more hoops to jump through for other payment schemes for the same benefit.

Many smart phones are now coming with NFC capabilities built in to replay your existing cards over the phone transmitter. For example, Google Wallet (at the time of this writing) allows you to register your Citibank MasterCard and use your phone to pay for things anywhere that SmartPay is available. This doesn’t change anything for you as a merchant as it will use your existing infrastructure to complete the payment.

NFC carries its own risks as well. While the information is dynamic, computing power increases at incredible rates. Cryptanalysis is not only possible, but becomes feasible in some cases when bad guys put their efforts to try to reverse these algorithms. What does that mean for you? It means that while the risk of a spoofed card is reduced to almost zero with EMV, it is still possible and can still happen. The rate is so low that you can probably write it off as a cost of doing business, but you should understand your liability if you end up in that situation.

NOTE

Chip & PIN or EMV technology is becoming more common in many parts of the world due to its ability to greatly reduce card present fraud. As you consider this technology, you must understand that Chip & PIN is one implementation of EMV, and EMV (Chip) technology can run without using the PIN to validate. PINs are used for offline validation, meaning that the card is authenticated, but that authentication information may not be passed back to the issuer while the customer is standing there. Online validation means that the Issuer will authorize or deny the transaction while the customer is there, and EMV implementations in online processing environments do not require PINs to complete. Please understand this is a generalization of how the technology works, and there are exceptions to every rule.

Square

We would be remiss if we didn’t mention this creative little scheme (https://squareup.com/)! This solution has popped up recently allowing you to accept payments with phones and tablets, and it also creates the equivalent of a digital wallet whereby users can put payment information into an app on their phone and use that app to pay for goods and services. It’s not quite the same as, say, the Starbucks app where you can register your Starbucks card and pay via a barcode on your phone, as you still are passing your actual payment card information to the merchant for processing. Merchants like the technology as it can enhance their ability to provide top notch service to their customers. Consumers like it because they can almost get to the point where they just need a house key, phone, and ID to live their lives.

One element of the Square scheme is the tiny reader that can capture a magstripe and send it along for processing. This makes payment acceptance for small businesses a breeze when they are doing events outside of their standard storefront. Think about all the outdoor festivals you have been to and all those extra wireless terminals you see. As a merchant, I’m definitely looking to that device as a way to save money and time. No longer do I have to take the card to the back of the store for processing, I can swipe it right in front of the customer and get them out the door.

Keep in mind, using Square won’t excuse you from your PCI DSS responsibilities. Depending on how you have it set up, you may have greatly reduced responsibilities and risk, but it’s not as complete of a solution as some of the other options out there. Your biggest risk with Square may simply be the concept of acceptance. If people are unwilling to use the app on their smartphone, or allow you to swipe their card through the fancy reader, you won’t be able to close the sale.

Google Checkout and Paypal

Let’s spend a few minutes talking about card-not-present transactions. Online retailers have to deal with PCI DSS just like brick and mortar ones do, but the security at online retailers tends to be much better because they live with electronic fraud every day. Brick and mortar stores tend to focus on theft and fraudulent payment devices more than they do an external attacker constantly pounding on their door to steal things. Regardless, there is a fantastic solution for eTailers to adopt that will allow them to be exempt from PCI DSS.

Both Google and Paypal offer products to merchants that take the burden of payment processing away. These may be offered in multiple delivery methods, but the way to ensure you are exempt from PCI DSS is to ensure you are redirecting your users to Google and Paypal during the payment portion of the checkout process. If you are accepting the card information and passing it to Google and Paypal on the user’s behalf, you are still in the middle of the transaction and must comply with PCI DSS. Both allow you to set up a recurring payment for subscriptions as well, so businesses with those models can take advantage as well.

Essentially in these schemes you would get your user all the way to entering payment information and then pass them to Google or Paypal with key information related to the transaction. The user would then choose how to pay within those systems (there are multiple methods) and then be routed back to you after the payment has completed. You will get cash in batches but without the payment card information attached.
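The scope question above comes down to one thing: does card data ever touch your server? The following is an added example (not from the book, and not Google’s or Paypal’s code) that runs a simple check over constructed samples of what a checkout endpoint might receive. The field names and the two sample POST bodies are assumptions; the Luhn check is the standard mod-10 test used by payment card numbers.

```python
import re
from typing import Dict, List

# Constructed sample POST bodies (assumed field names, not any real provider's).
# Redirect scheme: the merchant only ever sees order data and hands the
# customer to the hosted payment page for the card entry.
REDIRECT_FLOW_POST = {
    "order_id": "A1001",
    "amount": "42.00",
    "currency": "USD",
    "return_url": "https://shop.example/return",
}

# "Pass it along on the user's behalf" scheme: the card data lands on the
# merchant's server first, so the merchant is in the middle of the transaction.
# (4111 1111 1111 1111 is a well-known test PAN, not a real account.)
PROXY_FLOW_POST = {
    "order_id": "A1002",
    "amount": "42.00",
    "card_number": "4111 1111 1111 1111",
    "expiry": "12/29",
    "cvv": "123",
}

# Field names that carry sensitive authentication data regardless of value.
SENSITIVE_KEYS = ("cvv", "cvc", "cvv2", "security_code", "track")


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True when a value has PAN length (13-19 digits) and passes Luhn."""
    digits = re.sub(r"[ -]", "", value)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    return luhn_valid(digits)


def cardholder_data_fields(post: Dict[str, str]) -> List[str]:
    """Names of fields that carry a PAN or sensitive authentication data."""
    hits = []
    for key, value in post.items():
        if key.lower() in SENSITIVE_KEYS or looks_like_pan(value):
            hits.append(key)
    return hits


def in_pci_scope(post: Dict[str, str]) -> bool:
    """A request that delivers cardholder data to you puts you in scope."""
    return bool(cardholder_data_fields(post))


if __name__ == "__main__":
    for name, post in (("redirect", REDIRECT_FLOW_POST), ("proxy", PROXY_FLOW_POST)):
        print(name, "in scope:", in_pci_scope(post), cardholder_data_fields(post))
```

The same check run over real request logs (with matches redacted before storage) is a cheap way to notice when a later checkout change quietly pulls card data back onto your servers.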

Some disadvantages include losing track of the user while they check out. Some eTailers focus on their user experience so much that passing their customers to a third party during the most critical part of the transaction may be unacceptable. Google and Paypal aren’t new technologies anymore, so I would largely argue that using these services won’t dramatically increase your cart abandonment rate. Another disadvantage may be the cost to process. Doing the processing directly may cost less per transaction, but in theory, those savings should be used to secure your network and deal with PCI DSS compliance. With some analysis, you may learn that it is cheaper in the long run to outsource your online payments to any number of companies like this. Some things to look out for include:

• How long does it take for cash to show up in your account?

• What is the chargeback (or equivalent) process like?

• Do you have any minimum transaction volumes to adhere to (dollars or numbers)?

• What is your liability if money is exchanged on a stolen account?

NOTE

As of this writing, Paypal is piloting a card-present payment process using their technology coupled with a smart phone. The concept is that you would go to your local grocery store and pay for your groceries via your Paypal account (which could be tied to a credit card or bank) instead of using a payment card. Companies accepting this technology can be exempt from PCI DSS if they only accept Paypal, but at this time the technology is probably too new to solely endorse. Keep an eye out for that technology as it may explode in adoption as people leave their wallets at home.

Predictions

We wanted to take an opportunity to give you our thoughts on who the leaders might be when it comes to all this fancy technology. You are only allowed to read this portion of the book if you understand that the authors do not have crystal balls, and we cannot tell the future. All we can do is pontificate and let things happen naturally. That said, here are a few thoughts on where things are going.

The smartphone has revolutionized how we live our lives. Not only is it annoying at times when our carriers refuse to work, but it has become the centerpiece for our digital world. Businesses know this, and they are doing everything possible to integrate with this device in a way that both makes doing business with the consumer easier, and can use analytics and personal service to increase ticket size and loyalty.

Because of this, the concept of a physical payment card may have a shorter lifespan than we think. As avid travelers, both of us would love to consolidate our loads by carrying fewer things in our pockets. Branden lives for the day when all he has to carry around is his smart phone and some chap stick and he can drive his car, pay for dinner, present on a fun security topic, and run through security to hop on a plane home without problems. Any way you can tap into this device without re-inventing the wheel will probably work to your advantage. The key here is to not invest heavily in a technology that locks you in for the long haul. If Square goes belly up or never has wide scale adoption for your customers, you want the ability to change your back end to accommodate some other scheme that will.

Along those lines, magstripe cards are at the end of their life. With most geographies looking to EMV or other alternatives, we can expect that EMV will make a significant push here in the US and continue to grow in adoption globally until the smartphone revolution challenges EMV. If you are a small business owner and are looking to technology to differentiate and power your business, skipping EMV and going right to the smart phone might be your best bet.

Smartphones are proving to be a disruptive technology in the payment space, and we feel that they will become centric to payments like they have become centric to our digital lives.

Taxonomy and Tidbits

In this section we will go over some basic taxonomy and definitions that are useful to those of you who feel a bit overwhelmed by what you are reading.

EMV

EMV, known as Europay, MasterCard, and Visa when you spell it out, is a global interoperability standard for payments meant to boost assurance in payment card transactions, specifically at the point of interaction (POI—the point where the information is read off of a customer’s payment card). Some areas of the globe use Chip & PIN, but Chip & PIN is just one possible implementation of EMV. It’s incorrect to use EMV and Chip & PIN interchangeably. The chip contains cryptographic algorithms to authenticate the card, and the card can be presented by itself or used with a cardholder signature or PIN. PINs are optional and may not be used for every implementation. The majority of EMV transactions are done online, but offline transactions may happen in some geographies.

EMV is not yet globally implemented, so you may see different implementations in different places depending on where you go. Here in the US, a large number of processors simply cannot handle an EMV transaction today, even if their merchants have EMV-capable terminals for customer use. Most new terminals deployed today have the hardware to do NFC or contactless, EMV, and traditional swipe transactions, but the presence of hardware doesn’t mean the presence of capability. If you are doing a technology refresh, go with the fully capable terminal and turn on the specific features as your processor is prepared to handle them. In Visa’s case, you must be able to accept both a contactless and an EMV transaction at a payment terminal, and process that transaction correctly if a customer presents either of those at 75% or more of your total terminals to qualify for the TIP. There are other nuances with this program as well as other payment brands’ programs, so check with your acquirer for details.

Europe vs the US vs the Rest of the World

Europe is a bit different than the US or the rest of the world when it comes to payments, including the EMV topic we discussed above. If you are a global business, you may be struggling with the differences between Visa and MasterCard in Europe and how those must be balanced with other global operations. In some cases, you might find some requirements relaxed while others are more stringent. Rest assured, you will need to fully investigate these differences and it’s a bit beyond the scope of this book. It’s not that we don’t want to take the time to write about it; it’s more like the situation changes so frequently that we fear that this would become rapidly outdated and not useful to the readers.

In addition to requirements, the penalties vary from place to place. You will not only find selective enforcement by some payment brands, but you will also find inconsistencies between each brand on how they enforce and how big the penalties are. We discussed some of those penalties earlier, and those should be used as a benchmark. You could end up paying more or even less than what you read about. Your acquirer may even refund some of those penalties, further invalidating the numbers. Do yourself a favor and check with your acquirer for any up-to-date information on global enforcement.

Customer Experience

Lastly, let’s explore the concept of customer experience. Our readers are largely charged with securing the infrastructure or complying with PCI DSS, but you will have another force that will dictate how you do business—the customer experience. This may dictate more about how you build and manage your payment systems than any other single force in your company. Many of the authors’ customers are experimenting with all of the emerging technologies above with varying impact and success. Collecting money from a customer is an important part of the customer experience, but mostly to the business. You can expect that your company will begin to experiment more with this in the coming years in ways that will challenge your compliance status. Wireless terminals, kiosks, festivals, third-parties, pay-by-cellphone, and integrated physical and virtual shopping experiences will impact everything you are doing with respect to payments.

Your challenge (you must accept it or you will find yourself looking for work!) is to meet the business folks with solutions to their payment acceptance problems. Don’t put the “NO” in inNOvation, put the YES in succYESs (ok, that was a stretch but the “y” is silent…). Be creative. Learn how the business wants to operate. Learn what is important for them. Learn about the customer. Only then can you adequately put your brainpower to use to come up with solutions that solve both the business and security needs with the compliance requirement.

Case Study

If you read these next two case studies and think, “Jeez, these sound crazy far out in the future,” they might be for you but someone is doing this today. Concept stores, like concept cars, are fully functional and in limited use, but help businesses push themselves to the fringe to figure out what works and what doesn’t. In fact, some of this may be happening right under your nose!

The Case of the Cashless Cover Charge

Melissa’s Mainstage is an intimate concert hall in SOHO, Manhattan. Melissa focuses on bringing local, regional, and some national acts through her venue but keeps the seating under 300 people. Her goal is to charge under $10 for cover for every act, sometimes as low as just a few dollars, and donate some portion of the fee to a local charity for the needy. She has had a few instances of cash missing from the daily take as well as a few customers wanting alternative payment options to cash when coming through the door. She accepts major credit cards once inside, but the door is cash only. She decides to take advantage of SIM-based payments on a trial basis and allows customers to send an SMS with the event name to a five-digit code that will place a charge on their cell phone bill. Since the dollar amount is typically very low, she doesn’t see any major customer challenges. The first week she put the plan into effect, she had an amazing 97% adoption rate, effectively reducing her cash risk by the same amount. She could track each cover by phone number and validate any transaction by simply checking the cell phone of the customer at the door. For the 3% that chose cash, she could choose to motivate them by making a cash cover charge slightly higher than the SMS payment. Or, as long as the adoption rate remains high, she could just opt to accept cash as a non-preferred alternative.

To fully understand Melissa’s decision, you must realize that this change does not in any way affect her PCI compliance posture. She still does her normal compliance work for her bar and merchandise sales, but she now has a cashless solution for the door as well. She knew that by piloting and ultimately implementing this solution she would not create a PCI headache in the process.

Summary

You get it and we get it—the world moves pretty fast just like Ferris Bueller said. By the time you are reading this book, these technologies will be even further down the path to maturation and probably embedded in more than a few retailers around the world. Remember that you can pilot or even adopt different payment methods that may or may not have any impact to your existing PCI DSS compliance. If you use a QSA or ISA, you will probably be educating him in this process as well. When you prepare for your meeting, be sure to give yourself plenty of time to walk through the technology and implementation, and bring an expert along with you that can answer any specific questions the assessor may have.

Go forth and experiment! The authors are consumers too, and we’re pretty excited about the creative ideas you all will implement.