Payment Processes in Retail: Evolving to Deliver Convenience and Security

Contactless payments, smart phones and e-commerce are delivering speed and convenience to consumers and, as a result, debit cards have nudged cash from the ‘most frequently used method of payment’ top slot in the UK. While card payments start to outstrip cash payments, a range of innovative alternative payment methods is just coming into view, and these promise to add further complexity and opportunity to the retail payments landscape (which is one of the reasons why consumer protection has become so high on the agenda). Ralf Gladis outlines what all of this means for security.

Research conducted by the trade association UK Finance found that innovations in technology, and particularly in payment solutions, were encouraging consumers to alter their habits. This resulted in 13.2 billion card payments by the end of last year, with cash payments now amounting to slightly less at 13.1 billion.

This is a first, and marks an important change, not just in terms of how shoppers like to purchase their goods, but also in how retailers equip themselves for the future. With the growth in credit and debit card usage comes the inevitable surge in security issues. A study by comparethemarket.com found that almost five million people had their debit card, credit card or bank account replaced or cancelled last year due to fraud.

Shoppers, for whom convenience is vital, like to balance their concerns about security with the benefits of fast, easy payment solutions, and they look to retailers to ensure the technology they use is fit for purpose. It must support their card transactions without risking their personal data or putting them in danger of theft, which puts Point of Sale (PoS) systems directly in the spotlight.

It’s accepted that magnetic stripe technology on debit and credit cards is weak and easy to breach. In the last couple of months, researchers at Positive Technologies found a flaw in mPoS devices that allows attackers to carry out ‘Man-in-the-Middle’ transactions or modify payment amounts when magnetic stripe transactions are used.

Many retailers now favour a mixture of countertop PoS terminals that offer Chip and PIN card readers plus card readers for contactless payment and/or smart phone payment. To secure transactions using these methods, however, retailers need a strongly encrypted connection to the payment service provider.

Against a backdrop of headline-grabbing data breaches putting millions of customer credit card details at risk, and more than 100,000 non-EU cards without any Chip and PIN protection, Visa and Mastercard have introduced new security standards. These rely on point-to-point encryption (P2PE) to deliver rigour into the payment process with the aim of building trust among consumers.

Here, the customer’s payment data is strongly encrypted directly at the PoS terminal without the use of intermediate storage. Strong encryption keeps the data secure, allowing it to be transmitted safely via any device. In fact, because no plaintext card data is displayed or stored along the way, what a hacker or cyber thief could intercept is worthless to them. This reduces the risk to both retailers and shoppers.

The additional advantage of using Payment Card Industry (PCI) P2PE standard solutions is that it becomes unnecessary for retailers to add PCI certification into their IT landscape, which saves them both money and effort.

Given that many retailers have already rolled out – or are in the process of building – omnichannel environments, there are obvious benefits in that P2PE PoS solutions can be connected with smart phones and tablets. While mobile devices do not come with the security of static terminals, P2PE encryption ensures that customers’ card data remains protected.

What’s next on the horizon?

As well as the innovations being introduced by credit card payment companies, a second EU Payment Services Directive aims to reduce the costs of payment processing for retailers and improve security for customers. The way that this will work is to ensure the customer is authenticated against two out of three factors: knowledge, possession and inherence. Knowledge relates to a username, a password or a PIN, for example. Possession is the item being used to make the payment, such as a debit card or a smart phone. Inherence, however, is where things become interesting. This is a physical characteristic of the customer which, using today’s technology, could mean their voice, their fingerprint or the iris of their eye.

Biometric authorisation is what the future looks like. Fingerprint recognition is a common feature on smart phones already and is now being integrated into payment transactions. For retailers, there are some significant advantages and particularly when it comes to instant payments: those made in ‘real-time’ by a third party at the request of the customer. These will speed up the process, but importantly for the customer they will make the experience seamless, which is an objective of all retailers.

For security, this type of payment will be subject to authorisation under the new Directive if the transaction value exceeds 30 Euros or its equivalent in sterling. Although the legislation has been introduced under EU law, much like the General Data Protection Regulation, experts don’t anticipate any changes to this in the short-term for UK retailers once the UK exits the EU. In short, UK retailers will need to ensure they comply.
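As an added illustration (not code from the article or from Computop), the rule the Directive describes, namely that a transaction above the 30 Euro threshold quoted above must be backed by evidence from two different factor categories, can be written as a small policy check. The evidence labels and their category mapping are constructed for this example; the important edge case it handles is that two pieces of evidence from the same category (a password plus a PIN, both ‘knowledge’) do not count as two factors.

```python
from decimal import Decimal
from enum import Enum


class Factor(Enum):
    KNOWLEDGE = "knowledge"    # something the customer knows: password, PIN
    POSSESSION = "possession"  # something the customer has: card, phone
    INHERENCE = "inherence"    # something the customer is: fingerprint, voice, iris


# Constructed mapping of evidence types to factor categories (illustrative only).
EVIDENCE_CATEGORY = {
    "password": Factor.KNOWLEDGE,
    "pin": Factor.KNOWLEDGE,
    "card": Factor.POSSESSION,
    "phone_otp": Factor.POSSESSION,
    "fingerprint": Factor.INHERENCE,
    "face": Factor.INHERENCE,
    "voice": Factor.INHERENCE,
}

# Threshold quoted in the article: SCA applies when the value exceeds 30 Euros.
SCA_THRESHOLD_EUR = Decimal("30.00")


def sca_required(amount_eur: Decimal) -> bool:
    """Strong customer authentication is needed strictly above the threshold."""
    return amount_eur > SCA_THRESHOLD_EUR


def distinct_factor_categories(evidence: list) -> set:
    """Collapse the presented evidence to the set of independent categories."""
    categories = set()
    for item in evidence:
        if item not in EVIDENCE_CATEGORY:
            raise ValueError(f"unknown evidence type: {item}")
        categories.add(EVIDENCE_CATEGORY[item])
    return categories


def authorise(amount_eur: Decimal, evidence: list) -> tuple:
    """Return (allowed, reason). Two *different* categories are required above threshold."""
    if not sca_required(amount_eur):
        return True, "low-value transaction: SCA not required"
    categories = distinct_factor_categories(evidence)
    names = ", ".join(sorted(c.value for c in categories))
    if len(categories) >= 2:
        return True, f"SCA satisfied with independent factors: {names}"
    return False, f"SCA not satisfied: only one factor category presented ({names})"
```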

Retailers can also expect to see a rise in voice commerce and facial recognition payments. Already, customers are using Alexa to order their online shopping, but the additional authentication that’s needed under the new rules will ensure that the system cannot be abused or confused by the wrong voice. This is a good thing considering that, last year, a BBC reporter was able to fool HSBC’s voice recognition software when his twin brother mimicked his voice.

Facial recognition is very likely to become part of the automated payment experience, and it lends itself particularly well to transactions in bricks-and-mortar stores. Pilot schemes have already been carried out. One such is the MasterCard Identity Check, commonly known as ‘Pay by Selfie’, where the customer authorises a payment by taking a photo of themselves with their smart phone. The photo is compared with a reference image and, if the two pictures correspond, the transaction goes ahead. We envision a time when an intermediary app to facilitate this process is no longer needed in the retail environment.

Mastercard has said that it will make biometric identification available to its customers next year, either through fingerprint or facial recognition, not just for in-person payments but also for remote transactions. This will provide security for customers and it also meets their convenience preferences.

At this point many retailers, who are deep in their e-commerce and omnichannel transformation projects, may not be willing (or able) to establish the infrastructure needed to store biometric characteristics securely and ensure they are complying with data protection rules. Connections need to be made between hardware manufacturers and payment service providers to start the process so that smart phones, tablets or virtual reality glasses can save a highly encrypted copy of the customer’s fingerprint, voice pattern or iris to a given device.

Offering payment choice without breaking the bank


Wherever and however retailers are using PoS terminals, what they do need to ensure is that they suit their own particular IT infrastructure. Offering customers biometric payment facilities will only work if the back office is equipped to process them with the appropriate technology.

It’s easy to be caught up in meeting soaring customer expectations, but for retailers, IT resources can be severely stretched. One benefit of using point-to-point encryption at the PoS is that it reduces IT efforts for PCI security audits while increasing data security at the same time.

Given the challenges of digitisation, omnichannel and security, retailers should really consider spending precious IT resources on more important projects than payments. To achieve that, they can process payments independently of their bank rather than integrating directly with it. Processing payments directly with a bank or acquirer means retailers are locked in, because changing to a better or cheaper service always results in a good deal of IT effort.

However, there’s an additional option. If they use a payment service provider as a conduit for payments, retailers can change banks and acquirers without any IT changes: a phone call is enough to switch acquirers. This significantly improves the retailers’ negotiating power with acquirers to reduce costs, and frees IT resources for other innovations such as omnichannel solutions or tightened security.

Ralf Gladis is CEO at Computop

References

https://www.ukfinance.org.uk/convenience-of-debit-card-payments-puts-cash-in-second-place/

https://www.comparethemarket.com/media-centre/news/cancelled-cards-due-to-fraud/

https://www.ptsecurity.com/ww-en/about/news/

https://newsroom.mastercard.com/eu/press-releases/mastercard-establishes-biometrics-as-the-new-normal-for-safer-online-shopping/
