
The growth of point-of-sale systems

Payment technology developments over the years have revolutionised the way in which retailers operate - yet sophisticated payment technology implementations have become so ubiquitous they are barely noticed by consumers ... until they become unavailable.

However, says Andrew Turpin, Director Prism Payment Solutions Business Unit at trusted transactions company, Prism Holdings, these developments are placing increasing pressure on retail IT budgets.

He points out that 20 years ago most retailers in South Africa didn't accept credit cards; today retailers in the major urban areas would go out of business if they were not equipped to handle credit card payments.

"And a similar trend has emerged with debit cards. Today, those retailers who don't yet accept debit cards are moving quickly to implement these systems because their customers expect this facility to be available; if it isn't, they simply take their business elsewhere," he adds.

South African retailers are well advanced in preparations for the global migration to the EMV (Europay, MasterCard, Visa) global standard for the design, security, and functionality of smart card terminals and applications.

Smart cards are set to become the primary method of card payment in the next few years as Visa and MasterCard have mandated that all new generation payment cards issued by their member banks must be EMV compliant. This means EMV compliant POS (point-of-sale) terminals have to be installed at retail outlets around the globe so that they can safely accept any EMV-type smart card from any EMV card issuer.

Several of South Africa's largest retailers including Edcon, Pick 'n Pay and Shoprite Holdings, are leading the way in terms of EMV-readiness in SA.

According to Turpin, the move to smart EMV cards was based largely on a need to reduce the risk of fraud associated with other payment tokens such as magnetic stripe cards. It will be all but impossible to tamper with a smart card and the secure storage of the PIN on the card and the ability to 'update' the card at any terminal during a transaction will make fraud more difficult.

Smart cards also make it more difficult for thieves to pass off stolen payment cards as their own since the authentication requirements for these cards are more stringent.

The migration to EMV may not be attracting the media hype that year 2000 compliance did but it is a change of similar if not greater global impact as it does not merely affect how data is stored but it fundamentally changes the way consumers transact at the POS on a daily basis.

EMV, EPP, authentication and other security issues

To authenticate a consumer payment at the POS, the electronic payment system may examine what the user has (eg a banking card), what they know (eg password or PIN) and who they are (eg biometric scanning of a fingerprint or retina).

"At present, most retailers simply rely on the presence of the card and a cursory examination of a signature, to authenticate the user - hence the high rate of credit card fraud. For debit cards, the presence of the card is not enough - it has to be accompanied by a PIN. In the South African EMV environment, PIN authentication is mandatory.

"However, the local retail sector is still quite a way off the introduction of 'who they are' authentication of consumers utilising biometric technology, although interest in this area has been piqued," Turpin adds.

Meanwhile, when EMV technology is fully in place and with most EMV transactions requiring a PIN to accompany card usage, the only obvious avenue left for criminals to commit fraud will be to obtain both the victim's PIN and the card.

In order to reduce this risk, the Payment Card Industry (PCI) - an alignment between Visa and MasterCard for securing EPPs (encrypting PIN pads) - released specifications for POS devices in 2005.

All existing POS devices will have to be replaced by 2010 with devices that meet the PCI EPP security requirements - a requirement with enormous financial and operational implications for the retail sector.

"PCI EPP and EMV are inextricably linked. Both were introduced to minimise the risk profile inherent in card transactions," Turpin explains.

The payments industry is of necessity governed by standards and dominated by the international card associations, without which interoperability would be impossible. EMV Level 1 type approval focuses on the hardware used to read the card and EMV Level 2 type approval is focused on ensuring that the correct business rules are applied to the data made available from the card.

And the EPP specifications address the issue of PIN theft through observation, as well as card swapping scams. For example, the issue of PIN observation is tackled through specific design recommendations that mandate the manufacturer provides 'a means to deter the visual observation of PIN values'. This requirement can be achieved by using a privacy shield, a body block or limiting the viewing angle through design, with a polarising filter or a recessed PINpad."

How secure will EPP specifications make POS devices?

Turpin points out that in cryptographic terms, no system is ever regarded as infallible, merely very strong - and no algorithm is regarded as impossible to crack, but rather not cost-effective to crack in a timely manner with foreseeable technology advances (based on Moore's Law that processing power doubles every 18 months).

One of the major design features of EMV is that should a particular chip card ever be compromised the rest of the cards in issue and the scheme itself still remains intact. The technology and time required to achieve this is deemed high enough to not make this venture profitable to a criminal.

In the same vein, PCI EPP mandates that an EPP should, in addition to being tamper evident, be tamper responsive and on detecting a tamper event should immediately erase all sensitive data within it. PCI EPP goes further in stipulating that the level of protection should be such that it should cost a criminal an inordinate amount of money and effort per EPP to circumvent these mechanisms.

Beyond security to value-add

While the cost of complying with new security requirements for payment systems may be regarded as a "grudge" investment by many retailers, a growing number are becoming increasingly aware that their POS systems can be used for far more than simply accepting payment for goods or services. Retailers recognise that their payment systems can add value to their business and generate additional sustainable income.

Caltex SA, for example, shifted up several gears in its ability to provide its forecourt and C-Store customers with a fully functional card acceptance capability following the roll-out of a countrywide payment infrastructure provided by Prism.

In addition, this infrastructure - involving 1 400 POS terminals linked to the EasyPay payment switch - not only provides Caltex with an EMV-ready payment hardware platform, but the adoption of a multi-application terminal like the VeriFone Omni 3750 allows the paypoint to become a single place of purchase, payment and value-added-service delivery.

Because the terminals run a multi-application architecture, they give Caltex the ability to introduce new applications such as prepaid offerings or even smart card-based loyalty schemes. In addition, EasyPay offers value added services such as EasyPay Bill Payment and Prepaid Electricity so Caltex can easily include these as part of its offerings.

Disruptive and imminent technologies

Other technology developments which are likely to impact the retail sector in the not too distant future include advances in 'wireless' technologies like radio frequency identification technology (RFID) - which enable so-called 'proximity payment' solutions.

"Global experience to date clearly indicates that this type of payment mechanism is a useful substitute for cash transactions as it's suited to micro-payments, particularly where speed is an issue such as at fast food outlets, petrol stations, parking garages, road toll plazas, and even movie theatres. RFID is also used at automatic vending machines and - as London Underground and Hong Kong's Mass Transit Railway have shown - RFID has found significant traction in public transport systems where commuters alternatively would pay cash for their tickets," he says.

The newer and more popular Bluetooth and WiFi (802.11*) technologies are the enablers of 'vicinity' payment solutions. Technologies such as 802.11 have enabled the portability of always-online payment terminals which increase convenience and have been responsible for the development of new payment behaviour which is awkward to achieve without portability.

A customer need not leave the comfort of his vehicle, nor let his PIN-based debit or EMV card out of his sight when paying for fuel, because the attendant can bring the payment terminal to the driver to authorise the transaction. Portability means that the consumer never has to let his payment card leave his sight or direct control thus increasing security and convenience.

An example of this is a recent pilot project run by Prism in partnership with FNB at Shell which uses GPRS capability to facilitate a "no wires" rapid installation and ensures that the transaction data service is "always on". FNB is marketing Prism`s EMV ready FlexiLANE solution to its large retailer customer base with specific emphasis on multi-lane food retailers, petroleum retailers, restaurateurs and hotels. The solution provides state-of-the-art point of payment aggregation for those merchants who require multiple terminals and/or PIN pads. The pilot demonstrated that a typical installation of several portable WiFi terminals via a FlexiLANE hub and connecting to the bank via GPRS can be configured and transacting within three hours.

Proximity technologies are applicable to 10cm or less, and vicinity technology makes sense when confined to 100m radius or less, but cellphone wireless technology, and in particular the now readily available GPRS or broadband wireless make transacting anywhere anytime feasible.

"So that's where the cellphone fits in. In developing countries like SA, more people have cellphones than have bank cards and technologically, the mobile phone has the capacity to handle proximity payments. Indeed, Visa has stated that the mobile handset will be an important domain for contactless payments; MasterCard is already testing the technology and cellular handset manufacturers like Nokia are developing phones with payment capabilities.

"It's not inconceivable that in the not too distant future, you will go along to the supermarket and instead of handing over your credit or debit card to the cashier, you simply make the payment from your cellular handset with or without having to access the cellular network."

There are in fact many examples of mobile payment technologies and pilots currently in operation, such as the technology recently piloted by Prism which allows prepaid electricity consumers to access their entitlement of free basic electricity (FBE) using a standard cellular handset.

With the EasyPay over Mobile service, anyone who owns a credit card will be able to pay utility and other third-party bills from their own cellular handset knowing that the transaction is secure, private and authenticated.

"Voucherless Top-Up (VTU) is a technology that enables the distribution of cellular airtime via a standard GSM handset with access to a cellular network. The main driver for VTU is that prepaid users want to be able to recharge their airtime simply, securely and conveniently," he explains.

"However, one of the challenges of GSM communication in Africa is the logistics involved in 'selling' airtime to end-users. In this system, a vendor (an entrepreneur with a cellular handset) purchases bulk airtime from the network operator. Airtime value, as opposed to a virtual voucher, is then 'transferred' directly from the vendor's cellular handset to that of the customer. No stockouts can be experienced since no stock is issued as the airtime sold is instantiated in real-time in the network operator's systems.

"It is believable and probably inevitable that we shall soon observe a convergence within the retail payment arena, where the use of mobile phone, chip cards, contactless tokens, portable card acceptance and even the use of biometrics become common place, but one thing is sure, and that is that payment evolution and payment token innovation is unlikely to abate anytime soon. The retail payment revolution is far from over," Turpin concludes.

* IEEE 802.11 or WiFi denotes a set of wireless LAN standards developed by working group 11 of IEEE 802. The term is used specifically for the original version; to avoid confusion that is sometimes called "802.11legacy". The 802.11 family includes three protocols that focus on encoding (a, b, g); security was originally included, but is now part of other family standards (eg, 802.11i). Other standards (c-f, h-j, n) are service enhancement or corrections to previous specifications. 802.11b was the first widely accepted wireless networking standard, followed, paradoxically, by 802.11a and 802.11g. The frequencies used are in the microwave range. Most are subject to minimal governmental regulation. Licenses to use this portion of the radio spectrum are not required in most locations.

- A Federal Reserve Bank of Philadelphia Payment Cards Centre Discussion Paper published in 2001 stated:

"In a relatively short period, credit cards have become many consumers' preferred means of payment for travel, entertainment, retail purchases, and (in some cases) bill payment. In 1970, only 16% of households had a credit card, but by 1995, approximately 65% had at least one credit card. Consumers' use of credit cards also increased as merchants' acceptance and the distribution of card-reader terminals increased. Credit cards are now accepted at over four million locations in the United States and over 14 million locations around the world. According to the most recently available figures, consumers used their credit cards to purchase over $1 trillion of goods and services in 1999. Currently, credit cards account for almost 20% of all non-cash transactions."

Net1 - Prism

Net1 UEPS Technologies Inc acquired Prism Holdings Limited on 4 July 2006.

Net1 is a US-domiciled company, with its operations and management headquartered in South Africa and a market capitalisation of $1.4 billion. Net1 is an established NASDAQ-listed company, a market that provides a deep appreciation for intellectual capital and allows for the development and commercialisation of technology on an international basis.

Net1 provides chip card technologies and systems such as its Universal Electronic Payment System (UEPS) to establish a secure and affordable transacting channel between formal businesses and the un-banked and under-banked populations of developing economies.

Prism has historically focused on the provision of end-to-end EMV solutions, m-commerce technologies, GSM SIM mask technologies, and encryption products typically applied to high-end transaction processing for national retailers, banks and international network operators.

The combination of Prism and Net1 technology and service offerings creates an entity providing electronic payment solutions across all sectors of the economy including leveraging Net1's pension payment infrastructure into the formal retail sector in South Africa, Africa and other global markets.

It is the convergence of core technologies and people coupled with Prism's global reach, experience and knowledge of working within the Asian market as well as clear synergies between the two companies that has the potential to enhance the company's geographical penetration, amplify the company's technological advantage and increase the total number of transactions being processed.

The two companies will be fully integrated within the following six to 12 months.

Net1 (www.net1ueps.com)

Net1 provides its Universal Electronic Payment System (UEPS) as an alternative payment system for the unbanked and under-banked populations of developing economies. Net1 believes that it is the first company worldwide to implement a system that can enable the estimated four billion people who generally have limited or no access to bank accounts to enter affordably into electronic transactions with each other, government agencies, employers, merchants and other financial service providers.

UEPS accomplishes this by utilizing secure smart cards that operate in real-time but offline; this is unlike traditional payment systems offered by major banking institutions that require immediate access through a communications network to a centralised computer. This offline capability means that users of Net1's system can enter into transactions at any time with other cardholders in even the most remote areas so long as a portable offline smart card reader is available. In addition to payments and purchases, Net1's system can be used for banking, health care management, international money transfers, voting and identification.

Prism Holdings (www.prism.co.za)

Prism Holdings Limited is a Trusted Transactions company with expertise in the area of secure electronic transaction technologies and services. The company has a strong presence in South Africa, an established and expanding footprint across Africa and South-East Asia and local representation in the United Kingdom and Germany. Prism's head office is located in Johannesburg, South Africa; there are regional South African offices in Durban, Cape Town and Springs, as well as an Asia-based office situated in Kuala Lumpur, Malaysia.

Prism has a proven track record in the delivery of own IP technologies, solutions and services. Its core competencies around secure online transaction processing, cryptography and integrated chip card technologies are principally applied to electronic commerce transactions in the telecommunications, banking, retail, petroleum and utilities market sectors.

Prism has developed and implemented innovative payment-centric products that bridge the following technologies:

* Chip and wireless products including telecoms and financial software, 2G and 3G GSM SIM cards and secure access modules.
* Incognito transaction security modules, security products ensuring transaction authentication, confidentiality and integrity; third party products.
* OEM transaction modules including secure payment modules, encrypting PIN pads and outdoor payment terminals.
* Payment Solutions incorporating secure integrated POS payment systems, VeriFone products, EMV solutions/upgrades, payment software and the FlexiLANE/POS/GATE multi-lane chip payment system.
* EasyPay Services which controls the largest bank-independent financial switch in southern Africa.

Editorial contacts

Jenny Nijenhuis
Prism Holdings Limited
(011) 548 1000