There’s only one thing that’s holding mPOS back from being the POS environment of choice for all retailers: security. That’s the point of view of Bluefin Payment Systems CEO John Perry and its Chief Innovation Officer, Ruston Miles. Perry and Miles joined MPD CEO Karen Webster in a digital discussion on how mPOS and P2PE are the combo platter that could accelerate retail’s adoption of mPOS as its primary POS channel, Apple Pay notwithstanding. Get the details of what they talked about:
MPOS SECURITY: LESSONS LEARNED
“If data breaches have taught us one thing, it’s that hackers never sleep. They are always looking for another target. As mobile payments gain in popularity, we see mobile point of sale systems becoming the new target.”
JOHN PERRY, CEO BLUEFIN
After a two-year journey, Bluefin Payment Systems became the first company in North America to receive PCI validation for a point-to-point encryption (P2PE) solution. P2PE has become an integral part of retail POS security, alongside tokenization and EMV. And the validation, noted Perry, came at a time when consumers, retailers and the entire payments industry were suffering from a series of data breaches.
AND … SPEAKING OF BREACHES
By the end of 2014, there were a total of 783 data breaches in the U.S. (just over 2 per day), with over 85 million exposed U.S. consumer records. That’s a 27.5 percent increase over the number of breaches in 2013, said Bluefin’s Chief Innovation Officer, Ruston Miles.
Over the last year, added Miles, the “primary attack vector” was not hackers getting in and exposing a database full of credit card numbers – or data at rest. While these kinds of hacks still do happen, they do not happen much in the payments space. What Bluefin has found is that the attacks that are predominant now are those on data in motion, as it moves through the system.
“It doesn’t matter if you have EMV or not, or what kind of data is in the system, the hackers are getting to it as it’s moving,” said Miles.
What’s necessary for both the traditional POS and mPOS, then, is a “holistic approach” to security – a combination of EMV, tokenization and P2PE.
And that prompted question No. 1.
Karen Webster, MPD CEO and Digital Discussion Host, observed that while attending the NRF conference, a number of merchants mentioned that they were considering reversing the order of priority of those three layers of security – EMV, tokenization and P2PE. The reversal of priority, she said, was to put P2PE first – so encrypt data as it travels through the POS environment.
Miles replied that although EMV is necessary for fraud prevention, it does nothing to stop data from “walking out the door” and being exposed by hackers. That’s where encryption comes in. But for a number of larger merchants, it comes down to how many counterfeit, lost or stolen cards they experience or receive in a year. What’s the major risk in protecting their brand? It’s not really counterfeit cards – it’s data breaches.
In addition, even after the U.K. migrated to EMV, there were many merchants implementing encryption solutions.
“Why would they be implementing PCI validated P2PE in the U.K. if EMV was supposed to fix everything?” asked Miles.
THE HOLISTIC APPROACH TO SECURITY
According to Miles, after many conversations internally and with enterprises, two types of securing technologies really stand out today.
One type builds higher, stronger walls to keep the bad guys from getting in. But with those higher walls comes an obligation to keep them high, he said, and that’s where a lot of breaches happen.
“It might even be just one small hole in a retailer’s network that does it – hackers get in and expose the whole thing. So that kind of higher wall and stronger security technology is sort of a losing game in my opinion.”
The second type of technology is one that devalues data – hackers can get in, but the data is made useless to them. This includes technologies like tokenization and P2PE. P2PE encrypts cardholder payment and account data at the point of capture, protecting it as it flows through merchant IT systems. It becomes especially important for mPOS because even just a smartphone involves a number of players – cell providers, OS providers, software and hardware providers, the merchant – and because of this, there are a number of areas where things can go wrong.
“We now have a different understanding of how this all fits into the mobile space, and how much more important it is to implement.”
Question two came from the audience and related to processors that don’t have certified terminals. What, asked Webster, do merchants need to do to solve this problem?
The root question behind that, said Miles, is: if P2PE is so great, why are there so few validated solutions?
“There’s a really good answer to that – No. 1, it’s very different from the kind of end-to-end encryption on the marketplace that a lot of processors and other gateways implemented. They were able to go and build a largely software approach to end-to-end encryption.”
But when PCI looked at P2PE, it concluded that the system is only as secure as the weakest point in the end-to-end chain. So anything important needs to happen in hardware, not in software.
“By making that choice, the whole system is that much more secure, but that really means that a lot of processors and legacy gateways have to go upgrade their systems, implement new hardware, and have new processes,” said Miles.
“But we have a large number of large retailers interested in the distinction between validated and unvalidated encryption solutions. So, we’re going to see more and more validated solutions joining the list.”
THE MOBILE POS EVOLUTION: MORPHING INTO RETAIL
In retail, a fundamental transformation is happening at the POS – it’s now wherever it makes the most sense for consumers, which includes the consumer’s own cellphone or a merchant’s mobile device.
Merchants are taking advantage of mPOS solutions to benefit the consumer experience and interaction. And like what happened in e-commerce, said Miles, mPOS is moving from startups and small businesses to larger retailers that are expecting top-of-the-line mPOS products and security – right out of the gate.
“I think that one of the primary things that’s holding enterprises back from mass adoption of these mPOS solutions is, in fact, security,” said Miles. He added that these enterprises have internal PCI mandates where every application and system has to be PCI compliant. That is not possible with mobile apps, and that makes technology like tokenization and P2PE important.
It does not matter whether mPOS is a merchant’s primary or complementary system when it comes to P2PE – Bluefin’s whitepaper indicates that in order for mPOS to be successfully adopted within an organization, there are four key elements to consider. One of those elements is “seamlessness” – larger merchants, and even smaller ones, require that mPOS be an integrated experience. The solution also needs to be scalable to work with inventory management, loyalty programs and other real business applications.
But what will really make for an “mPOS win,” said Miles, is a solution that is not branded – one that doesn’t require the merchant to use a specific device, set of apps, etc. Rather, providers like Bluefin use a platform that has SDKs so that other app players can innovate and create apps that make the most sense for consumers and businesses.
Then, of course, there’s the key element of security. As mPOS skyrockets, can it keep up?
A common misperception among merchants is that mPOS is less secure than traditional POS systems. In reality, explained Miles, there’s not much difference between the security of each – in fact, oftentimes mPOS systems will prove to be even more secure, which could spark merchants’ interest in leapfrogging EMV to secure mPOS systems.
Question No. 3 … In Europe, observed Webster, to get an mPOS device certified, Visa and MasterCard require it to be chip and PIN and encryption enabled. Will this requirement happen in the U.S.?
“This year, no. But I’d love to see it happen,” said Miles. “We’ve seen a lot of people starting to better understand how these technologies interplay and what they can do – it would be my hope that the [card] brands take notice of that and see the desire in merchants to protect from breaches and do offer incentives for it or mandate it.”
Right now, he said, the focus is on EMV – that’s what’s doing the most to protect issuers, which is largely where the networks are seeing business.
WHY PCI VALIDATION FOR MOBILE P2PE?
When Bluefin looked into its crystal ball, it saw that devaluing data was the secure route to take. With its solution, the encryption is all done with hardware – tamper-proof, self-aware devices injected with millions of keys so each transaction is unique.
“The data is encrypted before it goes into the mobile device. From there, the apps can safely interact with the data without picking up PCI scope and exposing data to hackers. After that, information is passed on to the P2PE solutions provider, in this case Bluefin,” said Miles. When the cardholder data is encrypted, he added, there is really no change in consumer or merchant behavior – and the transaction is just as fast.
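The flow Miles describes above (and the “devalue the data” idea from earlier in the discussion) is easy to see in code: the reader encrypts the PAN at capture with a key that is unique to that transaction, the merchant’s app only ever forwards ciphertext plus non-sensitive fields, and only the P2PE provider, which shares the injected base key, can decrypt. The following is an added illustration, not Bluefin’s code or any PCI-specified algorithm: the per-transaction key derivation and the HMAC-SHA256 counter-mode stream cipher are simplified stand-ins (real readers use certified hardware with DUKPT and TDES/AES), and the device id, base key and test PAN are constructed values.

```python
"""Illustrative point-to-point encryption (P2PE) flow, standard library only.

Constructed example: a "secure card reader" encrypts the PAN at capture with a
per-transaction key, the merchant's mobile app handles only ciphertext plus
non-sensitive fields, and the P2PE provider re-derives the key to decrypt.
Key derivation and the stream cipher are HMAC-SHA256 stand-ins for the
DUKPT/TDES/AES used inside real PCI-approved readers.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _derive_transaction_key(base_key: bytes, device_id: str, counter: int) -> bytes:
    # One key per (device, counter); the counter never repeats for a device,
    # so every transaction is encrypted under a different key.
    return hmac.new(base_key, f"{device_id}:{counter}".encode(), hashlib.sha256).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # HMAC in counter mode: a teaching stand-in for a real block cipher.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


@dataclass(frozen=True)
class EncryptedCapture:
    device_id: str
    counter: int      # with device_id, plays the role of a DUKPT key serial number
    ciphertext: bytes
    tag: bytes        # HMAC over header + ciphertext: alteration in transit is detected
    last4: str        # the only PAN-derived field the merchant app may see


class SecureReader:
    """Simulates the tamper-resistant reader that holds the injected base key."""

    def __init__(self, device_id: str, base_key: bytes):
        self.device_id = device_id
        self._base_key = base_key
        self._counter = 0

    def capture(self, pan: str) -> EncryptedCapture:
        self._counter += 1
        key = _derive_transaction_key(self._base_key, self.device_id, self._counter)
        data = pan.encode()
        ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
        header = f"{self.device_id}:{self._counter}".encode()
        tag = hmac.new(key, header + ciphertext, hashlib.sha256).digest()
        return EncryptedCapture(self.device_id, self._counter, ciphertext, tag, pan[-4:])


def merchant_app_receipt(capture: EncryptedCapture, amount_cents: int) -> dict:
    """The mobile app forwards the blob untouched; with no key it never sees a PAN."""
    return {
        "amount_cents": amount_cents,
        "card": f"**** {capture.last4}",
        "payload": capture.ciphertext.hex(),
        "ksn": f"{capture.device_id}:{capture.counter}",
    }


class P2PEProvider:
    """The decryption environment: the only other place the base key exists."""

    def __init__(self, base_keys_by_device: dict):
        self._base_keys = base_keys_by_device

    def decrypt(self, capture: EncryptedCapture) -> str:
        base_key = self._base_keys[capture.device_id]
        key = _derive_transaction_key(base_key, capture.device_id, capture.counter)
        header = f"{capture.device_id}:{capture.counter}".encode()
        expected = hmac.new(key, header + capture.ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, capture.tag):
            raise ValueError("integrity check failed: payload altered in transit")
        keystream = _keystream(key, len(capture.ciphertext))
        return bytes(a ^ b for a, b in zip(capture.ciphertext, keystream)).decode()


if __name__ == "__main__":
    # Constructed values: a fixed base key, a device id and a test PAN.
    base_key = bytes.fromhex("00" * 32)
    reader = SecureReader("READER-01", base_key)
    provider = P2PEProvider({"READER-01": base_key})
    blob = reader.capture("4111111111111111")
    print(merchant_app_receipt(blob, 1999))   # app output: no PAN anywhere
    print(provider.decrypt(blob))            # provider recovers the PAN
```

Two properties worth checking against the discussion: the same PAN swiped twice yields different ciphertext, because the per-transaction key differs, and a single flipped byte in the payload fails the integrity check at the provider rather than decrypting to garbage. The merchant app’s output contains the last four digits and an opaque payload, which is what lets an app built on the reader stay out of PCI scope.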
For Bluefin, “it was also important to make this solution available to our software partners – we wanted to help them move into mPOS with their own applications, and our SDKs allow them to do that.”
One key thing to keep in mind is that Bluefin’s solution takes an mPOS vendor out of scope for PCI if the payment app only accepts card data through an approved secure card reader and Bluefin is the one doing the decryption. But that doesn’t mean merchants suddenly have zero responsibility, said Miles.
“The 334 PCI requirements that every merchant has to make go down to 35 questions with our solution – these are soft questions, not technical.”
HOW P2PE WORKS WITH MOBILE PAYMENTS
“When we launched our P2PE for mPOS, we wanted it to be the most useful for merchants,” said Perry. “There are versions of the secure card reader that accept contactless EMV – NFC payments – doing that all with the P2PE technology.”
No matter what the payment type is, the merchant should be assured that the data is encrypted before it ever enters the mobile device. Accepting mobile payments using the same secure technology is something that the company has to work with manufacturers on, but it’s definitely on the roadmap.
Question No. 4 … Webster then asked, “Would that also apply to cloud-based systems where there is no physical contact with a POS device?”
The major takeaway, said Perry, is the point of interaction – somewhere, the data is going to get from a consumer’s phone into a merchant’s mPOS device. Somewhere, there needs to be a technology that interfaces there – whether that be contactless EMV, keyed-in transactions, a swipe, etc.
“It’s in that device where you’ll find Bluefin’s P2PE solution. As soon as it senses the data, it encrypts it. With any of these cloud-based solutions, the concept is still to encrypt data before it gets into the device.”
“So why would one need P2PE in an Apple Pay environment where there’s no card data being transferred?” Webster asked.
“Any of the data flowing through the system should be encrypted, whether or not it’s of greater or lesser value than the next. With Apple Pay, when you get outside of the secure element with HCE, we’re starting to get further away from that device being a trusted device connected to the token,” said Perry.
However, Perry added that P2PE, while helpful in encrypting data, is sometimes just an additional layer of security with cases like Apple Pay.
LOOKING AHEAD: WHERE DOES THE MARKET GO FROM HERE?
The four essential elements of mPOS, Perry reiterated, are revenue generation, security, seamlessness and scalability. And for security specifically, those looking for an effective solution need to have a good understanding of what each technology – EMV, P2PE and tokenization – does.
There’s a lot of misinformation going around about P2PE, said Perry. But there’s a real opportunity in implementing the technology alongside EMV.
“It doesn’t matter what type of data flows through the consumer and merchant – the encryption really is what will drive the perception of consumer security. They need to understand that this data is flowing in a secure method.”