Beyond chip-and-PIN: the future of retail payments
This post was updated on January 4, 2017
Securing consumer payment data continues to dominate the retail industry’s agenda. A recent “The State of Retail Payments 2016” study by the National Retail Federation and Forrester showed that reducing credit and debit card fraud by implementing the new Europay, Mastercard, and Visa (EMV) chip card standards was retailers’ top payment challenge this past year. But it also found retailers busy with new data security enhancements.
With the one-year anniversary of the EMV mandate now behind us, I sat down with FreedomPay, a leader in commerce payments technology, to discuss where we are and where we’re headed with retail payment security. Sharing insights and best practices, I spoke with Chris Kronenthal, one of the industry’s preeminent payment security experts and FreedomPay’s chief technology officer, and Tom Smith, vice president of marketing.
Here are the highlights of our conversation.
So, let’s start with EMV chip card acceptance. Where are things now?
In 2016, retailers made a lot of progress in their transition to EMV. They also improved customer service challenges considerably, bringing the transaction times back to the two to three seconds that consumers are used to.
By year’s end, the bulk of EMV-related learning will have happened. And while there will still be remaining installations and updates that need to take place, most retailers can shift, and already are shifting, their focus back to addressing the broader issues of security and beginning to look again at innovations like integrated commerce and value-added services.
As retailers look beyond chip-and-PIN, what else should they consider for payment security?
The reality is that card security is just the beginning of the journey, not the end. For overall payment security, we recommend a trinity of best practices to better protect payment card data: EMV, point-to-point encryption (P2PE) and tokenization. This is in line with the recommendation of the Payment Card Industry (PCI) Security Standards Council (SSC) around a layered approach to payment security—where those three components are key.
Can you explain a little more about how these components work together?
The EMV chip card is meant to be an identity solution, verifying the authenticity of the card user. But once the chip card transaction happens, you want to look at how that transaction data is being protected as it goes back to the banking network. P2PE is the encryption mechanism that helps securely deliver that data. And the third component in the journey, tokenization, is looking at what data actually goes back to the merchant’s point of sale to act on in the future for a refund or a void, and swapping a sensitive data element with a non-sensitive equivalent.
What should retailers look for in a payment solution provider?
It’s important to look at two key things. You want to make sure that your provider has the full support and certifications that back up the fact that they offer a truly secure implementation. The must-have requirement is the validation from the PCI Security Standards Council that a provider’s solution meets its standards for P2PE. The PCI SSC has also released P2PE 2.0, the next iteration of that validation, of which only a handful of providers are certified.
Beyond PCI validation, retailers should also look at the solution’s functionality and ask themselves what they will be allowed or not allowed to do based on how the technology works. It is now those technological differentiations where value really exists among providers.
On that note, congratulations on being one of the first to receive this new certification. What is the most important gain for a retailer of a validated P2PE solution?
The biggest gain is that it offers the safest, simplest path to mitigate fraud responsibility. The PCI SSC has made it very clear. There is only one way to guarantee scope reduction for a merchant’s point of sale and network infrastructure, and that is unequivocally a validated P2PE solution.
Anything else requires the approval from an independent auditor to look at your specific environment, and then that audit has to be approved by the merchant acquirer who is underwriting your risk of fraud back to the payment card companies. So with any provider that purports to be secure and encrypted but is not PCI-validated, the retailer is at risk of bearing the full cost burden of a fraud.
So, let’s segue into talking about innovation around the credit card processing process since retailers are going to be investing in the change to P2PE solutions. How do retailers make sure they are futureproofing their systems through the choices they’re making to enable innovation with the consumer at the point of sale, as well as innovations they might want to take advantage of as they actually implement these solutions?
There is a set of core things that every merchant should be looking at from their service provider’s perspective. The big three are security, scalability, and high availability. Credit card processing is one of these key fundamentals like cable and electricity. You expect it to work. And so payments technology providers like FreedomPay have chosen backend systems and infrastructure that allow us to hit all three of those.
We want to offer our customers the strongest security, so we follow best practices from the PCI Council and pick technologies that are recognized for their strength in security. We also want to give merchants the ability to scale workloads in a highly available, very cost-effective environment. And that’s why all the folks we talk to, including ourselves, are now looking at the major cloud providers like Microsoft and an Azure platform to achieve that.
Knowing that a provider has that kind of backbone—with technologies that can manage the security of a cloud-based infrastructure, the infinite elasticity to handle their transactions, and the futureproofing from a globalization standpoint and what’s required to innovate—is one of those differentiation criteria.
What does Azure bring to the table for you?
As a payments technology provider focusing on value-added components (e.g., consumer identity and loyalty), we rely on the scalability of the Azure platform as we generate a 360-degree consumer profile across demand generation and fulfillment in that merchant’s outlet. The ease of access to that data through Azure data feeds, pulling the data into Office 365 and a Power BI model; that’s really why we picked the technology stack that we did.
Further, the Azure platform has reached a maturity level that when you get into high volume, low latency enterprise workloads, and you need things like premium storage and the advanced functionality of SQL Server, the things that Azure has done to function at an enterprise level make it very business friendly. Azure’s ease of integration is also very important for us. The ability to easily integrate our value-added services and the extensibility of Microsoft’s ecosystem of partner solutions on a common technology platform allows a faster go-to-market for merchants and helps enable them to take advantage of new innovations.
As we look into the future, what do you see as the ideal payments scenario with the biggest benefit to consumers and retailers?
As we think about integrated commerce and mobility, a utopian model would be an application by the retailer that is activated through short-range Bluetooth. As a shopper walks into my store, it says here’s my merchant app and here’s how you can quickly and easily add your payment method to it, which involves security and tokenization.
The shopper can then interact with the app as they walk around, and through means of facial recognition and traffic management, the retailer can give that consumer the best possible experience. And when they get to the checkout lane, they are reminded of all the coupons and offers relevant to them. And when they pay by their preferred method, there is a frictionless and totally secure experience between the terminal, POS and the backend providers. All that data is then represented both back to the consumer and merchant so each can decide how the experience went. The shopper can decide if they want to do it again, and the retailer can determine how to further improve the experience they deliver. I think that should be everyone’s goal to achieve.
Learn more
We hope this post has given you a glimpse into how retailers can adopt safer data security practices and futureproof themselves for future innovations. If you’d like to learn more, visit FreedomPay’s website. And for more information on what Microsoft Azure can do for your business, go here.
And if you’re heading to the National Retail Federation’s BIG Show 2017 this month, make sure to visit us at the Microsoft Booth (#2803). Here you’ll be able to see for yourself where retail payment security is headed and how FreedomPay’s innovative commerce technologies are transforming today’s shopping experience across the retail ecosystem: in-store, online, and on-mobile.
LinkedIn: Brendan O’Meara