Mobile 2 Go Blog: Cut the Confusion on Data Security
Acquirer advice: Define your topic, focus on your goals
Q: But for several months now, we've heard of many c-store retailers taking mobile payments.
A: I've been talking about what we call "open-loop" transactions. The retailers you refer to are "closed loop." If you've got your own proprietary wallet and your own fuel card, then you don't have to pay the interchange. But in those cases, you've got costs in creating the program, handling it and [covering] the liability for it.
Q: I see. So moving past a customer using his or her phone to pay for gas, there are other mobile-payment options mentioned for our space, specifically mobile phones or tablets that have card-swipe devices attached.
A: Yes. A retailer may be doing line-busting with that device. In such a case, we have recommendations. First, make sure they use an encrypted card reader. There are a number of devices at reasonable prices that will plug into an iPhone, Android or iPad or connect via Bluetooth where a card that's swiped is immediately encrypted by the reader. So even if the iPhone has malware, you can't view the information. We strongly suggest that. The other piece is dependent upon the individual retailer and employees--it's to lock down those devices. If you're giving employees a company iPad, you don't necessarily want them surfing the Internet. In these environments, lock those down. That's a secondary measure to make the devices more secure.
Q: We've talked a lot about mobile, but data security in general and the movement to EMV, which you mentioned earlier, are big issues. What are your thoughts?
A: There's a lot of confusion out there. But know this--EMV helps prevent credit cards from being duplicated--chip and PIN [personal identification number] in particular--but it will not completely secure data systems. As a retailer, you still have to pay attention to your PCI [Payment Card Industry] status and continue to run a compliant shop. EMV deployment is not going to eliminate fraud. For instance, [Minneapolis-based mass retailer] Target had a large breach last year. They reissued all their cards with EMV. An argument could be made that even if they deployed EMV before the incident, they still could have been breached.
I know retailers have businesses to run. But when it comes to credit cards, they have to be in a daily mindset with compliance.
Now when EMV rules do come into play and liability shifts to the merchant--non-pay-at-the-pump in Oct. 2015 and pay-at-the-pump in 2017--the hope is that it comes at the right time, during an equipment upgrade cycle. Our advice is to deploy EMV as soon as you can within a financially responsible timeframe, but you don't want to be the last one on the block to do it. With our parent company in the U.K., we've found that as more EMV devices are deployed, fraudsters would identify which locations weren't compliant and they'd take their cards there.
Q: Easier said than done. As you say, EMV is a big, expensive undertaking.
A: Certainly. And beyond expense, it will require education. It needs cashier and merchant training, as well as customer training because the flow of the transaction is different from swiping a card. With EMV, you have to leave the card in the reader for a second or two.
Q: We've covered a lot. What advice would you give retailers who may become overwhelmed?
A: I'd go back to my initial comment on loyalty. It's critical for anyone who wants to deploy a mobile solution that they identify what they want to accomplish. Is there a problem to solve? Is it giving more convenience to customers, more options to make their products more salient? The answer to those questions will point them in the right direction. Folks can get caught up in the excitement of new technology, but if you lose sight of the end result, that's a problem. It's easy--and risky, as we've discussed--to deploy a solution that's not relevant to the customer or to you.
For more discussion on the trend of mobile and on issues of data security, look for the May issue of CSP magazine.