Mobile Apprehension

Despite retailer questions over payment and security, app momentum building.

Angel Abcede, Senior Editor/Tobacco, CSP

Article Preview: 

Even as uncertainty over mobile payments and standards persists, Jenny Bullard of Flash Foods is letting loyalty-card holders use a smartphone application, or app, to pay at the pump.

Persuading more drivers to forgo paying with credit cards for the much cheaper automated clearinghouse (ACH) “debit” alternative has given the project purpose, as well as brought the 172-store chain fi rst to market in its area with mobile payment.

“We’d rather promote our program because of the lower transaction fee,” says Bullard, CIO of Flash Foods, Waycross, Ga. “Visa and MasterCard have not come to the table with a viable solution for retailers.”

To accept mobile payment using Visa or MasterCard today in many instances would mean a “card not present” transaction, which carries a higher transaction fee and the responsibility of a possible chargeback—not just for the preauthorized sale, but also for the whole amount, Bullard says.

Flash Foods is among the first convenience chains to embrace mobile payments via its own app. Many retailers have launched mobile apps in the past two or three years, but most have done so without the payment option. Instead, those chains started out with store-location and gasprice functions. But for Flash Foods, the time for mobile payment was right.

And Flash Foods isn’t the only one. The 589-store Cumberland Farms has been taking mobile payments for about a year, and this past spring revealed that customers have saved $1 million on gasoline since it launched the SmartPay Check-Link in January.

The program lets customers of the Framingham, Mass.-based chain pay for gasoline and in-store purchases either with a mobile phone or payment card. Free to enroll, SmartPay Check-Link users automatically save cents on every gallon of gasoline, every day. Following the transaction, the program automatically emails app users a receipt and tells them how much money they saved on that transaction.

Despite the potential, some critical uncertainties have deterred the industry from adopting mobile payment on a wide scale. Consider:

Lack of standards. Mobile payments can happen in dozens of ways. With no standards, retailers struggle with how to execute their programs.

Weak security. Beyond short, memorable passwords, consumers are lax on securing mobile transactions, leaving the channel vulnerable to hackers and data thieves.

No connectivity between phones and point-of-sale (POS) devices. Not all POS devices are equipped to handle mobile payment.

No incentive. As Bullard mentions, the major credit cards have provided little incentive. And without the ACH alternative in place, retailers see little benefit in upgrades and convincing customers to pay with mobile.

Still, mobile-payment programs such as the ones at Flash Foods and Cumberland Farms exist in spite of these barriers. Gray Taylor, executive director of the Petroleum Convenience Alliance for Technology Standards (PCATS), Alexandria, Va., says chains with the technological savvy and wherewithal to build such closed-loop payment infrastructures can bypass standards, even flying under the radar of data thieves.

Programs that focus on a single retailer, using one mode of payment, are less appealing to hackers because of the limited scope of their programs, Taylor explains. Even though these chains may process thousands—if not hundreds of thousands—of transactions daily, the option is good only at that specific chain, whereas other targets offer credit-card numbers that can be used at thousands of retailers or on the Internet.

“The joke,” Taylor says, “is you know you’ve reached a level of success when you get hacked.”

No Single Way

A driving guide for Flash Foods’ implementation was ease, Bullard says. It had already established a loyalty program with a magnetic-stripe card called Rewards in a Flash back in 2005; in 2008, it established the ACH debit element called GOBLUE. Customers already knew how to initiate a transaction at the pump, and the processing elements were set up at the back end.

Adding the mobile element meant a software update to the POS and the interfaces between the POS provider, The Pinnacle Corp., Arlington, Texas; and the ACH processor, National Payment Card, Coconut Creek, Fla.

“We didn’t want to force any new hardware or network infrastructure on our clients in order to support mobile payments,” says Drew Mize, COO of Pinnacle. “They didn’t have to segment their [local-area network] or have additional hardware to route messages. They didn’t have additional layers of data security.”

In the Flash Foods model, customers call up the app on their phones, type in their GOBLUE passwords and then receive a “tokenized” seven-digit code. They start the transaction by entering that code at the pump or inside the store. (See sidebar on p. 92.)

Of course, that’s not the only way to handle the transaction. Jason Groff, director of petroleum and convenience for NCR Corp., Duluth, Ga., says its solution uses quick response (QR) codes.

In NCR’s model, people who download the app fill out a profile, the extent of which the retailer can determine. A customer starting a transaction at the pump simply taps the app to take a photo of or scan the QR code, which identifies the pump and initiates the purchase. If the customer opts for an ACH or gift card, he or she enters a personal identification number (PIN). At that point, other in-store offers may come up on the phone or the customer may opt to shop the store from the pump. Groff says all the purchases can go on that single transaction and the customer can pick up the items in the store.

The two processes illustrate examples of the many ways a mobile transaction can occur, says Taylor of PCATS. Another way involves near-frequency communication(NFC), wherein a small chip in the phone can initiate a transaction much in the way contactless or tap payment options work—with the wave or tap of the card on a card-swipe terminal.

The underlying problem, Taylor reiterates, is that mobile payment has no standards. In this instance, some options go into the cloud, while others can interact directly with the POS. He says 125 mobile wallets exist today, each having different processes and structures.

“It’s like the wild West,” Taylor says. With the exception of NFC, no standards exist for any of the current options or processes. “No one knows who’s going to win or lose.”

A lot rides on standards development. “Ubiquity of service is the only way that a consumer will actually discard a leather wallet in favor of digital,” says Eric Barfield, director of product strategy for WorldPay U.S. Inc., Atlanta. “And standards are the most common way to drive ubiquity.”

Secure Element

A critical part of standardizing mobile payments will be data security. Mobile encourages a more relaxed data-security standard by its very nature. For instance, Taylor says he’s shortened his own passcodes for mobile so he can more easily key them in when doing financial tasks such as checking his bank account.

A better security method—even potential standard—would be one that takes advantage of multiple technologies. Taylor suggested facial-recognition technology tied to a four-digit PIN. What occurs in such a case is a one-time-use code that’s megabites in size, a format that can better deter hackers.

Another option would be tracking the unique way people handle their phones, Taylor suggests. The technology exists to capture the distinct ways individuals handle their phones, providing another digital signature to use as a one-time code.

What’s even more important than a high-tech code is what he calls each individual’s “secure element.” Essentially, it’s digital evidence of the person’s identity.

No standards exist regarding secure elements and, in some cases, phone companies or payment-card companies are moving to not only own that piece of the equation, but also charge for its use. Taylor says it’s a conversation that has to occur between retailers and lawmakers, so individuals are ultimately left to own those digital authentication elements.

Moving Forward

Despite the barriers that exist, mobile payments will soon enter the c-store space in a significant way.

“Apps in general are building a tremendous amount of momentum as petroleum and convenience retailers work to engage the customer,” Groff of NCR says. “Whether it’s a very large or very small operator, it’s a regular question.”

Part of that question is what value mobile payment brings to the retailer and, ultimately, the consumer, says Mize of Pinnacle. Beyond a scenario of closed loop combined with ACH, mobile payment currently has no value for either.

“It costs no less than consumers using a mag-stripe card—and in some cases more, because of card-not-present rules,” he says. “But if you remove interchange fees with [an ACH model], the retailer has the capability and opportunity to lower the price on the transaction … and the consumer [gets] an incentive.”

Taylor believes c-store chains of more than 100 stores will undoubtedly move into mobile payments. They have the physical infrastructure and the financial incentive of lower-cost transactions.

“The biggest driver is reducing the portfolio of payment costs,” he says. “It’s not a magic bullet, but magic BBs if you can take [a percentage] of that cost out of your base.” 

Mobile Payments in a Flash

Flash Foods Inc. wants its customers to phone it in—their payment, at least, for gas or in-store merchandise. The Waycross,Ga.-based chain of 172 stores initiated a pilot test of mobile payment at one of its stores this spring. Here’s how people pay:

Step 1: Download the app. Available to customers signed onto its GOBLUE loyalty program, customers download the app to their smartphones.

Step 2: Enter a PIN into the app. The first time they use the app to pay, customers will also have to enter their e-mails, but after that, it’s just the PIN.

Step 3: Receive a code. The phone then returns a seven-digit code that’s good for 5 minutes.

Step 4: Enter the code at the pump or inside the store. The code will initiate the transaction and open the pump.

Step 5: Rollback. The pump rolls back the price per gallon by 10 cents (a promotional per-gallon discount this summer).

Step 6: The customer fuels. 

Click here to download full article