ATLANTA --When technological advances cause confusion and uncertainty, convenience store retailers may want to take a time out, breathe and calmly think about what their businesses really need.
Jumbled amid concerns about data security, loyalty opportunities and, of course, the enormous potential of mobile, cooler heads must prevail. At least that's what I got from a recent discussion with Chris Francis, vice president of market development for WorldPay US Inc., Atlanta.
I reached out to Chris to better understand data security in a mobile world and almost immediately, we began talking about confusion that exists in the marketplace:
Q: I've been hearing concerns about data security as the industry grapples with the concept of mobile--everything from marketing to payment. As an acquirer and transaction processor, much of that falls into your arena. What are your thoughts?
A: That's a loaded question right now. But it's important to take a step back. Yes, you're correct in that security with mobile devices is going to be paramount, especially with Android-style [devices] and some iPads. … Users can add applications--especially with Android, but it's not unheard of in Apple devices--where it's possible the application they've loaded may have malware.
But just in the way people spoke of loyalty 15 years ago, everyone is saying they want it, but there are so many flavors. Mobile is in the same space. You can mean couponing, push marketing, location-based messaging, things that have nothing to do with payment. A merchant could be talking about a mobile device with an EMV [Europay MasterCard Visa] reader with Bluetooth, or mobile could mean a consumer device with the ability to pay for a transaction. We have to first define what we're talking about.
Q: As a payment processor, can you talk about payments and security with mobile?
A: Let's start with a consumer using a mobile phone to pay at the store. With the exception of Google Wallet and Isis, which have had challenges with their networks trying to get to banks, most mobile wallets are a "card not present" transaction, which get charged a higher rate. It makes it expensive for the retailer. Thinking of convenience stores, it's a non-starter. Fuel retailers are making such a small margin on gasoline, it wouldn't be worth it. But that said, Visa, MasterCard and MCX [Merchant Customer Exchange, Dallas] are working on strategies to enable mobile wallets to provide enough [data] to make it a card-present transaction.
Q: But for several months now, we've heard of many c-store retailers taking mobile payments.
A: I've been talking about what we call "open-loop" transactions. The retailers you refer to are "closed loop." If you've got your own proprietary wallet and your own fuel card, then you don't have to pay the interchange. But in those cases, you've got costs in creating the program, handling it and [covering] the liability for it.
Q: I see. So moving past a customer using his or her phone to pay for gas, there are other mobile-payment options mentioned for our space, specifically mobile phones or tablets that have card-swipe devices attached.
A: Yes. A retailer may be doing line-busing with that device. In such a case, we have recommendations. First, make sure they use an encrypted card reader. There are a number of devices at reasonable prices that will plug into an iPhone, Android or iPad or connect via Bluetooth where a card that's swiped is immediately encrypted by the reader. So even if the iPhone has malware, you can't view the information. We strongly suggest that. The other piece is dependent upon the individual retailer and employees--it's to lock down those devices. If you're giving employees a company iPad, you don't necessarily want them surfing the Internet. In these environments, lock those down. That's a secondary measure to make the devices more secure.
Q: We've talked a lot about mobile, but data security in general and the movement to EMV, which you mentioned earlier, are big issues. What are your thoughts?
A: There's a lot of confusion out there. But know this--EMV helps prevent credit cards from being duplicated--chip and PIN [personal identification number] in particular--but it will not completely secure data systems. As a retailer, you still have to pay attention to your PCI [Payment Card Industry] status and continue to run a compliant shop. EMV deployment is not going to eliminate fraud. For instance, [Minneapolis-based mass retailer] Target had a large breach last year. They reissued all their cards with EMV. An argument could be made that even if they deployed EMV before the incident, they still could have been breached.
I know retailers have businesses to run. But when it comes to credit cards, they have to be in a daily mindset with compliance.
Now when EMV rules do come into play and liability shifts to the merchant--non-pay-at-the-pump in Oct. 2015 and pay-at-the-pump in 2017--the hope is that it comes at the right time, during an equipment upgrade cycle. Our advice is to deploy EMV as soon as you can within a financially responsible timeframe, but you don't want to be the last one on the block to do it. With our parent company in the U.K., we've found that as more EMV devices are deployed, fraudsters would identify which locations weren't compliant and they'd take their cards there.
Q: Easier said than done. As you say, EMV is a big, expensive undertaking.
A: Certainly. And beyond expense, it will require education. It needs cashier and merchant training, as well as customer training because the flow of the transaction is different from swiping a card. With EMV, you have to leave the card in the reader for second or two.
Q: We've covered a lot. What advice would you give retailers who may become overwhelmed?
A: I'd go back to my initial comment on loyalty. It's critical for anyone who wants to deploy a mobile solution that they identify what they want to accomplish. Is there a problem to solve? Is it giving more convenience to customers, more options make to make their products more salient? The answer to those questions will point them in the right direction. Folks can get caught up in the excitement of new technology, but if you lose sight of the end result, that's a problem. It's easy--and risky, as we've discussed--to deploy a solution that's not relevant to the customer or to you.
For more discussion on the trend of mobile and on issues of data security, look for the May issue ofCSP magazine.