Digital Transactions Authoritative, insightful and timely information for payments professionals
The use of customer off the shelf (COTS) technology suggests that a merchant can leverage personally procured Android or Apple devices to execute point-of-sale operations. Even in today’s rapidly evolving payment technology, it’s a bold assumption. Such an implementation poses significant security challenges beyond contravening numerous acquiring and payment card industry data-security (PCI) regulations.
PCI and EMV have made commendable strides in safeguarding merchants against sensitive-data compromises and, more important, protecting that data from unwitting merchants. Manufacturers, banks, and ISVs spend significant capital certifying these devices and deploying them securely. Modern point-of-sale devices are bastions of virtual and physical security. Any product strategy that suddenly degrades trust in the physical device and the operating system, solely for the sake of customer convenience, deserves to remain a myth.
Ingenico and Verifone, the dominant POS products in the U.S. market, are well on their way to embracing the mobile revolution. They and others currently deploy Android-based models in multiple form factors. Others have built sophisticated, “hardened” offerings on top of Android, protecting against physical attack and handcuffing the operating system to fend off digital assaults.
Downloaded applications cannot be added to these hardened devices, much to their prospective owners’ dismay. That is one of the underlying promises of COTS, that merchants can use their devices as they’ve always seen fit. Payment acceptance is just another app they can download.
As previously mentioned, however, there is hope on the horizon. EMV and NFC technologies represent huge steps, but critical hurdles remain. The United States is the only country still accepting the magnetic stripe for branded credit/debit, saddling POS product evolution, much less merchant environments, with obsolete, brutally insecure credentials. Still, progress is being made here. For example, Mastercard has begun retiring the magstripe.
Once in-the-clear stripe data is removed from payment ecosystems, EMV technology can really come into its own, leveraging secure communications and tokenization to eliminate major fraud vectors. The gold at the end of the rainbow is when card numbers are replaced by tokens throughout, which means a 3-year-old iPhone would be as secure as anything else.
Nobody would question that mobile is here and could largely replace legacy POS platforms in many use-cases. The real question is, how long before you can buy a POS terminal at the Apple Store?
—Cliff Gray is a senior associate at TSG, a payments advisory firm.
