A New Norm

 

Semi-integrated POS systems are quickly becoming a preferred option for acquirers and merchants.

Among the many outcomes stemming from the U.S. payment card industry’s burgeoning migration to the EMV chip card standard is the rise of semi-integrated point-of-sale systems, which enable merchants to use sophisticated POS software without worrying as much about EMV certification.

Dubbed semi-integrated because such systems offer merchants the benefits of POS software without directly integrating the payments module into that software, these POS products possess the enviable attribute of making EMV certification easier for the software developer while enabling merchants to accept payment methods in addition to magnetic-stripe cards.

While semi-integrated POS products are not new, they are attracting rising interest, and use, among merchants, developers and payments companies. In addition to enabling new payment methods, such products potentially can reduce the scope of an organization’s Payment Card Industry data-security standard compliance obligations, speed the EMV certification process, and reduce future costs. This can make the work of an independent software vendor or value-added reseller much simpler in today’s EMV world.

Generally, what distinguishes a semi-integrated POS product from the integrated POS sort is the separation of the payment transaction flow from the business-management software created by the developer. Payment data is captured via an attached PIN pad or POS terminal. The software that handles the transmission of sensitive payment data, often including the tokenization and encryption duties, is embedded in the card-accepting device. Only non-sensitive data like the payment amount and a customer identifier are sent to the POS software.

That separation of the payment data is a primary reason for the popularity of semi-integrated POS systems. By segregating the payment data, the developer’s certification obligations are lessened while the merchant, and consumer, benefit from more secure payments.

Time Savings

“A lot of integrators may understand what EMV means to them, but they don’t understand what it entails to support certification,” says Russ Palay, product director for integration services at Apriva, a Scottsdale, Ariz.-based mobile POS specialist.

What it means is months per certification application. Palay says it could take up to six months for the certification, which involves ensuring the transaction flows according to EMV protocols, to complete. Using a semi-integrated POS product could cut that down to just weeks, or even days.

EMV certifications in particular are proving troublesome to developers. Each time the developer’s software changes, it must be recertified. Each time the developer wants to use a different PIN pad or POS terminal, it must be recertified. Each time any nuance of the system touching the payment transaction flow changes, it must be recertified. This was not necessarily the case in the pre-EMV days of magnetic-stripe transactions.

Certification for mag-stripe payments verified the integrity of the message transmitted through the payment channel and the communication channel, says Rob McMillon, vice president of product security at VeriFone Systems Inc., a San Jose, Calif.-based POS hardware and software maker. “With EMV, you introduce the EMV cryptogram,” he says.

The cryptogram is a unique code generated by the chip card that issuers check to verify the card is authentic and not counterfeited. As part of the EMV certification, the cryptogram function has to be certified that it performs correctly and maintains its integrity. “In that situation, you have to go down to the terminal and all the way to the card brand for the decryption of the cryptogram to validate its integrity,” McMillon says.

It can be an odious task to do that for each card brand, each processor and each device, and then repeat the entire sequence whenever one piece is updated, such as the EMV standard. With semi-integrated POS products, because they eliminate PC-based POS systems from the certification chain, “you vastly simplify the number of certifications that have to get done,” McMillon says.

“Developers have their specific niches,” Palay says. “They may handle the inventory piece, the sales piece, but they don’t need to handle the payments.”

Moving the payment data out of scope, a reference to technology that reduces or eliminates the parts of the system subject to the PCI security rules, alleviates that obligation from developers.

Constant Cycle

“EMV has made it very difficult for most small and mid-tier developers to eat the cost of doing certification,” says Terry Ziegler, president and chief executive of Datacap Systems Inc., a Chalfont, Pa.-based payments software specialist. “It’s very difficult for them to amortize their costs with each certification if they’re putting on a couple accounts on each processor.”

Easing the EMV certification costs is paramount, he adds. “With EMV there’s a constant certification cycle that’s going.” For example, chip-and-signature is the current predominant verification method, but should most issuers adopt chip-and-PIN authentication, a separate certification process may be necessary.

Rather than the developer taking on these tasks, such companies as Datacap, Apriva, Ingenico Group, VeriFone, and Heartland Payment Systems Inc. do.

Even with the benefits, there are considerations for which to account. Someone must oversee the EMV certification process, choose which devices to support, court developers, and maintain the middleware that manages the communication between the payment-acceptance device and the POS software.

Decisions about which devices to support take on greater importance because of EMV certification issues, says Jeremy Gumbley, chief technology officer at Bristol, England-based payments provider Creditcall Ltd.

“Form factor is a big deal,” Gumbley says. For example, in the unattended space, payment devices need to be ruggedized to withstand the elements. In attended payments, vendors can choose conventional countertop POS terminals and PIN pads or mobile ones.

CardFlight, a New York-based mobile POS provider, announced in March a deal with online-payments specialist Stripe to offer Stripe merchants a CardFlight reader that uses semi-integrated payment technology to enable card-present transactions for Stripe merchants who want to accept face-to-face payments.

“We developed middleware that the app developer can embed into their native app,” says Derek Webster, CardFlight founder and chief executive. “The reason we call it semi-integrated is because ultimately it’s getting built into a piece of compiled software they’re deploying.”

Another benefit of semi-integrated POS products is the compliance relief it can afford merchants who no longer operate POS systems that store sensitive payment data. Typically, merchants must certify their level of compliance with the PCI Security Standards Council’s requirements, and developers must adhere to PCI rules for payment applications.

Greatly Reduced Scope

By one estimate, from Mike English, vice president of product development at Princeton, N.J.-based merchant acquirer Heartland Payment Systems, a developer might see as much as an 85% reduction in what falls under the PCI compliance scope. Twice a year developers have to certify their compliance, English says. “If the developer doesn’t have to spend time on payments, that’s actually a benefit for them,” he says.

Developers, too, won’t have to spend huge amounts of money on certification costs, either. The special toolset necessary to certify starts at $10,000, says Andrey Tikhonov, senior director of payment technology at Infinite Peripherals Inc., an Elk Grove Village, Ill.-based mobile POS hardware maker. Each card brand will have its own testing requirements, usually starting at $10,000, he says. Fees could easily climb to a starting point of $30,000 when processor fees are tacked on, he says.

‘Pretty Big Leap’

Infinite Peripherals has embarked on the semi-integrated POS approach, too. The company is working with two large U.S. processors, who Tikhonov declined to name, that will provide Infinite Peripherals with access to approximately 60% of the U.S. acquiring base. “This will be a pretty big leap,” Tikhonov says. He anticipates these certifications will be completed early in the second quarter.

Longer term, Infinite Peripherals plans an integration with “practically every U.S. payment processor,” he says. “We are prioritizing the integration based on demand from our customers.”

Customer demand, as with many facets of the payments industry, will drive the types and number of semi-integrated POS products. Typically, the sales conversation will be more involved than for merchants looking for a traditional countertop EMV terminal without an integration.

“There is a distinction,” says Robert Martin, vice president of security solutions at Ingenico Group, a France-based POS terminal maker with U.S. operations based in Atlanta. “We have a conversation with our customer. We ask what are their needs? Do they need signature capture, forms-management capabilities? From that, we determine what’s the best path to go.”

For example, a quick-serve restaurant focused on moving consumers through the checkout line quickly may defer on signature capture and favor contactless payments, he says. Other merchants may have a loyalty program that needs to continue.

At Heartland, English says the sales pitch on semi-integrated POS products is both a little more complicated and a little simplified. For starters, the ISV has some work upfront, he says. “We provide the ISV with help in terms of support for the integration and some validation testing to make sure they have integrated everything correctly,” he says.

Semi-integrated POS customers work directly with Heartland’s salespeople. “It’s a lot more work upfront, but at the end of the day it’s a lot cleaner solution for the ISV, VAR, the merchant, too, and potentially the dealer,” English says.

At Creditcall, most developers will purchase the semi-integrated POS product on their own, says Gumbley. Typically, it’s not an online purchase given Creditcall’s focus on the mid-size merchant. “We’ve historically had a developer-centric approach to the sales channel,” he says. “We enable developers to find us on the Internet.”

Another sales avenue is independent sales organizations. At Apriva, which works with more than 1,100 resellers, Palay says ISOs want to develop relationships with ISVs, but don’t have the means to do so. Those opting to use Apriva’s semi-integrated POS product, which works with Anywhere Commerce’s Walker card reader, can resell it to merchants. “We have a lot of small ISOs maybe focusing on the kiosk vertical,” Palay says. “We’ll help make those introductions.”

Merchants’ penchant for semi-integrated POS products equals revenue for payments companies. “EMV is not going away,” says VeriFone’s McMillon. “And so the EMV certification requirements are not going away.”

Huge Growth

In nations that adopted EMV long before the United States, merchants typically use either a semi-integrated POS product or a standalone POS terminal, he says.

The next 18 months could prove a boon for semi-integrated POS products, says CardFlight’s Webster. “There’s a lot of ISVs that haven’t made their decisions about their EMV migration plans yet,” he says. “There will be huge growth.”

Expectations are that they will see value in easing the EMV certification process, benefiting from a reduced compliance burden, and being able to more quickly get a product to market.

“Semi-integrated POS products on the surface provide a lot of value for the U.S. market because they help alleviate the certification burden and help security across the board,” McMillon says. On a broader plane, the importance of normalizing the payment environment that will come through widespread adoption of semi-integrated POS products “is going to have an enormous and profound impact for years,” he says.