Evan Schuman's StorefrontBacktalk

With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office last issued a trademark for a cellphone payment that leverages current retail equipment, an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.

The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system.

The consumer would then visit that merchant and present their goods for purchase. The cashier would scan the products’ barcode—just as always—and would tell the consumer the total amount. The consumer would launch the mobile payment app, type in their password and then the exact amount of the purchase.

The app would display a large barcode on the screen. The cashier would simply scan the screen showing the barcode with the same laser wand that was used to scan the products’ barcodes. The phone’s barcode would include the exact price of the product among other items (including a date time stamp tied into that specific phone) and it would also expire in 60 seconds.

By using the laser scanning device, this approach theoretically sidesteps any wireless security concerns.

According to the patent’s Tennessee-based holder, inventor Bob Lovett, the application would also update the credit limit—or bank account balance—that the consumer could still use. "The merchant’s scanner also outputs a barcode containing the product’s price," Lovett said. "The cell phone’s camera makes a copy of the barcode and then converts it to dollars and updates your remaining balance. This will alert card holder when an account is overdrawn."

The phone’s payment data would include the consumer’s age, Lovett said, which would theoretically accelerate purchases of age-restricted items (alcohol, cigarettes, fireworks, adult-themed magazines, etc.) as well as establish retailer due-diligence and enabling such purchases to go through self-checkout.

But one of the more intriguing possibilities is the approach’s digital micropayments potential. Such micropayments have historically gone virtually nowhere beyond ringtones and song downloads. Physically retailers have had an especially difficult time dealing with small payments, other than with cash.

Lovett makes his argument for micropayments using a purchase of a can of Coca-Cola as an example.

"Rather than sending the Coke’s price for authorization, the merchant’s POS will add the credit card to a spreadsheet with date/time stamp along with other small purchases," Lovett said. "Once every twenty four hours, when the banks’ server farms are least busy, the merchant will send the spreadsheet to the bank for processing. The merchant will pay five to ten cents for each microtransaction, versus twenty-five cents for Visa."

The approach will also have an E-Commerce component, as the mobile phone will also display a lengthy numeric equivalent right below the barcode, Lovett said, allowing for the number to be used on any E-Commerce site. That number would literally be used just as a debit- or credit-card number would be used.

Richard Mader, the executive director of the Association for Retail Technology Standards (ARTS) council, said that an initial scan of Lovett’s patent made it look promising.

"From a 30-minute review, it appears to be a excellent security method, unique to individual, can incorporate PIN or bio-metrics, would eliminate the merchant knowing and storing the CVV and card number," Mader said. "With further review, if no holes (materialize), this could be the ‘right’ standard method for mobile payment security. Since mobile in (the U.S.) is still in its infancy, now would be the time to agree this is the right method."

One industry executive who has pushed for more stringent security requirements—including a controversial effort to get the card data out of retail databases and to place it solely under bank control–also had kind words about this mobile patent approach.

"It does seem that it takes out some of the weak links in the payment process," said David Hogan, the CIO for the National Retail Federation. "It looks good on paper to me."

Hogan has been arguing recently—especially after the Hannaford data breach–that payment methods in general (and PCI specifically) need to be radically tweaked.

"PCI is a valiant attempt but I think that this recent incident (Hannaford) shows that you cannot just keep up with these professional (ill-intentioned) hackers," Hogan said. "The banks, the card associations and the merchants need to come up with a different type of payment method."

Hogan cites chip-and-PIN efforts in the U.K. and now Canada. "Is it foolproof? Probably not, but it’s a significant leap forward."

Another industry observer, Gartner security analyst/VP Avivah Litan, also said the technique had some strong potential.

"It’s indeed interesting because each cardholder has a unique code algorithm—which is only known by the bank/issuer/processor–that provides a unique encrypted validation code for each transaction," Litan said. "It’s a great solution. It would be like stealing your secured chip card so it’s a little like Chip-and-PIN."

One scenario to defeat such a system would be either steal the phone right after the consumer has in the password or to surreptitiously steal the password and make arrangements to steal the phone later, perhaps as the customer walked home past a dark alley.

There are a few reasons why that’s unlikely. The first method—stealing it right after the consumer has typed in the PIN—is too risky as authorities could be alerted easily and quickly. Stealing it later is much riskier—in the physical confrontation and assault sense–than most data thieves want to get. Besides, it’s a modern cellphone with a constant signal broadcasting an exact location. It would be like deliberating stealing a credit card with a homing beacon on it.

Still, Litan points out this Patent still has a long way to go to navigate the rough waters of retail payments. Will banks, credit card associations and major retailers support it? Who will be willing to pay a cut of the dollars? If it pushes charges away from credit cards, will those forces resist it with a fury?