A Breakthrough In The Contactless Payment Chicken-and-Egg Dance?
Written by Frank HayesContactless payments have been stuck in a chicken-and-egg loop for years: Customers don’t use contactless payment cards or NFC-equipped smartphones, so retailers don’t see the need to install equipment and promote its use. And without lots of their favorite retailers deploying contactless, consumers have no reason to take it seriously.
But on August 31, Cimbal launched a contactless payment system that may finally crack that hardware dilemma—and it may reduce the PCI risk associated with those mobile payments by keeping that data out of retail files. Many retailers have tried contactless systems where a customer’s smartphone displays a barcode that a cashier scans to complete the transaction. Cimbal flips that process: The retailer displays a barcode that the customer reads with his phone’s camera. That switch means retailers don’t need new barcode-reading hardware. It also means customers never show retailers their account information, so it can’t be stored—or stolen. (StorefrontBacktalk Franchisee Columnist Todd Michaud suggested an approach like this in March.)
Cimbal’s system works like this: Consumers download a smartphone app (available now for iPhone and by the end of the year for Android and BlackBerry) and register a bank account with Cimbal. When a purchase is made, the seller displays or prints out a 2D barcode that’s the equivalent of an encrypted bill, identifying the seller and the amount. The consumer scans the barcode with the phone’s camera and keys in a PIN to authorize payment of the bill. The transaction is sent to Cimbal, which sends immediate confirmation to the retailer.
Cimbal is already operating the system for consumer-to-consumer payments. It is also claiming multiple unidentified large retailers are trialing the system for a Q4 2010 retail rollout. Cimbal said its transaction fee will be about half of current payment-card merchant fees, with no fees at all on the consumer side. Although retailers won’t need new barcode-scanning hardware, POS systems will need to be able to display a 2D barcode on a screen or print it out on paper for the customer to scan.
Those POS software changes may be cheaper than buying new hardware, but they’re not a trivial proposition. Still, the biggest implications of Cimbal’s approach for retail IT aren’t in POS hardware or software. If retailers and customers begin using it, this could completely change how IT handles a whole category of transactions.
After all, the retailers that have tried 2D barcodes—Target and Starbucks are using 2D barcodes for gift cards, Sears, Polo Ralph Lauren, Best Buy, the Gap, Nordstrom and others—have treated them like conventional payment cards. The customer displays account information that goes into the retailer’s systems, where it’s processed and may or may not be retained.
Whatever else those conventional contactless approaches do, they don’t reduce how much data needs to be protected.
To be clear, this approach wouldn’t reduce any PCI headaches because all the data must still be accounted for. But by reducing the amount of stored data, it clearly will reduce the risk of data theft—albeit by a minuscule degree, at least until mobile payments become a significant share of revenue. That all said, it’s a start.
With Cimbal’s approach, the retailer never receives any account information from the customer. There’s no payment card data to retain. The only thing the retailer receives is confirmation from Cimbal that funds have moved from the customer’s bank account to the retailer’s.
This approach is possible because Cimbal is positioning itself as a simple middleman. It doesn’t need to partner with banks, card companies and the rest of the financial world. It’s a utility—albeit a very small utility right now. Although Cimbal says it’s lining up major retailers, it can’t claim the customer base of Visa or MasterCard. Whether it can scale up—and whether it can reliably deliver payments to merchants in addition to handling disputes and fraud—has yet to be proven.
But in a crowded contactless field, where a wide variety of 2D barcodes and NFC chips have failed to break through, a simpler approach—for customers, cashiers and retail IT—sounds like it might actually work.
-Marc
September 13th, 2010 at 10:54 am
The first thing and the biggest thing that springs to mind is the time it is going to take to complete this transaction. One of the real benefits of contactless using NFC is the reduction in transaction time but here, you are adding at least 3 more processes to the transaction. Whilst it may solve one problem, it seems to create many more.
September 13th, 2010 at 1:02 pm
I find this intriguing as both a consumer and a merchant. I think the biggest hurdle they’ll have to overcome is brand trust. It’s one thing to link ones bank account to Paypal (which doesn’t exactly have a spotless reputation itself), but it’s going to take some serious convincing for me to link my bank account to a relative stranger on the market. Saying “of course we’re secure” isn’t going to cut it.
September 14th, 2010 at 9:15 am
Security-wise, this is a great solution for brick and mortar retailers. They won’t release the merchandise until they have assurance that the money’s in the bank.
This also solves the problem of the consumer not being able to verify the payee who is hiding behind a fraudulent barcode. As an attacker, I’d want to hack the payment screen to show my barcode containing “pay to the order of Temporary Accomplice the sum of $10,000.” If the smartphone displays the payee, it would be harder to fall for phishing tricks. The user still has to understand who they are paying. How many of us would honestly catch an authorization to pay MALL 0F AMERICA as bogus?
The risk also moves to attacks on the smart phone. A fake client could ring up some quick unauthorized charges once the user enters their real authentication info. Smart phones are among the more secure devices people carry, as the software vendors try to stay ahead of the jailbreakers, but they’re nowhere near as good as a hardened security device.
September 14th, 2010 at 12:19 pm
You just perfectly demonstrated the weakness I was pointing out in this system, and how it will still be susceptible to thieves.
I successfully phished your web admin. Under the “Most Recent Comments” you re-typed my comment as “Mall of America” when I had very deliberately typed “MALL 0F AMERICA”. Note carefully the difference between OF and 0F.
Phishing 101. Register a look-alike name through an automated registration system, and harvest the money as soon as it enters the account. I hope Cimbal is combatting this by requiring new merchants to go through a manual vetting process and/or requiring them to post a large bond, but that’s a hard way to launch a new business.
September 17th, 2010 at 4:49 pm
Besides the security risks to the consumer listed above. If I am a retailer/merchant how will I know the transaction has been validated? When will I receive the money? If it is just an approval code on a stranger’s phone I cannot say it would put me at ease.
October 1st, 2010 at 8:28 am
And of course it needs a perfectly working data connection for the user’s mobile for all carriers in all deployed locations. Consumer / merchant going to get fed up waiting for the payment to be received, I suspect.
Most card data theft issues have resulted from hacking into retailer / processor databases, rather than attacking one card in use. Clearly Cimbal will have the bank details of all user’s so they had better have watertight systems.
The card systems are open and therefore scalable. There is also competition of a sort. What is the proposal here – Cimbal process all transactions for all retailers with connections to all banks? I can see why they might want this but in reality they would have to licence to 3rd parties, create interopeability standards, promote a brand, create and enforce rules etc – sound familiar?
Let’s not confuse a clever bit of technology with a payment system.