A Breakthrough In The Contactless Payment Chicken-and-Egg Dance?

Written by Frank Hayes
September 11th, 2010

Contactless payments have been stuck in a chicken-and-egg loop for years: Customers don’t use contactless payment cards or NFC-equipped smartphones, so retailers don’t see the need to install equipment and promote its use. And without lots of their favorite retailers deploying contactless, consumers have no reason to take it seriously.

But on August 31, Cimbal launched a contactless payment system that may finally crack that hardware dilemma—and it may reduce the PCI risk associated with those mobile payments by keeping that data out of retail files. Many retailers have tried contactless systems where a customer’s smartphone displays a barcode that a cashier scans to complete the transaction. Cimbal flips that process: The retailer displays a barcode that the customer reads with his phone’s camera. That switch means retailers don’t need new barcode-reading hardware. It also means customers never show retailers their account information, so it can’t be stored—or stolen. (StorefrontBacktalk Franchisee Columnist Todd Michaud suggested an approach like this in March.)

Cimbal’s system works like this: Consumers download a smartphone app (available now for iPhone and by the end of the year for Android and BlackBerry) and register a bank account with Cimbal. When a purchase is made, the seller displays or prints out a 2D barcode that’s the equivalent of an encrypted bill, identifying the seller and the amount. The consumer scans the barcode with the phone’s camera and keys in a PIN to authorize payment of the bill. The transaction is sent to Cimbal, which sends immediate confirmation to the retailer.
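The flow just described, as an added example that is not Cimbal's code: a hypothetical processor with the three parties written as functions. The bill format, the processor-issued per-merchant HMAC key (standing in for the article's "encrypted bill"), the nonce and the PIN check are all assumptions; the point it shows is that nothing identifying the consumer ever passes through the merchant.

```python
import hashlib, hmac, json, secrets

# Constructed sample state for a hypothetical processor modelled on the article's flow;
# the merchant key, bill format and PIN check are assumptions, not Cimbal's design.
MERCHANT_KEYS = {"M001": b"processor-issued-merchant-key"}  # shared by merchant and processor only
MERCHANT_NAMES = {"M001": "MALL OF AMERICA"}                 # registered payee display names
ACCOUNTS = {"C42": {"pin_hash": hashlib.sha256(b"1234").hexdigest(), "balance": 5000}}
MERCHANT_BALANCES = {"M001": 0}
SEEN_NONCES = set()  # one bill, one payment: a re-scanned barcode must not pay twice

def merchant_make_bill(merchant_id, amount_cents):
    """Merchant/POS side: the string encoded in the 2D barcode: payee id, amount, fresh nonce
    and an HMAC so the processor can tell a genuine bill from one pasted over the screen."""
    body = json.dumps({"m": merchant_id, "a": amount_cents, "n": secrets.token_hex(8)}, sort_keys=True)
    tag = hmac.new(MERCHANT_KEYS[merchant_id], body.encode(), hashlib.sha256).hexdigest()
    return body + "|" + tag

def processor_resolve_bill(bill):
    """Processor: verify the MAC and return the bill fields plus the payee's registered
    name, so the phone app can show who is being paid before asking for the PIN."""
    body, tag = bill.rsplit("|", 1)
    fields = json.loads(body)
    key = MERCHANT_KEYS.get(fields.get("m"))
    if key is None or not hmac.compare_digest(tag, hmac.new(key, body.encode(), hashlib.sha256).hexdigest()):
        raise ValueError("bill was not issued by a registered merchant")
    return fields, MERCHANT_NAMES[fields["m"]]

def processor_settle(bill, consumer_id, pin):
    """Processor: authorise the PIN-approved payment and move funds. The merchant only
    ever receives the returned confirmation, never consumer_id or account details."""
    fields, _ = processor_resolve_bill(bill)
    account = ACCOUNTS[consumer_id]
    if not hmac.compare_digest(account["pin_hash"], hashlib.sha256(pin.encode()).hexdigest()):
        raise ValueError("PIN rejected")  # demo-only PIN check; production would use a PIN verifier/HSM
    if fields["n"] in SEEN_NONCES:
        raise ValueError("bill already paid")
    if account["balance"] < fields["a"]:
        raise ValueError("insufficient funds")
    SEEN_NONCES.add(fields["n"])
    account["balance"] -= fields["a"]
    MERCHANT_BALANCES[fields["m"]] += fields["a"]
    return {"merchant": fields["m"], "amount": fields["a"], "nonce": fields["n"], "status": "paid"}

def rejected(fn, *args):
    """True if the processor refuses the call (tampered bill, replay, bad PIN)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```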

Cimbal is already operating the system for consumer-to-consumer payments. It also claims that several large retailers, which it hasn’t identified, are trialing the system for a Q4 2010 retail rollout. Cimbal said its transaction fee will be about half of current payment-card merchant fees, with no fees at all on the consumer side. Although retailers won’t need new barcode-scanning hardware, POS systems will need to be able to display a 2D barcode on a screen or print it out on paper for the customer to scan.

Those POS software changes may be cheaper than buying new hardware, but they’re not a trivial proposition. Still, the biggest implications of Cimbal’s approach for retail IT aren’t in POS hardware or software. If retailers and customers begin using it, this could completely change how IT handles a whole category of transactions.

After all, the retailers that have tried 2D barcodes (Target and Starbucks use them for gift cards; Sears, Polo Ralph Lauren, Best Buy, the Gap, Nordstrom and others have tried them too) have treated them like conventional payment cards. The customer displays account information that goes into the retailer’s systems, where it’s processed and may or may not be retained.

Whatever else those conventional contactless approaches do, they don’t reduce how much data needs to be protected.

To be clear, this approach wouldn’t reduce any PCI headaches, because all the card data a retailer still handles must be accounted for. But by reducing the amount of stored data, it clearly will reduce the risk of data theft—albeit by a minuscule degree, at least until mobile payments become a significant share of revenue. That all said, it’s a start.

With Cimbal’s approach, the retailer never receives any account information from the customer. There’s no payment card data to retain. The only thing the retailer receives is confirmation from Cimbal that funds have moved from the customer’s bank account to the retailer’s.

This approach is possible because Cimbal is positioning itself as a simple middleman. It doesn’t need to partner with banks, card companies and the rest of the financial world. It’s a utility—albeit a very small utility right now. Although Cimbal says it’s lining up major retailers, it can’t claim the customer base of Visa or MasterCard. Whether it can scale up—and whether it can reliably deliver payments to merchants in addition to handling disputes and fraud—has yet to be proven.

But in a crowded contactless field, where a wide variety of 2D barcodes and NFC chips have failed to break through, a simpler approach—for customers, cashiers and retail IT—sounds like it might actually work.


6 Comments

  1. Ray Lee Says:

    The first thing and the biggest thing that springs to mind is the time it is going to take to complete this transaction. One of the real benefits of contactless using NFC is the reduction in transaction time but here, you are adding at least 3 more processes to the transaction. Whilst it may solve one problem, it seems to create many more.

  2. Preston Says:

    I find this intriguing as both a consumer and a merchant. I think the biggest hurdle they’ll have to overcome is brand trust. It’s one thing to link one’s bank account to Paypal (which doesn’t exactly have a spotless reputation itself), but it’s going to take some serious convincing for me to link my bank account to a relative stranger on the market. Saying “of course we’re secure” isn’t going to cut it.

  3. A Reader Says:

    Security-wise, this is a great solution for brick and mortar retailers. They won’t release the merchandise until they have assurance that the money’s in the bank.

    This also solves the problem of the consumer not being able to verify the payee who is hiding behind a fraudulent barcode. As an attacker, I’d want to hack the payment screen to show my barcode containing “pay to the order of Temporary Accomplice the sum of $10,000.” If the smartphone displays the payee, it would be harder to fall for phishing tricks. The user still has to understand who they are paying. How many of us would honestly catch an authorization to pay MALL 0F AMERICA as bogus?

    The risk also moves to attacks on the smart phone. A fake client could ring up some quick unauthorized charges once the user enters their real authentication info. Smart phones are among the more secure devices people carry, as the software vendors try to stay ahead of the jailbreakers, but they’re nowhere near as good as a hardened security device.

  4. A Reader Says:

    You just perfectly demonstrated the weakness I was pointing out in this system, and how it will still be susceptible to thieves.

    I successfully phished your web admin. Under the “Most Recent Comments” you re-typed my comment as “Mall of America” when I had very deliberately typed “MALL 0F AMERICA”. Note carefully the difference between OF and 0F.

    Phishing 101. Register a look-alike name through an automated registration system, and harvest the money as soon as it enters the account. I hope Cimbal is combating this by requiring new merchants to go through a manual vetting process and/or requiring them to post a large bond, but that’s a hard way to launch a new business.
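A check of the kind the previous two comments argue for, as an added example (not Cimbal's code, and the confusable map is a constructed subset): a processor could run it when a new merchant registers a display name and hold any look-alike of an existing payee for manual vetting rather than automated approval.

```python
import unicodedata

# Constructed confusable map (not exhaustive): after case-folding, characters that read
# alike on a phone screen are collapsed to one prototype, as the Unicode confusables
# "skeleton" does: i, l, 1 and | become l; 0 and Cyrillic/Greek o become o; and so on.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "i": "l", "|": "l", "!": "l", "5": "s", "$": "s", "8": "b",
    "\u043e": "o",  # Cyrillic small o
    "\u03bf": "o",  # Greek small omicron
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
})

def skeleton(name):
    """Canonical form of a merchant display name: compatibility-normalised, case-folded,
    confusables collapsed, spacing and punctuation dropped."""
    folded = unicodedata.normalize("NFKC", name).casefold().translate(CONFUSABLES)
    return "".join(ch for ch in folded if ch.isalnum())

def lookalikes(candidate, registered):
    """Registered names the candidate could be mistaken for (the identical string is
    excluded; duplicates are a separate check). A non-empty result is the signal to
    hold the registration for manual vetting instead of automated approval."""
    target = skeleton(candidate)
    return [r for r in registered if r != candidate and skeleton(r) == target]
```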

  5. James Says:

    Besides the security risks to the consumer listed above, if I am a retailer/merchant, how will I know the transaction has been validated? When will I receive the money? If it is just an approval code on a stranger’s phone, I cannot say it would put me at ease.

  6. David Says:

    And of course it needs a perfectly working data connection for the user’s mobile for all carriers in all deployed locations. Consumers and merchants are going to get fed up waiting for the payment to be received, I suspect.

    Most card data theft issues have resulted from hacking into retailer / processor databases, rather than attacking one card in use. Clearly Cimbal will have the bank details of all users, so they had better have watertight systems.

    The card systems are open and therefore scalable. There is also competition of a sort. What is the proposal here – Cimbal processes all transactions for all retailers with connections to all banks? I can see why they might want this, but in reality they would have to license to 3rd parties, create interoperability standards, promote a brand, create and enforce rules etc. – sound familiar?

    Let’s not confuse a clever bit of technology with a payment system.

