Burger King Trial: No PCI, No Hardware Changes, A Lot Of Cloud

Written by Evan Schuman
June 14th, 2012

Burger King has been doing its own mobile payment trial at about 50 stores near Salt Lake City in Utah. But the fast-food chain isn’t working with Google Wallet, ISIS, PayPal or any of the other major mobile players. Its approach is trying to avoid the political—and technological and security-related—friction associated with the more well-known strategies by using a Starbucks-style stored-value card, and then adding a heck of a lot of cloud.

Burger King’s method can work on any iPhone or Android, completely denies any payment-card data to the retailer (keeping the whole trial out of PCI scope), requires no hardware changes and is all based on a cheap printed QR code stuck on the back of the POS or on a drive-through window.

The trial—Burger King is working with vendor Firethorn Mobile—is fairly simple. The consumer downloads the app onto his or her iPhone or Android phone, and then uses a regular payment card to load money into the app. At this stage, it’s a stored value card—not meaningfully different from what Starbucks uses.

Once inside the store, the customer scans the QR code. Given that it’s a static printed QR code, it doesn’t represent the order. “It merely says, ‘You are in Store 2007 and at register 3,’” said Steve Statler, Firethorn’s senior director of strategy.

This is where the cloud kicks in. The associate keys into her POS that a mobile app customer is there and that information goes into the cloud, along with her restaurant and register number. When the consumer scans the QR code, that info also goes to the cloud. Once a match is made, the associate’s POS screen tells her to proceed and take the order. Once the order is complete, it goes back to the cloud, which then sends the order and the amount to the customer’s mobile screen with a request for payment authorization. Once approved—and once it’s been verified that the funds are truly there—the money is credited to that store’s Burger King account and the associate is told to serve the food.

“We’re opening a two-way dialogue with in-store systems and the customer’s phone,” Statler said.

From a PCI perspective, it’s out of scope, because the restaurant is never given any payment-card data. We’re not talking about a token or end-to-end encryption or anything else. The store never even sees the data, nor can it access that information.

Authentication in the Burger King trial is a four-character PIN. But, Statler said, the authentication is decoupled from the payment flow, so a retailer could just as easily choose to use a retina scan.
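The pairing and authorization sequence described above (POS signal and QR scan matched in the cloud, order amount pushed to the phone, PIN approval, balance check, credit to the store account) is easier to reason about as code. The following simulation is an added example, not Firethorn’s or Burger King’s software: the `store=…;register=…` QR payload format, the first-in-first-out pairing rule used when a POS signal and a scan arrive for the same register, the PBKDF2 PIN hashing, the session states and all balances are constructed assumptions. It also shows the PCI point: the only thing the store side ever receives is a session id, an amount and a “serve” signal, while card top-ups are modelled as a balance credit because the card itself is handled between the customer and the app provider’s processor.

```python
"""Simulation of a cloud-matched, stored-value mobile payment flow.

Added example (not Firethorn's or Burger King's code). The QR payload format,
FIFO pairing, PIN hashing scheme, session states and sample balances are all
assumptions made for illustration.
"""
from collections import deque
from dataclasses import dataclass
from typing import Optional
import hashlib
import hmac
import os
import secrets


@dataclass
class Wallet:
    """Stored-value balance; the PIN is kept only as a salted hash (assumption)."""
    salt: bytes
    pin_hash: bytes
    balance_cents: int = 0


def hash_pin(pin: str, salt: bytes) -> bytes:
    # The article says nothing about PIN storage; PBKDF2 is this example's choice.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def parse_qr(payload: str) -> tuple:
    """Static QR payload -> (store, register). The 'store=..;register=..' format is constructed."""
    fields = dict(part.split("=", 1) for part in payload.split(";"))
    return fields["store"], fields["register"]


class Cloud:
    def __init__(self) -> None:
        self.wallets = {}          # customer -> Wallet
        self.store_accounts = {}   # store -> cents credited
        self.unmatched_pos = {}    # (store, register) -> deque of session ids
        self.unmatched_scans = {}  # (store, register) -> deque of customers
        self.sessions = {}         # session id -> dict

    # Consumer side: enrol and load value. The card authorization for a top-up happens
    # between the customer and the provider's processor; only the resulting balance
    # reaches this system, so no card data is ever held here or sent to the store.
    def enrol(self, customer: str, pin: str) -> None:
        salt = os.urandom(16)
        self.wallets[customer] = Wallet(salt, hash_pin(pin, salt))

    def top_up(self, customer: str, amount_cents: int) -> int:
        self.wallets[customer].balance_cents += amount_cents
        return self.wallets[customer].balance_cents

    # Pairing: the associate keys in "mobile customer here"; the phone reports the
    # store/register it read from the static QR code. The cloud matches the two.
    def pos_customer_present(self, store: str, register: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"store": store, "register": register,
                              "state": "awaiting_scan", "customer": None}
        self._try_match((store, register), pos_sid=sid)
        return sid

    def phone_scan(self, customer: str, qr_payload: str) -> Optional[str]:
        return self._try_match(parse_qr(qr_payload), customer=customer)

    def _try_match(self, key, pos_sid=None, customer=None) -> Optional[str]:
        pos_q = self.unmatched_pos.setdefault(key, deque())
        scan_q = self.unmatched_scans.setdefault(key, deque())
        if pos_sid is not None:
            pos_q.append(pos_sid)
        if customer is not None:
            scan_q.append(customer)
        if pos_q and scan_q:  # oldest POS signal pairs with oldest scan (FIFO is an assumption)
            sid, cust = pos_q.popleft(), scan_q.popleft()
            self.sessions[sid].update(state="matched", customer=cust)
            return sid
        return None

    def pos_state(self, sid: str) -> str:
        return self.sessions[sid]["state"]  # the POS polls this to know when to take the order

    # The completed order goes to the cloud, which pushes the amount to the phone.
    def pos_submit_order(self, sid: str, amount_cents: int) -> dict:
        s = self.sessions[sid]
        if s["state"] != "matched":
            raise ValueError("order submitted before a customer was paired")
        s.update(state="awaiting_auth", amount=amount_cents)
        return {"session": sid, "amount_cents": amount_cents}  # what the phone screen shows

    # Customer approves with the PIN; funds are verified before the store is credited.
    def phone_authorize(self, sid: str, customer: str, pin: str) -> str:
        s = self.sessions[sid]
        if s["state"] != "awaiting_auth" or s["customer"] != customer:
            return "declined"  # wrong customer, not yet ordered, or already paid (no replay)
        w = self.wallets[customer]
        if not hmac.compare_digest(hash_pin(pin, w.salt), w.pin_hash):
            return "declined"
        if w.balance_cents < s["amount"]:
            return "insufficient_funds"
        w.balance_cents -= s["amount"]
        self.store_accounts[s["store"]] = self.store_accounts.get(s["store"], 0) + s["amount"]
        s["state"] = "paid"
        return "serve"  # the signal the associate's POS waits for


def run_demo() -> dict:
    """Constructed walk-through: enrol, top up, pair at store 2007 / register 3, pay $6.49."""
    cloud = Cloud()
    cloud.enrol("alice", "1234")
    cloud.top_up("alice", 2000)
    sid = cloud.pos_customer_present("2007", "3")
    matched = cloud.phone_scan("alice", "store=2007;register=3")
    cloud.pos_submit_order(sid, 649)
    wrong = cloud.phone_authorize(sid, "alice", "0000")   # mistyped PIN: session stays open
    result = cloud.phone_authorize(sid, "alice", "1234")
    return {"session": sid, "matched": matched, "wrong_pin": wrong, "result": result,
            "balance": cloud.wallets["alice"].balance_cents,
            "store_credit": cloud.store_accounts["2007"], "cloud": cloud}
```

Two design points worth noticing. First, because the QR code is static, the cloud can only pair by store, register and arrival order; the FIFO rule here is one way to resolve two signals at the same register, and a real deployment would need the associate’s confirmation step the article describes to catch mispairings. Second, a session that has already reached the `paid` state refuses a second authorization, so the same pushed payment request cannot be approved twice.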

“It’s like Starbucks, but without the hardware,” he said. “For a large national chain, doing an upgrade to optical scanners is very expensive.”

Future capabilities—which are not being tested in the Burger King trial—would be adding menus to the app, along with integrating CRM profiles.

One other way to avoid friction, in this case, involved Apple. As Apple moves into mobile payments—or at least gets very close—there are always concerns about getting mobile apps approved for Apple’s App Store. By having the app be a Burger King app (as opposed to a Firethorn app, which is how Firethorn used to do this), Apple is much more inclined to clear it through.

“The reality is that the people who have the power to make this mobile (effort) happen are the retailers,” Statler said. “It’s got to be their app.”


One Comment

  1. Dom Celentano Says:

    The BK mobile payment is in my opinion, a gateway entry point to introduce consumers to mobile as a shopping tool. Payment via mobile gets the “fast” into fast food payments, which still rely on traditional systems. However the intrigue is really the next steps that can be implemented in digital consumer engagement.

