Kroger Starts Mobile Coupon Program

Written by Evan Schuman
August 1st, 2008

With the background of repeated recent payment data breaches coupled with wireless security concerns, the U.S. Patent and Trademark Office last issued a trademark for a cellphone payment that leverages current retail equipment, an instantly encrypted validation code and completely sidesteps wireless communications. Plus, it avoids the retailer having to store the credit card number at all.

The Patent itself covers a variety of uses (see the Patent’s full text here as well as some illustrations that accompanied the federal filing), but its core functionality would require consumers to download a small applet to their phone, which would then be associated with a payment method plus a password and potentially some other authentication approach such as any form of biometrics. Password-only protection is the default scenario. Another piece of software would be installed in the retailer’s POS system.

The consumer would then visit that merchant and present their goods for purchase. The cashier would scan the products’ barcode—just as always—and would tell the consumer the total amount. The consumer would launch the mobile payment app, type in their password and then the exact amount of the purchase.

The app would display a large barcode on the screen. The cashier would simply scan the screen showing the barcode with the same laser wand that was used to scan the products’ barcodes. The phone’s barcode would include the exact price of the product among other items (including a date time stamp tied into that specific phone) and it would also expire in 60 seconds.

By using the laser scanning device, this approach theoretically sidesteps any wireless security concerns.
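The checks that such a barcode makes possible, as an added example that is not taken from the patent or the article: a keyed code binds the amount and timestamp, so the issuer can reject altered, stale, mismatched or re-scanned barcodes. HMAC-SHA256 (a message authentication code, standing in for the "encrypted validation code"), the `token|amount|timestamp|code` layout, and the names `make_payload` and `Issuer` are assumptions; the patent's actual algorithm is not described on this page.

```python
import hashlib
import hmac

VALIDITY_SECONDS = 60  # the article says the barcode expires in 60 seconds

def _code(key: bytes, msg: str) -> str:
    # Assumption: HMAC-SHA256 stands in for the patent's undisclosed algorithm.
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def make_payload(key: bytes, token: str, amount_cents: int, now: int) -> str:
    """Phone side: the string that would be rendered as the on-screen barcode."""
    msg = f"{token}|{amount_cents}|{now}"
    return f"{msg}|{_code(key, msg)}"

class Issuer:
    """Issuer side: holds the per-cardholder keys; the merchant never sees them."""

    def __init__(self, keys):
        self.keys = keys       # token -> secret key (hypothetical provisioning)
        self.redeemed = set()  # messages already accepted, to reject replays

    def verify(self, payload: str, charged_cents: int, now: int) -> str:
        try:
            msg, code = payload.rsplit("|", 1)
            token, amount, issued = msg.split("|")
            amount, issued = int(amount), int(issued)
        except ValueError:
            return "malformed"
        key = self.keys.get(token)
        if key is None:
            return "unknown account"
        # The code is checked over the raw received fields, before they are trusted.
        if not hmac.compare_digest(code.encode(), _code(key, msg).encode()):
            return "bad code"          # amount or timestamp was altered
        if not 0 <= now - issued <= VALIDITY_SECONDS:
            return "expired"
        if amount != charged_cents:
            return "amount mismatch"   # POS total differs from what was typed
        if msg in self.redeemed:
            return "replayed"          # same barcode scanned twice
        self.redeemed.add(msg)
        return "approved"

if __name__ == "__main__":
    key = b"constructed-demo-key"      # constructed sample values throughout
    issuer = Issuer({"tok-1001": key})
    barcode = make_payload(key, "tok-1001", 1299, 1_217_600_000)
    print(issuer.verify(barcode, 1299, 1_217_600_030))  # scanned within 60 s
    print(issuer.verify(barcode, 1299, 1_217_600_040))  # scanned a second time
```

The expiry window alone does not stop a second scan inside the 60 seconds; that is why the issuer also records which codes it has already accepted.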

According to the patent’s Tennessee-based holder, inventor Bob Lovett, the application would also update the credit limit—or bank account balance—that the consumer could still use. "The merchant’s scanner also outputs a barcode containing the product’s price," Lovett said. "The cell phone’s camera makes a copy of the barcode and then converts it to dollars and updates your remaining balance. This will alert card holder when an account is overdrawn."

The phone’s payment data would include the consumer’s age, Lovett said, which would theoretically accelerate purchases of age-restricted items (alcohol, cigarettes, fireworks, adult-themed magazines, etc.) as well as establish retailer due diligence and enable such purchases to go through self-checkout.

But one of the more intriguing possibilities is the approach’s digital micropayments potential. Such micropayments have historically gone virtually nowhere beyond ringtones and song downloads. Physical retailers have had an especially difficult time dealing with small payments, other than with cash.

Lovett makes his argument for micropayments using a purchase of a can of Coca-Cola as an example.

"Rather than sending the Coke’s price for authorization, the merchant’s POS will add the credit card to a spreadsheet with date/time stamp along with other small purchases," Lovett said. "Once every twenty four hours, when the banks’ server farms are least busy, the merchant will send the spreadsheet to the bank for processing. The merchant will pay five to ten cents for each microtransaction, versus twenty-five cents for Visa."

The approach will also have an E-Commerce component, as the mobile phone will also display a lengthy numeric equivalent right below the barcode, Lovett said, allowing for the number to be used on any E-Commerce site. That number would literally be used just as a debit- or credit-card number would be used.

Richard Mader, the executive director of the Association for Retail Technology Standards (ARTS) council, said that an initial scan of Lovett’s patent made it look promising.

"From a 30-minute review, it appears to be a excellent security method, unique to individual, can incorporate PIN or bio-metrics, would eliminate the merchant knowing and storing the CVV and card number," Mader said. "With further review, if no holes (materialize), this could be the ‘right’ standard method for mobile payment security. Since mobile in (the U.S.) is still in its infancy, now would be the time to agree this is the right method."

One industry executive who has pushed for more stringent security requirements—including a controversial effort to get the card data out of retail databases and to place it solely under bank control—also had kind words about this mobile patent approach.

"It does seem that it takes out some of the weak links in the payment process," said David Hogan, the CIO for the National Retail Federation. "It looks good on paper to me."

Hogan has been arguing recently—especially after the Hannaford data breach—that payment methods in general (and PCI specifically) need to be radically tweaked.

"PCI is a valiant attempt but I think that this recent incident (Hannaford) shows that you cannot just keep up with these professional (ill-intentioned) hackers," Hogan said. "The banks, the card associations and the merchants need to come up with a different type of payment method."

Hogan cites chip-and-PIN efforts in the U.K. and now Canada. "Is it foolproof? Probably not, but it’s a significant leap forward."

Another industry observer, Gartner security analyst/VP Avivah Litan, also said the technique had some strong potential.

"It’s indeed interesting because each cardholder has a unique code algorithm—which is only known by the bank/issuer/processor–that provides a unique encrypted validation code for each transaction," Litan said. "It’s a great solution. It would be like stealing your secured chip card so it’s a little like Chip-and-PIN."

One scenario to defeat such a system would be to either steal the phone right after the consumer has typed in the password or to surreptitiously steal the password and make arrangements to steal the phone later, perhaps as the customer walked home past a dark alley.

There are a few reasons why that’s unlikely. The first method—stealing it right after the consumer has typed in the PIN—is too risky as authorities could be alerted easily and quickly. Stealing it later is much riskier—in the physical confrontation and assault sense—than most data thieves want to get. Besides, it’s a modern cellphone with a constant signal broadcasting an exact location. It would be like deliberately stealing a credit card with a homing beacon on it.

Even so, Litan points out that this Patent still has a long way to go to navigate the rough waters of retail payments. Will banks, credit card associations and major retailers support it? Who will be willing to pay a cut of the dollars? If it pushes charges away from credit cards, will those forces resist it with a fury?


3 Comments | Read Kroger Starts Mobile Coupon Program

  1. Bill Bittner Says:

    It seems the only role for the phone in this scenario is to remind the shopper of what coupons they have selected.

    Handling coupons is a four step process: presentation, validation, valuation, and redemption. Most of the current efforts are centered around presentation.

    By combining the approach described here with a retailer’s website, the consumer could select the coupons from the website and receive a text message on their phone at the same time the retailer gets the updates for their POS files. Then the consumer has a reminder while they shop and the website can do all the promoting. An even better approach might be a kiosk in the store where the customer can print their list. But I guess that eliminates the phone altogether … The customer would just use their FS card and the printer would print the list in aisle sequence.

  2. Evan Schuman Says:

    Editor’s Note: Absolutely! Indeed, the bulk of the Kroger program could just as easily be on their Web site. In this deployment, it’s truly a reminder, as far as the consumer is concerned.
    But you have to throw in the more touchy-feely issues, such as using the cellphone for this is still going to seem new and different and fun. That won’t last long, though.
    The real issue here is the CRM component. Although a Web site could require registration and that the account name be linked to an active loyalty card, the unique identifiers within a phone allow that consumer to be tracked through many different campaigns through multiple retailers.
    That’s where the Cellfire part comes into play. Is it an advantage for the consumer? Maybe, to the extent that it could bring them more targeted offers in the future. I say “maybe” because the line between helpful offers and SPAM is quite subtle.
    Is it an advantage for the retailer involved in the trial? Not really. A Web campaign would likely deliver to them the same benefits.
    Is it an advantage for other retailers that want to take advantage of the data that Kroger collects? Definitely. Is it an advantage for the vendor selling this? Absolutely. As the central source collecting all of the data and then selling it to the highest bidder, the potential for making money out of that cell phone is quite real.

  3. Justin Says:

    I’m shocked that this even got to launch. I’m sure someone lost their job over this. This does not do anything except SLOW THROUGH-PUT. “Oh hang on let me pull up the app, punch in my pass-word, wait, what’s the total again? Oh thanks ok hang on…ok there you go now scan my bar code.” Good try and all…way to think digital, but good God…really?

