Mobile-Payment Vendors Beware: Sing The Song Of Standards Or Get Out
Written by Evan SchumanAs the various mobile-payment vendors—including Google, ISIS and PayPal—try and woo retailers, they are finding the conversation repeatedly veering away from flashy functionality and into issues of standards compliance and providing specs that match what retailers are using today. Those are points of resistance, though, when the vendors desperately need to differentiate their offerings and to argue for critical time sensitivities (“you must trial this right now”).
The retail chains, which hold most of the important cards in this game, are quite content to sit back and let the process take time. Cutting deals with whoever remains standing makes it slightly less risky anyway. We spoke with a few senior retail IT execs about their mobile-payment vendor discussions and the comments from two were the most illuminating. Dollar Tree CIO Ray Hamilton said he sees the tech limitations issues as already resolved (“I would prefer to pay with my smartphone than with a magstripe card—a crude, historic technology invented during my youth. Smartphones will have more than sufficient processing capabilities to encrypt data during the NFC transaction.”). No, it’s the standards issues that are his greatest concern, especially given that there are really hardly any significant mobile standards yet.
“I am motivated to accept any form of tender desired by the public, so I am planning to ensure that Dollar Tree will never miss an opportunity to accept a payment from a willing customer due to their form of legal tender,” he said. “I hope that a standard is developed to simplify the acceptance at retail. The landscape looks more like a battlefield between the wireless companies [ISIS], Google, Apple and others rather than a standards-based environment. This will not be widely and quickly adopted until retailers can and want to write to the specifications. If the offerings are fragmented, it will be difficult to reach a mass of users/accepters that makes it commercially viable.”
Another national retail IT exec—one who specializes in payment security and, therefore, wanted to keep his name and that of his employer far away from his comments—initially poked fun at the key issues. “Mobile payment security? As in jumbo shrimp and military intelligence?” But his team is seriously trying to fight off other departments that are being tempted by vendor seductions.
“Although we see mobile payment as inevitable, Network Services and I are digging in our heels until we find an adequately secure way of handling it,” he said. “We’re currently piloting an external-tokenization (approach), which will replace our existing POS and E-Commerce payment processes and substantially reduce our PCI footprint. To be acceptable, any mobile-payment scheme will have to play nice in this new environment.”
He added that his group is also “under continuing and increasing pressure from retail. We do not permit direct Internet access of any kind from our owned-and-operated stores. Any process or transaction bound for any outside entity (UPS, acquirer, etc.) is routed back via VPN through our corporate datacenter. A mobile-payment scheme would have to be happy with this, too.”
The chain is going to mimic the iPhone/iPod sleds that are becoming a commonplace retail feature, something his group is fine with as long as security testing is all smiles. “If, as is advertised, it has all of the same physical and logical security features of the new payment terminals we’re piloting, it would work just fine,” he said, before adding the mandatory caveat: “Budget, of course, is another matter.”
Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code.
-Marc
