By Ed Collupy
The baseball season is in full swing, and as I continue to think about card payments in the petro/convenience store industry I’m reminded of the quote from the great Yogi Berra: “It ain’t over ’til it’s over.” And yes, it feels like we’re in extra innings, but there are some wins as evidence.
The focus has been, and remains, on EMV (EuroPay, MasterCard and Visa) inside the c-store and on planning for exterior implementation, but amidst these compliance-only initiatives other payment projects are taking hold. Some are centered on the customer experience at the point of sale (POS), others will take EMV through its next steps, and often these two meet up with security-related improvements.
Looking at other retailer projects as their EMV implementations wrap up can provide a signal that there is more to do. Contactless EMV and selectable kernel systems are active initiatives that convenience retailers are apt to face.
Contactless payments, where the card isn’t dipped or swiped, are in higher demand. Payment card issuers said at a recent forum that they want to support this technology.
With foodservice being top of mind for many in the c-store industry, McDonald’s, which was slow to implement EMV, has been an early adopter of EMV contactless technology. Likewise, a major U.S. technology retailer will be moving to a sixth round of EMV certification in 2018, with a focus on this capability.
Transit authorities across major U.S. cities are only starting to plan for EMV, but have a desire to implement contactless systems, and many believe this could be the home-run use case to spur levels of mobile payment adoption already found in Canada and Europe. And, the U.S. Payments Forum’s website suggests “now is the time for a full-throttled push…to debate the merits of dual-interface cards, mobile payments acceptance, and faster, more convenient check-out for merchants.”
Transaction size in convenience retailing ranges from low-value snack purchases to the higher-value transactions driven by cigarette and beer purchases. Selectable kernel configurations are an optional PINPad feature that supports different capabilities for different transactions.
For example, if allowed by the payment system, a terminal might allow only ‘No CVM (Cardholder Verification Method) Required’ for small transactions and support signature/offline PIN for the larger ones. Selectable kernel configurations allow PINPads to invoke configurations dynamically to support the required terminal capabilities on a transaction-by-transaction basis.
The customer is at the forefront of many payment-centric projects that are in the news every day. Person-to-person payments are expected to increase beyond the 36% of consumers who, in a recent Bank of America trend study, reported using such a service. Travel-related payments are among the top transaction types completed this way.
ExxonMobil recently announced the latest addition to its Speedpass+ mobile app gas station, making payments even easier for its customers who drive a Ford vehicle with SYNC3 technology or use an Apple Watch.
A new survey of 2,000 adults conducted by Morar Consulting for Adyen, a global multichannel payment company offering businesses an outsourced payment solution, found consumer expectations for retail payments in five years will be more demanding.
Seventy-seven percent expect retailers to offer mobile-payment acceptance. In addition, 67% expect to make wearable-device payments, and more than half of those surveyed believe they will be able to pay as they walk out of the store and have their credit card automatically charged, as Amazon is now testing.
SECURITY FOR TOMORROW
All of these advancements, moving payments forward, bring additional security needs that must be met to ensure broad and confident customer acceptance.
To accomplish this, and coming on the heels of EMV, POS software/hardware and other providers are developing point-to-point encryption (P2PE) and tokenization solutions.
Encryption and tokenization are two separate data security approaches and can be implemented independently of each other, but will be most effective when implemented together.
With P2PE, cardholder data is encrypted at one endpoint (e.g. PINPad) and decrypted at another endpoint (e.g. payment processor), which, in essence, scrambles cardholder data during transaction processing. There are multiple available implementation options of P2PE and each has pros and cons.
Depending on how you implement it, P2PE could bring benefits such as PCI scope reduction and greater flexibility for payment card routing options. Likewise, there could be downsides, including who in the payment cycle could decrypt the data and be exposed to a possible data breach.
Tokenization is a payment industry methodology for the replacement of sensitive data with a non-correlating unique identifier that cannot be derived or otherwise reverse engineered.
Also, tokenization provides an additional layer of security while cardholder data is in motion, in use, and at rest. Like P2PE, tokenization can reduce PCI scope and comes with the need to be thoughtful with your implementation methodology.
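An added illustration of the "non-correlating" property described above, not code from this article or from any vendor: a vault token is random and can only be reversed by a lookup inside the vault, whereas a hash of the card number is derived data that anyone holding the number can recompute. The `TokenVault` class, the keep-last-four format and the rule that tokens must fail the Luhn check are assumptions made for the example.

```python
import hashlib
import secrets

def luhn_valid(number: str) -> bool:
    """Standard Luhn check used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def derived_identifier(pan: str) -> str:
    """NOT a token: anyone who holds the PAN can recompute this value."""
    return hashlib.sha256(pan.encode()).hexdigest()

class TokenVault:
    """In-memory stand-in for a tokenization provider's vault (hypothetical)."""

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13 to 19 digits")
        if pan in self._by_pan:          # same card -> same token, for analytics
            return self._by_pan[pan]
        while True:
            # Random digits from the OS CSPRNG; only the last four are kept
            # (assumed business need, e.g. receipts and reconciliation).
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and anything that could pass as a real card number.
            if token != pan and token not in self._by_token and not luhn_valid(token):
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._by_token[token]     # KeyError outside this vault

if __name__ == "__main__":
    pan = "4111111111111111"             # constructed sample: well-known test PAN
    vault = TokenVault()
    print(vault.tokenize(pan), derived_identifier(pan)[:16])
```

Systems that store only the token hold nothing that maps back to a card without a call to the vault, which is where the PCI scope reduction mentioned above comes from.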
Assessing the various flavors of data encryption and tokenization with your solution providers, based on your business model and strategy, makes sense as a next step as you consider new payment programs at your stores and on your mobile app.
Here are some questions to consider:
• What data does my business require post authorization?
• Do I do transaction-based analytics today?
• What is my current settlement and reconciliation process? Will this be changing in the near future?
Advancing the bases is important to winning a baseball game. For petroleum/convenience retailers, the game is far from over and advancing payments forward in a thoughtful and secure way is important to winning, for your operation and for your customers.