Posted: Mar 05, 2014
Security fears serve as driver for stronger safeguards
By Ken Paull, CEO of ROAM
The recent high-profile security breaches involving point of sale (POS) systems in the retail sector didn’t involve mobile POS (mPOS), but no one in the broader electronic payments industry want to see breaches happen. We need to work together to eliminate breaches and ensure continued trust in electronic payments.
The only positive from incidents such as the Target breach is that they tend to raise awareness of risks, and an industry that is more aware is one that will be better prepared. We see this heightened interest in security happening now, not just with traditional POS systems, network security, and credit card technology, but also in regards to stronger security for mPOS. All in all, that’s a good thing.
Changing the conversation
For the past couple of years, mPOS has garnered attention for its ability to help businesses of all sizes, from small merchants to major retailers, drive more sales and bring greater efficiencies to many of their most important customer service processes. In this early adoption curve, the focus has tended to be on what’s cool and different—who can offer the sleekest-looking reader, or who can offer a visually appealing payment app. But now any headline regarding breaches are changing the conversation—putting more attention on security.
For ROAM, a mobile commerce platform provider which has always placed a strong focus on security, this change in the conversation has positive implications. Resellers and merchants alike are placing a higher value on security, which raises the bar above the standards, which have been lagging in this mPOS sector. In the long run, more attention on security will force all providers to up their games and will help reduce security risks. In the short term, however, the market needs to gain a better understanding of what a more advanced level of mPOS security entails.
Better mPOS security involves multiple factors, but a key starting point is encrypted card readers. ROAM was a leader in bringing out encrypted readers, which add a layer of security between the magstripe reader and the mobile phone or tablet so that unencrypted data never hits the device. This feature is now becoming standard in the mPOS marketplace. Payment acceptance applications also play a key role in a complete end-to-end mPOS solution. These apps should include security features such as user authentication and encryption.
When it comes to security of any type of system, a layered approach is best, and mPOS is different in this regard. So encrypted card readers is one layer, security at the app level is another. Another layer that will come into play as credit card companies and retailers migrate to EMV, is that the mPOS solution be EMV ready – meaning that they can provide mobile payment acceptance for both chip & PIN or chip & signature transactions.
As most everyone has probably heard in the wake of the recent data breach stories, EMV cards, used already in Europe and other parts of the world, are more secure than the magstripe technology used in the U.S. market. While it will take time for the U.S. market to completely move to EMV because of the change-out of infrastructure and the related costs involved, businesses are quickly realizing that it’s a necessary step and are starting to plan their EMV migration well ahead of the October 2015 deadline. ROAM, for example, is already helping its customers get prepared for this migration by leveraging the EMV expertise and capabilities of its parent company, Ingenico.
There’s also a middle tier for mPOS security that tends to get overlooked, but actually can provide some of the most effective security features. At the heart of this middle tier of security is what can be termed a “mobile payments engine” that provides the underlying technology powering these mPOS solutions. The most advanced engines enables businesses to implement pre-processing controls and set up custom risk profiles. This vital tier for mPOS security is addressed by our ROAMmcm 5 mobile payments engine.
Raising the bar
The more mature fixed POS market has offered these more advanced types of security features for some time, and fortunately, as the mPOS market matures it is finally catching up. As mPOS solutions start to move upmarket to larger retailers and services organizations, chief information officers and other leaders in these companies are simply going to demand this higher level of security out of an mPOS platform. At the same time, the smaller merchant category where mPOS enjoyed much of its early traction are going to get a nice “trickle down” benefit from the trend toward more advanced, layered security features which have demanded by these larger enterprises.
To the casual observer or consumer, mPOS might not seem very secure, since the transactions take place on a device that could be anyone’s smartphone. The average consumer just doesn’t realize the working of an encrypted reader or the multiple security layers that make mPOS safe.
Additionally, the nature of mPOS carries some inherent security advantages. For example, a mobile device isn’t hardwired into an in-store network meaning there is no single point or fixed communications line for hackers to exploit in order to penetrate these devices or the data on the network. When you can combine these inherently secure characteristics with a comprehensive set of safeguards in a mobile commerce platform, mPOS emerges as a secure technology choice that everyone can have a high level of confidence in.
To sum up, with the recent high-profile security breaches in the retail industry, and growing adoption of mPOS among larger retailers and businesses, the bar is being raised on mPOS security features. All the players in the mPOS ecosystem need to do more than just address this threat, but rather approach this as an opportunity to lower security risks for solution providers, resellers, merchants and consumers alike.
Ken Paull is the chief executive officer of ROAM.