You may have seen our post last year on Apple snubbing NFC (near field communications) technology in its iPhone 5. This year, reports suggest that Apple is including NFC capabilities in its new iPhone design. This further fuels the speculation it will add payments to its Passbook allowing customers to pay, receive offers and collect loyalty points through their mobile device.

The Integrated Retailer recently published an article suggesting NFC-enabled mobile devices will exceed 500 million by the end of next year. It seems the retail industry and its ancillary services are looking at NFC as a serious game changer in customer interactions, from point of sale, up and cross selling, providing customer offers and collecting insightful customer data.

We recently announced our partnership with Proxama to provide in-store coupons and vouchers via NFC-enabled posters that consumers can tap their phone to and redeem at the checkout. The partnership also allows us to create NFC enabled retailer apps that send offers directly to customer devices that are in range and have the store’s app installed. These services can be integrated into a mobile wallet to provide a holistic approach to customer interactions through one device.

The challenge for retailers now is to break down the risk perception consumers have towards NFC technology and using mobile wallets. However, we can see that this is the case throughout history, the most recent being chip and PIN services replacing signatures in payment card transactions, or online banking. People may think it is less secure or more risky than the legacy method, but once it is adopted these worries are forgotten.

The retail industry as a whole must now work to educate consumers about the simplicity of using NFC technology and mobile wallets to dispel any misconceptions customers may have on data security, privacy or ‘spamming’. By illustrating that a mobile wallet will be kept as safe as loyalty card data, online banking data and that offers will be tailored to the customer or be ‘opt-in’, we may alleviate some of these worries and drive NFC adoption amongst end users.

It’s unimaginable to envisage a supermarket with no customers, no check outs – manned or unmanned, gondola ends with tons of offers, and even the smell of freshly baked bread. But actually, Tesco has five and walk-in customers aren’t welcome. They’re not on the high street or even on retail parks. That’s because they are ‘dark stores’. They exist to serve the ever-growing needs for online shopping.

It’s ironic really: Tesco opened its latest ‘dark store’ in January and it created 700 jobs. In contrast, BlockBuster and HMV were slow to respond to the fast moving Internet-enabled business model, leading them into the red. 

Technology has rapidly changed the high street – although high rents and the changes in consumer behaviour have not helped. Some of this is down to the phenomenon dubbed ‘showrooming’, when people use their phones while out shopping to examine whether their prospective purchases are available cheaper online or elsewhere.

A recent survey found that four out of ten ‘showroomers’ end up making their purchases elsewhere. Indeed, one in five people said they only went into a shop to ‘check out’ something they planned to buy online.  Yet, some consumers still value what the high street can offer – the chance to inspect what they’re thinking of buying.

Various market research studies indicate that on average four of ten ‘showroomers’ end up making their purchases elsewhere – with some consumers even admitting that they only go in-store to ‘check-out’ things they planned to buy online.  There is an argument that consumers still value the high street – even if to inspect goods that they may eventually purchase online.

However, reflecting directly on the high street itself, technology can strengthen retention and sales. Firstly, being able to visualise and feel products is a big tick mark for the consumers. Retailers can capitalise on this and offer real-time discounts and incentives – increasing the likelihood of completing a purchase.  John Lewis, for example, offers free Wi-Fi to customers' in-store, which allows the retailer to match and improve offers as well as provide complimentary products or services using its multichannel infrastructure. John Lewis encourages consumers to do what most of us already do, go into the store, then look online to check if you can get it cheaper or with an offer.

Secondly, data is a key benefit for high street retailers. The more you know about your customers, the better they can be targeted with promotions and offers, giving you better ROI. Take voucher sites for example. Various websites today offer coupons and money back to an anonymous customer, making it difficult to tie that back to the person who redeems it. Alternatively, if this is issued through a mobile, it is unique to that handset, so you know the demographics of who is using the voucher, their location and when they use it. Retailers can instantly know if the unique voucher code has been used or not, and by who. Access to such customer buying behaviour data gives the retailer much better control over its marketing budget. But it’s not simply the data they collect on consumers – it’s also the data they can provide to their customers for future tailored deals.

High streets need to make available the tools consumers desire to interact in-store. This will allow the consumer to not only browse in-store, it will also encourage them to complete their purchase and take their shopping away with them.

December retail sales have disappointed.
British music industry loses the high street presence of HMV. 
Another few bite the dust. 
Britain gets a chilly welcome to 2013.

If you still need more evidence that the Internet has necessitated a rethink of customer engagement strategies, then you may as well shut shop and protect the few assets and cash-in-hand available to you.  The onset of the Great Reinvention (as we’d like to refer to the economic depression that started in 2008), marked the beginnings of the evolutionary process that would be driven by the Internet and the shift to online business and shopping.  To feign ignorance to the fact that we’re through the evolution phase (of four years) and are now stood at the chasm, would demonstrate poor judgement and a clear lack of understanding of the stark reality that faces us.

The jump across the chasm will require a rethink of customer interaction and engagement strategies – and, an in-depth understanding of how consumers think, shop around and buy. 

Blockbuster, Jessops, Morrisons and Comet have taught us that speed and agility are important considerations when adopting a multichannel retail strategy.  For those who’d like to argue that online shopping reduces the lucrative profit margins (that retailers have enjoyed in-store), should be inspired by the 44% y-o-y growth in web sales at John Lewis – a major contribution to the 13% growth in revenues in December 2012.

British high streets will get a face lift in 2013.  An experiential high street will start to emerge – one that caters to niche brands and customers and provides a face to virtual shopping experience.  Brick-and-mortar shops will adopt a lean presence as they rapidly embrace a multichannel environment.  Online only retailers will bring pop-up shops and digital windows to the high street – using tools such as augmented reality, QR codes and mobile apps to bring in customers.  eBay has already put this into practice by testing pop-up shops in 2012.

This experiential high street, with its multichannel infrastructure, will be driven by actionable insights – the ability to capture, combine and analyse customer interaction data to deliver personalised, value-add engagement to customers.

So, if you haven’t already, it’s time to embrace the Great Reinvention.

• Jones, D. The Sun, Price Crackers, p.24, 11 December, 2012
• According to Ofcom’s seventh International Communications Market Report
  
• The Economist Intelligence Unit’s Retail 2022 report
  

• Verifone pulls Sail out of 'fundamentally unprofitable' mobile -  14/12/201
• Should VeriFone's Exit From the Mobile Payments Space Worry - 15/12/2012 
• American Express Announces EMV Roadmap - 02/07/2012 
• iZettle launches Square-style mobile payments in the UK – 07/11/2012 
• www.sumup.co.uk/product 2012   
• Visa, startup iZettle settle mobile payments issue - 13/11/2012
  

• [1] – Payments Technology Conference 2012
• [2] - TFL's bank card plans unconvincing, says London Assembly - 18th November 2012 
  
• [3] - Awareness of contactless mobile payments doubles on last year - 10th December 2012
• [4] - Transport for London - Contactless Payments - 16th November 2012
  

NFC-enabled mobile payments only scratch the surface in terms of the services mobile technology can offer to retailers. For the true value to be recognised, businesses need to understand that it isn’t in the ability to just offer a payment service – it is in the customer interaction opportunities it creates.

Focusing on the mobile wallet from a pure payments perspective massively undervalues the impact mobiles can have. It could be said that tapping a phone is as useful as tapping a card, and as such, there’s no real benefit to the customer. However, if a consumer is tapping a phone for payment and simultaneously providing loyalty details and/or redeeming a money-off voucher, while using it to get additional in-store services, it is a bigger incentive for customers and retailers alike.

The mobile wallet enables the collection of valuable data to create customer interaction opportunities for retailers, marketers and advertisers. These interactions can include in-store customer loyalty programmes, vouchers, or location based services for customers.

For retailers data is one of the key benefits behind customer mobile use. The more you know about your customers, the better they can be targeted with promotions and offers, resulting in a better ROI.

For example, if retailers issue coupons and money back offers via mobile, it is unique to that handset, so the demographics of the user are known, as well as their location and when they use it. Retailers can instantly know if the unique voucher code has worked or not, and by who. By accessing this sort of data it gives the retailer much better control over the marketing budget. Retailers will be able to use this technology to tailor offers to the individual and build a personal loyalty package and shopping experience for the customer.

Mobile phones remain a key pain point for the market as there are only 12 or so NFC compatible phone models currently available. Apple often bides its time before diving in to developing tech markets. However, it unveiled a service called Passbook that pulls together loyalty cards, tickets and coupons. But Passbook drew coverage for what it doesn't do: it can't link directly to credit or debit cards, so consumers can't use it to replace their wallets. Once the next Apple iPhone is available, which is expected to have some sort of NFC capability, an integrated mobile wallet is expected to help drive adoption.

Adoption is really all about consumer education and that needs to start by addressing the underlying security concerns. Once users understand and have the confidence that a mobile is safer than a plastic card, due to all the security measures built into today’s mobile devices, we will start to see better traction. Consumers will also need the reassurance that they will be not liable if they fall victim to fraud, it’s down to the banks. The industry can then begin to reinforce the value proposition by introducing vouchers, loyalty services and targeted media.

Two news stories this week have really made the retail sector in the UK stand up and take notice. The first is Tesco’s introduction of an “interactive virtual grocery store” at London’s Gatwick airport, the first seen in the UK. Meanwhile, over in the US, Starbucks has announced a deal with Square, the company behind the same-named card payment reader, which will see Starbucks invest $25 million and switch its processing of debit and credit card payments to mobile payments.

Tesco’s introduction of the virtual grocery store is a huge step forward in the next level of customer interactions, driven by use of mobile. While this kind of technology has been used in other markets, predominantly in the Far East, for the first time UK consumers will be able to shop using a virtual shelf. Using their mobile phone customers can scan the products they want to purchase, adding them to their virtual basket and then arrange for them to be delivered to their home.

While this works very much  like the home-delivery service,  it means orders can be placed by scanning the products, away from the usual choose-and-click interface. This innovative offering takes advantage of technology already available in most of today’s smartphones. Consumers have the technology in their hands. All retailers need to do now is use it to their advantage through increased and innovative customer interaction points.

Starbuck’s support for Square is a very strong move, too – and again, it is mobile that is enabling this step change. Customers will still be able to use their cards and their payment card experience will not change.  But for Starbucks  could it mean the death of the till as the POS, as they are replaced with standard smartphones?  Starbucks also plans to roll out other Square products, including one that allows stores to sense when a user has walked in the door and accept payments simply by taking the user's name.

With more than one million mobile transactions to date, Starbucks and the wider industry is starting to experience the tip of the mobile-driven iceberg.

As this video by The Logic Group shows, mobile has a huge role to play in the future of customer interactions. Our industry should be searching for more and more innovative ways of influencing customer behaviour through the use of mobile technology.  This week’s news is certainly a strong indicator that mobile interactions are here to stay.

Irrational Fears
Have you ever had an irrational fear?  I've had quite a few in my time, but today I'll confess to one involving car windows.  When I had older cars with manually operated windows I had a phobia of cars with electric windows.  My fear was that if I drove one of these new-fangled electric windows cars, I'd have an accident on a bridge or along a body of water, my car would break through the safety barriers and would plunge into the dark icy waters.  I'd try in vain to open the door, but deformation from the crash would make that impossible.  The waters would flood the car electrics also stopping the electric windows from functioning.  So, as I sit in the rapidly filling car I would curse the day I stopped using cars with manual windows.  You'll be pleased to know that I did get over my irrational fear it's now over 5 years since I began using cars with electric windows and I'm still here.

It's security stupid

When I look at the recent hoo-ha surrounding the security vulnerabilities discovered in Google Wallet it makes me think that others might too be suffering from an irrational fear.  After all, for these vulnerabilities to be exploited, the miscreants need to have physical access to the phone itself.  As such, Google's assertion that the Google Wallet is still safer than the physical wallet holds.  After all, cards are totally unprotected in your physical wallet.

What is slightly less irrational is the fear that a rogue app downloaded from an official (or in some platforms unofficial) app store might allow the developer access to the wallet and it's contents.  It goes back to the initial slow uptake of internet banking on people's home PCs.  People will be weary, but if the industry players demonstrate that they are taking security seriously, it should happen.

Thus I don't think security fears are the key roadblock on the road to NFC nirvana.  The two biggest issues driving adoption of wallets are the availability of NFC-enabled smartphones and the fragmentation of mobile payment technologies.

Show me the NFC phone/PED

The former point is illustrated beautifully by the fact that neither of the two biggest selling smartphones in the UK last year (Samsung Galaxy SII and Apple iPhone 4s) sport NFC.  But 2012 may be a watershed year.  Already all major phone manufacturers bar Apple have announced NFC-ready phones and the much rumoured next iPhone outing (iPhone5 expected in September 2012) is also envisaged to sport the NFC standard.  On the other side of the equation 2012 also sees all major PED manufacturers rolling out NFC-ready models into the marketplace.

Together we stand, divided we fall

The fragmentation of mobile payment technologies though in my mind remains the single biggest obstacle to mass adoption of mobile payments.  Everyone seems to be trying to build their own mobile payments fiefdom, with the newswires littered by press release after press release on the launch of a mobile payment trial or technology.  This fragmentation not only makes life tough for handset manufacturers (who don't know what they should be supporting in their upcoming handsets), but they also muddy the water for the media and the public at large.

What we really need is an industry-wide effort ala Chip & PIN, which can give us consistent branding and a reliable user experience, which together with much greater marketing backing will really help drive adoption.  A whole new industry is there for the taking......if they only heed the advice of Khan Kubrat!*

* The Story of the dying days of Khan Kubrat (from Wikipedia):

According to legend, on his deathbed the Bulgarian leader (632ad – 665ad) Khan Kubrat commanded his sons to gather sticks and bring them to him, which he then bundled together.  He commanded his eldest son Boyan to break the bundle.  Boyan failed against the strength of the combined sticks, and so did the other sons in turn.  Kubrat undid the bundle and broke each stick separately.  He then proclaimed to his sons, "unity makes strength", which has become a commonplace Bulgarian folk slogan and now appears on the modern Bulgarian coat of arms.

Don’t you just hate it when you are rushing around town trying to do some last minute shopping when out of nowhere you are corralled by one or more young people dressed in colourful t-shirts, holding clipboards and eager to help you save the world by relieving you of some of your money.  Some refer to them as chuggers (i.e. Charity Muggers).  Whilst a tad harsh, this nickname does underline how unpopular this method of collection has become to parts of our society.  The issue is probably one of frequency – there seem to be so many that sometimes I feel like I’m tripping over them on my way to the shops.

And what makes it worse is that charity collectors used to be charming pensioners who quietly sat out of the way and patiently waited for someone to throw them a few coins.  Actually, this traditional type of street fundraiser has not disappeared all-together.  Almost every time I go to my local M&S I see a lovely old lady sitting on her folding chair with a large bucket ready to collect our loose change.  On cold days she even brings a colourful knitted throw over, which makes her look ever sweeter. The issue is that volunteers such as this seldom raise much money for charities.  Whilst their time is free, they often don’t have the extraverted attitude needed to engage passers by and get them to part with much money.  Charities quickly discovered that they can generate more money using professional fundraisers instead.  So even though they have to pay said young people at least the minimum wage (and by how eager they are one assumes they are actually on some sort of performance related commission) and pay the recruitment agency that provided them, they still end up with more money than using real volunteers.

So while this works for charities, the unfortunate reality is that chuggers will be perceived by some members of the public as decreasing the efficiency of a charity, as they cost money that can otherwise be used for more worthwhile things such as food, medicines or water sterilisation equipment.  Plus let’s not forget that they also decrease the efficiency of my town visit as they constantly try to stop me in my tracks and engage me in conversation.

So what can be done? I hear you say.  After all, charities need to raise money, especially in a global economic crisis which will end up hurting the needy hardest.  Well, there is a new service that will reduce, if not fully eliminate, the need for charities to rely on chuggers for their income.  This service is called Pennies.

The Pennies service is basically a digital replacement for the shop counter charity box.  A retailer registered with the Pennies scheme can offer their customers an unobtrusive option to round up their bill when paying with a credit or debit card with this extra money going to Pennies.  Pennies (who are a non-profit charity themselves) then distribute most of the money from a particular retailer to the retailer’s charity of choice with the rest going to one of 17 charities partnering with Pennies.  Having recently celebrated the first anniversary of their electronic charity box launch, Pennies are still a young organisation. Hopefully in time, we will see every organisation which accepts card payments join this worthwhile scheme.

As Pennies themselves point out, credit and debit cards account for billions of financial transactions a year.  Even a penny added to each one of those can amount to an awful lot of extra money for charities.  Maybe even enough money to make my journey down the high street chugger-free!

I am always weary of consumer surveys, and this week I have seen countless examples of how the questions can be worded in favour of a desired outcome! The latest was looking at the security of the mobile as a payment vehicle, and just under half showed that “lack of security” as a concern.

As an example of “leading a witness”, compare the following sets of questions, and decide if they take you to a different answer:

• Are you worried about the personal impact of payment fraud on your life?
• Do you think that more should be done to secure your payment information?
• Would you be concerned about all your payment details being sent over the air, and stored in your phone?
• Have you thought what you would do if you lost your phone containing all this sensitive information?
• Do you think that the lack of security is too big a risk to using your phone to make a payment?

Alternatively:

• Were you aware that payment fraud has decreased over the last year?
• Do you think that this was due to all the improved security measures?
• Would you be keen on maintaining the level of security, yet making payment faster and more convenient?
• Would you like to securely transfer your card details over the air so that you only have to carry your phone with you?
• Would you be in favour of improving the payment experience through use of your mobile phone?

This is a poor imitation on a “Yes Prime Minister” sketch from 1986 (regarding conscription), but looks to highlight how a survey can lead to a differing conclusion on the same question. I am not suggesting that this was the case with the mobile survey, but it always makes me think twice about the results.

I agree that adoption for mobile payments will be hampered by security, but not necessary the lack of it, but more due to ensuring that the ecosystem meets the needs of our secure payment industry. In Europe, we should be proud of the security measures that are being constantly reviewed and improved through the work of EMV, PCI and other bodies. There is always frustration from merchants as it is easy to dictate regarding the security without worrying about the “real” (often financial) implications of the standards. Innovation in the payment industry can be hampered by security, and mobile payments are no exception!

Security surrounding the phone is a constant discussion point. The deployment model includes careful consideration as to the security aspects involved, and it appears that this is unseen by consumers questioned in the survey. Half of me is pleased that the public are shielded from the complexity of the payment industry, whilst the other half wishes the public knew of how much time is spent on creating a secure solution, so that they could sleep safe at night knowing their mobile payments are protected.

The mobile has become a fundamental way in which we go about our business, and it is not stretching the imagination to see us using it for payments – but first I believe we will see it used it for loyalty, discounting, couponing and vouchers at a point of sale. This is not to say that this area is any less secure, but this space lends itself to the marketing and competitive spirit encouraging innovation. Even today, I can receive or download vouchers to be redeemed at a point of sale using my mobile – this may be currently using barcodes, QR codes or plain text but through our solutions, we will be closing the loop with NFC very shortly.

NFC voucher and coupon redemption will help drive the payment industry in this space. Many of the barriers to adoption are slowly being removed, and the explosion in real-time validation and acceptance of vouchers, coupled with the increasing number of Contactless PIN Pads in the field will further encourage NFC to become second nature. I can hear the same people who are currently scared of mobile payments crying “If I can use my phone for loyalty, why can’t I use it for payments?” Well, first we must diligently work though the security aspects of the solution, and then we will make it a reality.

Are you ready to use your phone for payment? Not yet, but it’s not far away!

I was recently sent a viral video of a baby who's used an iPad to such an extent, that she tried to use the same tablet UI gestures (swiping, clicking and pinch-zooming) when given a real (i.e. dead tree) magazine.

What struck me was how the video appeared to polarize opinion between the people who chastised the parents for 'ruining their child's future' and those who hailed this as a watershed moment in human evolution.

As with many things in life, I try to take the middle ground.

Yes, tablets and modern phone devices with their large capacitive screens are indeed enabling content consumption on a scale not seen before. And electronic paper eBook readers are enabling people to hold room's full of dead tree-style books in something that would fit in one's back pocket. Both of these points have to be worth something! Plus I don't remember reading about anyone selling their kidney for a desktop PC to browse the internet on.

But with schools and libraries still very much reliant on traditional printed matter, this baby (and her children and grand children no doubt) will grow up knowing how to read and use physical books just fine.

On the other hand, I can see that with the further development of these technologies, one day books will indeed be relegated to niche areas. Remember records, tapes and CDs anybody?

And before some of you start protesting violently or getting melancholy over the demise of paper as a form of an information transmission medium, just remember that it wasn't the first (see cavemen or for the believers amongst you Moses) nor were tablets the first to challenge the written paper's dominance. Do you recall the time when dictionaries were printed and we used to send letters to each other? The internet and email took care of both.

Just another step-change
And this is precisely why I have to disagree with the iPad evangelists hailing its ”magical and revolutionary” properties. We have to look at this as just another step change in the way we consume information and interact with technology around us. The bottom line is - consumers expect things to be easy. And following the ethos of taking complexity out of technology/online shopping Apple this year briefly captured the title of world's biggest company based on market valuation (before falling back to a still respectable second place) and Amazon has become arguably the biggest etailer in the world.

The power of 3
So what does this mean for all of us in the Loyalty, Fraud and Payment fields? Well, some could be confused into thinking that the answer is apps or cool chrome buttons, but for me the key in the success of modern smartphones and tablets is as much in under the skin integration as is with the resulting ease of use.

Combining payment, loyalty and fraud functions together into a single customer interaction management solution can make things easy for customers too in a number of interesting ways.

For example, combining Payment and Fraud data will help drive down card fraud even further than with the current methods of doing fraud checks with each payment over a certain value, which will lead to extra revenue for banks and retailers and lower banking costs for consumers.

Combining Loyalty and Fraud can improve loyalty scheme ROI by reducing losses due to sweethearting and allow retailers to pass greater rewards to their customers.

Combining Payment and Loyalty can mean the end of carrying numerous loyalty cards/key fobs as well as tedious sign up processes. It can even give retailers the ability to start offering all their repeat customers tailored offers at the point of purchase before they have even actively opted-in to a scheme.

The combination of all three services will contain all of the above benefits together with the advantages of storing the information in a single database. And together with other technologies such as tokenisation, this triad will allow retailers to offer their customers a fast, intuitive, safe and rewarding shopping experience whether in-store, online or on their phones.

And once that's all in place, we'll have plenty of time to spend fretting over what gradient to use in the latest iteration of our website's 'BUY' button.

Recently I received an email offer from a retailer, 3 for 2 off reptile food…”wow” I thought, as I have a parrot, rabbit and 2 dogs but definitely no reptile. Did they know something I didn’t about me?

Another simple case of mass marketing and a spray and pray attitude that not only dilutes the campaign but has completely missed a great chance to engage with a customer. It got me thinking…how often does this occur and am I getting the same offer as the person next door? Does this organisation really value my business and me as a customer? On the flip side, what actually does the reptile enthusiast get and buy regularly from this retailer? The answer to the latter is a reduced price off his purchase that they would have likely bought anyway, the consumer is happy but the retailer has diluted their campaign and given away profit due to an indifferent approach to consumer focused marketing and customer loyalty.

So, over the past few months there have been a number of key phrases and terms floating around the market…multichannel strategy, mobile enablement, contactless payments and social media being just a few. However, the one that has stuck in my head is “customer engagement”. How do we as consumers become engaged with a brand and ultimately become an advocate for their business? I look at the current economic climate and really appreciate that retailers must be having a tough time. There is not a day that goes by without reading in a paper or online news bulletin that retailer x or brand y is issuing profit warnings or looking to restructure debt. It is a tough time out there so how do retailers reach out to their customers and engage them at the right level and ensure that they drive repeat business? It is easier to retain business than to win new from scratch.

So an idea I would float is a strategy to engage each customer on a personal level. Everyone loves to feel valued and to get something special and unique to them. The other thought is to provide any purchasing incentive at the appropriate time with the correct level of focus. So where is appropriate? Every touch point of your business whether face to face or virtual allows engagement with a customer. It is at this point that accurate and relevant data is required to influence the future buying behaviour. Some say this is an impossible task and some say that the cost of such a programme would dwarf the annual 1% of sales IT budget……but is that true? Customer engagement is hard to track so most turn to a loyalty programme. Penetration of a good scheme may barely exceed 30% of your customer base so what happens to the other 70%? How do you reach out and engage?

Imagine me paying for my goods with a debit card. Nothing unusual there then… however when I do, the retailer is able to measure and define my engagement with their brand. Uniquely identifying my card linked to my basket of goods, the retailer I use is able to build and define a customer profile just about me; what I bought last month, last week and today. What I am actually buying, when, where and how much. More importantly are they at that point able to influence me on what I might buy next week by an instant reward or coupon especially for me, targeted at what I actually buy?

The final part of this chain is how does the retailer know who I am? I have yet to talk about key fobs or fancy loyalty cards that join the other 5 in my wallet. Well actually all they need is for me to use my debit card…it is unique to me!

Well they have arrived. After more than a year of discussion and debate the new requirements for Point to Point Encryption (P2PE) have finally been released by the PCI SSC.

These requirements, which are contained in the Point to Point Encryption: Encryption, Decryption and Key Management within Secure Cryptographic Devices (Hardware/Hardware) v1.0, were released this month and define how a payment solution provider may validate its P2PE solution thereby allowing merchants to reduce the scope of their PCI DSS assessments when using the solution.

For a merchant this simply means that in a card present environment, the card data which leaves the Secure Cryptographic Device (the PED) is not considered within the scope of a standard PCI DSS assessment. The major advantage to merchants is that this can potentially remove store networks completely out of range of the assessment, provided there is no other cardholder data being transmitted, stored or processed within that store network. In fact, if a merchant has a solution based on the decryption taking place at a third party service provider then the P2PE cardholder data is never considered within scope of the PCI DSS assessment, although there are still some requirements on the merchant related to this specification.

This initial document is for, what is termed, a Hardware/Hardware solution requiring the solution to provide encryption and decryption only with SCD or hardware security modules (HSM).

So when will the first validated solutions appear? Well, there lies one problem since the testing procedures won’t be available until the end of 2011. A new type of assessor, a P2PE QSA will only be trained and accredited in early 2012 with the intention that newly validated solutions will be listed by Spring 2012.

In the meantime, what does the new standard look like? Well it is clear a good deal of thought and detail has gone into this set of requirements. The requirements split the P2PE environment into six domains, each with its own set of requirements, definition of scope, and allocated responsibility.

The six domains split as follows:

Domain 1 and 2 are related to the SCD where the card reading occurs and encryption occurs and relates to the security of the device, the application code and environment executing on this device.

Domains 3 and 4 relate to the Encryption environment where the SCDs are placed and the transmission of encrypted traffic securely.

Domain 5 relates to the central decryption environment which must be performed in a secure PCI DSS secured environment, using an HSM device.

Domain 6 looks at all the Cryptographic key operations across the whole environment.

For a merchant all of this should be academic. The requirements for them will be to reduce installation and maintenance of the SCD devices as per a manual which will have to be provided to them, the P2PE Installation Manual (PIM). This covers installation of the solution and devices secure maintenance of the devices, secure delivery and inventory tracking and the like. Other than that, their responsibilities will lie in the remaining PCI DSS controls linked to education of staff, security policies, management of third parties and physical security of the devices and hardcopy cardholder data. Naturally, if the merchant has any other means of cardholder data capture and transmission and processing then this will be subject to the original PCI DSS controls in all their glory.

For a P2PE solution provider there is plenty of food for thought as the solution needs to be validated against a stringent set of controls, that are clearly (and quite rightly) based on some well defined controls with regard to key management, encryption and decryption. Some of the key management requirements are the most stringent yet seen from the card schemes. However, when we see the sophisticated attacks on RSA, Diginotar and the like then that is no bad thing.

I am looking for a new wallet. It must be leather, bi-fold, and have a space for notes...I abandoned carting around loose change a while ago! I have been wondering if in five years, or may be ten years the wallet as we know it will still exist! I only use my wallet to carry payment card, one or two loyalty cards, and a note or two just incase I have the misfortune to find somewhere that does not accept cards.

I am a big advocate of contactless payments. It makes life simple, and has meant that I no longer have to weigh my pockets down with coins. Working in the card payments industry, I of course always try to use a card over cash, and this has changed my requirements for my new wallet without a coin pocket.

The in store experience is changing fast. The typical till point is being replaced by a mobile point of sale, enabling staff to approach you to assist as well as convert a browser into a buyer than for you to decide and wait in line to pay. This is achieved by new technology in tablets PCs and wireless pin pad - an area that seems to be popular at the moment - and only a small extension to the existing payment infrastructure.

As I write this I am sitting in the car park of one of the UKs largest Telco’s. I am here to discuss the future of mobile payments both in store through wireless points of sales and wireless pin pads, as well as new and exciting ways to reach a mobile customer base. There are still many uncertainties in the space, but one thing is for sure, the customer experience should be the driver in the multichannel experience. We can no longer look at multichannel in a silo'ed fashion, but ensure that customers gets a service that will bring them back again and again - regardless if they are using their phone computer or are in store.

Mobile phones are now coming to market with contactless NFC technology. This means that in a couple of years I might be able to store card information in the phone and leave the wallet at home. So, the card has removed (nearly) the need for notes, contactless has removed the need for the change, and the phone will remove the need for cards! Were does that leave the need for my leather wallet?

Why was a much hyped retail experience, such a disappointment?

Working in the multichannel payments industry and having responsibility for the Point of Interaction, including the customer journey, I am always interested in improving the retail experience through new and existing technology.  I have been in a number of meetings where retailers have asked if they could replicate the experience received from a certain fruit based store!

This week I had reason to visit one of their stores, including purchasing something, and I had a great deal of expectation from the visit from a research point of view.  First, it may be worth explaining what I was expecting, before discussing why I feel that it was one of the most painful purchases in many months!

From previous conversations, I was led to believe that this store had removed the concept of a checkout, and allowed all their staff to perform a consultative selling role.  I wanted to discuss a product with a sales assistant, see alternative items, and get specific technical details from them.  This should have been possible through the mobile “point of sale” tablet they were carrying.  Once we had agreed the right item, I was expecting to be taken to where it was in the store, for the sales assistant to scan the item from the mobile PoS, and pay by card there and then – using a wireless PIN pad.  I was expecting an option to have the receipt printed or emailed to me.  The reason I thought that this would be how it would work, is because this is all available today through our current existing payment solutions!

So what did happen?
First, I had to find someone I could speak to.  Not having a fixed location, the sales assistants had the freedom to wonder away from busy areas, and I found myself walking in circles trying to find an assistant.  Once I had located a “target” I waited in a disorderly snaking queue, until I was at the front.  At this point, it appears that the person not only failed to answer a single question, but also had no inclination to use the lump of hardware to assist in responding!  I then disappointedly set off around the busy store to find the product, and assess their suitability through guesswork.

Product located, and selection made, I once again had to wonder aimlessly around the store to queue for a staff member while others in front were trying to get answers to their own questions!  After a painfully long wait, I made it to the payment process.  The item was scanned (as expected), confirmation of payment (Visa debit) made, only to be told that we would have to go over to a fixed location where the card reader was located!  We then stood side by side to queue for use of the reader.  More time later, there we were, card in hand hovering over the PIN pad while the assistant then told me that his connection had dropped, and he will just scan the item again!

I am a patient person, but this was almost too much for me!  We were ready; I inserted my card, entered my PIN and made the payment.  Done – or so I thought!  The assistant asked if I wanted a receipt – the options were “take it or leave it!” no email or Text options!  Feeling uncomfortable about walking out a store with no proof of purchase, I opted for a receipt.  To my amazement, the assistant told me he would be back in a minute while he went and got it.  A minute may have been fine, but he was gone for an eternity before appearing looking confused as to who the receipt belonged to!  I identified myself and I obtained the slip of paper.

“Do you want a bag?” he asked.

“Do you have one on you?”  I responded.

“No, but I can go and get one” he retorted.

This was the final straw for me.  Bag-less, and feeling cheated by the experience I left the store to watch my purchase get wet in the London rain as I dashed for cover.

I am not suggesting that I received the typical customer service, but for a company trading on its image (and a couple of sound products), I am amazed when I think back to being asked if we can replicate this experience!  I can, but I like to think that with some careful thought and business understanding as to the customer experience (rather than to crowbar technology in for the sake of it) many of the issues I faced would have been elevated or eliminated altogether.

The Payment experience is not about the speed though the till, but the manner in which we get there.  The right multichannel payment solution can dramatic help in the customer journey, especially as the final payment experience has the potential to leave a lasting impression on the customer.

As we have seen, contactless payments are beginning to move into the mainstream. As my colleague Mark Carpenter noted in his blog, support for contactless transactions is moving out from the metropolis, even to the rarefied environs of his country retreat.

According to Visa Europe, in 2010 it alone issued 10 million contactless cards throughout Europe, the bulk (over 8 million) to UK cardholders. The plan is to double that number in 2011. No doubt Mastercard have similar plans of growth over the coming period.

However, technology doesn’t stand still and only a couple of months ago Orange and Barclaycard announced the availability of their mobile payment solution “Quick Tap”, via a smartphone, which will also provide contactless payments. These payments can be made at exactly the same terminals as those for smartcard contactless terminals, so long as they display the Mastercard Paypass logo.

I thought it might be worthwhile considering the similarities and differences in the two models.

Firstly the similarities; both are permitted to pay for transactions of total value of less than £15 and both require the user to hold the device (card or phone) within close proximity of the reader. Both utilise a technology known as Near Field Communication (NFC).

From a security perspective, a contactless card can only be used a specific number of times without a PIN, before the user is prompted to go through a traditional Chip& PIN transaction. There is an internal counter which is incremented every time a contactless transaction is successful and every time the card is used in a traditional Chip & Pin transaction this counter is reset to zero. If the counter reaches a threshold, then the card is forced to perform a standard Chip & Pin transaction.

From the perspective of a smartphone this is where things differ as this is not possible.  – Getting the phone to fit into a card reader isn’t going to work. Consequently the phone is preloaded with an amount of money, upto £100 in the case of Quick Tap, which can then be used for contactless payments. Once these funds are exhausted a user is required to top up the phone using a phone application and a PIN. In addition it is possible to configure the phone such that a PIN needs to be entered (on the phone) before a contactless payment is made, although this does seem to negate the benefit of contactless and fast payments.

The nice feature of this smartphone system is that it is a zero-cost addition for merchants, if they already support contactless payments from Mastercard and Visa. The fact that the payment is made via a smartphone rather than a smartcard shouldn’t make any difference. In fact the only thing they may need to consider is to train their staff that this is coming along, so when someone does wave a phone at the reader and walks away, it isn’t fraud just the advance of technology.

This weekend I witnessed a major breakthrough in contactless payment acceptance.  Having spent a lazy sunny afternoon in a beer garden, we asked to close our tab.  I watched in disbelieve as the waiter started waving my debit card back and forth over the PIN Pad for a good minute, before inserting my card into the reader looking slightly disappointed.  Having noticed my quizzical look, he went on to explain that their PIN pad accepts contactless, and he had been waiting for the day that someone went to pay with a contactless card!  For me this was very encouraging – Contactless has migrated from focused busy London locations, all the way to a sleepy village pub 50 miles outside the capital!  This waiter not only knew that the PIN Pad supported contactless, but also must have recognised the symbol on my payment card!

The reason that this payment transaction was so unsatisfactory for the waiter was that after the initial excitement of being able to try this emerging technology – he did not realise that there was a £15.00 limit on contactless payment transactions – and my bill was far in excess of this limit.

On seeing his dissatisfaction with having to insert the card as normal, I explained about the limit for contactless.  Showing a level of knowledge on the matter, I was then bombarded with questions relating to contactless; How long does it take to process?  Do customers still need to enter their PIN?  How many people have cards?  Is it secure?

It appears that aside from waving the card at the reader, he had no idea what should happen next!  I wonder if the contactless transaction had been successful, whether the waiter would have been confident of this fact, and not had to double-check (supposing that someone else understood how it worked) – increasing my transaction time further!

After a two-minute education on both the process and the benefits of contactless with the waiter, I left him armed ready to take his first contactless transaction at a later point.  I hope that he will explain this to others so next time I visit, the queues at the bar will be dramatically reduced through speed and efficiency of contactless payments.

Since we started supporting contactless transactions in our payment solution over 3 years ago, it seems that the market is now ready to move forward.  I have always said that education is going to be one of the big obstacles to overcome, and this takes more than a rollercoaster advert on buying bananas!  That said, it appears that even the very passive approach to education is reaching some people (my waiter included), but still more needs to be done for mass consumer understanding.  Even if there are cards in the pockets of consumers, PIN Pads in the field, merchants still have to know how to use them, and to be able to explain the benefits.

If I had no understanding of contactless, what would I have thought while watching a waiter wave my card in the air!  One thing is for certain – without having to verify the payment transaction by PIN, I would have been a little concerned with the transaction, The lack of knowledge from the staff, would have frightened me more.  It has taken 10 years for PIN entry behaviour to be engrained in us – how long will it be before we stop worrying about it at all?

Today we hear confirmation about a breach of the Sony Playstation Network with the loss of millions of account names and personal details and potentially the loss of payment card details such as the payment card number and Expiry dates, but excluding the security code.

The type of data rumoured lost includes names, addresses, email addresses, account names, account passwords, relevant date of birth and answers to security questions. By security questions one presumes the questions would be of a similar type to: What is the name of your pet?

So should we be concerned?

Well if I was one of the potential victims of this theft I would be. Why? Because the amount of personal data which has been supposedly taken would allow a fraudster to start to take over my identity. Much of the rumoured stolen data can be used to authenticate and validate a user, particularly when that user claims to have forgotten the usual authentication tokens such as passwords and passphrases.

The problems arise because we humans are quite forgetful of our authentication details such as passwords. This means we tend to use the same passwords for multiple systems or at the very least similar passwords for similar systems. When we use random passwords then we tend to forget them. The systems we inter-operate with are aware of this and see this forgetfulness as a real inhibitor to them being able to validate and interact with us. They are also aware that the loss of authentication could lead to the loss of a sale or provision of a service. However they know that we remember personal details much better, so questions related to address, dates and favourite or personal facts become a fallback authentication process for the service provider. Unfortunately this also means this personal information becomes far more valuable to a hacker as well.

Only recently I was with a family member who was paying for some items on an ecommerce website. As often occurs these days, as part of the card authentication process she was taken to a 3D secure card authentication screen where she suddenly found she couldn’t remember her secure password.

Helpfully the bank in question gave her the option to select “Forgotten password?” and she was then validated by being asked for her date of birth. Once validated by this information, the password was permitted to be reset.

Similarly most on-line applications will provide the capability to retrieve forgotten or lost passwords by asking for personal information such as date of birth, address or some well-known security questions, such as name of pet, birth place etc. – which just happens to sound familiar. The problem is that much of this data can’t be changed - it’s easy to change a compromised password, but how do you change a compromised date of birth ?

So if I was one of the potentially compromised users in the Sony Playstation network I’d be working very hard today to change any account details which used the same or similar account names and passwords, thinking about changing my email address and I’d either kill the cat, or at least renaming her!

Every man and their dog has a smartphone these days. Whether an Android, Apple or Blackberry device, today's mobiles are as powerful as desktop PCs were only a decade or so ago. They can browse the internet and run a countless number of applications. As such is it inevitable that more and more people are starting to use them like they do with their main PCs – keeping increasing amounts of sensitive personal information on them and using them to make purchases and do personal banking. The problem is that unlike their PCs, most mobile phones are not currently adequately protected against viruses. But how many smartphones are there and do people actually use them in sufficient numbers for this to be an issue?

The potential scale of the issue

According to Gartner in Q3/10 88 million computers (desktop/laptop/netbook) and 80 million smartphones were shipped globally. Half a year later down the line, with mobile manufacturers bringing out new models with ever-increasing frequency and the proliferation of more and more tablet computers, the balance has probably tipped in favour of smartphones. So we know for sure that there are a lot of devices out there. But are they being used?

Well usage figures from Tecmark show that smartphone web traffic now accounts for over 8% of all web traffic in the UK and is growing exponentially. Business Insider tells us that the UK has the 5th biggest mobile market in the world after USA, Japan, Korea and Italy. Ofcom calculates that mobile internet usage rocketed by 240% between 2009 and 2010.

All of these stats point to the fact that the online market is already big and in continuing to increase at a dramatic rate. So where does the problem lie?

Consumer perceptions are at the heart of the issue

Over the recent years intensive media coverage has first alerted then educated the wider public to the threat posed from email scams and viruses/trojans as well as the importance of having a firewall and an up-to-date virus scanner installed.

The problem is that consumers don’t think of their smartphones as just another PC, even though modern smartphones can perform all the every day tasks a PC can.
Most consumers do not have virus scanning software installed on their smartphones and the key mobile operating systems (Android, iOS, Blackberry & Windows Phone 7) don’t contain such software by default.

Furthermore the proliferation of app stores and 1 click installation have made it easier for people to add new functionality to their phones. People add and remove apps in a much more casual manner than they would do with their home PC.

Proliferation of viruses onto mobile platforms and their impact

Virus writers have been quick to take advantage of the 3 above points and have started writing increasingly complex and capable viruses for these new platforms. A case in point is a virus dubbed Geinimi. Usually posing as a gaming app in unofficial Chinese Android app stores, once installed on a system, Geinimi is able to:

• Send personal information to a remote server
• Receive commands from remote servers enabling the infected mobile device to become part of a botnet
• Send SMS messages to premium rate phone numbers

All without the user’s knowledge. Whilst today such viruses are rare and their proliferation rate is relatively slow, if unchecked they could become mainstream very quickly indeed.

The importance of Android to this debate

You may have noticed that the Geinimi trojan (like most of the mobile viruses in the wild today) is written for the Android platform. Helped by its pseudo open-source status, and backing of the biggest internet company in the world (Google), Android is now both the largest and the fastest growing smartphone platform in the world. Due to this popularity Android has naturally become the virus writer’s favourite OS (in a similar way to how Windows became the favourite desktop OS for PC virus writers).

Another reason that virus writers focus on Android is its relative openness. Apple’s walled garden approach may be restrictive (to the point of being viewed as anti-competitive by some), but at least it allows for careful vetting of all applications sold through its app store. Of course with Apple’s iOS, unless you jailbreak your phone or tablet, you won’t be able to install applications from non-app store sources. On Android you can install applications from non-official sources, which gives rise to the possibility of rogue applications being installed.

So what can be done?

The proliferation of mobile payment fraud can be averted through concerted actions throughout the related industries. These actions will probably include:

1) Media
Education of the wider public in the importance of using mobile virus scanning software, being careful to only installing applications from official sources and generally being aware of security advice issued by the mobile industry

2) Mobile OS developers

OS developers such as Google, Apple, Blackberry and Microsoft need to put a big focus on making their platforms secure and supplying their end users with virus software. PC operating systems like Windows 7 already come with a pre-installed virus scanner software and the same should happen in the mobile space.

The Mobile OS developers also need to improve app security screening before apps make it onto official app stores and look at ways of minimising the possibility of apps from unofficial app stores infecting people’s smartphones (obviously without in the process limiting end-user choice).

3) Network Operators

Network operators need to ensure that the phones they issue are kept updated with the latest security patches. Automating this process will ensure that no phone is left on an older version of software which is vulnerable to infection. Network operators also need to look at the possibility of providing virus detection software either free of charge or as an added extra until mobile OS developers introduce such features into their OS’ by default.

4) Retailers and Financial Institutions

Retailers who want to sell through the mobile channel or banks who want to enable mobile banking services need to ensure that all development (whether through platform specific apps or platform agnostic mobile websites) is entirely PCI DSS compliant. On top of that they need to include extra security features to ensure that even if the security of the mobile device has been compromised, the account security cannot be breached.

Banks are already leading the way in this with the likes of First Direct making people enter three random characters from their password instead of the whole one whilst Barclays use an external Pincentry security token which uses 2 factor authentication. The aim of both of these approaches is to minimise (if not annul) the possibility of account security being compromised by logging in or initiating a transaction through a infected mobile device.

Retailers also need to look at similar ways of securing their points of interaction; perhaps by making us enter a random subset of our full passwords and periodically asking us for extra information such as security questions or information on their transaction history.

5) Individual Consumers

But at the end of the day no one is going to protect you the way you protect yourself and end users need to realise that “with great power comes great responsibility”. Or more accurately that as phones become more integral to our lives, they also become more dangerous if a malicious hacker takes control of them. Thus we all need to be more careful of how we use these small but increasingly powerful devices.

Should retail businesses invest in developing an app or stick to improving their website?

I recently attended a summit on multichannel retailing. As predicted, mobile was a topic that came up again and again. It seems to be a bit of a buzz word at the moment yet it was only a year ago that I could not make it through a day without out talking about end-to-end encryption. Now that The Logic Group has multiple solutions for reducing PCI through encryption and tokenisation, it seems that like the industry, my thoughts turn to ensuring our clients can capitalise on mobile transactions.

I have a number of Apple devices, so I am familiar with the enhanced user experience provided by an app, but web design is moving on in leaps and bounds. Sometimes optimised sites for smaller mobile screens can be as good as an app, yet have a wider reach than just Apple’s iOS. This brings me back around to the multichannel summit. Except those who have already invested heavily in app design, the priority of retailers, and confirmed by experts was to stick with enhancing the website rather than invest on an app!

At first I was surprised by this, but as I related this information back my own consumer behaviour, I realised that buying from the web - in any form factor - is the most familiar and identifiable method of searching and selecting items. I only use an app for purchases with one single-channel retailer - and that is more about customer experience, rather than getting the best deal. Most of the time I am researching across many websites before the final purchase. If I stick to only using apps to buy from my phone, I lose some of the ability to easily compare.

With a focus on optimising a website, the first advice to the audience at the multichannel summit, was to think about what is important to the potential shoppers. Do they want to check stock, reserve goods for collection, or complete full transaction from selection to payment? Many of the main websites we interact with from our computer have innovative and engaging ways to draw us in. Let's not forget that this has grown over more than 10 years of constant evolution. As the cliché goes, do not think that we can run before we can walk with mobile transactions, but there are many lessons and experience we can draw on from the web.

In the last year, the gap between the experience offered by a dedicated app and a well thought out website are narrowing, and I am beginning to come around the advice from the experts. Stick with the web, and if your CXO or Marketing department insist on an app - then just point it at the optimised website, and sleep easy that all bases are covered!

You are a retail business. You have spent a small fortune in time and money to upgrade your systems and have now achieved that holy grail – PCI DSS compliance. Do you sit back and relax, safe in the knowledge that you have achieved security nirvana and that fraud will never show its ugly face in your business again? Well not quite.

PCI DSS compliance has its limits

The issue is that PCI DSS compliance by its very nature can’t be all-encompassing. It deals with payment data (credit, debit, payment, pre-pay etc.) data and the flows of this information through your business. Anything not directly related to credit and debit card data is considered out-of-scope. After all, the PCI DSS standard was created by the likes of VISA, MasterCard, Amex, DiSCOver and JCB, so naturally their key priority is in keeping payment data safe and secure.

But recent technology developments demonstrate that fraud (like water) always seeks the least path of resistance and does not differentiate between in-scope and out-of-scope areas of a business. A recent story beautifully combines payment, loyalty and fraud with a dash of new technology and a pinch of sub-standard implementation to show us the limits of achieving PCI DSS compliance.

Starbucks Rewards

Starbucks have recently introduced iPhone and Blackberry Apps for their Starbucks Card Rewards loyalty program. All you do is launch the App in your smartphone, get the phone screen (showing a barcode) scanned by the StarBucks employee and enjoy your tall skinny extrawhip half-caf double caramel macchiato. The App does the rest, as it is matched to your account, which in turn is matched to your credit/debit card details. Thus money is taken out and loyalty points are added in automatically. Simples!!

The issue arises from the fact that the barcode in question is not of the dynamically generated variety, but is static and valid for the life of your Starbucks Card Rewards loyalty membership. This means that if someone else got hold of this barcode, they too could get free coffee on your account. But how is this done?

The Scam

The scam is technically reasonably simple to pull off. All the miscreant needs is you have access to an unsecured (i.e. not pin or pattern protected) smartphone of a mark for at least 90 seconds. All the fraudster then needs to do is:

• Launch the app
• Hit the mobile equivalent of “print screen”
• Send themselves the resulting screen grab via email or mms
• Delete the sent MMS or email from the sent folder to erase any trace of the subterfuge
• Replace the handset to where it was found

From then on, all the criminal needs to do is load the image onto their phone and get that image scanned at the till, so that they too get to enjoy watery coffee, cakes and whatever else Starbucks sells on the bill of the unaware victim.

Much a do about nothing

But wait I hear you cry, there are a lot of caveats to pulling off this ruse. The smartphone needs to be unprotected (e.g. no password), it needs to be left alone in a public place for at least 90 seconds, the ne’er-do-well needs to have a phone with an identical resolution screen….and all of this for some free coffee. Many of you will correctly point out that most fraudsters probably won’t bother to go to all of this effort for such a small reward.

And you may well be right. Yes the scam does have severe limitations, but it does demonstrate that companies do need to take care in introducing new technologies in order to minimise the chances of fraud. After all, as the above app does not store or disclose any payment information it does not contravene the PCI DSS compliance status of the company. But that does not make it fraud-proof.

Will mobile phones replace the card?

More people leave their wallet at home, than their phone. In the past, this may have caused the shopper some difficulty as they search their pockets at a checkout. This situation is set to change with the introduction of NFC contactless technology coupled with your mobile phone. The exact form factor is evolving from bank issued stickers attached to any item, NFC enabled SIM cards, to contactless enabled handsets. The timelines for mass adoption are still unclear, but we are firmly on the journey!

Security is always a question that gets raised when I discuss contactless with friends and family – and rightfully so! With the contactless card, I explain that every so often, the user will be asked to insert their card and enter their PIN to verify that the user does in fact have the credential to spend the money. Both the transaction limit and the frequency of PIN validation is a carful trade off between convenience and risk.

So, next time I leave my wallet at home, I can still use my contactless enabled phone – but only in the understanding that I may get asked to insert my card – at which point I would sheepishly apologise and put my item down, mourning the wasted time spent in the queue!

I think contactless is a great idea from both a solution provider and a consumer viewpoint, and looking at the behavioural impact, the idea of getting my phone instead of fiddling around with cards appeals to me. It is a neat solution, but I am still unsure about the idea of replacing the wallet with a sticker or enabled phone until it can whole-heartedly replace the card. This is coming, but there are still a few hurdles to overcome, and until then, I will try to remember my wallet, watch and mobile phone on every outing!

Having recently attended a breakfast briefing in London on the subject of micropayments, I was fascinated to learn that the market opportunity for micropayments is forecasted to grow to €15bn by 2015! A massive growth from today’s estimates of €6bn, considering that most other markets are either flat, or showing minimal growth. The reason for this unprecedented growth? Our insatiable demand for digital content, whether it is online news articles, music downloads, mobile applications or online gaming to name but a few.

So how are savvy businesses that operate in the digital world going to capture a large share of this growth? Simple. They need to ensure that they sell something of perceived value for next to nothing, sell it to millions of people, as often as they can, whilst ensuring that the economic and user experience problems that are present today are addressed.

For micropayments to really work well, from a user perspective, a decision to buy something must be of such insignificant value that no real thought process is taken toward the impact on the wallet. In doing so, the user experience for payment must be as slick as possible. Users must not be delayed by having to go through the time consuming process of entering (and therefore thinking about) payment card details and passwords in order to complete the payment. Obstacles in the way of making a payment will force the consumer to question their decision to buy in the first place and will have a negative impact on conversion rates.

As the user experience is key to the success of micropayments, businesses will need to provide widely accepted, secure and easy to use payment methods, in line with the product they offer and the buying preferences of the consumer.

As we are still in the early stages of the evolution of micropayments, the next five years will see many initiatives from content providers looking for the right business model driven by consumer payment preference to land them a large slice of the market.

We watch with interest.

In Dec 2007 the European Commission announced that MasterCard had breached Article 81(1) of the EC treaty, prohibiting agreements and practices that could affect trade between Member States, by setting multi-lateral interchange fees (MIF) for cross border and domestic credit and debit card transactions in 8 member states. Legal wrangling and intense negotiations over the past 3 years have resulted in MasterCard undertaking to adopt certain measures to enhance the transparency of its payment card scheme, enabling consumers and retailers to make better informed choices as to which payment cards they use and accept. As a consequence in 2009, both MasterCard and Visa introduced rules mandating that all EU acquiring banks offer “unbundled” merchant service charges (MSC) from January 2011.

But what does this all mean?

Traditionally, the MSC is made up of two components. The first is a charge for the acquiring service, covering marketing, selling, support, acquirer risk (fraud, chargebacks, bankruptcy, etc.), transaction processing fees and in some countries all (or part of) supply of PIN Entry Devices (PEDs), telecoms and terminal consumables. The second is the MIF, paid by the merchant acquiring bank to the card issuer, which typically represents 65%-80% of the MSC.

Historically these charges have all been bundled together into one (or possibly a few) composite rates, for all but the largest merchants. This approach not only reflected the banks’ limited ability to breakdown MSCs in to their individual component parts but also provided a ‘smoothing’ effect across the schemes (Visa and MasterCard), card programmes (consumer, commercial, debit cards, etc.) and borders (national and international) making charging simple and straight forward for merchants.

Moving forward, MasterCard and Visa’s agreement with the EC, effective from January 2011, mandates that acquiring banks must offer unbundled MSCs to merchants by default (unless specifically agreed otherwise with the merchant). This approach will ensure merchants are made aware of the exact costs of each transaction processed requiring the acquirers to identify, explain and justify the costs of other services (marketing, selling, support, acquirer risk transaction processing fees, terminal supply, telecoms and terminal consumables, etc) that used to make up the bundled MSC.

But surely greater transparency is a good thing, isn’t it?

It certainly offers merchants the opportunity to really understand the fees they have to pay in accepting the various card types allowing them to make informed decisions on which to accept, decline or even to apply a surcharge on. However, as a consequence a lot more thought and application will be required on behalf of the merchants to fully understand and interpret the intricacies of the new charging models and then to develop and implement appropriate card acceptance strategies across their various channels to market (retail stores, contact centre, internet, mobile, etc.).

From an acquirer perspective the implementation of finer cost detail and more informed pricing will allow them to look at increasing their profit margins by clarifying and externalising the costs of bundled services that may currently be subsidised or provided free of charge. However, acquirers are also likely to incur substantial costs in modifying systems and amending merchant contracts to enable unbundling, as well as in processing and communicating large volumes of additional data and detail to the merchant. This together with a more transparent view to the pricing mechanisms will no doubt add to the competitive pressure amongst the acquirer community.

Commentators following the developments in this space are under no illusions that greater transparency offered through unbundling will provide merchants with a greater choice not only of which cards to accept but potentially which acquirers provide better value services; but at what cost? At this point it’s too early to tell, as acquirers continue to adjust to these changes, existing merchant agreements are reviewed and new contracts and pricing structures are agreed and implemented during 2011. Once all the different costs are unbundled and new pricing models compared and assessed, the reality will be that merchants will have an enhanced ability to make informed decisions as to future MSC and related card transaction processing expenditure, but will they ultimately end up paying more for their acquiring services as a consequence?.

Sometimes “it will never happen to me” should not be the corporate line!

Last year I discovered that my credit card had been used for a number of rogue transactions. My first thought was to blame the wife…but on second glance, they were clearly fraudulent. My mood changed as I thought about all the phone calls and letters it would take to clear up this mess.

I knew instinctively that these transactions were through web channels as with the introduction of Chip and Pin card present fraud is more challenging, yet the web was still the easy target. A year on, the implementation of 3D Secure in the form of MasterCard SecureCode and Verified By Visa, although occasionally frustrating for consumers, has helped reduce the potential for online fraud. It has been the first step in closing down another route for criminals.

Once I had managed to report the fraudulent transaction, it got me thinking about how companies track the point of breach. The fraudster must have managed to get my details from somewhere! Speaking to our fraud team, pin pointing the location of the breach depends on how the stolen data is used, and the scale of the operation.

It is simple maths. Once a number of cards have been reported, then an issuer can cross reference previous transaction purchases to see if there is a common denominator. If a large percentage of the compromised cards had previously been used at a particular retailer, then there is the possibility that this is the source of the problem. With access to the necessary data, patterns quickly emerge, and merchants are informed about the suspicion of a breach.

For the retailer…it is time to call in the cavalry in the form of a Qualified Forensic Investigator (QFI). This group of individuals can identify potential weaknesses in systems, understand whether a breach has occurred – possibly by whom, and present information on how this can be addressed. Often this activity should be carried out as soon as possible to increase the possibility of identifying the perpetrator before the case goes cold.

QFI’s are able to react or to be proactive regarding security. Like a fire drill, it is important that companies have a plan just in case of a breach, but far too many believe that “this will never happen to me!” With the industry constantly trying to keep up with the cyber criminals, it is always important to have a plan in place, as well as keeping the phone number of a QFI in a company's back pocket. You never know when it might be needed needed.

As more brands adopt contactless technology, how many consumers and staff at the check-out really understand its benefits and how to use it?

Last month Neira Jones, Head of the Payment Security Team at Barclaycard, reported in an interview with Grocery Trader that there are now around eight million cards with contactless functionality across the Barclaycard Group, she also confirmed that Barclaycard “see contactless being as safe as cash, if not more so.”

Although the technology is undeniably useful and will save time at the point of payment, when you walk into a shop or cafe offering contactless payment technology, how many people have you actually seen using it? For example, adopting the guise of a secret shopper I went to pay for a coffee at a cafe which accepts contactless payments, I asked the attendant how to use the terminal. This caused a certain amount of consternation and as they struggled to come up with an answer. I was told to insert my card into the reader. It seems that outside of the payment industry (and tech savvy shoppers in the capital), people still have an inherent lack of understanding of the technology.

The UK Card Association has produced educational material on contactless technology, however I wonder how many people will actively read this. Other than that, it’s just down to the Barclaycard rollercoaster and waterslide ads, which branding-wise are excellent, but from an educational perspective, potentially less so. And that’s from the consumer perspective – educating staff is a different matter completely. However, Barclays is forging ahead and will be automatically upgrading customers with contactless cards, while other banks such as The Co-operative Bank, Egg, RBS and Lloyds Banking Group are set to follow suit and issue to selected customers.

Over a year ago, the head of business strategy for MasterCard UK and Ireland expressed the importance of education to support the use of contactless technology in a round table event. He cautioned that people should not “underestimate the amount of education that needs to be done". This refers to both the retail industry and the consumer, but a year on; there is only limited evidence of this for the “man in the street.” Education is still a passive process in this story, and it seems that there is a belief that as the number of cards issued, and outlets accepting contactless reaches a critical mass, the public will just accept the technology as common place. This is probably the case, but the widespread acceptance will take a great deal longer than with a little encouragement. Even with Chip and PIN I remember a proactive education campaign, and being told that “I ♥ (heart) PIN!”

It’s not just consumers and staff that are still in the dark on contactless – merchants too are still trying to understand what’s involved from conception to installation. The Logic Group’s solutions handles more than £135 billion worth of transactions and many of our clients are becoming increasingly interested in contactless technology. Indeed, some are either running pilot projects or using windfalls like an innovations budget to install contactless payment systems today. At the planning stage though, timescales need to be carefully considered when merchants are looking to install contactless technology because it can take a two to three month period, from the moment they make the decision to its launch in store. Many are forgetting that with most integrated systems, hardware must be replaced and software enhanced; a shift which must be carefully planned to avoid any disruptions to service.### The industry needs to effectively educate and engage with consumers to drive wide scale adoption and more importantly use of the technology. Within the payments industry contactless technology is becoming old news, but for everybody outside of the industry it is a new development and the focus must be on engaging and educating the masses on the security, ease and benefits of contactless payments to encourage use of the technology on a daily basis.

According to the January 2010 report from the National Fraud Authority, fraud now costs the UK an eye watering £30 billion a year. 58% of fraud is committed in the private sector with tax fraud hitting £15.2 billion, and, in the private sector, financial services companies and organisations are said to suffer yearly losses of £3.8 billion through crimes including mortgage and insurance fraud, online banking, cheque and card fraud.

According to CIFAS, the UK’s Fraud Prevention Service, nearly 60,000 proven frauds were identified in the first three months of 2010 alone. Identity threat, where fraudsters use the names and details of innocent victims to generate cash-flow, has also increased by almost 20% in the first quarter of 2010 compared to the same period in 2009.

In order to effectively combat fraud and security breaches, merchants across all sectors need a better understanding of their overall fraud and security landscape threat and exposure. Many merchants make the mistake of putting all their effort into preventing ecommerce fraud. This however is short-sighted as there are no boundaries to fraudulent activity. All channels are vulnerable.

Fraudsters can be first party, third party, ‘friendly’, opportunistic or part of an organised group of criminals - anything from an underage person trying to buy alcohol with a parental credit card to an organised gang of criminals performing a complex Denial of Service (DoS) attack designed to make a computer resource unavailable to its intended users. Fraud can also occur anywhere within a business – from externally generated activity to internal threats from one’s own staff.

Multichannel approach for a multichannel problem

The problem is vast, constant and evolving - as fast as merchants can detect fraudulent activity and shut it down, fraudsters remain one step ahead with new techniques for merchants and the payments industry to fight against across multichannel environments.

And, no matter how much an organisation works to protect or prevent security breaches, you can bet the persistent fraudster will be working diligently to find another channel to exploit. If they have been prevented from defrauding a merchant in a shop where the cardholder has to be present to make a purchase by Chip and Pin, they may then try to find gaps within a merchant’s ecommerce environment.

If that merchant has 3D Secure in place to limit ecommerce fraud, fraudsters may then see if they can exploit that merchant’s call centre channel. And, when a fraudster or gang of criminals succeeds in committing fraud in one particular channel, they will often extend their activity to other channels because it is easy for them to do so.

Certain sectors are also subject to particular types of targeted fraud and merchants should be aware of the types of fraud prevalent in their market.

In the Financial Services sector for example No Intention to Pay (NITPs) fraud is on the increase. Here fraudsters may sign up for car insurance (usually using a compromised credit card) for the first payment of the policy and then set up a direct debit to pay for the remaining 11 instalments. As soon as the insurance certificate is received the fraudster will cancel the direct debit facility. The insurance company generally writes this off as it’s deemed too expensive to follow through. Meanwhile the fraudster has the certificate if stopped by the police or needs to prove the vehicle is insured.

Charities are also well known for being used as test sites for fraudsters. As many of these charities take low value transactions, fraudsters use these sites to see if compromised cards can get through authorisation before going to other sites selling higher value goods.

Merchants that sell goods and services with an age restriction (e.g. alcohol, knives, games or betting services) are also regularly targeted by fraudsters. Underage children may try to make themselves older by changing their date of birth or use a parents credit card to buy restricted goods. Or someone may try to open up an account to access pornography using a nearest and dearest’s personal details. Without proper identity checks to catch them out, fraudsters can easily get around such restrictions.

How should merchants tackle fraud and security breaches?

The truth is that there is no silver bullet to combat fraud. A merchant can’t simply adopt 3D secure and presume they are safeguarded – fraudsters will find another way. There is also no ‘one size fits all’ solution, as every merchant is different with different fraud levels and exposure. One prevention technique will work for one and not the other.

Merchants need to look at their payment and loyalty environments as a whole, not just looking at fraud prevention in isolation.

Prevent

The first step is to take measures to prevent against fraud and detect areas of vulnerability before fraudsters can attack. This can be done by implementing correct procedures (and ensuring that the business is following those procedures), training staff to recognise fraudulent activity, adhering to industry initiatives such as PCI DSS, 3D Secure and CV2, and making use of expert fraud screening and prevention suppliers.

Protect

Merchants need to make sure their infrastructure is protected against security breaches. If infrastructure and networks are not protected, hackers will penetrate systems and steal consumer and business data. By complying with best-practice guidelines such as PCI DSS, organisations can protect their infrastructure, customer confidence, loyalty and ultimately retention.

Pursue

However, even if a merchant follows best practice guidelines and is PCI DSS compliant, it may still be the victim of a breach. At this stage it is important to have procedures in place to pursue. This allows merchants to rapidly respond to any external or internal breach and understand why it happened, who caused it, where and when it took place so the breach does not occur again. This can include calling in a Qualified Forensic Investigator (QFI) that uses ethical hackers and a dedicated forensics lab to identify and pursue attacks including website hacking, unauthorised access to critical systems, theft of financial or critical data, and unauthorised use of computer equipment.

While fraudsters are ever more resourceful and have been more active than ever during the peak of the recession, there is a continued effort on behalf of the industry to stay ahead of the fraud curve. As there is no one solution or approach to combat fraud, retailers, banks and security specialists must increasingly work together and pool expertise to help organisations to actively prevent fraud before it happens, protect against breaches that are likely to happen or are happening, and aggressively pursue fraudsters once a breach has taken place. In order to enhance customer confidence, interaction and reduce business risk, organisations too must step up and ensure they have the processes in place to ensure they are managing their information and transactions securely. Point solutions are available, but at the end of the day, it will be combined fraud and risk management expertise with an overall integrated approach that will keep fraudsters at bay.

100% security doesn’t exist.

The frustrating truth is that almost every organisation will suffer a security breach at some point. Whether it is the defacing of a website, loss of data through a Trojan horse or the corruption of a system by a virus or worm, most companies will experience some form of data breach. This includes merchants who have diligently put measures in place to prevent fraud by implementing the correct security processes and procedures, enlisted specialist third-party anti-fraud services, adhered to appropriate industry initiatives such as 3D Secure and CV2, and complied with PCI DSS to protect their infrastructure against attack.

While all of these measures form part of a comprehensive security plan - and PCI DSS is a good basis on which to build resilience to a breach - there simply is no foolproof solution. The level of fraud is staggering and always changing in scope. In 2008 for example, 19% of organisations who were subject to a security breach were, in fact, PCI compliant. Many organisations never even realise they are hacked. In 2008, 69% of credit card breaches reported were by third parties rather than the breached organisation.

Hackers use freely available company data to target and ‘footprint’ an organisation in preparation for an attack. They are creative, innovative and above all persistent; intent on stealing data from whatever channel they can, be it customer data, credit card numbers or corporate documents. No matter how much an organisation tries to prevent and protect against a breach, the persistent hacker may find a hole that a systems administrator hasn’t plugged. Merchants should therefore be ready for the eventuality of a security breach with procedures in place to pursue and rapidly respond should an external or internal breach occur.

Prepared for action

Once a breach becomes apparent, merchants must immediately contain and limit the exposure of the breach to minimise data loss. If the merchant is PCI DSS compliant they will have an incident response process in place which should be followed. If a merchant does not have an incident response process in place or are not PCI DSS compliant, they should engage the services of a forensic specialist to investigate the breach to determine the root cause and to pursue the perpetrators.

Merchants also need to notify their acquiring bank as soon as possible who may also request that they assign a Qualified Forensics Investigator (QFI), from a reputable fraud and payment security specialist like The Logic Group, to investigate the breach. The merchant can choose their own QFI from a list provided by VISA and/or MasterCard. Prompt action is critical when a breach occurs; if a merchant doesn’t already have relationships in place with a QFI valuable time can be lost. In some instances it can take as long as three to four weeks to get the legal agreements in place (such as NDA’s, contract for forensic services, pricing schedule etc). It therefore makes sense to already have a QFI assigned to the company. If the relationship already exists the QFI can be integrated into a merchant’s incident response plan so reaction to a breach would be immediate.

Pre-arranged service contracts with QFI’s are available providing a 24 x 7 call-out service to deal with any security incident. Such contracts are similar to a gas boiler maintenance contract with an on-call emergency service and an annual inspection to assess risks and exposure from external and internal threats.

Within three days the merchant must also provide a Compromised Entity Details report to the card scheme(s).

Investigating a breach

A forensic investigator will follow a structured forensic methodology using different tools to analyse the compromised environment. An investigator will first work to isolate the area of compromise to limit further compromise and also to maintain the integrity of the environment. This will allow them then to conduct forensic tests to identify the method of compromise and, where possible, identify evidence to support finding the identity of the perpetrator. Most importantly, the investigator will know how to preserve, extract and analyse evidence in a manner that can stand up in a court of law and that complies with the requirements of the card schemes.

Many security breaches are via SQL injection. Typically this is where an e-commerce website has not been security coded or hasn’t had the appropriate security penetration testing performed. This weakness allows a hacker to steal data directly from the customer database anonymously over the Internet. Many main high street brand names have a significant online presence in, for example, the estate agent, holiday travel, car insurance, electrical gadgets, auction and book selling market sectors. In these markets insecure websites can potentially leak customer and financial data.

In the majority of cases the method, area of breach and data at risk can be identified. In cases where the compromised card numbers are known, they can be searched for using e-discovery tools.

QFI’s can also use a Certified Ethical Hacker (CEH) to identify risks. Using the same tools as an unethical hacker, a CEH will have permission to hack a live system with the full cooperation of the client in order to identify where there are weaknesses in the environment. The CEH will then write a report on the weaknesses found and provide recommendations for remediation.

The evidence captured during an investigation will be analysed, logged and securely stored in a forensics lab which employs specialist tools to ensure all data is protected during the investigation so that evidence cannot be tampered with.### Knowing what to do and taking quick action in the event of a breach is critical. Using the service of a QFI and establishing the relationship early on will help to ensure that a breach will be identified and contained quickly. The resulting forensic analysis will also provide the best possible chance of pursuing the breach and shoring up an organisation’s defences to ensure a similar attack doesn’t happen again.

Security is not a quick fix. Organisations must evaluate and assess all parts of their business to identify the risks and potential of exposure. Comprehensive processes and procedures must be put in place to prevent breaches from happening in the first place, best-practice guidelines should be followed to protect an infrastructure from attack including compliance to PCI DSS, and organisations should be ready to pursue a breach should it occur by rapidly responding in the event of a compromise. While fraudulent activity can never be avoided completely, this is an organisation’s best defence.

PIN Entry Devices - Marketing campaigns at a consumer level

It’s been a while since I have been reminded to “insert my card into the chip and pin reader” by a retail assistant. Industry regulations have shaped consumer behaviour, and by now, many of us instinctively hover over the reader waiting for the moment of payment. Pin Entry Devices are becoming increasingly part of a retailer’s image, and price is not the only factor in device selection. PIN Pads must enable chip and pin transactions of course, but this is a commodity. What else can the PIN Pad do to convince a store that it merits the investment?

This year will see a flood of new devices in the market – all comparably with their EMV certificates freshly achieved. Many of these will be have bright, colourful displays, touch screens, and will come in a range of colours – but mainly black and silver! These devices are becoming more intuitive, have a very familiar feel and are benefiting from advances in both technology and client acceptance.

As these devices are becoming more consumer facing, so does the need to ensure that payment is a simple, clear and pain-free process. The whole sales process can be destroyed by a difficult or clunky payment experience. As well as improving the customer interaction, many retailers are seeing new opportunities brought about by the new devices.

I stare at the PIN Pad waiting for the screen to display "Please insert my card"– retailers realise this. While I gaze at the reader, why not let me know some of the fantastic offers available – from low interest rates on loans or store cards, new seasons ranges, or two for one offers in aisle three! Some of the time, this may go unnoticed, but retail marketing is all about increasing the possibility of that extra sale or return visit. At the point of sale, this advertising has the potential to link the offers to my basket data or loyalty card, making the advertising tailored to be both relevant and attractive to me personally.

Knowing that my favourite beer is on special will almost certainly encourage a return visit!

In the fast changing technology landscape a week does not pass by without a new game-changing social media app, a new service in the cloud or some other provocative evolution. What chance does a regulator, such as PCI SSC have in setting a standard that applies to all the technologies employed in payments? Two years since PCIDSS 1.2, PCI DSS 2.0 is now upon us and this was one of topics discussed at a recent QSA roundtable.

Changing Standards

Any standards that follow technology trends will be in a constant cycle of revisions for standard-followers to take on and plan for. Regularly moving the goal posts will create apathy and resentment amongst the parties trying to comply. So is PCIDSS a dead-in-the-water standard behind the times or an impossible, but living, set of rules? Luckily, the answer is neither and this is even truer of version 2.0 than the outgoing 1.2.

The PCI Security Standards Council (SSC) and the card schemes, fortunately, are not trying to ply rules and limits to every cumulus congestus that emerges into the world of payments. Instead, they are trying to lay a security foundation, and as such the foundation should not change every time a new technology comes along. The key discipline for the council is to avoid being prescriptive about the ‘right’ security methods, and instead focus on defining the intent of each guideline and risk in each area. For an example of the less-prescriptive direction of 2.0 here’s an example of the evolution of wireless local area network (WLAN) rules:

• In 1.2 the requirement was to along the lines of ‘Test for the presence of wireless access points by either doing WLAN Access Point scanning or using a Wireless Intrusion Detection System (IDS)’. WLAN Access Point scanning works great for some; but those that have many stores with a WLAN in each one find it tiresome to have a staff member waving a scanner around in each store every few months. IDS too suffers from being seen as prohibitively costly by many.
• In 2.0 the flexibility to choose other methods to achieve the same goal has been introduced: ‘Test for the presence of wireless access points’, and this is followed by a crucial note ‘methods include but are not limited to: WLAN Scanning; using a Wireless Intrusion Detection System; Physical Inspection or Network Access control.’

By PCI SSC becoming less prescriptive the industry is free to innovate to solve security problems and card acceptors are free to choose the most effective / future-proof / suitable solutions to meet their needs.

Contactless payment technology continues to develop; it is a hot topic of discussion as Barclaycard rolls out an update to its TV advert demonstrating the ease of contactless technology – but will its implementation become a rollercoaster ride for retailers and will hard currency become harder to find in the future?

Cash will always be necessary; it is something that we all carry in our pockets for quick and easy small-scale purchases and a whole industry exists purely to handle and transport it. Indeed, many supermarkets and retail chains offer their customers the opportunity to get ‘cash back’ as they buy produce via a debit card. Consumers view it as a convenience yet the reality is that it saves the retailer a considerable amount of ‘cash’ in money management fees.

Card fraud always makes the headlines, yet cash is equally, if not more vulnerable to theft and fraud. Consider just how many fake notes there are in circulation and the amount of money which is lost through theft or damage – The European Central Bank, which is responsible for identifying fake notes, reported that over 860,000 faked Euro notes were withdrawn from circulation in 2009, and the amount of faked Euro notes has been on the rise since 2004. When you compare this with the amount of transactions that huge retail chains process electronically, then the occurrence of card fraud is relatively low, aided by the enforcement of security schemes such as the Payment Card Industry Data Security Standard (PCI DSS), which is a set of comprehensive, mandated requirements designed to enhance the security of account data on a global basis.

The overriding incentive for retailers to embrace electronic payment methods is the low cost of processing card transactions. Consumers require a payment method which they are comfortable and familiar with using. Contactless technology is speed and convenience driven, if it is widely adopted could we see an end to fumbling for change in your pocket?

A contactless payment system allows consumers to use their card or payment device up to four or five times, before they will be prompted to input their PIN number. A transaction limit will be set, for example £15, then the consumer could purchase items of this value without needing to input their PIN, until the set number of transactions has been reached. If a consumer were to lose their card, then the bank could only lose a maximum of £75 working with this limit. However this does suggest that paying for high value items using contactless technology may not come to fruition, as should the card be lost or stolen then the bank would stand to lose more money. Trials have shown that consumers will tend to use a blend of transaction types, which means that cardholders will rarely have to input their PIN number for contactless transactions as their identity will be verified by regular Chip and PIN transactions.

Barclaycard reports that there are now 25,000 terminals, the majority being based in the capital which are able to accept contactless payments. Back in September 2007 it signed up more than 1,000 London outlets to accept its touch and pay credit card, which was inspired by the technology used in the Oyster card. Three years on the pick-up of the technology has been relatively slow, however this is more likely to be a result of the tough economic climate during that period rather than consumer resistance to the technology.

If the technology is to be widely adopted then many more businesses will need to invest in the system, but as the country rises out of the recession, the business case for investment in the technology is strong and with the potential to reduce transaction times and increase the average spend of more customers, we could see the technology being widely used in around 18 months; although the necessary infrastructure will take time and investment to set up. The Logic Group handles transactions across more than 250,000 points of sale and clients are already discussing the benefits of adopting the system now.

However, a surprising number of people still do not have access to credit or debit cards. The latest figures from the Financial Services Authority report that six out of 17 basic bank accounts – about a third – do not offer a debit card, in contrast it is estimated that over five billion people across the world have access to a mobile phone. Contactless technology therefore could be incorporated into a mobile phone cover or attached to the phone itself; allowing people that do not have a high credit rating to access the technology without having to use a bank card.

Many different ideas are being discussed regarding the most effective way of making contactless a mainstream technology. Barclaycard, the ostensible pioneer in this area, has made use of a system that people are familiar with, piggybacking on the success of the Oyster card, it launched its contactless system in London where there is less resistance to adopt technology that people are already comfortable using.

Although society will probably never be entirely cashless, by the time the next Olympics is underway people in the UK may well be actively making contactless payments and will certainly be using much less hard cash overall on a daily basis. Barclaycard is planting the seeds in consumers’ minds and by pioneering the technology it will inspire other companies to innovate ideas. The infrastructure to allow contactless payment to become widely adopted will be eventually put in place, but this will take considerable time and investment. So although cash is still king, for now at least, it may not be too long before we see contactless cashing in.

The first PCI DSS deadline has been widely discussed by both merchants and payment card industry specialists but what does this really mean, will Visa and Mastercard soon be knocking at your door?

The 30 September deadline only affects level one merchants – so a business which takes more than 6 million total Visa or MasterCard transactions a year, including eCommerce merchants. The requirements for PCI DSS compliance do at first appear to be daunting. If the merchant attempts to go through this process unassisted then it can take a huge amount of time and resource to achieve compliance - the documentation runs to over 70 pages alone. It should also be noted that once a merchant has absorbed the requirements, compliance is not simply a case of ticking boxes. Fraudsters will continue to find vulnerabilities, so merchants should view their business security as an ongoing process, and payment security should be viewed as a best practice solution for the entire business rather than one department alone, which helps to safe guard an organisation’s reputation and avoids severe fines.

The most effective way for merchants to become PCI DSS compliant is to outsource the entire process to a secure payment specialist. Companies like this have already adopted PCI DSS and as a result their customers reduce the scope of compliance drastically. When there are updates or changes to the requirements – take for example the fact that v2.0 is imminently being finalised – the merchant will also automatically be safeguarded. It should also be noted that differences between v2.0 and the current requirements will be minimal; further to this PCI has just changed the lifecycle of the update process, meaning that after v2.0 has been launched the next update will not happen for three years (however minor changes or new security risks may be addressed in the interim).

It should also be noted that the PCI DSS standards were not set up to cause a problem for merchants but to enhance the payment account data security. Ninety per cent of merchants already have a compliance date agreed with their acquirer. Merchants should remember that Visa and Mastercard don’t fine the merchants directly, they fine the acquirer and they have the ability to pass this on to the merchant, so the ominous shadows of card schemes and the PCI Security Standards Council will not be on merchant’s doorsteps just yet!