Mobile Point-of-Sale is no longer a novelty. More and more retailers are embracing this technology and the reason is simple. It increases sales! Here's how:
- It expands your sales territory, exposing you to new customers. Take your merchandise and your mobile P.O.S. system to vendor fairs, sidewalk sales, farmer's markets, and music and sporting events. Mobile P.O.S. is also perfect for pop-up stores!
- It makes it easier for customers to complete their purchases. Mobile P.O.S. is great for line-busting during peak selling seasons, and may also be a less expensive alternative to adding full P.O.S. stations to other departments in your store.
- In some cases, mobile P.O.S. allows you to spend more time with your customer, which can give you more influence over his or her buying decisions. For example, you could use it in a garden center when a new homeowner comes in looking for landscaping ideas, or to provide a "personal shopper" experience in a clothing store.
If you've been considering mobile point-of-sale but don't know where to begin, I'll offer some advice on that next week.
If you are like most retailers, you invest quite a bit of money in advertising, in order to get shoppers to come to your store. Once you get them there, you want them to purchase something, of course. Better yet, you'd like them to come back and purchase even more items from you in the future.
I recently came across a great article on how to keep those customers coming back:
Let me know what you think!
I've covered several different technologies related to credit card security over the last few weeks. Which ones should you implement and when?
I recommend implementing point-to-point / end-to-end encryption first. This virtually eliminates the potential for large-scale theft of credit card data from your system. It will likely require an update to your POS software and/or processing gateway and all new payment terminals, so it is not an inexpensive option, but it is well worth the investment. Check with your software provider to determine if and when the new technology will be available for your system.
The second most helpful technology is EMV / Smart Card technology. However, it only stops invalid card numbers from being used; it doesn't stop them from being stolen. So, it offers more protection for the consumer than the merchant. Also, it won't be generally available until sometime next year, and a lot can happen within a year.
I think tokenization is the least valuable of these technologies right now, although I believe it will become more important once point-to-point encryption becomes more widespread. Ideally, it will be implemented in conjunction with P2PE, for maximum protection.
As mentioned below, there are a couple of ways to prevent data breaches once the card numbers get to your point-of-sale software. The one hole that we haven't yet addressed is how to protect it before it gets to your software.
Point-to-Point Encryption (P2PE), also called End-to-End Encryption (E2EE), is the solution for that problem. With this technology, the payment terminal is no longer an independent device that exchanges data with the POS software. Instead, it is controlled by the POS software and/or credit card gateway, which allows it to encrypt the card number at the payment terminal and then maintain that encryption all the way through. Ideally, this encryption will be implemented for card data scanned through the credit card reader, as well as for card numbers manually entered through the payment terminal keypad.
The beauty of this technology is that it eliminates the potential for malware to grab credit card data between the time it is scanned or entered, and the time it reaches the POS software. In fact, it is so effective that it has the potential to actually reduce a merchant's scope for PCI compliance!
Next week, I'll go over how all of these technologies fit together and offer some advice on what to do with all of this information.
Tokenization is another technology you may be hearing more about. It is a more secure method of storing credit card numbers.
PCI-compliant systems are not allowed to store or transmit actual credit card numbers. These numbers have to be disguised somehow. The most common method of disguising credit card numbers is to encrypt them, but tokenizing them is even better.
Whereas encryption applies a mathematical formula to the original card number to get the encrypted card number, a token is a randomly generated number that points to the storage location of the card number instead of the card number itself. Ideally, that storage location would be a secure data vault managed by the credit card processor, the gateway provider or the point-of-sale provider. Since a mathematical formula is used to encrypt credit cards, it is theoretically possible that you could crack the encryption code if you could figure out the formula. Tokens are safer because there is no way to tie the token back to the original card number unless you have access to both the location that has the card number and the software that ties the card number to the token.
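The token-versus-encryption distinction above, as an added Python example (not code from any POS or gateway product): the merchant keeps only a random token, and only the vault can map it back. The `TokenVault` class, the `gateway` caller name and the choice to keep the last four digits are assumptions of this example.

```python
import secrets

AUTHORIZED_CALLERS = {"gateway"}   # assumption: only the gateway may see real numbers


class TokenVault:
    """In-memory stand-in for the processor- or gateway-hosted vault."""

    def __init__(self):
        self._pan_by_token = {}   # the only place token and card number meet
        self._token_by_pan = {}   # lets a returning card reuse its token

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "").replace("-", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("not a card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random digits, not a function of the card number. Keeping the
            # last four for receipts is a choice made in this example.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in AUTHORIZED_CALLERS:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant's POS database keeps: a token, never the card number."""
    return {"card_ref": vault.tokenize(pan), "amount": amount}


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111 1111 1111 1111"   # constructed test number, not a real card
    sale = record_sale(vault, test_pan, "42.10")
    print("stored by merchant:", sale)
    print("gateway lookup:", vault.detokenize(sale["card_ref"], "gateway"))
```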
This technology is definitely an improvement over encryption, but most of the recent data breaches have not been caused by cracked encryption codes. It is much easier for hackers to install malware to catch card numbers before they get to the point of encryption or tokenization. I'll write about how to prevent that next week.
Since the Target breach last year, there has been a lot of talk about EMV or "Smart" cards. These are also called "Chip" cards. The biggest difference between these credit cards and magnetic stripe cards is that they have an embedded microprocessor in them. This allows the card to actually communicate with the payment terminal, instead of passively allowing its information to be read by a magnetic stripe reader.
The biggest advantage to these cards is that they can't be counterfeited, which reduces the incentive to steal credit card numbers in the first place.
Chip cards also contain information indicating the level of cardholder verification that is required for the card under different conditions. EMV payment terminals can then use this information to determine whether or not to authorize a transaction, even for transactions entered in offline mode.
EMV cards that require a PIN (Chip & PIN) are more secure than Chip & Signature cards, but both are a big improvement over traditional magnetic stripe cards. This technology is already in use in over 80 countries and many have seen a dramatic reduction in credit card fraud, as a result.
The current deadline for retailers to be able to accept smart cards is October of 2015. That is when credit card issuers plan to shift the liability for credit card fraud to merchants who don't use this technology. However, most smart cards will also have magnetic stripes, in case they need to be used in non-EMV payment terminals. That will probably be true for at least a few years because the deadline for gas stations to switch over is October of 2017.
This subject is back in the news again after P.F. Chang reported a possible breach yesterday. So, I thought it might be helpful to explain how this can happen.
Almost all retailers in the U.S. process credit cards by reading the magnetic stripe on the back of the card. There are four basic areas of vulnerability in this process:
- The card reader itself. Bad guys have been known to attach "skimmers" to these devices which record the data as it is being swiped. Since this requires physical access to the device in order to attach the skimmer, it is less common in a traditional retail store than it is in ATMs and gas stations, where the readers are unattended.
- The pathway between the card reader and the point-of-sale software. Although with most POS software, it looks like the card numbers go directly into the POS program, they don't really. Rather, they get there through the operating system device handlers. Recent breaches have occurred because someone was able to insert software into this pathway to capture credit card data as it goes by. This software is typically called "malware," which is short for malicious software. The scary thing about malware is that you don't necessarily have to have access to a computer in order to install it. Once it gets to the computer, it can install itself. So, it often arrives as an attachment to an email or an internet download. It can also be copied to a computer from another local or remote computer, a USB stick or a CD.
- POS software. Most reputable software packages store credit card numbers in a securely encrypted format; if they store the card numbers at all. If your software is PA-DSS compliant, you don't have to worry about this area of vulnerability.
- The credit card processing gateway. This is the route that your POS software uses to send credit card data through the internet to your credit card processor to authorize each charge. Any reputable gateway product is going to securely encrypt card data for transmission. If the gateway product you use is PA-DSS compliant or Visa-approved, then you don't have to worry about this vulnerability.
Happily, there are new technologies coming that will significantly reduce the potential for data breaches. Over the next few weeks, I'll provide more information on those technologies and also offer suggestions on how you can protect yourself in the meantime.
Wireless access gives you more flexibility, is a nice convenience for visiting suppliers, and can be a valuable service for your customers. It is not, however, an inherently secure method of access. So, you need to add protection to your wireless network if you decide to have one. Here are some tips:
- Establish a totally separate wireless network for suppliers and customers that can't access your business or POS system network. Configure this network for WPA or better (not WEP) encryption and change the password monthly to keep out the riff raff.
- If you are using a wireless network as part of your business system, it will likely need to be on the same network as your business and/or POS system. Configure it for WPA or better (not WEP) encryption and change the password at least every 90 days. In addition, you should configure this network to allow access only to specific devices. Each device has a MAC address. Restrict your wireless access points to only specific MAC addresses. Be sure to update those settings when devices or their owners leave, too.
- Make sure you change the default password on all of your wireless access points (and network modems, routers, and managed switches, too). Most default passwords are readily available online, so if you don't change yours, anyone could get in and change your settings.
Welcome to the launch of our new website - and our new blog!
I am looking forward to using this space to share information about new technologies and other issues of interest to retailers. I am also looking forward to hearing from you.
My goal is to post something here at least once a week, starting next week. So, stay tuned!