On a cards project that I’m currently working on, there is a lot of debate about how the organisation’s branches can be upgraded to accept credit cards. In near-monopoly market like Belgium, this can prove quite expensive. So the question was ‘is there a way to accept cards in a shop without an EMV terminal, or is there an electronic alternative’?
The current hype answer would be – of course! just plug a square into an iPhone and you’re done – to which the simple response is – this isn’t EMV and isn’t available outside the US (and a whole pile of other reasons why this remains just hype). There are, of course, viable phone plus reader EMV terminals – for example, the innovative WAY systems built one back in 2005 from a Siemens mobile and were subsequently purchased by Verifone last year to help create an integrated and secure offer together with Verifone’s mobile payment gateway. But clearly in providing this type of terminal, the acquirer link is still outside the loop and remains the major cost driver.
So in order to solve the POS-less acceptance conundrum, we need to look at the problem from the other side – i.e. from the point of view of the payment rather than the technology. In environments where the merchant needs an immediate guarantee of payment and goods are exchanged immediately, then invariably the answer is a standard EMV terminal that fulfills all needs. However, not every retailer has these needs, particularly those in the Low Volume, High Value segment. Take for example an insurance broker, or traditional furniture store, or even service providers such as plumbers and builders (if you can find one!). Their delivery is typically not immediate and so the immediacy and cost of a card terminal is not always necessary.
So how would you go about collecting money electronically as a retailer without EMV? There are a few options available to be honest. The first of these is a virtual terminal. Accessed via the web, virtual terminals have been used for a while in MOTO transactions to allow manual input of card data and therefore allow instant authorisation of card payments with only a standard PC and (mobile) web connection. Set up cost is generally very low – any PC will do and a mobile web connection is normally free or a few euro to start plus a monthly fee. However, the downside to this solution is that despite your face-to-face connection with the customer, your transaction is still processed as card-not-present (CNP), meaning that you will pay top interchange rates and each transaction carries a higher risk of repudiation – not exactly the guarantee that merchants might need.
Another way round this might be to try and leverage other secure card transactions to lower the repudiation risk, while maintaining a simple acceptance method. For example, card payments today accepted via the web can be fully authenticated using the 3D-Secure protocal coupled with dynamic one-time passcodes (OTPs) created by interaction of the card with a personal card reader. What if this same mechanism were deployed in a face-to-face environment rather than remotely. The rules of this transaction type would be respected and the effective authentication method is equivalent to EMV. What could be envisaged on the merchant side is a standard web payment screen. The merchant PC would be linked to a secure low-cost PCI-certified PIN Pad (obtainable for around 150 EUR) which would be loaded with a simple application to read the card data and also the same application for generating OTPs as used in the personal readers. Now when the merchant wants to take a payment, they ask the cardholder to insert their card – the first application loads the data into the payment screen and the merchant confirms, which triggers the 3D-secure screen. The PIN pad now activates the OTP application and requests the cardholder’s PIN. The generated OTP is fed directly into the 3D-secure screen and the payment is now finalised and authenticated.
However, SEPA and ideas from the German market gives us another option here in Europe. With the migration to SEPA Direct Debit and its creditor mandate flow (CMF) setup, the merchant can now accept a payment by gaining the authorisation of the customer to directly debit the funds from their account. Recording the customer details (BIC, IBAN, name, address) straight into a eMandate and using electronic ID (or print and sign) to authenticate would allow a mandate to be processed – possibly with a payment date to the merchant of only D+1. Although the debtor guarantees in the SEPA scheme would allow repudiation for unauthorised payments or incorrect amounts, generally this scheme would give the merchant a guarantee of payment and a quick arrival of funds. Of course, this wouldn’t be easy to set up in a standalone way and may require real education of the customer and upfront investment, but a face-to-face SDD with a fixed amount could be a simple and low maintenance cost method for certain merchants to collect payments. This could even be done with a smartphone or tablet device should bank interactivity be available.
All in all, I think it is entirely feasible to take POS terminals out of POS, and this fact alone should prompt banks to take a good look at their acquiring model.