Whether you like the term ‘omni-channel payments’ or not – indeed whether you even think of distinguishing between payments, the channels you offer to your customers and your overall retail proposition – it appears to have stuck, for now.
But what does it mean? I’d prefer not to get into a huge debate about this here, because it all seems to boil down to a personal point of view. For what it’s worth, I’ve refined my own definition to “any electronic payment, anywhere”.
However, I’ve spent the last 18 months looking at all the options in the market, distilling page after page of marketing information and product information down to the point where I’ve reached a conclusion: Omni-channel payments don’t exist.
I didn’t imagine when I started my voyage that I would be searching for Atlantis, but that’s the journey I find myself on – and I haven’t found it yet.
Yes, you can have solutions that cross online and in-store. Yes, there are solutions which work in any country. But they all have their failings, and I was surprised at just how obvious some of these are; for example, why would I not be able to get the same token returned when a customer used the same card through different channels? What use is that? Similarly, global acceptance does not mean the same thing as support for Visa and MasterCard… there are other cards out there.
I’ve now reached a point in my journey – a nautical crossroads you might say – where I have to make some decisions. The easy option would be to make a U-turn and forget about having to support and integrate tens of different systems to get what I want. Alternatively, I could continue my search in the vain hope that I have missed the prize somewhere along the way, or simply not stumbled upon the solution provider out there who can give me all I need. Or I can think of a way to build it myself.
Before I decide, I thought I would make a plea: If you have stumbled upon a solution which demonstrably delivers omni-channel payments then please share it with me. If you provide such a solution then don’t be shy. I hate doing U-turns and I’m loath to try and build this myself.
PayPal is integrated in store and online in the BT Expedite & Fresca solution through iStore and Fresca Commerce.
A token is an alternative reference for a card number within a transaction, provided by a tokenisation solution. Tokens are used predominantly for online payment processing and recurring payments, but are increasingly valuable in all electronic payments for retailers seeking to keep track of customers while simplifying their PCI DSS compliance.
By Kevin Burns, Head of Payments & PCI, BT Expedite & Fresca
New York’s National Retail Federation (NRF) 2012 conference theme was Retail’s New Rules, and it focused on how retailers and innovators are reshaping the conventional rules of the game.
My favourite town, my favourite show.
It was bigger, better and busier than ever, with 400 exhibitors and over 25,000 attendees from 78 countries. And Bill Clinton headlining! And, for me, this year’s big ideas were:
Epicor’s booth showed that consumer devices reign supreme: Business Intelligence (BI) portals, assisted service, clienteling – all served up on shiny tablet devices. Equally exciting was the acceptance that customer engagement rules are changing and, in response to this, our newly launched Clienteling app attracted lots of attention around the show.
At the conference, I asked US retailers for their views on the subject of centrally hosted versus distributed POS systems. In previous years, US retailers have shown little interest in this deployment model, in stark contrast to their UK counterparts.
But this year there was a definite shift in attitude; among the IT attendees, the key words were resilience, virtualisation and security. For their Business and Marketing colleagues the phrases were ‘customer experience’ and ‘cross-channel’ – or the new buzz phrase at the show – ‘omni-commerce’.
Overlaid on top of the cloud, security and PCI were also major themes. Network vendors promising the ‘elixir to PCI’ were around every corner; secure networks, secure wi-fi, secure platforms.
Clicks and mortar
A different perspective on Payment was provided by PayPal, whose booth was drawing in the crowds with their cross-channel vision and inexorable push into ‘bricks and mortar’. It’s part of a process that’s moving payment from the wallet to the smartphone, with personalised pricing and promotions, while consumers shop. PayPal’s new strapline ‘Now the Best in Both Worlds’ shows great vision in a fast moving area. Watch this space!
My summary of this year’s show: Bigger than ever, lots of optimism. Technology is where it’s at. Not just technology to meet the fast moving shopping habits of consumers, but technology that supports global reach, because that’s where the growth is. By the end of the show I was exhausted but more enthused about the future of retail and the systems that underpin it than previous years. Roll on 2012.
Steve Thomas, CTO, BT Expedite
With clarification on Point to Point Encryption (P2PE) now out, it’s clearly a solution that could make compliance easier for most. But is there a sting in the tail?
Back in September 2011 we were eagerly awaiting the clarification from the PCI Security Standards Council (PCI SSC) on Point to Point Encryption (P2PE). At the time I asked whether it was time to get off the fence and set out a white paper outlining the potential benefits of implementing such a solution. Now that the clarification has been published it’s clear that our assumptions remain valid and the approach, assuming that you use a solution which includes external hosting, will make compliance easier for most. But is there perhaps a sting in the tail?
First we have to wait until the QSA training is completed. Then there is the further wait for solutions to be validated. Combine this with the need for most Chip and PIN retailers to complete a PIN entry device (PED) replacement programme and we might have an issue with timing – and then supply and demand.
QSA training expected to slip
Initially there was a belief that QSA training would be completed by March 2012, but this is expected to slip. And the number of QSAs who will be trained and certified to complete the solution validation is likely to be a subset of the total QSA community. If we assume that the validation process takes three months, which may be optimistic, then we could be looking at July or August before any certified solutions are formally available to implement.
If retailers wait for the listing to be published then their selection of a new solution is unlikely to be completed until October 2012 at the earliest, giving no time at all to implement the solution before the end of the year (unless you ignore the traditional Christmas freeze). Some might think that this is a pessimistic view, but even if you take the best case it’s unlikely that you can start a change programme before August.
Five key planning steps
So let’s take the optimistic view. In August you sit down to start planning the implementation of a P2PE solution. Here’s what you need to think about:
1. PED replacement – this goes hand in hand with the P2PE solution. Remember you’ll be limited to selecting a terminal which conforms to PCI-PTS version 3.x (this is not a long list in the UK or Eire).
2. Accreditation with your acquirer(s) – not all solutions are pre-accredited and, if you need to go through an accreditation, your plan will have to include this, which could easily add 12 weeks (assuming you don’t have to wait too long for a slot).
3. PED availability – demand will increase as the year progresses, lead times will therefore likely extend.
4. Integration – most P2PE solutions will need to be integrated with your POS. Do not lose sight of the effort that this will take in terms of development, testing and implementation.
5. Deployment – new PEDs will mean engineering visits and P2PE applications will require software upgrades.
Clearly timelines will vary and you’ll likely have a view on the considerations above. But if P2PE is your answer to solving your PCI DSS challenges then, as I said back in September 2011 – PLAN NOW. Get your budget in place and perhaps take a calculated gamble to start sooner rather than later. If you wait you might find that it leads to disappointment, with busy development and deployment teams, and long lead times on PEDs, not to mention stretched resources at the acquirers trying to deal with a host of accreditations in parallel.
You might find it useful to look at our Time to get off the fence? whitepaper to help with your planning or get in touch to discuss how BT might help.
PCI DSS consultant
With many UK retailers struggling to keep their heads above water and others stuck in a seemingly endless sale period, the need to plan and pay for compliance is slipping down the list of priorities.
Now there are also additional pressures as many of the first and some of the second phase Chip and PIN Entry Devices (PEDs) reach end of life.
If PCI DSS is a burden and PED replacement a challenge then combining the two may, on the surface, appear to be a total nonstarter but there may be some merit in taking both challenges head on.
Why, I hear you ask? Well, not least because not every retail IT team has enough people today to deal with business as usual, so finding two of the team to deal with PCI DSS is a problem before you start.
Then there is the need to continue to keep up to date with the standards and keep on top of the retail estate which is in scope for the PCI DSS.
Defining a cost-effective way to get and retain PCI DSS certification
Over the last couple of years I have been out into the market looking at how to find ways to reduce the PCI DSS burden, and over the past six months I have been helping some of our retail customers come to terms with compliance in a number of ways, focussing on cost and ROI as much as on finding the best solution for their business.
Taking a step back from this process we have some lessons which apply generally to retail and some results which I think will surprise many, including:
• Redesigning integration layers to ensure that Point of Sale environments no longer have the full Primary Account Number (PAN) stored or used as a key to the transaction / customer.
• The same level of information can be derived from truncated card data combined with tokenisation or hash values.
• Working with truncated data instead of using full details will satisfy most reporting requirements and analysis.
• Moving to a hosted solution may be more cost effective in the short and the long term.
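The bullets above (and the earlier complaint about not getting the same token back for the same card across channels) can be shown concretely. The following is an added example, not code from BT Expedite & Fresca or from any product on this page: a retailer-side sale record keeps only a truncated PAN (first six and last four digits), a vault-issued token and a keyed customer reference, while the full PAN stays only in the vault, which stands in for the hosted gateway. The `TokenVault` class, the `REFERENCE_KEY` value and the card numbers are all constructed for illustration; the card numbers are the well-known Visa and MasterCard test numbers, not real cards.

```python
import hashlib
import hmac
import secrets

# Constructed sample key. In a real estate this lives in an HSM or key vault on
# the hosted side, never beside the POS or the reporting database: whoever holds
# the key can recompute references, so it is as sensitive as the vault itself.
REFERENCE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def luhn_valid(pan: str) -> bool:
    """Standard Luhn check so malformed input is rejected before tokenising."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: at most the first six and last four digits survive."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def customer_reference(pan: str) -> str:
    """Deterministic, keyed reference for the same card seen in any channel.

    A plain SHA-256 of a PAN is not enough: with the BIN known, the remaining
    digits are a small enough space to enumerate, so an unkeyed hash would be
    reversible. HMAC with a secret key removes that shortcut.
    """
    return hmac.new(REFERENCE_KEY, pan.encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Hypothetical vault standing in for the hosted gateway's tokenisation.

    Holds the only copy of the full PAN. Issues a random token per card and
    returns the SAME token on every subsequent sight of that card, which is
    what makes the token usable as a cross-channel customer key.
    """

    def __init__(self) -> None:
        self._token_by_pan: dict[str, str] = {}
        self._pan_by_token: dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        token = self._token_by_pan.get(pan)
        if token is None:
            token = "tok_" + secrets.token_hex(8)   # random, not derived from PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token

    def detokenise(self, token: str) -> str:
        """Only the gateway ever needs this, e.g. for a refund or recurring charge."""
        return self._pan_by_token[token]


def record_sale(vault: TokenVault, channel: str, pan: str, amount_pence: int) -> dict:
    """What the retailer-side system is allowed to keep: no full PAN anywhere."""
    return {
        "channel": channel,
        "amount_pence": amount_pence,
        "pan_truncated": truncate_pan(pan),
        "token": vault.tokenise(pan),
        "customer_ref": customer_reference(pan),
    }


def distinct_customers(records: list[dict]) -> int:
    """Reporting over truncated data plus references, without touching PANs."""
    return len({r["customer_ref"] for r in records})


if __name__ == "__main__":
    vault = TokenVault()
    sales = [
        record_sale(vault, "online", "4111111111111111", 1999),
        record_sale(vault, "in-store", "4111111111111111", 500),
        record_sale(vault, "online", "5555555555554444", 1250),
    ]
    for s in sales:
        print(s)
    print("distinct customers:", distinct_customers(sales))
```

Running the module prints three records in which the online and in-store sales of the first card share one token and one customer reference, while the second card gets different values; the only place `4111111111111111` appears in full is inside the vault.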
And with the anticipated further clarification on emerging technologies (Point to Point Encryption) due in September you may find my new white paper an opener to the ensuing debate that I am sure many retailers are about to reignite within their businesses over the next three to six months.
The massive swell of public support for Lush following an announcement that its e-commerce site had been targeted by hackers shows how loyal its customers are to the brand. But the whole episode made it clearer than ever that retailers need to meet the PCI DSS compliance standards – or face the penalties when things go wrong. Not all brands will be able to weather the storm as well as Lush. And while Lush has to be applauded for making the attack public – in line with its values of transparency and honesty – the PCI security standards forum has already started an investigation and a fine seems inevitable.
So how do you avoid getting into the same situation?
The web site was using a payment gateway, as is common practice, so we’re struggling to see the benefit to either the business or its customers of holding such comprehensive customer information that included credit card numbers. We strongly encourage our customers not to do this.
Having worked on PCI DSS related projects over the past three years now, this hacking has reinforced my personal belief that the best way for retailers to be compliant is to start by removing all customer data which has no value. Regarding card data, that is, we recommend simply removing all of it from all systems other than the payment gateway.
By doing this you simplify the PCI requirement on day one. The retailer’s payment gateway should then either be updated to include encryption or removed outside of the retailer environment altogether, into a managed / hosted data centre.
If there is a business need and business case to keep any card related data for audit or Customer Relationship Management (CRM) purposes then implement tokenisation. This will ensure that the business need can be met without the risk of keeping the card numbers. This costs money but makes retailing a much less risky business.
Keep it simple and you’ll avoid the pitfalls of card data security.
- Internet Retailing - Hacked Lush site seems to have been ‘riddled with vulnerabilities’
- Retail Week - Lush temporary website to open next week in response to cyber-attack
- BBC - Lush hackers cash in on stolen cards