One of the first points made during the biometrics discussion at the World Card Summit yesterday was that the user ‘doesn’t see the security at work’. This was framed in the context of convenience as the driving factor behind adoption of biometric authentication, though the concept also resonates with the technology that powers mPOS (mobile point-of-sale) transactions. If the customer is king, then customer experience reigns supreme.
As payment service providers (PSPs) begin to explore the largely untapped revenue stream of the micro merchant market, they are faced with a new challenge – responsibility for ensuring that merchants new to card acceptance remain out of scope for PCI DSS. These providers are looking to construct, configure and deliver an mPOS solution quickly, to reap the benefits of lower cost and simplified equipment supply without compromising their established POS business.
To do this, they must be able to guarantee that the mobile device and merchant environment never ‘see’ sensitive cardholder data. The simplest and most cost-effective way of meeting and demonstrating compliance with this requirement is to encrypt cardholder data at the point of capture, using a hardware security module (HSM) to facilitate the key management process. This approach protects the PSP, reducing the risk of key or data compromise at the payment gateway and limiting its liability by isolating the merchant domain (often targeted by fraudsters) from the acquirer domain.
The merchants themselves are all too aware of the importance of customer experience at point of payment. As merchants look to their PSPs for mPOS offerings, they will be seeking providers who can not only provide the necessary security but also offer a range of interfaces and handsets, providing crucial flexibility when it comes to tailoring the customer interface.
There are a number of ‘customers’ in any value chain, though in the realm of payments, the true end customer is the consumer making the payment. Merchants rely on PSPs to enable secure card acceptance, and PSPs must in turn rely on the hardware security provider – keeping it simple by deploying the ultimate shield.