
Tighten Your Perimeter
Chain Store Age - 07/11/08

The following article will be published in the August issue of Chain Store Age

Should credit-card transactions move out of the POS?

It’s back-to-school season – the retail industry’s official kickoff to peak-season shopping frenzies. This year, more than any other in recent history, retailers are depending on vital fourth-quarter sales, and there is no margin for error in retail operations.

For the payment-systems department, error-free operations mean that protecting transaction data is priority No. 1. However, protection is as much about strategy as security.

An emerging school of thought suggests that the widely accepted practice of processing and securing credit-card transactions through the POS system may not be the best strategy.

The debate is not about the need to secure the data that goes through the POS system. That is a given: credit-card and debit-card data that passes through the POS system to the payments processor must be encrypted, secured and compliant with the Payment Card Industry Data Security Standard (PCI DSS) requirements.

Rather, the current discussion raises the more fundamental question of whether or not credit-card transactions should ever enter the POS system.

“One of the problems with passing the transaction through the cash register,” noted Jeff Wakefield, vice president of marketing at VeriFone, Clearwater, Fla., “is that the POS system then has all of the track data. In order for a retailer to be PCI/DSS compliant, any system that stores, transmits or processes credit-card data is within the scope of what has to be tested, audited and monitored.”

The alternative to passing transaction data through the POS system is quite simple. Essentially the retailer routes transaction data directly from the PIN-entry-device (PED) pad through an application server to the payments processor.

“One retailer came to us and said they wanted to take credit-card payments out of their POS system, because their security professionals and auditors had advised this would remove the POS systems from the scope of PCI/DSS requirements, which greatly reduces the perimeter that had to be secured in each store,” advised Wakefield.

Another VeriFone client, petroleum retailer BP, effectively moved card payments out of the POS by installing the VIPER payment software and V900 electronic payment server (EPS) across its entire portfolio. BP’s decision to move credit-card transactions out of the POS was motivated by a need to comply with PCI requirements as well as the fact that BP had a number of disparate POS systems running across the different brands it had acquired.

The VeriFone solutions enabled BP to achieve PCI compliance at its more than 10,000 locations across the United States in considerably less time and with less investment than would have been required to upgrade each of the POS platforms.

According to Avivah Litan, VP, distinguished analyst with Gartner Group, Potomac, Md., it is “too early to predict if moving credit-card payments out of the POS will become a trend. However, we are seeing a lot of interest in its potential and it is certainly worth a closer examination.”
