Making Sure Crime Doesn't Pay: How The Channel Is Key To Helping Retailers Modernize Payment Systems

Retailers, prompted by the incessant drumbeat of data breaches and a 2015 target date to modernize their payment systems, may finally be opening up their wallets to spend on new equipment and software, according to solution providers and payment industry experts.

Home Depot and Target, two companies still reeling from massive credit and debit card breaches, are spending millions on new payment terminals that support smartcard payments, encryption and other IT security improvements. The rest of the industry is expected to slowly begin the upgrade process to meet an October 2015 date when the credit card brands reward early adopters of modern point-of-sale (POS) system terminals by assuming fraud liability. Apple Pay, and the prospects for its mobile payment service, which requires modern contactless terminals, also is seen as an impetus to spend.

Merchants can no longer neglect IT spending, including security, which largely has been driven by the Payment Card Industry Data Security Standards, said Miya Knights, a senior research analyst for IDC Retail Insights. The data breaches and mobile payments are rapidly changing customer expectations when it comes to security and payment technology enablement, Knights said.



"There's real pent-up demand for retail, leisure and hospitality POS system overhauls in North America," Knights said. "These retailers have sweated their POS assets for too long in some cases -- hence, some of the woeful security breaches we’ve seen recently."

Despite the optimism for sales growth, merchants buying new smartcard and mobile payment terminals are expected to do so around normal equipment refresh cycles, which run between five and seven years, according to IDC. The research firm estimates that spending on these systems will grow at a compound annual rate of 2.3 percent from 2013 to reach $9.5 billion by 2017. Refresh cycles of investment are getting longer, according to the IDC analysis.

The high-profile data breaches have captured the attention of corporate boards of directors, said Kevin Grieve, a payment industry veteran and partner in consulting firm Strategy&, who leads the firm's payments consulting practice. Wall Street took notice when Target fired its senior executives, including its longtime CEO Gregg Steinhafel, for the security lapses that led to its massive breach, Grieve said. It's added to the favorable spending environment for solution providers, Grieve said.

"Because this has now become a fatal career event, you are going to see the upgrades," he said.

The liability and culpability are increasingly resting on the shoulders of senior-level executives, and consumer demands are adding pressure on them to move forward with security-related projects, said Alex Moss, a managing partner at Chicago-based security consultancy Conventus. Solution providers should be having a discussion with merchants about better securing their servers and POS devices, increasing host-based security on those devices and getting a handle on monitoring and alerting capabilities, Moss said.

"The costs for security improvements must be reasonable, with the priority leaning toward processing payments quickly," Moss said. "The days of checkmarks on a compliance checklist are over."


Moss, whose company has guided merchants to prioritize the recommendations contained in post-data-breach investigation and risk analysis reports, said the biggest challenge is to invest in security technology and process improvements that reduce the greatest amount of risk in the most cost-effective way. Projects can take 12 to 36 months to get fully implemented and need to be done without materially impacting business operations, Moss said.

Merchants will need help evaluating the different types of terminals and payment schemes they want to support and how sophisticated they want their back-end infrastructure to be, Grieve said. There will be a wide variety of terminals at different price points, but the upgrade process also impacts the back-end systems, he said.

"A careful calculation will happen to determine the cost benefit of my fraud exposure vs. upgrading and, if the merchant upgrades, whether or not it goes to contactless terminals to support mobile payments, which are more expensive," Grieve said.

The problems that cause breaches of all sizes could have been addressed if a solution provider worked more closely with merchants to implement basic security measures and address configuration weaknesses, said Tom Arnold, co-founder and principal at San Jose, Calif.-based PSC, which specializes in payment industry security incident investigations and compliance assessments. PSC is one of about two dozen digital forensics firms authorized by the credit card carriers to conduct independent forensics investigations through the Payment Card Industry Forensic Investigator Program. Most investigations uncover common problems, Arnold said.

"It's an entire litany of bad practices that can get retailers into trouble," Arnold said. "Most of these payment systems are running on older operating systems that are not properly patched and retailers do stupid things with them like browsing the Web or having Web access enabled on servers."

Europe, which was beleaguered by unreliable telecommunications infrastructure, was the first to shift to chip-and-PIN cards and readers. In the U.S., where security measures are the strongest, merchants and issuing banks balked at updating systems to support smartcards, Grieve said. "Merchants yawned and said we have real-time authentication and authorization, what do we need it for because we simply have no business case for it," he said.

Grieve and other experts agree that the payment industry has managed to drive down fraud in the U.S. market to reasonably manageable levels, slowing the move to more modern terminals that support smartcards and encryption. But if big retailers do open up their purse strings, expect the rest of the industry to follow, Grieve said. In the U.S., more than 90 percent of retail sales are done at physical, brick-and-mortar stores, he said. Sales at Amazon, eBay and other e-commerce merchants account for about 8 percent of sales.


Merchants will evaluate EMV (Europay, MasterCard and Visa) systems -- also known as chip-and-PIN POS -- with most of the electronic POS terminals supporting near field communication (NFC), the mobile payment protocol used in Apple and Google smartphones. Smaller electronic funds transfer terminals, used by small and midsize businesses, may need to be coupled with additional contactless terminals to support mobile payments. The newer hardware also supports encryption, but whether or not to turn it on will be a decision that the merchant makes, solution providers say.

Once the decision is made on the right hardware to adopt, retailers need assistance determining how to roll out the equipment. They may study whether high-traffic locations in urban centers should be upgraded first or whether the terminals should be placed at locations near higher-income communities where customers may be the first to be issued new smartcards.

Smaller merchants will have turnkey solutions pushed by payment processors. The software typically comes preconfigured and can be deployed by solution providers right out of the box, Grieve said.

Despite the optimism behind retail spending, solution providers that have worked with retail clients say they are keeping realistic expectations due to previous industry spending patterns. Retailers are very sensitive to how all the security costs will impact every part of the customer experience and ultimately the bottom line, said Tom Richer, chief sales officer at New York-based managed service provider Computer Resources of America. These are careful calculations that retailers are very familiar with and have been measuring for a long time, Richer said.

"It's a unique space because you have to strike a balance between the clients and what they are demanding in a solution while reducing their risks and keeping it cost-effective enough to make sense," Richer said. "The financial sector spends the most money on security but in retail it goes into operational margins."

This article originally appeared as an exclusive on the CRN Tech News App for iOS and Windows 8.