Non-PCI-Compliant Software-Based Mobile Payments Solutions Could Tarnish the Industry
In 2020, lockdown and COVID led to a significant increase in online shopping. And even though essential services like grocery remained open, people preferred to stay at home, be socially distanced and minimise exposure to COVID. Consequently, we’ve seen a significant increase in consumers shopping online, many for the first time.
In 2021, the level of digital commerce is only going to increase. As this new wave of online shoppers enjoy the convenience online channels bring, the shift in buying behaviours will likely continue. The recent study by Influence Central reported that 72% of consumers plan to increase the amount of online shopping they undertake.
But with increasing levels of digital commerce come increasing levels of fraud. Inexperienced, less savvy online shoppers are easy targets for sophisticated fraudsters, and there is already evidence of an explosion of fraud on the horizon, with the dark web being flooded with card details available for purchase. Towards the middle to end of this year I expect to see industries such as travel and airlines being hit with a slew of transactions made using stolen card details.
The demand for software-based payment technology will exponentially increase over the next five years
With such a dramatic and still-growing shift to digital commerce, there has never been more of a need to provide a strong, trusted customer experience. Digital channels provide a necessary link between consumer and retailer, but they also open up a world of choice, and therefore competition. Consequently, consumer-facing brands have recognised the criticality of technology that can significantly improve the customer experience.
I’ve talked at length about the benefits of software-based payment technology and how it forms the missing piece of the puzzle in terms of innovating and improving the customer experience. The new set of challenges COVID brings with respect to hygiene, social distancing and the behavioural shift to digital commerce are nicely solved with software payment solutions, which enable this part of the customer experience to be completed on mobile devices. And therefore, the demand for these solutions is taking off.
Currently, completing a payment is different in-store than it is online, and there are different regulations and costs to the retailer depending on the channel used. Standardisation of the payment experience through software, across all channels (both online and offline), is where we are rapidly heading. This innovation will bring a myriad of benefits for both consumer and brand, but it absolutely must be built on a foundation of security. And that brings me to my next prediction.
Many of the software-based payment solutions coming to market won’t be secure enough
The Payment Card Industry Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide. It exists to ensure that any payment solution deployed to market is secure.
For a very long time, payment solutions were hardware-based and could not be deployed without PCI certification. But there were no PCI standards in place for software-based solutions and therefore no regulations to meet. PCI moved very quickly to put standards in place for Software Payments on Consumer Off-The-Shelf Devices (SPoC) and Contactless Payments on Consumer Off-The-Shelf Devices (CPoC), but there is currently no standard in place for CPoC + PIN, and it won't be ready for another year or two. To meet market demand for SPoC, CPoC and CPoC + PIN, the card schemes have issued waivers, which enable these solutions to be deployed. The problem with this is that there is no guarantee that a solution deployed under a scheme waiver would meet PCI standards, and that's a concern.
There is real disparity in the quality and security of the software payment solutions we are seeing deployed, and until PCI releases its CPoC + PIN standard, there is no governing body to standardise them. So the onus is on the businesses buying these solutions to vet them and undertake thorough due diligence to ascertain whether a solution is secure enough. And let's be honest: unless you are PCI, you're probably not going to know what "secure enough" looks like.
The businesses within the payments industry all seem to have the same value proposition and explain their tech in the same way, which makes it very hard to understand how the tech differs. But it certainly does. I believe that as an industry, we run the risk of having our reputations tarnished if any solutions deployed under scheme waiver are hacked or prove not to be secure – because all the tech sounds and looks the same it could be hard for those outside the industry to identify which are secure and which are not.
My advice to any business actively looking at a software payments solution is to look at how long the vendor has been in the market and how quickly they developed their tech. There are no shortcuts to creating truly secure, PCI-certifiable software. If they are a new entrant and haven't been around very long, that would be a red flag for me.
A large proportion of the software payments tech companies won’t survive past 2023
Following my last point about what's involved in achieving PCI certification, many of the software payments solution providers probably won't last long once PCI releases its CPoC + PIN standard. I think a lot of businesses underestimate the effort involved in achieving PCI certification – it's very difficult (and expensive). As the only software-based payments solution provider in the world to have achieved PCI certification on SPoC and CPoC solutions, we know this to be the case.
Once the CPoC + PIN standard comes in, anyone without it won't be able to process payments anymore. And it won't be a good look for our industry if retailers are left high and dry after investing in a solution that is taken off the market. So again, my advice to those shopping around is this: spend your money wisely and make a secure investment for the long term. Choose a vendor like MYPINPAD that already has PCI certification, even though it is not required right now.
And finally, this will be a year of huge change
Regardless of whether my predictions come to fruition or not, like its predecessor, 2021 will be a year of massive change. The key thing for me is that regardless of how payment innovations take shape, they must be built on a foundation of security. Without it, no payment solution will stand the test of time. As an industry, it is on us to ensure we are developing solutions responsibly and securely. And in doing so, we will instigate massive and value-adding change that reshapes the customer experience and secures the longevity of our solutions and industry.