A Consultant's View
Prairie Trail Software, Inc. ............................................................. August 2005
Have you been wondering where payment terminals are headed in the future? The easiest way to see where things are going is to listen to the people who are unhappy with the way things are. Expectations are not being met.
There is a tension between the two groups of service providers who use countertop terminals: the intended users, those who have been paying for the terminals; and the unintended users, those who use the terminals in different ways.
The former are the credit card processors. Since they pay the bills for the equipments, their concerns are (quite naturally) addressed: VeriFone provides better security for multiple applications in the terminal, Nurit provides a simple upgrade path for the applications, and Hypercom provides a single application platform.
However, the latter group, those who want to use the terminal to provide new and different services to the merchants and consumers, don’t get their concerns addressed. They see the terminal as a natural extension of their own networks and are unhappy with what the manufacturers have provided.
Many of they try to make the old Tranz terminals act like a TTY dialing into a Unix system. They wonder why the terminals can’t send a “Return” character after the packet. They have had a difficult time adjusting their systems to match the way that the terminals behave. Sure, the terminal CAN do that, but not if the intended user’s software (credit card application) is running.
This tension will continue until these smaller companies purchase equipment in large enough numbers to get the terminal manufacturer’s attention.
Recently, the tension has revolved around TCP/IP capability. Adding TCP/IP has been a difficult process for terminal manufacturers. Then, there are the expectations that the term, “TCP/IP’ brings up. For the terminal manufacturers, simply adding the TCP/IP stack with security was difficult enough. However, many a service provider hearing that the terminals now do IP, assume that the term means that the terminal is a full internet capable device.
So, they ask if the terminal can handle XML pages properly. They ask about WAP protocol. They ask if the terminals can handle XSL rules. The expectation is that the terminals will be able to keep up with the rest of the Internet protocols. But just because something has got TCP/IP doesn’t mean that it has got HTTP, FTP, SMTP, etc. (So, just how to the terminals handle cascading style sheets, or Flash?)
At some point, the merchant will have the option of switching. As in the PC world, the cellular world, and the smart card world, eventually “standards” or a dominant OS will take over in the terminal world. (There are already Linux based terminals and even VeriFone is offering one in their multilane division.) At that point, the countertop terminal will just be another “Internet Device” able to process any kind of interaction that people want it to do. But at that point, will there even be terminals anymore?
Considering how many parts have to work together, payment processing systems are amazing.
When something goes wrong, many merchants blame the terminal. However, the terminal is just the gateway. Blaming the terminal is somewhat like blaming the fin in the water for the rest of the shark.
When a terminal starts dialing, the first outside company that gets involved is the local phone company. A different company may offer the long distance service, and a third company may provide the local line to the processor. That is three phone companies just to get to the first level of the processor.
But, wait, there’s more! For credit card processing, the company that accepts the phone call may not be the one of the credit card associations. So, that credit request is transferred onward. Although these transfers are not done over dialup lines, they are still done over phone company lines. So, again, multiple phone companies may be involved.
The request may then be transferred up to a regional processor, then on to a national processor, and then to an actual credit association such as Visa. The number of companies that one request may pass through to get approval is astonishing.
Transaction settlement is similar in complexity. In many cases, the merchant dials one number for the authorization and a different number for the settlement. That means even more compounding of different phone companies, switches, and processors.
The recent security breach at CardSystems Solutions, Inc. shows part of the system. Almost nobody knew that CardSystems was part of the system. Yet, this security breach exposed 40 million card numbers.
How did CardSystems get into the system? They were a regional processor. They had a number of merchants that were running transactions through them into the rest of the system. Where they went wrong was in having data that was able to be pulled from their systems out into the internet.
Credit card processing systems, as well as other processing systems, are complex. There are hundreds of companies in the credit card processing network and more joining them every day. It makes for a challenge in making the system work and making it secure.
.
Dave Randolph,
President, Prairie Trail Software