Are electronic payments a security risk?

Aug. 4, 2014
Massive credit card data breaches, card acceptors with monitoring devices and vending machines used by hackers to gain access to corporate systems – these news stories are spreading concern among locations about electronic payments. However, the reality is much more secure.

Security is a top concern for all companies. This is especially true as more businesses move to the cloud for data storage and use the Internet to connect employees in different locations. The media regularly reports on security failures, from the infamous Target data breach to the credit card sniffers on transit ticket terminals. As electronic payments gain traction in the marketplace, so too must the discussion on what it means for the industry and how we can reassure locations that their data is safe. In this article, we will focus mainly on the different types of electronic payments, security risks involved, and options for the future.

Credit cards and telemetry

Many operators who are deploying cashless solutions today are looking at two main areas of return on investment. First, using the telemetry data from the machine available with the addition of cashless to know when to fill it and what to bring. The second is using cashless to increase sales. Because both of these help an operator grow the bottom line, it is clear that connected vending machines are the future. The connection allows the vending machine DEX data to be sent back to the operator’s vending management system (VMS) and also allows for standard credit card processing. The connection can also be leveraged for video, nutritional info and better consumer engagement, though these have not been fully leveraged by our industry yet.

There are some security risks associated with taking cashless payments and using telemetry. The concern associated with credit cards is that a mechanic or someone at a location could get exposure to your payment hardware and install a monitoring device onto the machine that can capture credit card information. This has actually happened in gas pumps and at retail locations, and more recently it has been happening at automated retail machines. However, the limited space on the front of the vending machine makes adding a monitoring device that blends into the legitimate device difficult. Also, most credit card thieves these days are more focused on hacking into systems where credit card numbers are stored and getting multiple numbers at once. These types of hacking breaches have happened most recently to Target.

Operators can ensure consumer credit is protected and avoid liability issues by choosing cashless and telemetry providers who are PCI certified. PCI stands for Payment Card Industry and is a data security standard mandated by the credit card associations. It requires an “end to end” audit to ensure that credit card information is secure.

Stored value cards where consumers load money onto an account have similar security issues as credit cards. Operators should use providers that secure any credit card number used to load the card.

EMV® cards are also forthcoming to the U.S. These cards are credit or debit card with a chip that provides added security. There is a still a great deal of speculation about how and when these cards will be used in this country, but they are coming in the future.

Secure your online machine

Telemetry brings another concern for locations. An online vending machine or micro market kiosk might provide an entry point for hackers into a company’s system. An article from Business Solutions magazine suggested that third-party systems monitored remotely can be an entry point for hackers and cause a security breach. The theory is that if hackers are able to access one system, then they have the potential to access all other connected systems. This is only an issue if the vending machine or micro market kiosk is on the same network as the company’s data files. Usually, operators opt for a cellular signal to bring a machine or kiosk online. If an operator is using the internet, then they should opt for a dedicated digital subscriber line (DSL) which allows internet access through a local telephone network. The operator can also use a virtual private network (VPN) as most companies do to ensure a secure Internet connection across a public internet space. All of these options keep the vending machine or micro market kiosk Internet access separate from the company system.

Mobile payments are here

Today there are also new payment options available to vending operators that can enhance the consumer experience. As an industry, we are behind most other retail outlets, but we moving forward. Already many payment acceptors on vending machines and micro market kiosks take mobile payments using near field communication or NFC. This allows radio communication between devices and is available on many smartphones.

There are some concerns with NFC. There is a risk that the information could be sniffed and hacked while a consumer pays at a machine. However, while NFC is fairly new, the data is well encrypted and likely much more secure than current electronic payment technology. However, consumers may still have concerns. The technology providers have security information on their Websites which can be used to reassure the consumer.

Another NFC concern for operators is if it will be the mobile payment of the future. There seems to be ongoing and endless discussions in the payment industry if NFC will be viable long term. Apple never has put it into their phones, but most recent Android phones have it. Google Wallet, which has had many false starts, uses it, and so does ISIS. However, there are other options for mobile payments.

BLE is evolving mobile payments

In the past year a few vending-focused companies have announced or launched systems that use Bluetooth Low Energy (BLE) a new standard that started in the iPhone 4S as payment. BLE is wireless technology that consumes only a fraction of the power of Classic Bluetooth radios and also allows two Bluetooth devices (for example a smartphone and a vending machine) to quickly connect and communicate without the burdensome pairing process. Devices powered by BLE can run for much longer on less power and still communicate wirelessly as did the original Bluetooth devices.

BLE allows the vending machine to leverage a consumer’s smartphone data connection (rather than a cellular connection in the machine) to settle a purchase transaction. BLE solutions are very inexpensive to put in a vending machine making them a viable option. And Apple is putting its brand behind iBeacon, which allows a mobile device to communicate with another device and is based on BLE technology.

Adding money to a mobile device can be a concern if the device is lost or stolen, whether is uses NFC or BLE technologies. Therefore, it is important to protect the payment option with a PIN known only to the user.

Bringing down fees

One massive benefit to vending operators is that competition between new mobile wallets and the existing associations will drive fees down. At the same time, telemetry fees continue to go down, so it is becoming more feasible to equip most of your machines with cashless/telemetry.

The future is difficult to predict, but I have some theories. EMV is likely to be coming to the U.S. in the next 12 to 18 months. It is my bet that, long term, payments using BLE and smartphones are going to become the new standard – but the timeline for this would be hard to anticipate. What operators can do now is be ready. If you are installing cashless readers, include ones with NFC if the incremental cost is low. Also, new devices that include BLE are a good hedge on what the future may hold. And don’t forget to tell your locations about these extra payment options you offer and explain that confirming their data is secure is important to you.