Post image for New POS Security from Old System Topology

Anyone around technology for a couple of decades recognizes how old ideas tend to return. To those folks, using a browser to do data entry into an enterprise database looks a lot like a mini or mainframe system’s terminal application.

Back for another incarnation in payments is an old fashioned topology familiar to anyone who used or deployed stand-beside dial-up terminals. In that mode, the POS terminal is not connected to the merchant’s system in any way. It sits next to the cash register and the sole integration point between the two is the staple the clerk uses to connect the cash register receipt to the print receipt from the POS terminal. The data flow went directly from the terminal to the acquirer’s modem bank and front end system, never touching the merchant’s system.

Integration and its Risks

While that simple configuration is still out there in considerable numbers, the typical retailer has connected their point of sale system, the PC running the store, to the POS terminal that takes card payments. In other words, the PC, predominantly based on Windows, is inserted between the payment terminal and the acquirer.

What could go wrong with that? We already know – that connection is the major source of card data breaches today. Using the POS terminal simply as a payment acceptance peripheral means that the merchant’s POS system drives the payment interaction and sees the payment data as it flows through the merchant’s system to its acquirer or processor.


Direct Connection Returns

Back in the non-integrated, stand-beside days, the POS terminal drove the payment acceptance process. It was the master of the transaction at the merchant’s location. We are now seeing instances of that direct merchant-to-acquirer topology returning to the market, a shift made possible by IP connectivity, powerful and price competitive POS terminals, and safer integration between the POS terminal and the software running on the POS system.

Verifone’s Secure Commerce Architecture (SCA) is an example. Since we obviously can’t go back to stapler-driven integration, Verifone has begun promulgating a system layout and process flow that makes the POS terminal itself responsible for all payment-related data reading, formatting, and communications.

In its SCA, the terminal receives the payment amount from the POS system and then over IP, as a peer device, it sends the message within a standard SSL wrapper to the merchant acquirer’s front end system for authorization. The data is transmitted within an SSL encrypted communications link and, one hopes, the merchant and its acquirer have encrypted the payload itself

On the return trip, the terminal sends the AUTH message to the POS system’s software along with an acquiring token. Using this topology and the data protection stalwarts of encryption and tokenization, the merchant never sees card data. From a PCI point of view, this is a Good Thing.

ISV Relief

It could also be a very good thing for the independent software vendors who write the line of business software the merchant uses to automate the point of interaction. They’re the ones who have had to deal with PCI security concerns and the complexities of payment transaction management while most would prefer to just concentrate on how to better serve the business of, for example, their hair salon customers.

Using an API based on name value pairs to communicate non-payment data (with the obvious exception of sale amount data) simplifies the ISV developer’s work and could simplify device certification as well, now a daunting challenge given EMV’s complexities.

This shift is brought to you partly by Moore’s Law. In the past, the integrated configuration required the computing horsepower of the POS system. POS terminal hardware models now possess 32-bit processors running at 400MHz with 512MB of memory, enough to run the Linux operating system and payment applications. In a decade, the processor speed has nearly doubled and memory many times over that.

With encryption and tokenization, in its multiple forms, we’re seeing good moves for payment security. Returning all the payment logic to the POS terminal is another step forward, benefiting the ISV, its merchant customers, and the payment ecosystem itself.


Post image for A Different Type of Start Up: Payments in Afghanistan

Imagine a country where less than 10% of the adult population has a bank account and only about half of those account holders have a debit card. Credit cards are virtually non-existent. There are only a couple dozen banks in the whole country. Cash truly is king. Now imagine decades-long political and sectarian conflict that continues to wreak havoc throughout a vast geographic territory. This is Afghanistan.

By any stretch, I’m not an Afghanistan payments guru but I am always fascinated by societal transformation and that’s exactly what’s underway. Let me share my conversation at Sibos 2014 with representatives from the Afghanistan Banks Association. Against this turbulent background, Sibos might seem like an alien planet but for these bankers, it’s a chance to show the world that Afghanistan is open for business and see evolving international standards first hand.

Most personal and business payments in Afghanistan are still made in cash – checks have not taken hold. There’s no working ACH (it’s in development) but there is a same day electronic transfer system that processes from a location outside the national boundaries. Correspondent relationships are still a challenge for many Afghanistan banks – even as the country’s institutional capacity is being strengthened and a new banking regulation is now in place with AML and counter terrorist financing measure.

A few years ago, the country’s banking infrastructure consisted of only a handful of state-owned banks. Now there are 16 banks, including nine private, commercial banks. Telecom investment has improved the mobile phone network and banks are beginning to focus on branchless and mobile banking as well as the broad issue of financial inclusion. There’s a lot of work to do; some estimates are that 97% of Afghanis do not have access to banking services.

There are positive signs that the payments sector could evolve quickly. Even as hawala remains a trusted and prominent transfer method in Afghanistan, there are numerous initiatives underway. The World Bank is sponsoring payments system development programs alongside capacity building initiatives from other donors. M-Pesa has started operations there, and there is one payments processor operating in the country.

I was curious to know what are the questions that the global bankers at Sibos ask their Afghani counterparts? The first question is always the status of the political security situation. But then it’s on to the business of establishing correspondent relationships. Now that the new regulations are in place, global banks are interested in helping facilitate the large capital inflows and outflows. Answering my personal question, yes, there are women working in some banks today.

Another major theme is the rollout of card transaction infrastructure. According to the International Finance Corporation, there were only 183 ATMs and 272 POS terminals in the entire country in 2013. At that time there were only around 71,500 debit or credit cards issued. There are efforts underway to rapidly grow this footprint, most especially by Azizi bank.

This is an inspiring story of bankers striving towards greater financial inclusion for their country’s citizens while building the base for electronic payments. The pay off here will almost certainly require years to be realized. The political and security uncertainties in Afghanistan are enough to make cautious optimism a “best case” approach to today’s difficult reality. Nevertheless, the journey is now underway.

Representatives of the Afghanistan Banks Association in their booth at Sibos 2014 in Boston



Post image for PoF 14 – A Ground Level View on Tablet POS

Tablet-based ePOS cash registers are growing in popularity and capability. A boon to smaller retailers who have been laggards in store automation. But without technical support staff on hand, solving issues when they arrive, never mind securing systems, is an expensive proposition. Join Glenbrook’s George Peabody and payments industry veteran Chip Kahn, founder of Boomtown, a marketplace for merchant tech support pros, for a discussion on tablet POS trends, what SMB retailers needs, and the payments programmability.



Post image for PoF 13 – Lexis Nexis Risk Solutions on Mobile Fraud

Aaron Press of Lexis Nexis Risk Solutions joins Glenbrook’s George Peabody for a discussion on mobile fraud trends based on the firm’s True Cost of Fraud mCommerce report. While the mobile channel presents fraud and risk professionals with a wide variety of tools to mitigate losses, the report concludes that the mobile channel represents a disproportionately large loss vector. In this Payments on Fire podcast, we talk about why and what needs to happen to fix the problem.


Post image for PoF 12 – Risk Management, Remittances, and Innovation – A Conversation with CBW Bank’s Suresh Ramamurthi

Glenbrook’s Elizabeth McQuerry and George Peabody talk with CBW Bank’s Suresh Ramamurthi on payment innovation, risk management, and international remittances. Suresh is also founder of Yantra Financial Technologies. He and his wife Suchitra Padmanabhan were featured in this NY Times Dealbook article last month. Also quoted in the Dealbook post, Elizabeth found both Yantra’s technology and their use of the CBW Bank business as an innovation platform exciting.


I am writing this post sitting on the front steps of our house in San Francisco. I have locked myself out three times recently, more than I have in the past three decades. Is it dementia? No, I blame mobile payments.

Last summer I bought a case for my iPhone that had handy little pockets for a credit card. Initially I only used it for my Clipper Card (the mass transit payment smart card we use here in the Bay Area). It was great to simply tap my phone as I boarded the tram or bus rather than fumbling in my briefcase or purse for my wallet. And it had the added benefit of making me look cool – hey, she paid with her phone, how’d she do that? (I know, I know, Pathetic Payments Geek.)

My first-gen mobile payment setup:


Eventually I started putting my credit card in the other pocket. If I was in town, I’d slide in my primary personal card and when I was traveling for work I’d substitute my work card. I even started sticking my drivers license in it, so that I could scan my boarding pass QR code, hand over my license, all without pulling out my wallet. Because I travel so much, I’d squeeze in my hotel key card, too (or rather, substitute it for the Bay Area-specific Clipper Card). I hate carrying a purse, and would simply slip my phone in my pocket and head out. Absolutely bliss. Yes, I am that person who really needs a mobile wallet.

Over the last month or so, I haven’t been traveling as much. Which means that I have to actually use my keys rather than a hotel room key card. And that’s when I started locking myself out of the house. Repeatedly.

I recognize that, eventually, my phone will unlock the car and the front door of our house. But in the meantime, I am going to have to go back to carrying a purse. Getting locked out repeatedly is absurd.

(Afterword: I picked up an iPhone 6 yesterday and immediately started using ApplePay. I stuck my Clipper card between the case and the phone to address the inconvenience of digging through my purse at the tram stop. But am resigned to carrying a purse for the time being to hold my house keys…no more getting locked out.)


Dennis MoserOn a bright sunny New Year’s Day 2015, we lost our long-time friend and colleague Dennis Moser.

Dennis had been battling a recurrence of cancer – undergoing treatment to battle the disease following the appearance of new symptoms at Thanksgiving.

I remember seeing him in the office just before Christmas – as he was about to complete his last round of radiation therapy. While tired from the treatments, he was as optimistic as ever that this was just going to be a brief battle.

When we heard the news of his passing just a few days later, we were stunned.

Dennis and I have worked together for over 40 years – having first met as IBMers in San Francisco early in our working careers. We both ended up later at Visa – and, ultimately, working together more closely as partners at Glenbrook. Our wives have had a similarly lengthy friendship over these many years.

A good friend, upon learning of Dennis’ passing, commented: “Dennis was one of the truly nice people I’ve known.” Indeed, everyone who has known Dennis must share that feeling – he was an optimist, a very hard worker, one who wanted and did add real value to whatever he was doing.

I remember Dennis also for his passion for reading – he was always quick to ask: “Read any good books lately?” to which I’d typically stumble trying to come up with something I actually had read and could recommend. Mostly, I just said – not really, how about you? – to which he’d always have a couple of great recommendations! I remember him most recently recommending “The Martian” as a recent favorite of his. It’s now on my Kindle and I’m sure I’ll enjoy it based on his recommendation – his recommendations were always the best!

They say with age comes some modicum of wisdom – but it’s still so hard when death of a colleague comes so out of the blue. I know Dennis would want us to remember the good times – and we’ll do that for sure. Meanwhile, we keep Dennis, his wife and daughter in our hearts and minds.

If you knew Dennis, we’d welcome you sharing some of your memories of him in the comments below. He was a very special friend and colleague – and we’ll miss him dearly.


Post image for Regulation, the Blockchain and Programmable Money

One of the truly interesting presentations at this year’s Money2020 was the speech by Ben Lawsky, superintendent of New York’s Department of Financial Services. Lawsky’s remarks focused on his department’s BitLicense proposal and demonstrated the struggle Lawsky and his team face as they create regulation for Bitcoin and math-based currencies (MBCs) in general.

Released in July, the NYDFS proposed “BitLicense” regulatory framework requires comprehensive reporting, background checks and identity proofing of business leaders, as well as mandatory bonding for all BitLicense holders at rates specified by the NYDFS. The first version was roundly criticized by Bitcoin advocates as overbearing and costly, causing some to declare they’ll do business anywhere but the state of New York. Other stakeholders view the BitLicense as a set of necessary controls appropriate to entities handling citizen monies. But it’s not an easy binary choice. [click to continue…]


Post image for PoF 11 – Bitcoin, Banking, and Crypto 2.0 Approaches

Glenbrook’s George Peabody discusses Bitcoin and blockchain evolution with Sean Safahi, co-founder and CEO of Bold Financial Technologies, a provider of math-based currency services to the banking industry. Applications that make use of the bitcoin blockchain and consensus-based approaches are proliferating. We discuss these including the newly launched Stellar, a non-profit infrastructure provider for currency exchange and asset transfer.


Post image for Glenbrook’s Retailing Framework

I’ve been thinking a lot about how payments and payment-related technologies fit into the emerging world of multi-channel commerce or omni-commerce as some people call it. When a lot of companies describe their omni-commerce strategy, they are usually talking about recognizing customers across channels and being able support a sales cycle that starts in one channel and finishes in another.

Instead of parallel channels (store, online, call center) I think a better metaphor is to imagine a funnel where customers move through a wide area, near area, and localized experience right up to the point where it gets personal. At any point along the journey they can consummate the purchase and move on. But often times, one step leads to the next.

[click to continue…]


Post image for Adventures in Attribution – The Apple vs. MCX Dialog

Like many payments industry insiders, we have been following the recent impassioned industry dialog about the relative merits of Apple Pay and MCX’s CurrentC wallet with a combination of amusement and despair. The barbs and accusations being exchanged by the rival camps in this technological holy war between NFC and QR codes suddenly reminded me that many years ago I invested a big part of my academic career to the field in social psychology. I had a particular interest in the sub-discipline of Attribution Theory, which “deals with how the social perceiver uses information to arrive at causal explanations for events.”

In layman’s terms, attribution theory is concerned with how and why ordinary people explain events as they do. Two major areas of contention between Apple Pay and MCX reveal interesting lessons about the way information is released affects the perceptions of observers. Let me explain.

[click to continue…]


Post image for Let’s Just Skip Sig and Go to Chip and PIN

Last week I was in Victoria, British Columbia doing one of our Glenbrook Payments Assessments. In anticipation of my trip to the North American Land of Chip andPIN, I had both a Visa and an Amex card reissued in the chip format. Neither of my issuers supported PINs on my credit cards, so I was informed by both of the issuers that I’d be in chip and signature mode.

When in Canada, I used my cards many times and my main impression was that this chip and signature stuff was stupid, and it would have been so much easier to have been assigned and using a PIN!
[click to continue…]


Post image for PoF 10 – On Faster Payments in the US

In this interview with Glenbrook’s founding partner Carol Coye Benson, we discuss the prospects for a faster payments system in the US. Responding to the October 22 announcement by The Clearing House, Carol expresses her caution and hope for ways to accelerate replacement of today’s system for credit push payments.


Post image for Considering Bitcoin as a Payment Network

Wikipedia says, “Bitcoin is a software-based online payment system.” But what sort of payment system is it? We get this question all the time when we talk about Bitcoin in our workshops.

At Glenbrook we like to start each Payments Boot Camp talking about payments systems fundamentals and the common attributes that can be used to understand and position any payments system. In every workshop someone will raise their hand in the first ten minutes and ask about Bitcoin. They are always thinking that Bitcoin is so revolutionary it must somehow invalidate how to think about payments systems. We love this because Bitcoin doesn’t refute how payments systems work — it illustrates and reinforces how all payments systems work. Let’s look at some of the specifics: [click to continue…]


Post image for PoF 9 – Realtime Authorization and Messaging

Realtime, consumer-facing authorization of card payment transactions has been available for some time but few of us have it offered to us by our issuers. Today, there’s a number of technology providers selling truly realtime notifications and two-way approval requests based on the live authorization stream. Glenbrook’s Russ Jones takes us through what’s on offer while George gets grumpy over what he’s got today. As more consumers become thorougly alarmed over data and privacy breaches, this could be the time for issuers and independents to offer the “worried” consumer more control and a strong role in fraud management.

Companies mentioned in this episode include:

TSYS Spend Controls for consumers and corporate card administrators

MasterCard InControl

Vantiv MobiMoney

Red Giant Mobile


Clicky Web Analytics