The third and final chapter of our 7 Myths is here.
Myth #6 - Mobile Workflows Cannot be Rolled Out Incrementally
Rolling out a mobile workflow with consumer-based technology requires lots of changes to the environment. New software needs to be installed, MDM technology has to be added to the devices, and security processes change, as does payment processing. New retail accessories need to be purchased and installed, since the devices in stores today are mostly Windows-driver based. Wireless networks have to be architected, installed and tested. New mobile retail software needs to be integrated into corporate databases. Plans must be put in place to deal with damage and theft of mobile devices. Lastly, training is needed for all these new pieces.
There is so much to do just to make consumer devices adequate as retail devices before you can work on the actual mobile workflow. This means a lot of planning and designing of the overall system. It also means examining how to integrate these mobile devices into enterprise requirements. For example, many retailers have existing POS systems that can be used even if the network is down; this is part of their disaster management plans.
After all is architected, planned and tested, you need a lot of coordination to bring this to a store. Virtually everything in the store has to change at once. Like a chain, if any link fails, everything fails. The simplest workflows require all of these changes.
There is an additional risk with so much change: resistance to change from your staff or customers. When so much is changing, the environment becomes disorienting for users. People get anxious, and they become less tolerant of working through issues. A huge change, done suddenly, can be resisted by the front-line personnel.
A much safer and saner path is to introduce mobile technology incrementally with a tablet that supports your current software. With Windows-based, enterprise-designed tablet PCs, you can deploy a mobile device that runs your current software. Find a tablet that will connect to existing printers, credit card readers and cash drawers. Most everything remains the same, which is more comfortable for everyone. A retailer can actually design a staged rollout of capabilities. For example, first assisted selling can be introduced. Later, mPOS can be deployed, allowing associates to take payment anywhere in the store. As a next phase, you can introduce portable receipt printers. You can even move to P2PE if and when it makes sense.
Myth #7 - mPOS Requires a New PCI Security Process
Consumer devices such as iPods and iPads are available for use as a mobile POS platform, often with a dongle to read credit cards. To protect cardholder data as required by the credit card issuers, the card readers are required to encrypt the data before the mPOS software on the tablet sees it. This protected data is then sent to a payment gateway, where the data is decrypted and routed.
For many retailers, this requires a change in their processes. Retailers have implemented a successful security process that has been assessed and approved by a QSA at an audit for PCI Compliance. A key part of this may be the use of PA-DSS (Payment Application Data Security Standard) software. The PCI Council has a list of approved applications that have been shown to protect cardholder data. Most retailers have successfully implemented these systems and they work: they have protected this data well.
However, a switch to consumer-based mobile devices mandates a change in these well-established processes. Often, a P2PE (Point to Point Encryption) method is used, where the card data is encrypted in the reader, and this encrypted data block is sent to the Payment Gateway. While this is an effective way to protect cardholder data, it does represent a change in the security processes. These changes oftentimes mean a change to a different payment gateway, and additional charges for encryption services.
Deploying mPOS can be done more simply with a tablet that includes an MSR. These types of tablets can host and run PA-DSS applications, securing the data and, more importantly, retaining the existing security processes, and they do not require any change to the payment gateway. If you do want to move to P2PE technology, you can usually do this when it makes sense for you. For example, Motion’s CL910 with SlateMate can be enabled to support P2PE, where the card data is encrypted in the MSR itself. And best of all, P2PE can easily be enabled remotely after these systems are in your stores. They do not need to be removed to install the security key, because Motion supports remote key loading.
By Bob Ashenbrenner
Mobile POS Architect