The Challenge of Delivering mPOS Services through Off-The-Shelf Mobile Devices


The last few months have been exciting if, like Consult Hyperion, you are attracted by the mobile POS (mPOS) sector. We’ve seen significant announcements from Mastercard and Worldpay and heard interesting rumours about the current work within the PCI Security Council, suggesting that the use of off-the-shelf mobile devices as card acceptance devices is likely to happen in the near future.

Targeted at small to medium sized and mobile merchants who do most of their business in cash or cheques, but have the occasional customer who prefers to transact by card, the mPOS dongle (card reading device) has been seen by these merchants as their first venture into the “expensive” world of credit and debit cards. However, the cost of the dongle and the power required to run it are often cited as barriers to the adoption of mPOS services.

Magnetic stripe dongles are effectively given away: their cost is refunded through reductions in the fees levied against the initial transactions, and their power is derived from the phone when inserted in the audio port. Chip & PIN dongles are more complex and so more expensive, requiring their own power supply or battery. The business case to subsidize the additional cost of these devices through reductions in transaction fees is more challenging.

The higher cost and more power-hungry elements of a Chip & PIN dongle are the display and keypad. If we can replace these components with the capabilities of an off-the-shelf smartphone, can we bring down the cost and power requirements of the Chip & PIN dongle closer to that of the magnetic stripe version? If we can deliver the service entirely through a mobile application, can we simplify our distribution channels? These are the sort of questions that get the team at Consult Hyperion excited as they present big information security challenges, which we like.

Generic, off-the-shelf mobile devices have none of the physical and electronic countermeasures designed into a payment terminal to secure the personal and account information in the payment transaction. Nor do they have the specific assets required by the payment scheme such as the secure PIN entry capabilities. Equally, the Acquirer doesn’t have any control over the other applications loaded onto the phone or tablet, which could include malware designed to impact the performance of their mPOS service or monitor any communications to or from it.

So, the challenge is: can we develop applications for generic off-the-shelf mobile devices that deliver, as far as practical, similar levels of security to the hardware in the payment terminal, whilst withstanding repeated attack from hackers interested in capturing assets that they could use to attack the payment schemes’ international networks?

There are many companies delivering solutions which could protect the mPOS application against some of these threats and/or give the Acquirer a level of assurance about the identity of the individuals involved in the transaction. However, no one solution is likely to deliver against all of the PCI’s security standards, should they be published, and not every solution works on every mobile device.

So, the team designing your mPOS solution for off-the-shelf mobile devices must understand in detail the threats to which the application will be exposed, the most cost-effective countermeasures against those threats, how they work together and how they need to evolve in response to new fraudulent attacks. Experience would suggest that they will need to understand in detail the operation of the EMV payment application, transaction security and the smartphone operating system, whilst having considerable experience of implementing the best-of-breed information security tools.

People with such experience are few and far between. Many are my friends and colleagues, which makes my job interesting, exciting and rewarding. It looks like a busy end to the year!

World payments

Wow. One of my very favourite companies has always been Worldpay. They have a very special place in my heart because many years ago, when they were first starting out, I was sent up to Cambridge by a client to go and meet them and assess what they were doing. As a junior deputy assistant under-consultant, I went to take a look at the technology they had put together to see whether it worked as advertised. Which it did. I returned to our client and told them that Worldpay had no future, because all they’d done was to plug a PC into the Internet on one side and to a NatWest Streamline acquiring service on the other side. This seemed like a fairly trivial integration to me so my assessment was that all the banks would do it and that WorldPay would not be able to sustain a margin. Last week, Worldpay agreed to a possible offer from Vantiv that would value the combined group at more than NINE BILLION QUID, proving conclusively that you shouldn’t listen to me about anything. Anything at all. Still, it was a useful lesson in banking strategy for me in those long ago days: just because all of the banks could have connected their acquiring services to the internet in about a day didn’t mean that they would, and when they did it didn’t mean they’d make a success of it. Worldpay have done that in spades.

Driven by the inexorable shift from cheques and cash to cards and digital payments, Worldpay’s revenues have risen over 50 per cent and its operating profits have more than trebled since it was sold for £2.5bn by Royal Bank of Scotland seven years ago. 

From Worldpay emerges as a winner in the war on cash

I remember visiting Vantiv in Cincinnati around twenty years ago when they were still Fifth Third Processing, the second biggest acquirer in the US (I can’t remember why I was there but it may have been something to do with smart cards). The combined group will be the biggest merchant acquirer in the world and will give Vantiv access to Worldpay’s global markets and e-commerce business, which is why it makes good business sense.

The deal marks a further step towards the industry’s consolidation. Last year, for example, Global Payments, the sixth-biggest American acquirer, bought Heartland, a smaller rival, for $4.3bn in cash and shares. TSYS bought TransFirst for $2.4bn. Vantiv snaffled Moneris USA, the American arm of a Canadian payments-processor, for $425m.

From An American payments firm goes online and buys British

Apart from being one of my favourite companies, Worldpay are also one of Consult Hyperion’s favourite clients. While the newspaper reports focused on Worldpay’s scope and scale, it is their R&D operation that is the focus of my attention. Worldpay have been making serious investments in the next generation of payment services, looking beyond the current card infrastructure into the future of immediate, invisible and invulnerable payments. Some of you may have seen the Internet of Things (IoT) demonstrator that we helped to build for them last year (we were one of the sponsors of the brilliant WorldPay IoT hackathon) and the virtual reality payments demonstrator that we helped to build for them this year.


In my opinion (and in the opinion of a great many other people as well) however, the most exciting project that we have been chosen to support and the most important new product to come out of their R&D lab for a long time was launched at Money 2020 in Copenhagen last month. It’s called My Business Mobile, and it means that merchants can download a POS terminal to their mobile phones and start accepting contactless payments without any additional equipment. No plugs, no dongles, no fuss.

Nick Telford-Reed, director of technology innovation at Worldpay, comments: “The pilot scheme we’re running in London will give cash only businesses the opportunity to catapult themselves into the 21st Century by taking contactless card payments on the go. But this is really only the beginning.”

From Worldpay pilots app-only mPOS for small retailers

When Nick presented at this year’s Tomorrow’s Transactions Forum (which WorldPay were kind enough to sponsor again) he painted a pretty compelling picture of the future of retail payments, talking about the “friction free” payment experience of the future. This is definitely a step in that direction. Every coffee shop and kebab van that wants to take cards but either doesn’t want to, or can’t, rent and install a traditional point-of-sale terminal can now just use a smart phone. And customers can use the contactless cards in their pockets or the mobile phones in their hands (the phones will accept payments from ApplePay and AndroidPay) to pay quickly and conveniently. They can even use their Apple Watch, as you can see in this video featuring Consult Hyperion’s Gary Munro and Worldpay’s Kevin Gordon. As contactless payments continue to displace cash from the retail point of sale in the UK (my guess is that contactless transactions are currently about a third of all retail transactions and the latest figures show that they account for more than half of all card transactions) this gives WorldPay a solution that can really scale.


As MasterCard said in their press release about this, making it easier for small and micro businesses to accept digital payments may spur additional growth for them and enable an additional 40 million of these merchants globally over the next four years and will undoubtedly generate significant volume and large numbers of smaller transactions.

So what’s so innovative about this? After all, we’ve been working on mobile contactless applications for years, using phones to read cards for a decade or so (here’s my favourite app: a demo of a nightclub ticket that you put your mobile phone number into). But it’s a long way from reading a card to having an operational service that complies with scheme rules, has a decent UK, has. It was really intellectually challenging to create a POS terminal running on a user device. Therefore the security architecture is absolutely critical to the success of the product. The guys and gals in Consult Hyperion’s Hyperlab have been building, testing (and breaking) secure mobile apps for a very long time. We know all about doing this efficiently and cost-effectively.

One more point. Helping these merchants to move from cash to cards means that they will have data that they never had before. The future, as I wrote after this year’s Merchant Payment Ecosystem conference in Berlin, is about replacing the fees from processing with the fees from value-added services. Most observers would agree that these value-added services are real and that if the merchant acquirers can transform into Merchant Service Providers (MSPs, as Ron Kalifa, the vice-chairman of Worldpay, called them at MPE) and are able to deliver them, then there will be a ready market. But these kinds of value-added services based on data analysis and artificial intelligence and machine learning and all that sort of thing are voracious consumers of data, making this above all a scale business. The bigger players with more data at their fingertips ought to be out to deliver services that merchants value and this will be an area of vigorous competition in coming years, a competition that Vantiv/Worldpay look well placed to compete in.

Paying in the pub of the future


We went off to Britain’s first robopub to have a pie and a pint and to watch the Blues demolish West Ham. Oh, and to see next-generation hospitality retailing in action.

By happy coincidence, the evening that we decided to go and try out Britain’s first robopub – The Thirsty Bear in Southwark – solely in the pursuit of retail payments knowledge, and incurred certain entertainment expenses wholly and necessarily in connection with our principal business, was the evening that Manchester City were playing their League Cup semi-final second leg against West Ham. Perfect. We had a lovely pint or two, an excellent helping of haddock and chips with New Labour guacamole (or mushy peas, as the dish is known in the far North) and excellent company and conversation for the night. And as if we couldn’t have made the event even more English had we tried, the footie was live on the big screen in the upstairs lounge.


The first thing that you will notice about The Thirsty Bear is that the tables have one iPad and two beer taps (one bitter, one lager) on them. The two are interconnected in an Internet of Grog, as will be revealed shortly. In the centre of the table is a small credit-card-sized recess. Here’s how it all works…

When you go in, you give them a payment card and they give you a contactless card, called a “Tab”. I assume they auth the card at that point but forgot to ask. You find a table and sit down and put your Tab in the recess in the centre of the table. At this point the table is activated and you can either pull your own pint from the on-table taps (the iPad displays a flow meter so you can see how much you are pouring) or you can use the iPad on a rotating mount in the centre of the table to order food, drinks and sundries. The iPad showed you customer ratings for the ales on offer and we could have punched up a couple of pints of wallop but we preferred the time-honoured method of asking mine host to recommend beverages. He suggested real ale for the men and white wine or a fruit-based cocktail for the ladies, so we went with the darker of Windsor & Eton Canberras on offer. I can personally attest to its quality.

If you go to another table, you can buy the drinks there by putting your Tab down. Similarly, if it’s someone else’s round at the table, you pick up your Tab and they put down theirs. Whatever is ordered/pumped at the table is added to the Tab. Simple. The table tablet has other functionality, aside from Facebook and Twitter access. A couple of Twitter correspondents asked if there was a pub quiz or similar and there wasn’t, although I mentioned this to the software guys and they agreed this might be a good idea. It did have a jukebox app connected to the pub sound system but, oddly, it didn’t have any Hawkwind on it.

We then chose some food from the attractive and well-presented screens. A great system, especially because the menus are updated in real time so as they sell out of various dishes the menu reflects this. I can see that, if properly handled, the use of differential pricing might be a very interesting development.

A great pub with great beer, great food and great technology. When we were chatting about it afterwards, a couple of people did wonder why they bothered with the Tab card, since everyone in the pub had a smartphone (so an HCE pub app would have done the trick) and most of them would have had a contactless card as well, so why not just use those? I expect they’re right and in time the tablets and the card will probably vanish. But for the time being, this is a pretty convenient way to order and pay.

I had the opportunity to chat to the manager of the pub and he told me that 55% of sales come through the tablets and 45% over the bar. He was very enthusiastic about the infrastructure. These are tough times for pubs in the UK but here they have year-on-year growth in sales. The manager attributed this to uplift at the tables (especially amongst groups after work or watching the football) and more room at the bar (since the bar is not as crowded there is more walk-in trade). I liked it a lot. We’ll be back.
