Milos Dunjic

Why Providing Safe In-Store Payment Experience Requires More Than Just Enabling Contactless EMV

It's been almost nine full months since the COVID-19 pandemic spread to most of the world, and our modern, comfortable lives have been turned upside down. Many of our usual daily habits have been forced to change. Whenever possible, most of us have switched to online shopping and ordering. Unfortunately, that is not always possible, and occasionally we have to go to the neighbourhood store, restaurant, dentist or barber shop and complete our shopping in-store. Payment scheme marketing departments and industry pundits keep assuring us that 'contactless' payments are the only answer and that we should already feel safe.

Unfortunately, POS terminals are PUBLIC devices, and they always display a series of prompts for the merchant and the customer, which must be answered before the familiar 'contactless' symbol is displayed (if the transaction is below the contactless limit), prompting the customer to complete the purchase by tapping their contactless device. That means customers are still required to physically touch POS terminal keypads in all but the simplest purchase experiences. Clearly, contactless alone is not the definitive answer to a fully clean, hygienic and safe in-store payment experience.

Ultimately, only the merchant should be touching the POS terminal keypad, and customers should ideally use only their personal smartphone to answer the required prompts. Is that possible, you may wonder?

The great news is that a couple of teams where I work have recently come up with an innovative solution to address most of these challenges. How does it work?

Fully Touch-less POS Payment Experience

As a first step, the merchant initiates a 'touchless' purchase transaction on the POS terminal and, as is done today, enters the sale price and other required parameters. The POS terminal, recognizing the need for a 'touchless experience', contacts the secure Touchless POS backend service and submits the required purchase details. The Touchless POS backend service then generates a QR code, unique to the ongoing transaction, which the POS terminal displays for the customer to scan with their personal phone.

The QR code contains

  • the unique reference for the ongoing transaction session

  • the URI of the Touchless POS backend service, to which the mobile phone's browser session is redirected when the customer scans the QR code

  • the cryptographic protection needed to prevent man-in-the-middle and replay attacks and to ensure the full integrity of the message contents during redirection

After the customer scans the QR code, the web browser on their phone is launched and redirected to the provided URI. A secure web session is established between the customer's phone browser and the Touchless POS backend service once cryptographic verification confirms that this is a non-duplicate POS transaction that has not been maliciously intercepted and modified by a fraudster during redirection.
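The article does not say how the QR payload is protected, so the following is an added sketch, not the author's or the product's implementation. It assumes an HMAC-SHA256 tag under a backend-only key, a short expiry, and a single-use session table; the URI, parameter names and 120-second window are hypothetical, and transport protection against interception is assumed to come from HTTPS.

```python
import hashlib, hmac, secrets, time
from urllib.parse import urlencode, urlparse, parse_qs

# Assumptions (not from the article): key never leaves the backend,
# sessions live in an in-memory table, QR codes are valid for 120 seconds.
BACKEND_KEY = secrets.token_bytes(32)
BASE_URI = "https://touchless-pos.example/s"   # hypothetical backend URI
TTL_SECONDS = 120
_sessions = {}   # session reference -> {"exp": int, "used": bool}

def _mac(ref: str, exp: int) -> str:
    # Integrity tag binding the session reference to its expiry time.
    msg = f"{ref}|{exp}".encode()
    return hmac.new(BACKEND_KEY, msg, hashlib.sha256).hexdigest()

def issue_qr_uri(now=None) -> str:
    """Backend: create a per-transaction reference and the URI put in the QR code."""
    now = int(time.time() if now is None else now)
    ref = secrets.token_urlsafe(16)            # unguessable, unique per transaction
    exp = now + TTL_SECONDS
    _sessions[ref] = {"exp": exp, "used": False}
    return f"{BASE_URI}?{urlencode({'ref': ref, 'exp': exp, 'mac': _mac(ref, exp)})}"

def redeem_qr_uri(uri: str, now=None) -> str:
    """Backend: validate the URI the phone browser arrived with."""
    now = int(time.time() if now is None else now)
    q = parse_qs(urlparse(uri).query)
    try:
        ref, exp, mac = q["ref"][0], int(q["exp"][0]), q["mac"][0]
    except (KeyError, ValueError):
        return "malformed"
    # Constant-time comparison; a modified ref or exp no longer matches the tag.
    if not hmac.compare_digest(mac.encode(), _mac(ref, exp).encode()):
        return "bad-mac"
    sess = _sessions.get(ref)
    if sess is None or sess["exp"] != exp:
        return "unknown-session"
    if now > exp:
        return "expired"
    if sess["used"]:                           # second scan of the same code
        return "replayed"
    sess["used"] = True
    return "ok"
```
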

At this point, the Touchless POS backend takes control of the secure customer session, while the merchant and the POS terminal application wait for the customer to finish answering all of the prompts on their personal device.

Typical prompts that the customer may be required to answer relate to

  • optionally choosing between credit or debit (if this is considered a customer prompt)

  • tipping ("do you want to tip", "choosing between $ or % tip", entering tip $ amount or % amount)

  • choosing between printed, email or no receipt

  • answering any marketing related prompts

  • etc.

After the customer answers all of the required prompts on their phone, the merchant continues with the POS terminal session. The POS terminal application contacts the Touchless POS service to collect the

  • final price for the transaction (which includes tip)

  • optional card transaction type (credit or debit)

  • receipt type choice

  • any other info that may be relevant for the transaction

At this point, the POS terminal application is ready to continue with its regular flow, and engages the EMV software module, which displays the 'contactless' symbol and prompts the customer to tap their contactless device to complete the payment.

Conclusion And Next Steps

This is now clearly a fully clean and safe transaction experience, since the customer is not required to touch the POS terminal keypad. It clearly stops the potential spread of SARS-CoV-2 or any future pandemic virus, and it also removes the need for merchants to frequently disinfect POS terminal keypads with corrosive disinfectants, which helps prolong the terminal's lifetime.

The solution also offers a fully assistive in-store payment experience to visually impaired customers, by enabling them to use their phones with Android TalkBack / iOS VoiceOver enabled and complete the purchase transaction steps like everyone else, without needing to ask merchants to answer prompts on their behalf.

Of course, once the session is transferred to the customer's mobile device, the flow can easily be extended with all kinds of other value-added payment experiences and functionalities, which go beyond simple COVID-19 protection ... and all I can say at this point is ... STAY TUNED.
