But on August 31, Cimbal launched a contactless payment system that may finally crack that hardware dilemma—and it may reduce the PCI risk associated with those mobile payments by keeping that data out of retail files. Many retailers have tried contactless systems where a customer's smartphone displays a barcode that a cashier scans to complete the transaction. Cimbal flips that process: The retailer displays a barcode that the customer reads with his phone's camera. That switch means retailers don't need new barcode-reading hardware. It also means customers never show retailers their account information, so it can't be stored—or stolen. (StorefrontBacktalk Franchisee Columnist Todd Michaud suggested an approach like this in March.)
Cimbal's system works like this: Consumers download a smartphone app (available now for iPhone and by the end of the year for Android and BlackBerry) and register a bank account with Cimbal. When a purchase is made, the seller displays or prints out a 2D barcode that's the equivalent of an encrypted bill, identifying the seller and the amount. The consumer scans the barcode with the phone's camera and keys in a PIN to authorize payment of the bill. The transaction is sent to Cimbal, which sends immediate confirmation to the retailer.
Cimbal is already operating the system for consumer-to-consumer payments. It is also claiming multiple unidentified large retailers are trialing the system for a Q4 2010 retail rollout. Cimbal said its transaction fee will be about half of current payment-card merchant fees, with no fees at all on the consumer side. Although retailers won't need new barcode-scanning hardware, POS systems will need to be able to display a 2D barcode on a screen or print it out on paper for the customer to scan.
Those POS software changes may be cheaper than buying new hardware, but they're not a trivial proposition. Still, the biggest implications of Cimbal's approach for retail IT aren't in POS hardware or software. If retailers and customers begin using it, this could completely change how IT handles a whole category of transactions.
After all, the retailers that have tried 2D barcodes (Target and Starbucks, which use them for gift cards, along with Sears, Polo Ralph Lauren, Best Buy, the Gap, Nordstrom and others) have treated them like conventional payment cards. The customer displays account information that goes into the retailer's systems, where it's processed and may or may not be retained.
Whatever else those conventional contactless approaches do, they don't reduce how much data needs to be protected.
To be clear, this approach wouldn't reduce any PCI headaches because all the data must still be accounted for. But by reducing the amount of stored data, it clearly will reduce the risk of data theft—albeit by a minuscule degree, at least until mobile payments become a significant share of revenue. That all said, it's a start.
With Cimbal's approach, the retailer never receives any account information from the customer. There's no payment card data to retain. The only thing the retailer receives is confirmation from Cimbal that funds have moved from the customer's bank account to the retailer's.
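The flow described above (the retailer presents a bill, the customer scans it and enters a PIN, the middleman confirms to the retailer) can be sketched as follows. This is an added example, not Cimbal's code or protocol: it assumes an HMAC-signed bill in place of the encrypted one the article mentions, and every name, key and account in it is constructed for illustration.

```python
import base64, hashlib, hmac, json

def _pin_hash(pin, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000).hex()

# Processor-side state (all values constructed for this example).
MERCHANT_KEYS = {"store-17": b"constructed-demo-key"}   # secret shared with each merchant
ACCOUNTS = {"alice": {"pin": _pin_hash("4821"), "bank_account": "DEMO-0001",
                      "balance": 5000}}                 # balance in cents
PAID_BILLS = set()                                      # (merchant, bill id) already settled

def _tag(merchant, body):
    return hmac.new(MERCHANT_KEYS[merchant], body, hashlib.sha256).hexdigest()

def make_bill(merchant, bill_id, amount_cents):
    """POS side: the string that would be rendered as the 2D barcode."""
    body = json.dumps({"m": merchant, "id": bill_id, "amt": amount_cents},
                      sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _tag(merchant, body)

def pay(token, customer, pin):
    """Processor side: called by the customer's app after the scan and PIN entry."""
    b64, _, tag = token.partition(".")
    try:
        body = base64.urlsafe_b64decode(b64)
        bill = json.loads(body)
        genuine = hmac.compare_digest(tag, _tag(bill["m"], body))
    except (ValueError, KeyError, TypeError):           # malformed token or unknown merchant
        genuine = False
    if not genuine:
        return {"status": "rejected", "reason": "bad bill"}
    acct = ACCOUNTS.get(customer)
    if acct is None or not hmac.compare_digest(_pin_hash(pin), acct["pin"]):
        return {"status": "rejected", "reason": "auth failed"}
    if (bill["m"], bill["id"]) in PAID_BILLS:           # a barcode is good for one payment
        return {"status": "rejected", "reason": "already paid"}
    if acct["balance"] < bill["amt"]:
        return {"status": "rejected", "reason": "insufficient funds"}
    acct["balance"] -= bill["amt"]
    PAID_BILLS.add((bill["m"], bill["id"]))
    # What the retailer receives: bill reference and amount, no account data.
    return {"status": "paid", "merchant": bill["m"],
            "bill_id": bill["id"], "amount_cents": bill["amt"]}

if __name__ == "__main__":
    print(pay(make_bill("store-17", "bill-1001", 1250), "alice", "4821"))
```

The only record the retailer can store is the confirmation dictionary, which is why a breach of its systems exposes bill references rather than customer account details.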
This approach is possible because Cimbal is positioning itself as a simple middleman. It doesn't need to partner with banks, card companies and the rest of the financial world. It's a utility—albeit a very small utility right now. Although Cimbal says it's lining up major retailers, it can't claim the customer base of Visa or MasterCard. Whether it can scale up—and whether it can reliably deliver payments to merchants in addition to handling disputes and fraud—has yet to be proven.
But in a crowded contactless field, where a wide variety of 2D barcodes and NFC chips have failed to break through, a simpler approach—for customers, cashiers and retail IT—sounds like it might actually work.