A Mobile Retail Quagmire: The Checkout

Nothing will kill a potential Mobile Commerce customer's enthusiasm faster than an onerous checkout process. But retailers have to balance security versus convenience in a way that is radically different from E-Commerce.

Going through the ritual of filling out shipping and payment forms on a regular E-Commerce site is annoying enough, but being forced to do that same dance on a mobile device can be downright cruel. But a true M-Commerce site must allow visitors to not only find products with their mobile devices but to also buy them.

Related Story: U.S. Retailers Tip-Toe Through Mobile Commerce Minefields

There are primarily four ways for a retailer to handle mobile transactions:

  • Force consumers to type in full payment card numbers, card verification value (CVV) [to be precise, the CVV-2 for Visa, the CID for American Express and CVC2 for MasterCard] and their full address for each and every time they checkout.
  • Allow for that data to be stored on the mobile device, presumably encrypted.
  • Allow for that data to be stored on the retailer's server, typically requiring a password and some other authentication.
  • Use a third-part financial service to store that data and make it available to participating retailers.

    All of these approaches have severe drawbacks. Forcing consumers to type their data into their phone with each and every purchase session is the safest route, but is also highly impractical. It's most likely to send transactions to a rival site that is more considerate of a user's time.

    Allowing for the data to be stored on a consumer's device has the advantages of being quick and easy for the consumer while keeping the data—and the associated legal and PCI protection responsibilities and costs—away from the retailer. But by placing the onus of data protection ultimately on the consumer, it may not be an acceptably secure approach. What if the phone gets stolen—a not unreasonable scenario—are a thief is able to crack into the password and make fraudulent purchases or perhaps access the card data directly?

    It's reasonable to conclude that a retail chain's IT department is in a much better position to properly protect the data than consumers.

    Then again, is it so reasonable to conclude? If the data is kept on tens of millions of consumer phones, each device only has one consumer's information, making it a fairly unattractive target, compared with a national retailer preserving millions of pieces of data for such cards. The security debates boils down to having a huge pile of card data in a well-protected server—where it's a target—or have it widely distributed, where it's less of a target but it's a much more soft target.

    Then there are those pesky PCI guidelines, which strongly frown on retailers retaining payment data after the transaction has been completed.

    The third-party route appears to be gaining little traction, as retailers have little incentive to share their already razor-thin profits with a contractor that offers what the retailer could do themselves. Some third-party services offer the argument that if such services handled data for many retailers, it could be more convenient for consumers. But that's an argument that only works after dozens of major chains have signed up for such a service. It doesn't offer a reason to join for the first retailers, which is a problem. Additionally, some users might balk at having their personal information entrusted to anyone other than themselves or their favorite retailer.

    There are also some basic mobile device technology issues that impact this part of M-Commerce site design. "Payment is a problem if you think of the phone as being just another browser," said Impact Mobile CEO Gary Schwartz. "It's not going to work." That's because much of the high-tech functionality on E-Commerce sites that (to an extent) can ease the pain of checkout and payment isn't available on mobile devices.

    "It begins to fall apart at the payment piece because of shipping and traditional forms of credit card payments," said Conrad Sheehan, founder and CEO of mPayy, a company that enables secure mobile payments through users' checking accounts. "Checkout in E-Commerce is typically multiple screens. It's quite difficult to get through that process (on a mobile device). We know of a few major retailers who are thinking through that. One, a very large electronics company, is saying they are not going to do credit cards over mobile devices."

    Sears Holdings, one of the few major retailers with M-Commerce sites that allow payments, makes first-time users of its Sears2Go and Kmart mobile sites go through a pretty routine E-Commerce series of steps including the filling out of forms that seek a ZIP code, shipping address, E-mail address, phone number and more.

    The system, though time-consuming for first-time users without a store username and password, seems to work and Tom Emmons, who heads Sears' mobile group, said it is a better idea than using third-party payment companies. "People don't want to sign up for anything first," he said. "They just want to" make a purchase.

    Sheehan and others whose companies offer alternative mobile payment technology, including Michael Dulong, SVP of business development at mobile payment platform provider Billing Revolution, contend the Sears approach is too cumbersome. They say mobile commerce must be handled as something significantly different than regular E-Commerce.

    "If the retailers want to sell products through mobile, the experience must be optimized for mobile," Dulong said. "Consumers demand a wide variety of purchase options. They do not want to 'sign up' online to have the ability to shop from a phone. The Sears mobile site, as do almost all examples today including Pizza Hut, Amazon, Overstock, Papa John’s, Tiger Direct and Barnes and Noble, requires that users first create an account on the traditional Web via PC or Mac. Then the credit card they provide during the online sign-up is leveraged for mobile product orders. And they still have to log-in with a user name and password from a phone. My mantra is: Don’t send me to the Web if you don’t understand mobile."

    Dulong said mobile shoppers should be allowed to buy things without being forced to enter passwords or PINs and without needing to create user accounts on the Web. "The only sign-up should be buying a product with a credit card or debit card," he said, adding that such convenience is possible with the latest third-party payment technology that can "remember the consumer" after that first mobile purchase.

    But for every upside, there's a downside: the system described by Dulong would allow everybody using the remembered phone to make a purchase whether they owned the device or not.