To host or not to host?


This article is brought to you by Retail Technology Review: To host or not to host?

Speaking at the Vendorcom PCI & Payment Security Special Interest Group on 6 April, John Rozek, director of Polar Moment, a provider of business and technical consultancy to the payment industry, gave expert insight into, and advice on, in-house payment systems versus outsourced, hosted solutions.



During his presentation, John discussed the impact of PCI DSS on both in-house and outsourced solutions, highlighting the benefits and challenges associated with both approaches. He explained how in-house solutions were the norm until 2004, when Chip & PIN was rolled out across the UK. The introduction of Chip & PIN increased the complexity of bank and card scheme accreditation and prompted many retailers to re-think their payment solution approach. He explained: "Pre-accredited systems were introduced to solve the issues introduced by Chip & PIN. Provided by hosted solution providers, the principle behind a pre-accredited system is that one large payment system has already been approved and can be shared by a number of retailers. The system is standardised to ensure that bank and card scheme accreditation is maintained". The introduction of PCI DSS had an even greater impact on the cost of running an in-house payment system; retailers were forced to bear the cost and effort of PCI DSS certification.

To counter these obstacles, John explained: "Many hosted providers now claim to offer solutions that are almost PCI exempt. They do this by making sure that sensitive data is never processed by the retailer's system. Sensitive card data is encrypted, 'Point to Point', from the PIN pad to the managed service. Retailers do not need to store card numbers for future reference. Instead, the retailer identifies the card using a token or reference number, which can be used for implementing recurring payments, issuing refunds and accessing management information. This approach massively reduces the cost and impact of PCI DSS on a retailer".

The trend towards using hosted solutions is now even stronger, as a result of a number of drivers, which John outlined: "Firstly, many retailers simply need to accept payments in a reasonably fast, reliable manner, and a standard solution meets their needs. In addition, the removal of most of the implications of PCI DSS certification greatly reduces business risk, cost and impact on the organisation. Finally, the need for specialist payment technicians and IT support staff is practically removed and the total cost of ownership is significantly lower, especially for the smaller retailer".

"There are, however, still a number of factors that are driving retailers, especially the larger ones, toward in-house payment solutions. Large, multi-lane retailers need the fastest possible transaction speeds and in-house systems are typically faster. Every second added at the point of sale can lead to significant costs up to 1 million per annum for the largest multi-lane supermarkets. In addition, retailers who run their own in-house payment systems are often seen as being the most innovative. By keeping their payment systems under their own control they can ensure that their USPs are not shared with other organisations".

John concluded by advising that: "Although the industry trends are showing a definite move towards hosted services, retailers need to be mindful of their own individual business requirements before deciding which approach to opt for. The approach that will be the most sustainable in the long-term should be adhered to and not simply the industry trends".
