Facebook and GDPR only underscore a key conundrum in payments: how to protect an individual’s data while delivering the best consumer experience. In the latest Topic TBD, Merchant Link CIO Scott Carcillo tells PYMNTS’ Karen Webster that the mobile order-ahead phenomenon offers food for thought about innovation and data security for those who would bring food and drink to the masses through digital means.
At the intersection of data privacy, security and payments innovation lies possible friction for the consumer experience. That may be tough to swallow for restaurateurs who are busy navigating the waters of the remote order-ahead phenomenon.
In the latest Topic TBD, PYMNTS’ Karen Webster and Merchant Link CIO Scott Carcillo delve into the larger issues that surround a successful transition to digital orders placed via devices.
Data is top of mind, of course, in the days following Facebook’s own privacy scandal that impacted 87 million users, and as the General Data Protection Regulation (GDPR) looms large over the payments landscape with a deadline only a month away.
In the case of the latter, of course, the EU’s online privacy laws have implications for firms far beyond Europe’s borders – to the tune of hefty fines for non-compliance.
Are merchants ready? Viewed from a high level, Carcillo stated that in a software-as-a-service multi-tenant environment, the ability to remove the individual consumer (remember, GDPR is opt-in) can be challenging.
“So that’s kind of the work we’ve had to be focused on,” he told Webster. “As the merchants go through the process, many of them are already using our tokenization, so that omnichannel tokenization puts them in a position where that [GDPR compliance] falls more to us than it does to them.”
Said Carcillo of firms that may be staring the upcoming GDPR deadline in the face: “If they’re not set up with a cloud provider, they have some real challenges – I imagine in the retail space, where they do their own settlements and have all of that data on file, GDPR introduces a ton of issues for them. That’s because they’ve got to be able to segment out the key customer information when requested.” That may be a knotty issue when, especially for retailers, online orders are coming from all over the world.
Generally speaking, and regardless of vertical, he said, “you need to be able to segment your systems fundamentally and keep your individual consumer data separate from the card data.”
In the restaurant space, where mobile order-ahead is gathering steam, the inevitable and necessary conversation about data comes second to convenience for the consumer and efficiency for the restaurateur or hotelier – or retailer, for that matter, Carcillo explained.
“In the retail environment, one can buy online and return in store,” he emphasized. “In restaurants you can order ahead, and if you are doing a to-go order, you can augment what you want to get. If you come into the restaurant, you can sit down and meet your waiter, but you may not want your waiter beyond the initial order,” Carcillo explained by way of illustrating convenience.
But even with the desire for convenience and efficiency, Carcillo said there’s been a bit of a wake-up call amid the Facebook controversy. The Internet of Things is a bit of a double-edged sword: it offers the ability to extend commerce into a variety of connected endpoints, but merchants must ensure they have the right security and privacy controls in place to avoid too much information falling into the wrong hands.
That, he said, sets up what is perhaps the eternal debate: the protection of the individual’s security vs. the friction-free consumer experience and giving up enough data to get value in return.
To reconcile convenience and data and the protection of that data in the restaurant arena, Carcillo’s firm works with a handful of mobile order-ahead providers. In those relationships, he explained, tokenization and point-to-point encryption are involved.
When managing PCI and payments routing during a token-to-card comparison, “we don’t even have that consumer’s first name or last name,” he noted. “We consciously keep them separate, so when the merchant now wants to come through and, let’s say, give a credit or a refund, they’re working off of a chip number or folio number or other qualifying criteria in order to reconcile to that card transaction.”
Such a setup, said Carcillo, means the merchant doesn’t even need the consumer information – but obviously, they’ll want it in their systems for the purposes of knowing the person who is seated at the restaurant or staying at the hotel, so some measure of personalization can be injected into the mix.
Merchant Link, he said, uses a core token, and there are inferred token changes that happen with the application. During transactions, “we’re segmenting out who they are from the card and token content, while the application that’s sitting out there on the mobile platform will have a correlation between the individual and the token.
“We try to secure on a transaction-by-transaction basis, with the idea that we’re limiting the exposure of the consumer data,” Carcillo continued, adding that “the restaurant system experience and security aren’t affected at this point, because they’re receiving the same information they’ve always received – the mobile order application needs to have the appropriate security on it.”
Integration between Merchant Link and the restaurant systems comes by way of TLS 1.2 and client certificates for authentication.
In the hospitality space, where dining is of course part of the hotel experience, the data conversation to which Webster alluded may not be as evolved as some might expect.
Carcillo noted that Merchant Link began its tokenization efforts in lodging back in 2005, and “in the hotel space, there are a ton of systems that talk to one another and talk to that hotel property management system – including point of sale systems, restaurant and retail space systems, convention center systems, eCommerce sites, web applications and mobile applications.”
With inroads into the restaurant space, he said, Merchant Link has noticed an evolution when it comes to joint efforts between the hotel industry and restaurateurs. In the past, most restaurateurs sought to do mobile order-ahead, but had perhaps misjudged what guests really want when it comes to dining within the hotel environment – and it’s all about incremental ordering.
“What [restaurateurs] didn’t realize at first was what the consumer really wanted was mobile ordering at the table … what they really wanted was the convenience of getting seated at the restaurant and doing all of their incremental ordering” – seamlessly.
In terms of technology, a tight integration to the point of sale also means that restaurant operators and hotels can bring imagery to the phones – perhaps prompting you to consider salads and drinks and treats that might be additionally enticing.
As Carcillo put it, “bringing down great imagery leads to more appealing choices … and incremental purchases.” Tight integration – and adding items to the tab – means there’s no need to present a credit card at the POS (thus keeping the consumer experience seamless).
Incremental ordering, he said, is likely to change how merchants handle their bar operations (picture ordering drink refills and even a new bowl of Chex Mix without ever interacting with the server verbally). The added efficiency means the experience improves for the guest, the server will do better and the number of tables serviced will increase.
Innovations in payments may indeed drive improvements in the guest experience, but as Carcillo stated, “with every point of integration, there’s a discussion to be had … you have to weigh that against what your consumer gets out of that experience, and the opportunity to create repeat business or a great experience for them.”