Why the POS Industry Will Consolidate

10 Aug

The worst kept secret is that POS has become commoditized. The cost and time to bring a POS solution to market are rapidly approaching a relative zero. There are the cloud entrants, the payments entrants, and the retailer’s nephew at Carnegie Mellon who needs to do something for his master’s program.

In the years since POS arrived, the market has grown into an absolute spattering of solutions. I’ll admit I’m not nearly as intelligent on the retail side of the market as I am in restaurants, but there are nearly 200 known restaurant POS softwares in the US. I venture there are hundreds – if not thousands – of others that are so obscure nobody has bothered to track them. And given that retail is much more stratified than food service, there are most assuredly thousands of retail POS softwares.

With so much fragmentation, one has to wonder if the market will ever see anything close to an 80/20. Constant churn (25% a year in SMB-world) means there are always new entrants looking for solutions; vast segmentation – from small pizza shops to large pet stores – means fragmentation abounds.

But we don’t think that will last much longer.

The POS is becoming a connected device, as much as legacy POS vendors refuse to acknowledge this reality. Viewed a different way, it’s been said that POS – and really brick and mortar – is having its internet moment. Yes, it’s over two decades late to the party, but it’s finally showing up.

As a connected device, POS will follow the trends of other connected devices before it and consolidate. This happens to all commoditized businesses over time, really: he with the most of the commodity can suppress prices and force competitors out of business. For connected devices, it just happens faster.

The below chart from Statista makes the point patently clear.

What started as a frothy mobile phone market has (relatively) quickly consolidated into the hands of two major players: Apple and Google. But the learning here isn’t that commoditized industries consolidate over time; rather, it’s why the POS industry is following suit.

At its core, what is a mobile phone? It’s a way to conveniently enable communication. Some communication is handled by the manufacturer – like the ability to make a call, or perhaps send text messages. More advanced forms of communication can be handled by third parties via integration to the phone’s operating system. In a win-win, Apple and Google don’t have to develop every feature set; consumers acquire the best and newest communication features; third parties gain access to new customers; and Apple and Google get to sell more phones by trumpeting advanced communication features (i.e. apps) available on their devices.

At the risk of strategic oversimplification, Apple and Google are leading the mobile phone market because they’ve spent considerable time fostering an ecosystem of partners built on symbiotic relationships. Consequently, consumers have come to expect a robust ecosystem that enhances the phone’s value.

As POS systems become more open, the same phenomenon will catalyze consolidation. Let’s walk through an example:

We’ve already discussed online ordering becoming a significant part of a merchant’s revenues. Some estimates put that number as high as 30% in the next five years.

Now, in the mind of a legacy POS company, all that matters are “features”. They believe that the merchant will ignore the opportunity to drive 30% of their revenues with an open POS system in favor of a POS system that adds a custom, 30-second printing delay between pressing the send button on their register and their kitchen printer. Not only that, but the merchant will pay MORE for that privilege.

News flash: for tens of thousands in potential monthly revenues, that merchant will figure out how to deal with his feature request for a 30-second delay-print function.

Merchants that already use a POS system might find it harder to replace their clunky, expensive legacy machine since they’re so invested in their current solution. But the math says that, over four years, the market will have a complete turnover. And at every new business opening there’s an opportunity for that merchant to acquire a system that enables communication with the outside world, driving the merchant’s chances at success through marketing, analytics and a proverbial laundry list of solutions that closed, legacy systems cannot offer.

And this is the phenomenon that will drive consolidation: third party ecosystem connectivity, just as it occurred within the mobile phone industry. But those third parties will not work with everyone building a POS. For instance, if you’re a vendor trying to sell something to Wal-Mart, you need a universal product code (UPC); if you don’t have one, Wal-Mart and other retailers won’t take you seriously. Third parties are not going to work with POS systems that have proven inflexible or undersized.

As it becomes more widely-acknowledged that POS is a commoditized product, it’s the value of those third party integrations that will separate the systems – not core POS features. When a future merchant is being sold a POS, expect questions like, “Does this connect me to Google? What about Uber? Apple? Can I get analytics from IBM’s Watson? How are Yelp reviews gathered? Is there automated marketing? Who’s running that?”

In summary, you have two forces creating POS consolidation:

1) The third parties, who add the value to POS in a commoditized world, are going to be picky with whom they work. Meaning those unchosen POS companies will be on the outside looking in.

2) The merchants, who are already discovering the value of third party solutions, will be expecting third party “features” to be standard attributes of their next POS purchase. Trust me, I’ve heard plenty of people lamenting deals lost on these dynamics already.

The POS industry is not paving some new road through fields of destiny: it’s simply following the path of industries before it. What I share, then, is not voodoo prognostication but observations and learnings from historical events applied to today’s POS market. Now you’re welcome to disagree all you want, just don’t do it from your Apple or Google device.

Note: I don’t accept random Linkedin connections. You can write me at Jordan [at] whatsbusy [dot] com if you need to reach me – thanks!

Are These the Most Important Takeaways from RSPA’s RetailNow?

10 Aug

Last week RSPA held its annual RetailNow conference in Dallas, Texas. In terms of brick and mortar technology, it’s probably THE conference to attend. It has a healthy mix of technology providers and their distribution channels. Lacking would be the end merchants themselves, though there are shows for that (and I truthfully lament anyone going direct).

Throughout the show I heard several rumblings, and now that the show’s over I can objectively attest that my own observations confirmed industry gossip.

The first observation is that there is no coming generation of POS reseller (VAR). There are a very small number of family dealerships that are transitioning ownership to the next-generation family member, but there are many more that could not find someone to take the reins. One VAR professed the amount of cajoling he lathered upon his son only to be rebuffed.

Tom Elliot of POSjobs.com, who places people in the POS industry, confirmed these observations at a broader scale. “It is financial…” Tom sees many of the next generation coming into the industry through payments and starting their own Independent Sales Organizations (ISOs). Which leads me to my next RetailNow observation.

POS is becoming payments. Last year there were ~10 processors that exhibited at the show. This year, by my count, there were 25. There may even be another handful that attended silently. Payments companies make substantially more money than POS companies, and one need only follow the money to see how this plays out.

Payments is dipping in the POS waters to reduce churn in its core processing business. They’re now either closely partnering with, buying or building their own POS systems.

If nothing else the sheer scale of the payment sales forces means that more merchants will first learn about POS from a payments provider rather than a traditional POS VAR.

How else do you think First Data’s Clover has grown into more than 40,000 merchants in under 4 years while legacy POS companies are lucky to grow 1,000 merchants per year? If you think the lines are blurring today, wait until data markets come to fruition.

What can we infer from these observations? Nothing that we haven’t discussed previously.

  • POS will be sold online via SEO with help from payment referrals.
  • VARs will become a rare sighting as the money in legacy POS dries up. The ones that survive will focus on larger accounts and consulting services.
  • POS software becomes more stable, allowing remote diagnosis and repair. Hardware can be drop-shipped and delivered in under 24 hours. Merchants that need faster/better support will pay for it but they will only be merchants that are less price sensitive (think revenues > $1M/year).
  • Payments will swallow POS over the next decade, especially when the unit economics of data get proven out. Follow the money!


What Revel’s Talks With IBM Mean for Cloud POS

10 Aug

While attending RSPA I learned that IBM was in talks to acquire Revel. It was a strange coincidence that the story broke at the exact same time Bill DraperBill Bradley and I held our RetailNow session where we openly discussed the impossibility of continued financing for the large, venture-backed cloud POS companies.

So what’s happening?

First, there’s a drastic change in “venture” capital. As I’ve opined before, “venture” has become growth equity (i.e. low-risk money) that’s simply fooling financially-naive founders otherwise. Where “venture” previously invested in small teams with big promise, they now look at mature companies with high profitability and high growth.

Cloud POS companies today are either not growing fast enough or are not profitable enough to continue raising private money. But we should step back to better understand their conundrum.

“Venture” capital requires large exits to make returns for their investors. The rule of thumb is that you need a clear path to reach $100 million in annual revenue in three years from the first day you take venture money or it’s simply not money worth taking. The $100M ARR might sound arbitrary, but it’s the revenue needed to IPO a company in today’s climate. Founders who think they can achieve this scale are frequently lured by increasingly higher valuations proposed by “venture” investors with little attention paid to the downside should expectations not be met.

The “venture” investors are competing against conventional growth equity funds so they’re driving up valuations to get founders excited. But reaching $100M in ARR in three years is basically impossible unless you’re a once-in-a-decade company like Google or Facebook. Therefore, the majority of founders are pretty much signing up to eat crow.

Now as it relates to cloud POS, investors watch for signs that their investments are not going to reach that magical $100M ARR mark. When those signals become clear, the “venture” investors start looking for an exit immediately. This averages out to a holding period of five years per venture investment: those that can reach IPO might be held for 6 or 7 years where the flailing startups are sold quickly.

What we see with the older – and larger – cloud POS companies is a history of big financings but an apparent lack of time to reach expectations. First money at Revel came in May of 2011 and has now totaled $127M. If we do some math we’ll see that Revel is past that five year average holding period. Is Revel earning close to $100M in ARR?

The most likely answer is no, and neither can it raise more private money. The odd timing of its last round of financing in August of 2015 tells us something strange is going on.

Revel isn’t alone in this either. Shopkeep, which has raised $72M since 2012, will find itself in the same boat over the next 18 months. My back-envelope math puts Revel at $40M ARR and Shopkeep at $30M. Caveat: processing revenues could impact these numbers by 50%.

Why IBM would want to buy Revel is a more confusing discussion. IBM is trying to get more into software, services and data, much like GE and every other company that realizes hardware is hosed. No idea why IBM sold its POS assets when it could have easily built data replication to turn that hardware business into a software, services and data opportunity on top of a much larger merchant footprint than Revel represents. What I do know is that 70% of M&A fail to achieve expectations, and should IBM buy Revel it will likely be mothballed to irrelevance. Watch what’s happening with Oracle and Micros and ask their customers and dealer channels if that’s been a good thing.

A lot of POS revenue woes could be fixed with cross sell and upsell, but “venture” investors – who have no idea how brick and mortar work or they wouldn’t put money here to begin with – are making their companies focus on the wrong things. I’m writing a few posts that detail the immense value in cross selling but don’t have time to squeeze it in here thoughtfully.

What we expect is a liquidity event for Revel in the next 12 months, with Shopkeep sometime in the following 12. It’s doubtful to be an IPO and will more likely be a sale, merger, or implosion of epic proportions.

How these go down will have massive impacts on the industry at-large.

Our calculus says that investors have had their fill of POS for the time being. The lack of growth and apparent struggles of any cloud POS company to reach IPO in a reasonable timeframe has the smarter investors squeamish (though one could argue the really smart investors never put money into brick and mortar to begin with). Any publicized outcome short of IPO will keep money away for a long time.

What this could mean for the POS industry is a (brief) return to increased POS prices. The legacy POS providers have long-argued that cloud POS prices are being suppressed by investors in a race to acquire market share at the expense of margins. No doubt there is some truth to this.

But it’s also wildly foolish. Technology is changing with or without external investment. Investment speeds up the process, sure, but you cannot deny the internet has had great impact. When was the last time you bought a computer at a local store, or used a paper map to route your way?

There is zero reason why brick and mortar should not benefit from the internet

The connectivity the internet brings will drop POS prices for a myriad of reasons: cheaper software, cheaper hardware, better service and support and new business models that create revenue elsewhere. Each one of these could merit its own article. That legacy POS providers refuse to give their customers this value will be harshly punished by the market in time.

When, or if, this comes to pass is a waiting game. Revel and Shopkeep will make it all clear in the next 24 months. Should they fail, Toast and Lightspeed will be the last bastions of first-gen cloud POS. With or without them, however, cloud will still arrive. Change is inevitable; you cannot fight the market.


The Huge Problem With Online Ordering That Nobody Talks About

10 Aug

The convenience engendered by the on-demand economy is here to stay. We’ve seen a small pullback in on-demand financings lately, but as millennials and future generations demand more convenience it’s hard to see the on-demand share of the pie shrinking.

In fact, if we look at the general growth curve of on-demand businesses, it’s only going up. BIA/Kelsey estimated that 2015 saw revenues of $18.5B for the local on-demand economy, representing 3.9% of the addressable market. They also project a 13.5% annual growth rate through 2030, which looks like the below chart.

This might even be more conservative than reality if we look at Postmates’ (an on-demand delivery provider) growth.

Part of the on-demand economy is driven by online orders: the ability to order something from your desktop or mobile device and have it delivered as needed. Naturally it’s no surprise that funding in restaurant online ordering has also seen the same growth trends over the past few years.

Now comes the rub

In the restaurant (and presumably retail) world of online ordering, the merchant foots the bill for the pleasure. Unlike delivery costs, which are sometimes transparently passed on to the consumer, our low-margin merchant bears the cost of online ordering.

How much is a merchant paying? It ultimately depends on the provider. However, the biggest distinction is whether the online ordering service is simply creating a plug-in to the restaurant’s own website, or if it’s doing demand generation.

In other words, if the online ordering service is also marketing your business on other platforms, you pay more.

I’ve compiled a table of providers and their pricing.

What I want to point out is a worrying trend with new, large entrants Uber and Amazon: namely, their fees are astoundingly high. To me, this is a trend that online ordering providers Grubhub and Seamless started, and it’s horrible for the operator. Let me explain with math.

If you remember the calculus we went through with Groupon, we made it abundantly clear that daily deals were terrible for operators. In summary, it would take a customer visiting 14 times at full price before a merchant would break even on their daily deal promotion.

The exact same thing is happening to merchants again with online ordering, only this time it’s even worse.

Online ordering is only growing as a percent of a merchant’s overall sales. The growth in on-demand convenience has analysts prognosticating that as much as 30% of a restaurant’s business will come from online orders in the next five years. According to Bob O’Brien of NPD, “Carry out represents 30% of consumer spend, with delivery comprising another 4% on aggregate.” Using these numbers it’s not hard to fathom how online ordering replaces the entire carry out category, and possibly grows beyond its volume of 30%.

This means, unlike the daily deal promotions, restaurants will have a hard time turning off the online ordering spigot – it’s 30% of their revenue!

Now here’s where the math comes back into play. Restaurateurs and retailers do not make much money. In fact, the relationship mirrors the relationship in credit card processing: the card network (Visa) makes all the money and the resellers (merchant acquirers) make nothing comparatively. A restaurant would be lucky to make 2% profit while their suppliers – InBev, Pernod Ricard, Hormel etc. – have a much higher profit margin (InBev’s profit margin hovers around 60%).

The problem, which should be clearer now, is that a restaurant is LOSING MONEY on every online order where the transaction fee is higher than their margin. And since the merchant is much less likely to turn off their online ordering than they are to continue running loser daily deals, they’re stuck between a rock and a hard place: lose 30% of their revenue immediately or lose the entire business over time.

To give the argument some teeth, let’s take a merchant that earns $1,000,000 in annual revenue with a profit margin of 5% (which is the high end of the spectrum). Assuming online orders account for 30% of their revenue, the below chart details how much money the merchant is losing with online ordering activity, and the impact that’s having to their bottom line.

It’s now obvious just how detrimental online ordering can be to a merchant. Considering most merchants don’t have a 5% profit margin, these numbers can get ugly really fast. To put it into more tangible numbers, this merchant is going to pay upwards of $10,000 per month for the privilege of online ordering.

Unless the rates change, what is a merchant to do?

The answer, we think, is coming soon enough.

The high cost of online ordering middle men stems from a few places.

1) Making merchant order data accurate. Merchants receive orders from a fax, email or tablet. Then the merchant must transpose the order information from the fax, email or tablet into the POS and make sure their menu and pricing is accurate on all the provider websites. More often than not, this means a merchant has to buy a stand-alone tablet to manage orders from a provider. If that merchant wants to use multiple providers, they have to buy and manage multiple tablets. Just imagine being a hostess who’s managing guests on a busy night while having to run five competing tablets to handle your online orders and deliveries.

2) Marketing. Another large expense for the middle men is marketing your business. Seamless and Grubhub spend millions buying TV time and getting consumers to download their application. They must also manage their own consumer applications. All of these costs are passed onto the merchant.

We see these two headaches disappearing with the progress being made by cloud POS.

Cloud POS already has data injection capabilities. Unlike legacy POS, where someone must deploy and maintain a software agent at the merchant’s site to collect and inject data (a process Micros and NCR gleefully charge $50,000 for), cloud POS can easily inject order data. This:

  • Eliminates fat-finger errors in transposing orders from a fax to the POS
  • Automatically updates POS pricing and menu changes
  • Significantly reduces time staff spends inputting data

Chowly, an online ordering POS integration company, has quantified this value already.

Cloud POS can also syndicate online ordering to a multitude of places that do NOT charge high amounts for orders but are still highly marketed. Google. Bing. Amazon. Connected cars. Yelp. The list is very long.

Over time, it will be really hard for a Grubhub to justify a 13.5% cut when the merchant can syndicate their online ordering on Google for far less.

That’s not to say these services are mutually exclusive either. A merchant can keep Grubhub and use their cloud POS provider to syndicate online ordering. Each time an order comes from Grubhub the merchant pays 13.5%, and each time it comes from their POS network they pay far less. This way the merchant doesn’t lose Grubhub orders by shutting them off completely, but slowly watches their Grubhub demand shift to other ordering platforms – all while paying less each time.

Cloud POS companies will naturally take cuts of each transaction – creating new revenues for themselves – but this will be far less than the amounts charged by other online ordering providers since big costs (data consistency and marketing) are being eliminated.

Who knows what online ordering fees will look like in five years, but they will be a lot lower than they are today. That’s good for the merchant, their cloud POS provider, and the consumer. It’s only bad news if your business model revolves around gouging merchants today.

Cloud POS is Quietly Increasing Prices…

31 Jul

Lately I’ve noticed that cloud POS prices have been increasing. Wait, that’s a lie. I didn’t notice anything: resellers of cloud systems noticed that merchant product costs are going up, but their payouts are staying flat. They told me this, so I investigated.

This had me wondering: are cloud POS prices going to continue rising? Are we at the end of a venture-subsidized bubble and do POS prices rebound? Or are the cloud ISVs simply fiddling with their business models because penetration isn’t happening as fast as they had hoped?

Any POS company worth their salt understands the revenue potential in having SKU data available. The clever cloud companies know this model to be the future of their survival. What they’re betting on is the time it takes them to get there.

If you’re taking venture capital money today, you need to be cranking out $100M in annual revenue very quickly. If not, investors are on to the next one. And if you can’t increase the number of accounts to reach those lofty revenue goals, you have to increase the average sales price to the existing accounts.

This is a press release announcing Shopkeep’s pricing at $50/mo, screenshot below.

But Shopkeep’s prices are no longer that low. Today, Shopkeep charges $69/month. That’s a 40% jump.

NCR has also raised prices on its cloud Silver product. What was once $59/mo has increased in various tiers. Here are some screenshots of their new pricing with #6 explaining how to handle subscribers of the original $59/mo plan.

Who knows what NCR is doing, considering they had a botched acquisition, are saddled with another billion dollars in debt on top of their existing $4B, and have cultural issues galore.

Are there other cloud systems that are following this trend? I’ve only spent a small amount of time pulling this data, but surely there’s more to be had…

Why Mobile Payments Won’t Take off in Brick and Mortar

31 Jul

People with a modicum of healthy scrutiny are definitely giving mobile payments a sideways glance. “It’s the next big thing!” we were told. Brands with household names like Google, Apple and Walmart were involved: surely this must be it.

But usage numbers are still trivial, even though we’re several years into mobile payments with multi-billion-dollar investments from huge corporations. Forrester Research hypothesized that only 1% of consumer spend would come from mobile by 2019 – that’s including online, in-person and peer-to-peer.

Current numbers for in-person, brick and mortar payments (i.e. proximity payments) are expected to be around $30 billion this year. This in a domestic universe of roughly $4 trillion in brick and mortar retail spend. For us mathematically lazy folk, that’s just three quarters of one percent: watch out!

For those who have been paying attention, there are two paths to skinning this cat: convince merchants to accept mobile payments, or convince consumers to adopt mobile payment applications and put pressure on merchants.

The last route was tried first – mostly because it’s a substantially cheaper option. Mobile payment apps abounded. Apple had a mobile payment method, as did Google. Then came phone companies, large retailers and even startups, all bumbling their way into the space.

The assumption with the consumer-driven approach is that you’re solving a problem painful enough for consumers to demand it. But that’s not the case at all. Proximity payments (those that occur in-person at the register) are a fabricated problem. My credit card is secure. It will not run out of battery. It’s waterproof. It weighs next to nothing and I can stick it in my sock.

That’s not to say that mobile payments aren’t growing elsewhere. If I want to pay for an Uber, buy something on eBay, or order something to-go, mobile payments are a great use case. But going to a retailer and paying with my phone in the checkout line? Seems trivial. Retailers have seen how slow the uptick in consumer adoption for proximity payments has been and are doing things like giving associates an untethered iPad for card payments, or installing tablets at restaurant tables to eliminate register queuing.

The phone needs to fully replace the wallet if you want to make it the center of in-store payment. Right now my wallet carries my ID, which is not legally replaceable with my phone. It carries annoying receipts. It carries insurance cards and public transportation passes. What’s the hassle of carrying around a credit card if I already need a wallet to carry around all this other stuff?

On the other end of the stack you need to acquire merchants to accept mobile payments. As a consumer, this will need to be places I frequent at least weekly. Grocery is a good candidate, as are restaurants (good luck with that fragmentation problem). Retail is not an ideal candidate, since, at its current growth rate, the majority of spend will be transacted online in a little over a decade.

This is all well and good, but has anyone stopped to ask: where’s the value for the merchant?

In most cases the merchant needs to spend thousands on new credit card processing hardware to communicate with mobile devices. Apple has stated it won’t share any customer payments data with the merchant, so there goes a merchant’s entire marketing program. Google monopolizes data, so odds are that the merchant would pay for data insights or advertising products to see anything useful.

The simplest value, of course, is saving the merchant 3% on all purchases by eliminating interchange (the fees credit card networks, processors and the banks take from each transaction). If mobile payments is as great as is touted, there’s no reason for credit cards at all: consumers could use bitcoinVenmo or some analogue to pay for goods, where payment transfer costs are pushed to zero. I think just about every merchant would sign up for that: an instant 3% increase to top-line revenue by doing nothing.

But here’s the issue: the entire payments chain is incentivized NOT to let that happen. Visa and the other payment networks earn ridiculous margins. Visa has a near 50% profit margin. By comparison, Google (Alphabet, whatever) “only” earns a 21% profit margin. Card issuing banks (the banks that sponsor your credit cards) also earn healthy revenue on each transaction, as do the large processing companies like First Data – whose job is to ensure merchants accept card payments.

Now why would all these players in the payments network, who own the merchant relationships, push merchants into accepting mobile payments and risk the possibility of being disintermediated? The simple answer is they won’t. And if you were the CEO for any of these companies you’d arrive at the same conclusion too.

So ultimately I don’t care how many surveys mobile payments companies produce: the market is not moving. I don’t expect proximity payments (in-store payments) to be a “thing” in the near future until it solves a real problem. Consumers have said there’s little value, and merchants who think there is value are finding in-store workarounds.

Is PCI’s QIR the Achilles Heel for Cloud POS?

31 Jul

The Payment Card Industry Security Standards Council (PCI SSC) has established a program designed to mitigate card theft. At this juncture, most folks in the industry have surely heard of it: the Qualified Integrator and Reseller (QIR) program. The QIR effort is part of a larger initiative by Visa to mitigate cardholder data security breaches at small businesses – which typically do not have the same data security resources as larger organizations. Visa is relying on the PCI SSC to develop and maintain the QIR program.

The PCI SSC is uniquely situated to manage the QIR program standards since they also manage the Payment Application Data Security Standards (PA-DSS) program. The PA-DSS program “promotes the development and implementation of secure commercial payment applications that do not store prohibited data, and helps to ensure that payment applications support compliance with the PCI DSS.” It’s a verbose way of saying that the program is designed to minimize card theft and security breaches.

The QIR program was created in response to a belief that certifying installers of payment equipment would result in lower occurrences of theft. Protect the entire card environment, if you will. The QIR program explicitly lays out “guiding principles and procedures for the secure installation and maintenance of validated payment applications in a manner that supports PCI DSS compliance.” So if you install, support or maintain payment applications, QIR qualification ensures you’re educated to do so in a manner that conforms to PCI DSS.

Now this is where it gets interesting. According to Dustin Niglio, CEO of Payment Logistics and an expert on PCI, the QIR program implicitly defines its scope by stating that it applies to “secure installation and maintenance of validated payment applications”.  A validated payment application is one that has been reviewed by a PCI SSC Qualified Security Assessor (QSA) and found to be compliant with the Payment Application Data Security Standards (PA-DSS). The Payment Card Industry Data Security Standards (PCI DSS) require third party applications which process, store or transmit sensitive cardholder data to be PA-DSS validated. So in order for a merchant that uses a third party payment application that handles sensitive cardholder data to be compliant with the PCI DSS, the payment application they use has to be PA-DSS validated.

However, there exist payment solutions that isolate cardholder data to purpose-built payment devices and transmit that data directly to upstream payment processors. These payment devices fall outside the scope of PA-DSS, and ISVs (Independent Software Vendors) who use these devices for all handling of sensitive cardholder data within the merchant environment consequently place themselves, and their dealers, outside the scope of QIR.

Phew.

Acronyms aside, what does this mean in plain English?

The card networks (specifically Visa) think small businesses are not adequately protecting their data. To minimize data theft and losses that arise from said activity (as if they don’t already have insurance against such fraud) they decided to force a new program (QIR) onto the payments channel – the cost of which is ultimately footed by the merchant. The QIR program says “Hey, if your payments system sees any sensitive cardholder data that might be stolen, you, merchant, need someone who’s ‘QIR certified’ to install and maintain your payment systems.”

If there is a breach and it’s discovered that the merchant is using a validated payment application that hasn’t been installed and maintained by a QIR-certified agent, the card network will assess fines to the merchant’s payments provider… even though the cost gets passed to the merchant. Make sense?

Moreover, the real-life scenario creeping into my mind is this: what happens with cloud POS installs? Many cloud ISVs simply drop ship the hardware and software to the end merchant. The merchant puts the “blue plug in the blue port” and setup is done. But merchants are not QIR certified… now what?

The merchant/ISV will need to find a payments provider that offers a solution which removes them from the scope of QIR. That is, the solution isolates all handling of cardholder data; any data within the merchant’s environment must be run on a purpose-built, plug-and-play device that does not allow for remote access into the cardholder data environment. Most ISVs and merchant acquirers offer such options, dependent on compatibility with upstream processing networks, costs, etc.

Visa went so far as to address the same question.

Q: What if a service provider ships POS terminals to a merchant? Is that service provider in scope for the QIR program?

A: If the service provider is configuring the application within the terminal for the merchant and will support or service the terminal via remote access after installation, the service provider is in scope for the QIR Program and should complete the certification process. A service provider providing a merchant with a simple plug-and-play device which will not allow for remote access into the POS environment is not in scope of the QIR program (i.e. QIR is irrelevant).

Dustin finds Visa’s terminology interesting. “Instead, Visa should have used the term ‘remote access into the cardholder data environment,’” Dustin says. “Furthermore, in my opinion, it was not correct to focus on ‘remote access’ as the qualifier of being in-scope of QIR. But I understand why they did it.”

Dustin details that, “The number one issue Visa has seen with small merchant data breaches has been the use of insecure remote access configurations by POS dealers. Many POS dealers have a long running habit of setting up unattended support on merchant POS servers and then using the same remote access password in their unattended support solution for all of their sites. So once a hacker compromised the password for one site, they could locate other customers of the dealer and easily hack into those sites remotely by using the same or a similar password. It’s such an easy vulnerability to mitigate, yet there are so many instances of this happening that Visa finally had enough and now we have QIR. Of course, this is my opinion, but Visa shows their hand by the types of questions and answers they included in their FAQ.”
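The shared-password pattern Dustin describes can be checked from the dealer's side. The following is an added example, not part of the original post or any vendor's tooling: it audits a dealer's own credential inventory for identical or near-identical unattended-access passwords across merchant sites. The inventory, site names, passwords and audit key are all constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample inventory: (merchant site, unattended-access password).
# In practice this would be an export from the dealer's own password vault.
SAMPLE_INVENTORY = [
    ("pizza-shop-01", "Summer2016!"),
    ("pet-store-02", "Summer2016!"),
    ("cafe-03", "Summer2016!cafe"),
    ("diner-04", "t9#Lq2vX@7mRz4Wp"),
    ("bakery-05", "Qw8$hN3kZ!c6Yb1T"),
]


def fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed hash, so the report can group equal passwords without printing them."""
    digest = hmac.new(audit_key, password.encode("utf-8"), hashlib.sha256)
    return digest.hexdigest()[:12]


def audit_reuse(inventory, audit_key: bytes, similar_at: float = 0.7):
    """Return (exact, similar) findings for a dealer's credential inventory.

    exact:   {fingerprint: [sites]} for any password used at more than one site.
    similar: [(site_a, site_b, ratio)] for distinct passwords that closely
             resemble each other; one representative site is named per password.
    """
    sites_by_fp = defaultdict(list)
    plaintext_by_fp = {}
    for site, password in inventory:
        fp = fingerprint(password, audit_key)
        sites_by_fp[fp].append(site)
        plaintext_by_fp[fp] = password

    exact = {fp: sorted(s) for fp, s in sites_by_fp.items() if len(s) > 1}

    similar = []
    for fp_a, fp_b in combinations(sites_by_fp, 2):
        a, b = plaintext_by_fp[fp_a].lower(), plaintext_by_fp[fp_b].lower()
        ratio = SequenceMatcher(None, a, b).ratio()
        if ratio >= similar_at:
            pair = sorted((sites_by_fp[fp_a][0], sites_by_fp[fp_b][0]))
            similar.append((pair[0], pair[1], round(ratio, 2)))
    return exact, sorted(similar)


if __name__ == "__main__":
    exact, similar = audit_reuse(SAMPLE_INVENTORY, b"constructed-audit-key")
    for fp, sites in exact.items():
        print(f"REUSED  {fp}: {', '.join(sites)}")
    for site_a, site_b, ratio in similar:
        print(f"SIMILAR {site_a} ~ {site_b} (ratio {ratio})")
```

Any site that appears in either finding should get its own randomly generated credential, since one stolen password otherwise opens every site that shares or resembles it.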

It only gets more complicated from here. “When it comes to Android and iOS POS systems or any POS application which is designed to run on a handheld consumer device, there is another can of worms we can open surrounding PA-DSS and QIR. But that’s for another time.”

Dustin can be contacted in response to this article by phone at 858-200-9634 or by email at partnersmatter@paymentlogistics.com. I have found Dustin to possess unquestionable knowledge of this critical issue. A previous post of his on the same topic can be found here.

Dear Restaurants/Retailers, Nobody Wants Your App, and Why That’s Good

14 Jul

Monkey See, Monkey Do is an idiomatic expression popularized in the 1920s, thought to have originated in Mali, West Africa. In less colloquial terms, it refers to people who follow the actions of another, even if they have no idea why they’re doing it.

Much merger and acquisition (M&A) activity can be explained by the Monkey See, Monkey Do phenomenon: a competitor made a move, so we must do something too. After all, what if they know something we don’t? This conversation takes place in board rooms much more frequently than an outsider could ever imagine. Bankers get paid on the deal, not the outcome, so of course the money folks are going to prey on a CEO’s insecurities. It should come as no surprise then that at least 70% of M&A fails.

Retailers and restaurants are likewise not immune to Monkey See, Monkey Do. Retailers and restaurants saw airlines, hotels and grocers developing apps and thought they needed an app too. I cringe at thinking how many billions of dollars merchants paid to have their own apps developed.

Unlike consolidated industries, there are hundreds of thousands (600,000, to be exact) of restaurants in the US. I mention this to put the below in perspective: every time I fly, a US airline has a 20% chance I will book with them. If you’re a grocery brand, there’s a 50% chance to be graced with my patronage based upon my local geography. Given this frequency, an app makes sense to manage my flight status or loyalty points. But I’ve eaten at hundreds of local restaurants, and maybe only five of them more than once. And there are thousands of others in Houston. I’ve never downloaded a restaurant app because my behavior, based on inherent market fragmentation, just doesn’t justify it…

If we follow the teachings of Sakichi Toyoda, we’d learn about the Five Why method: ask why five times and you will arrive at an actionable solution. If you practiced Mr. Toyoda’s method with a merchant bent on app-domination, I’d be impressed if you heard a cohesive answer on even the first why. Yes, a merchant might regurgitate buzzwords like “data”, “loyalty”, or “convenience”, but no cohesion ever came from a Jackson Pollock either. Merchants simply don’t know why they have an app, except everyone else has one too. Monkey See, Monkey Do.

But having a stand-alone app will be detrimental to merchants going forward.

Let’s examine online (mobile) ordering for a second. The value of online ordering is less about the device but more about the convenience. Can I order something on my phone, watch, connected car, VR contact lens (whatever’s next?) in a fraction of the time I would spend driving to the location, finding the item, queuing at the register, paying, and driving back? Whatever becomes most convenient with current technology – with price obviously under consideration – is what consumers will want. To stay on top of technology changes will merchants spend ever-more resources developing apps for all these different platforms?

The true convenience of online ordering does not require you to download a merchant’s specific, and thus definitionally, limited application. In fact it’s the opposite: cull the largest list of possible options via one data layer to drastically improve convenience. Today this has manifested as Yelp, Foursquare, Google, OpenTable and other local discovery platforms that let you sort across a number of filters to find what suits your needs. As much as merchants don’t want to believe it, the market is saturated, and products/services are very much fungible. If you’re not on Yelp, you don’t exist, and a prospective customer can easily find a substitute.

As is becoming clearer, the future will be even less about apps and more about bots. A bot, in its simplest explanation, is but an artificial intelligence (AI), natural language processing (NLP) layer on top of data that prevents the user from the first-world “problem” of opening, loading and interacting with a specific app. With better speech recognition and access to relevant data, Apple’s Siri, Microsoft’s Cortana and Google’s Now will render any and all other bots redundant and inferior. Are we to believe restaurants and retailers – who haven’t figured out the value of data science to manage the basics of their inventory and labor – are suddenly going to build bots with advanced NLP libraries and compete with Google?

The answer to all these questions comes to one, natural conclusion: Cloud POS. Smart POS companies will become the aggregate portal for all brick and mortar merchant needs. They’ll already be collecting the data necessary via Cloud to empower bots and useful extensions for their merchants. Through the value of middle market players and data aggregators – not unlike data co-ops in grocery and retail – POS companies will be able to connect merchants with all of the third party, demand-generating platforms to help merchants grow.

How does this benefit merchants?

1. Merchants won’t need to waste money developing apps/bots for perpetually-changing technology. The market will come to POS partner networks to onboard merchant data. Now, with merchant permission, consumers can order from businesses via a bevy of consumer platforms without the merchant worrying about it.

2. Merchants will access more data than their own loyalty efforts could ever imagine. Because POS partner networks will represent more locations than any merchant’s four walls (or any single POS company’s install base for that matter), the data being collected will paint a massively better picture of customer behavior. As payments and POS naturally merge, a stand-alone merchant app will be woefully behind.

3. Merchants will see increased customer revenues without increased marketing spend. Third parties will work with POS partner networks to invent new ways to generate eyeballs, and thus customers for the merchant. Who knows what sorts of future commerce this entails, but startups are much, much more creative than you might think.

Naturally, there will still be large, laggardly merchants that insist on maintaining their own apps and mismanaging investor dollars. But as data becomes democratized, small merchants will outcompete those who don’t have access to the data platforms being created.

That, of course, will eventually engender boardroom discussions of a new Monkey See, Monkey Do at the larger merchants – even if nobody in the meeting knows why they’re discussing the change.

Legacy POS Is Dead – It Just Doesn’t Know It Yet

12 Jul

You ever see those horror movies where a victim gets decapitated but still bobs from wall to wall like a gory game of Pong? Well the killer has already sliced the head off of legacy POS but the victim hasn’t quite realized it’s done for.

I’ll sum it up with a paraphrased but true story from a year ago.

A multi-hundred-unit restaurant chain asked its current POS provider (NCR) to access their data in a more useful and dynamic way. NCR would love to oblige, but for $50 per month per store. The restaurant concluded they could buy an entirely new POS system that would provide said data outputs for free, and summarily switched POS providers. “But we have a bazillion features!” NCR explained. “Who cares,” the merchant replied, “you don’t have the features that matter now.”

The end.

While POS companies love to evangelize their development prowess by counting features, as if the number of features is directly proportional to the number of merchants queueing in line to buy your POS, this is going away. Hell, if a POS boasts 4,000 features, only 100 of them are actually ever used anyhow. Maybe one or two merchants want some obscure feature, and if you want to be in the POS business by building a custom product every time, good luck to you. But with all the hoopla about POS features being important it ends up being a pretty moot point in the scheme of things.

Indeed, you’ll start to see a winnowing of features as open POS platforms rely on other, third party providers to augment their POS offering, thus making the entire solution theoretically more complete. Clover, from First Data, has operated on this model for the past few years.

Now this isn’t without its caveats. Clover, for instance, lacks perhaps the basic 50 features needed to be relevant with restaurants/retailers that do more than $500k in annual revenue. And their app store (where I’ve publicly stated I’m no fan) is more window dressing than utility: it is a toolbox a payments provider, unfamiliar with selling POS, can point to and claim, “Yea, this app store has your solution for X.” Naturally, after a few weeks the merchant figures out they were sold a bill of goods.

But the ethos is what’s important here: Clover realized they could focus on a smaller nut and leave some of the more complicated development efforts to third parties who could build more complete features than Clover. Remember, POS is not some highly-profitable business with gratuitous funds for feature development. By letting someone else worry about building best-of-breed for X, POS companies can focus on the core product, merchant acquisition and support.

In fact, POS is going to follow the trails blazed by personal computers and mobile phones right into commoditization.

When you decide to buy a mobile phone, how do you decide what to buy? Are you buying an Apple phone because its camera is 0.5 megapixels higher than a Windows phone? Is it because the Windows phone lacks calling, email and text?

No.

Both devices are effectively the same, especially for the features that derive 99.5% of their value. The difference is the ecosystem and value that ecosystem provides the consumer. It’s the “features” the ecosystem adds to that core product that make it so valuable. Apple doesn’t need to provide the best on-demand delivery service, it just needs to connect you to it. But Uber won’t bother making apps for phones that aren’t open, or show little willingness to cooperate.

Several “legacy” POS companies have started investing in the future of their business by making Cloud (the data connectivity functionality) their default solution and their most important feature. As discussed previously, Cloud is THE commercial future of the POS industry, and if any feature is evangelized it should be this one. Here are some restaurant POS companies that deserve further notice.

Michael Paycher co-founded SoftTouch POS in 2000. By 2009, Mike realized he needed to develop cloud architecture. “If you want to deliver any multi-store product – loyalty, reporting, you name it – with a great experience you need cloud architecture. Building at the store-level limits functionality and hobbles your product,” Mike says. “Today,” Mike continues, “every operator we onboard is on our cloud system by default. This immediately increases my, and by extension my channel’s, ability to offer superior products that make our merchants more successful.” He further quips, “It doesn’t hurt that the future of our industry requires us to have data, either.”

Focus POS’ COO, Mike Hamm, also shares the same vision. “Instead of going straight to cloud, where you lose the redundancy and stability of the local server,” he explains, “we’re taking Focus to cloud replication. The data still resides locally, which is what larger customers need, but we provide the opportunities Cloud POS does by copying local data to Azure in real-time. It’s the best of both worlds,” Mike attests. When asked how clients could access his new build-out, Mike said, “The cloud data replication is included in our SaaS pricing going forward. For those customers who want to own their POS outright, we’re still figuring out how to best deliver the value of our Cloud replication.”

“Make no mistake about it,” Mike continues, “we’re going where the market is going. People want to order from Uber and we want to ensure we provide our restaurants that seamless flexibility through Cloud architecture.”

Lucky Thalas, EVP at SilverWare POS, is following suit. “We’ve found a great balance between traditional ‘client-server’ POS and ‘cloud’. The data resides at store-level but we communicate between the cloud and the store.” Lucky is taking it a step further. “All net new SaaS deployments of SilverWare POS include cloud real-time synchronization for reporting, alerts and analytics. The cloud also serves as a default backup.” SilverWare customers who prefer to purchase the system outright also have the option to add cloud functionality at a nominal fee for their benefit.

“Still,” he adds, “we recognized the need to make our POS ready for the next evolution, including integration to third party services and complementary products that are hard to deliver without cloud data availability.”

The future of POS will be a commoditized product, just like your phone or computer is today. Ironically, as payments companies feel commoditization’s downward pressure on their own margins, they’ve dipped into POS to bolster revenues and decrease churn. Now they’re discovering that POS is becoming just as commoditized as the commoditized business they attempted to diversify.

At the end of it all, POS’ value will come from what it can connect you to, and how those connections can grow your business. POS companies that survive the next evolution will earn more money than they ever have before while doing less work by letting third parties augment their features – let not your heart be troubled. But the legacy POS companies that haven’t figured this out yet? They’ve been dead for a long time.

Why POS and Payments Companies Have Trouble Thinking Ahead

12 Jul

When we think of large companies struggling with innovation, we often ask ourselves how it happens. They have so much money, so many resources, a dominant market position, and yet they lose the war to a startup nobody even took seriously. WTF?

In defense of large industry incumbents that serve brick and mortar, I have a theory for why it doesn’t just happen, but rather why it’s commonplace.

Brick and mortar is a special market segment. Sales cycles are forever long. Contract values are tiny. And because there’s no market leader or 80/20 anywhere, it takes massive scale to make a dent in the market.

The solution for payments companies (merchant acquirers) and POS companies alike has been to create reseller networks. The reseller operates somewhat under the corporate banner but is ultimately its own entity. Translation: pushing initiatives through a channel can be like pushing a string and hoping it miraculously finds its way through the eye of a needle.

Further, merchant churn is crazy high in brick and mortar. Reported failure for restaurants is as high as 60% in the first year, with a full 80% dissolving after five. Statistic Brain says that only 47% of retail establishments make it to the five year mark. And these are businesses that will be lost even if they like your product – we haven’t yet considered the number of businesses that will boot you out in favor of a competitor! In aggregate it’s very high churn indeed…

The understanding becomes profound when you combine the above two brick and mortar phenomena with the desire to meet quarterly goals. Think about the number of merchants dumping your service and how hard it is to find a channel partner that can reclaim business someplace else. It’s more than a full time job just trying to keep the boat afloat, never mind beating quarterly expectations.

While Google is working on self-driving cars, POS and payments companies are just trying to acquire enough merchants before the end of the month. These companies are not money-printing enterprises; there isn’t a gluttonous amount of money for R&D like there is over at Facebook. So initiatives inherently take more time in brick and mortar.

Though none of this should be an excuse for not doing the right thing, or sprinting when it’s opportune. If you spend your life torpidly scouring the pavement for pennies, you’ll miss the benefactor across the street handing out dollars. It does pay to know when to look up and run.