Pay By Touch Installing at 18 Scotts

Marilyn Surfus realized last weekend that she’d forgotten her checkbook at home. But the slip didn’t stop her from buying groceries. She simply placed her finger on the scanner pad in the checkout lane at Scott’s Food & Pharmacy. The device compared hundreds of pre-selected points on her fingerprint for comparison with her data already on file. And the sale was approved.

Scott’s is piloting the Pay by Touch system at four of its Fort Wayne stores: the Dupont, Coventry, Georgetown and Stellhorn locations. Rick Zahm, Scott’s vice president of merchandising and operations, said the first units were installed last week. Company officials plan to install the devices in the chain’s 14 remaining northeast Indiana stores in about two weeks.

Krista Thomas, Pay by Touch spokeswoman, said Scott’s is the first company in northeast Indiana to adopt the high-tech payment system. Touch payments are accepted in 2,400 retail outlets in 44 states; 3.3 million people have enrolled in the system, Thomas said.

The technology allows consumers to enroll at a bright green kiosk near the front office. That process – which involves presenting a driver’s license, a voided check and making that initial finger scan – is all done electronically and takes about three or four minutes.

Afterward, the customer can simply touch the scanner at a checkout to have a purchase covered with money withdrawn from the customer’s checking account. The technology also allows for payments with debit and credit cards but, so far, Scott’s has opted to offer only Automatic Clearing House withdrawals from checking accounts. Such transactions have lower fees for merchants than debit purchases. Either way, the money is taken from the customer’s checking account.

After a person has enrolled in the system, he can use it to pay for purchases at any retailer that offers the option. Thomas said participating businesses include gas stations, convenience stores, banks and check-cashing companies.

Scott’s processed about 40 Pay by Touch transactions last weekend, including the one by Surfus, the company’s supervisor of bookkeeping and customer service. She previously enrolled in the system while visiting another grocery in Chicago. Scott’s has concentrated on signing up employees so that they can become familiar with the system and more easily explain it to curious customers.

Zahm, the Scott’s vice president, describes the system as the wave of the future – but one that will be quickly embraced in the present by customers who like to get in and out of stores quickly. “We can tell it’s going to be successful, based on signups,” Zahm said.

He declined to give exact numbers for competitive reasons. He also declined to put a dollar amount on installing the technology. Zahm said, however, that Pay by Touch shared the cost with the company.

Lindsay Hancock, spokeswoman for The Fresh Market, said the Greensboro, N.C.-based chain hasn’t adopted the technology and isn’t considering it, as far as she knows. Some consumers have been reluctant to embrace the high-tech process. Thomas, of San Francisco-based Pay by Touch, acknowledged that some people are hesitant to register because they don’t want their fingers scanned. But soon, even they realize how safe the transaction is compared to writing checks or using debit cards.

“There’s usually an initial concern about security and privacy,” she said. “And we respond that we have the most robust security that can exist.” (see Contactless Cards Provide Contacts and Numbers) to read about real flaws in privacy)

The company works with IBM and doesn’t store any of the data at retail locations. In fact, the cashier doesn’t even see the customer’s checking account number, adding a layer of security, Thomas said.

Pay by Touch has talked to participants and found that older adult women appreciate not having to carry their purses, which could be lost or stolen, Thomas said.

Pay By Touch Introduces New Kiosk

Introduces Rapid Enroll Kiosk to Improve Loyalty Program Enrollment
Internet-Enabled System Expedites Enrollment, Reduces Processing Costs, Improves Customer Experience

SAN FRANCISCO, Oct 24, 2006 /PRNewswire via COMTEX/ -- Pay By Touch, the leader in integrated biometric authentication, personalized marketing and payment solutions, today announced the immediate availability of its Rapid Enroll Kiosk(TM). The new Internet-enabled retail kiosks speed and streamline enrollment for loyalty and rewards programs. The system allows for quick and easy customer sign up, and reduces enrollment processing time and expense for grocers and retailers.

"Pay By Touch is committed to providing retailers with innovative solutions that improve the customer experience and make business sense," said John Rogers, founder, Chairman and Chief Executive Officer of Pay By Touch. "The new Pay By Touch Rapid Enroll Kiosk simplifies loyalty program enrollment for customers and reduces costs associated with enrollment for merchants."

The Rapid Enroll Kiosk was developed by Pay By Touch's Personalized Marketing division, which helps businesses manage loyalty and reward marketing programs with a full range of enrollment and database services.

"Virtually all of today's retailers have created a loyalty program because it has proven to be a valuable marketing and customer retention tool. However, paper enrollments are slow, error prone, and overwhelm customer service personnel," said Jeff Grider, vice president, Pay By Touch personalized marketing. "Pay By Touch Rapid Enroll Kiosks automate enrollment, thereby enabling stores to enroll customers into their programs faster and more accurately -- often reducing the store processing time from weeks to minutes."

With the new in-store, Internet-enabled enrollment kiosks, customers can sign up quickly, accurately and securely using an integrated 'phone number look-up' application. To use the system, customers simply enter their phone number and a secondary identifier -- such as the last three letters of their last name -- and their address information is populated automatically. Customers can also choose to manually enter their information through a simple touch-screen process.

The direct input of customer data using the Rapid Enroll Kiosks prevents common enrollment processing issues, including application handwriting legibility, false applications, forgotten stickers and application loss.

The Rapid Enroll Kiosk offers multiple financing options available for retailers of all sizes. Pay By Touch Personalized Marketing can create custom reward and loyalty programs for retailers with no established program or under-performing programs in need of revitalization. Future enhancements to the kiosk will enable consumers to enroll their biometric information, ultimately eliminating the need for a card.

For more information, go to www.paybytouch.com/cr.

Contactless Cards Provide Contacts (and Numbers)

From the NY Times

AMHERST, Mass. — They call it the “Johnny Carson attack,” for his comic pose as a psychic divining the contents of an envelope.

Tom Heydt-Benjamin tapped an envelope against a black plastic box connected to his computer. Within moments, the screen showed a garbled string of characters that included this: fu/kevine, along with some numbers.

Mr. Heydt-Benjamin then ripped open the envelope. Inside was a credit card, fresh from the issuing bank. The card bore the name of Kevin E. Fu, a computer science professor at the University of Massachusetts, Amherst, who was standing nearby. The card number and expiration date matched those numbers on the screen.

The demonstration revealed potential security and privacy holes in a new generation of credit cards — cards whose data is relayed by radio waves without need of a signature or physical swiping through a machine. Tens of millions of the cards have been issued, and equipment for their use is showing up at a growing number of locations, including CVS pharmacies, McDonald’s restaurants and many movie theaters.

The card companies have implied through their marketing that the data is encrypted to make sure that a digital eavesdropper cannot get any intelligible information. American Express has said its cards incorporate “128-bit encryption,” and J. P. Morgan Chase has said that its cards, which it calls Blink, use “the highest level of encryption allowed by the U.S. government.”

But in tests on 20 cards from Visa, MasterCard and American Express, the researchers here found that the cardholder’s name and other data was being transmitted without encryption and in plain text.

They could skim and store the information from a card with a device the size of a couple of paperback books, which they cobbled together from readily available computer and radio components for $150.

And because the cards can be read even through a wallet or an item of clothing, the security of the information, the researchers say, is startlingly weak. “Would you be comfortable wearing your name, your credit card number and your card expiration date on your T-shirt?” Mr. Heydt-Benjamin, a graduate student, asked.

Companies that make and issue the cards argue that what looks shocking in the lab could not lead to widespread abuse in the real world, and that additional data protection and antifraud measures in the payment system protect consumers from end to end.

The finding comes at a time of strong suspicion among privacy advocates and consumer groups about the security of the underlying technology, called radio frequency identification, or RFID. Though the systems are designed to allow a card to be read only in close proximity, researchers have found that they can extend the distance.

The actual distance is still a matter of debate, but the claims range from several inches to many feet. And even the shortest distance could allow a would-be card skimmer to mill about in a crowded place and pull data from the wallets of passersby, or to collect data from envelopes sitting in mailboxes.

“No one’s going to look at me funny if I walk down the street and put a flier in everybody’s mailbox,” Mr. Heydt-Benjamin said.

The experiment was conducted by researchers here working with RSA Labs, a part of EMC, an information management and storage company. The resulting paper, which has been submitted to a computer security conference, is the first fruit of a new consortium of industry and academic researchers financed by the National Science Foundation to study RFID.

Security experts who were not involved in the research have praised the paper, and said that they were startled by the findings. Aviel D. Rubin, a professor of computer security at Johns Hopkins University, said, “There is a certain amount of privacy that consumers expect, and I believe that credit card companies have crossed the line.”

The companies, however, argue that testing just 20 cards does not provide an accurate picture of the card market, which generally uses higher security standards than the cards that were tested. “It’s a small sample,” said Art Kranzley, an executive with MasterCard. “This is almost akin to somebody standing up in the theater and yelling, ‘Fire!’ because somebody lit a cigarette.”

Chips like those used by the credit card companies can encrypt the data they send, but that can slow down transactions and make building and maintaining the payment networks more expensive. Other systems, including the Speedpass keychain device offered by Exxon Mobil, encrypt the transmission — though Exxon came under fire for using encryption that experts said was weak.

Though information on the cards may be transmitted in plain text, the company representatives argued, the process of making purchases with the cards involves verification procedures based on powerful encryption that make each transaction unique. Most cards, they said, actually transmit a dummy number that does not match the number embossed on the card, and that number can be used only in connection with the verification “token,” or a small bit of code, that is encrypted before being sent.

“It’s basically useless information,” said David Bonalle, vice president and general manager for advanced payments at American Express. “You can’t steal that data and just play it back and expect that transaction to work.”

While the researchers found that these claims were true for some of the cards they tested, other cards gave up the actual credit card number and did not use a token or change data from one transaction to another. They also took data in from some cards and transmitted it to a card-reader in the lab and tricked it into accepting the transaction. Mr. Heydt-Benjamin, in fact, was able to purchase electronic equipment online using a number skimmed from a card he ordered for himself and which was sealed in an envelope.

(None of the cards transmits the additional number on the front or back, known as the card validation code, that some businesses require for online purchases; Mr. Heydt-Benjamin chose a store that does not require the code.)

Mr. Kranzley said the MasterCard-issuing banks decided how much security they wanted to implement, but said that with 10 million of the company’s chip-bearing cards on the market, some 98 percent of them used the highest standards.

“Today, there’s an extremely small percentage of cards that have the characteristics that RSA has looked at in this report,” he said. Visa and American Express representatives said all their cards conformed to the highest security standard.

Beyond the security on the cards themselves, the companies said, they have deployed fraud detection and prevention measures that block suspect purchases. And each company stressed that cardholders were not liable for fraud.

Dr. Fu acknowledged that the research involved a small sample, and added, “We would be happy to examine cards that have better security so that we can verify these claims.” He added, however, that all of the cards they tested were issued this year, and all were felled by at least one of the attacks that they attempted.

Tom O’Donnell, a senior vice president at Chase, the largest issuer of the new cards, said that the attacks described in the paper would be too cumbersome in the real world. And the researchers said that other kinds of fraud, like so-called phishing scams in which criminals trick people into revealing credit card information through misleading e-mail messages and Web sites, were currently more effective.

Still, John Pescatore, vice president for Internet security at Gartner, a technology market research firm, said he was surprised by the lack of security in transmitting personal data. He said it was a mistake that companies often made in rolling out early versions of a technology.

“It’s the classic ‘Let’s depend on security through obscurity — who’s going to look?’ ” he said. “Then, whoops! As soon as somebody does look, you roll out the security.”

All of the card companies said that they were in the process of deleting names from the stream of data transmitted to the card readers. “As a best practice, issuers are not including the cardholder name,” Mr. Triplett of Visa said.

Pay By Touch in Zagara's Marketplace

Here's a story from NewsChannel 5 in Cleveland Heights about the launch of Pay By Touch in Zagara's Marketplace....

CLEVELAND HEIGHTS, Ohio -- Say goodbye to your debit cards, credit cards and checks: purchasing power is now at our fingertips with new technology you could soon see everywhere.

One local grocery store is on the cutting edge of science, being the first to offer fingerprint scanning as a payment method, NewsChannel5 reported. Pay-by-touch is new to Zagara's Marketplace and to northeast Ohio. It is a free service that allows you to pay for your purchases by scanning your fingertip at checkout. When you register, your fingerprint is linked to your checking account, eliminating the need to carry cards, checks or cash. Store owner John Zagara researched the technology for two years before bringing the scanners to his Cleveland Heights store.

He said it's not only for customer convenience, it's to keep them safe.

"Shoppers are always looking away from their shopping cart, inside their shopping cart is their purse. Someone grabs their purse, they don't know who it was. This is way more secure," Zagara said. "You don't even need your purse."

I was talking to a police officer who was doing some shopping and he said, "this has got to be the safest transaction that he's seen out there". Criminals or ID thieves would shy away from this system all day long he said. "I've got to get my dad in here and get him signed up."

Pay By Touch Video Story - WKYC

Click Here or the Picture to Watch Pay By Touch Newstory from Cleveland

At the checkout line at one, local grocery store you can pay by cash, check, credit or index finger.

Channel 3's Paul Thomas shows us how this unique process works.At the checkout line, we dig, we swipe and sometimes, rummage around a little more. But customers at Zagara's Marketplace in Cleveland Heights are letting their finger do the walking to pay for their groceries.

Video Play Video

NRF CIO Hogan Likes Pay By Touch

Cleveland allows customers to Pay By Touch of a finger
Friday, October 20, 2006
Mary Vanac - Plain Dealer Reporter




The latest technology at Zagara's Marketplace definitely has "the cool factor," in the words of store manager Dan Gradijan.

This week, the Cleveland Heights grocer became the first retailer in Northeast Ohio to offer the Pay By Touch Wallet -- a point-of-sale system that enables customers to pay for groceries by scanning their index fingers and keying in a number. There's no need for checks, credit or debit cards, or cash, all of which can be stolen. "Nobody can steal your fingerprint," Gradijan said. The biometrics system that verifies your identity and enables you to write an electronic check on your account also is less costly to use -- for both consumers and retailers.

Store director John Zagara approached Pay By Touch about a year ago, Espinosa said. Zagara had read about the finger-scan technology. "He's an innovative guy," Espinosa said of Zagara, whose grandfather, Charles, opened the first Zagara's on Kinsman Road in 1936. Zagara was unavailable for comment on Thursday.

"I give them a lot of credit" for installing the Pay By Touch technology, said David Hogan, chief information officer for the National Retail Federation in Washington.

Convenience and speed are the likely reasons why customers at grocery stores, and perhaps convenience stores and gas stations, might adopt biometric checkout technology, Hogan said. "If you're a parent and you've got a toddler on your hip, you can scan your finger and punch in a number, and you're on your way," he said.

Pay By Touch, which bought its nearest competitor, BioPay, earlier this year, is the clear leader in biometric point-of-sale technology, the retail federation's Hogan said. In some form, biometrics probably is coming to a store near you. "A lot of retailers are finding payment solutions with biometrics very appealing," Hogan said.

About David Hogan

David Hogan was named Senior Vice President and Chief Information Officer for the National Retail Federation (NRF), the world's largest retail trade association, in 2002. He directs numerous internal and retail industry IT initiatives and manages NRF's CIO Council, a committee of retailing's most prominent chief information officers. Dave also provides oversight for the Association for Retail Technology Standards (ARTS), dedicated to creating an international, barrier-free technology environment for retailers.

Hogan is a former member of the NRF's CIO Council and has spent his entire career in retail. Prior to joining NRF, he served as Vice President and CIO of international retailer, Duty Free Americas. He has held senior level positions with The Limited Inc. serving as Business Unit CIO for their Lane Bryant division and Vice President of MIS for specialty footwear retailer, The Kobacker Company.

Back to the Story...

Security of private financial information also is an adoption factor, Espinosa said. Pay By Touch patrons don't use checks, or debit or credit cards, so their account numbers aren't visible to clerks or other shoppers. Patrons also don't use a personal identification number that is tied to their checking accounts.

Sophisticated technology underneath each checkout counter encrypts customers' digitized fingerprints and search numbers, Espinosa said. This information is sent to a high-security data center managed by IBM. Pay By Touch generally subtracts your grocery bill from your checking account overnight.

The Pay By Touch technology might help speed customers through Zagara's already speedy checkout lines. "Our wait time and checkout time is 1½ minutes," on average, store manager Gradijan said.

Zagara's customers can start their finger scans after the clerk scans their first grocery item. By the time all of the grocery items are scanned, the customer can approve the payment amount by hitting the "yes" button on the touch pad at the cashier's station.

The electronic check transaction that results is free to the customer, Espinosa said. The e-check transaction costs less than half of what a credit card transaction would for the retailer, Gradijan said.

The California company's system is installed in about a dozen stores in Ohio, including a few Sunflower Markets in Columbus and a Biggs Hypermarket in Cincinnati, Espinosa said.

Pay By Touch also makes other financial systems, including one that uses biometrics to authenticate people who cash their payroll checks at grocery stores, Espinosa said.

To reach this Plain Dealer reporter:
mvanac@plaind.com, 216-999-5302

Pay By Touch, Paypal & Google Pose Genuine Threat to Card Companies

CHICAGO, Oct 19, 2006

The days of merchant-subsidized credit card rewards programs, rapid increases in interchange fees, and confusing fee structures for credit card purchases are numbered, according to new research by Diamond Management & Technology Consultants, Inc.

Consumers are already seeing popular "cash back" and other reward programs being curtailed. Banks are fearful of losing a large fraction of their $19 billion in interchange fees that fund these programs. And if merchants successfully steer customers to competitive payment types, banks stand to lose a significant slice of the transaction volume that drives their card interest income, usually estimated as 70 percent of total credit card revenue.

"Merchants are unhappy with what they consider unreasonable credit card fees and are beginning to take serious steps to minimize their expenses," said Carl Hugener, a partner in Diamond's financial services practice.

"Left untreated, the landscape of the $150 billion card industry could be altered drastically in the next three to five years and end up costing issuing banks and card associations billions."

As for payment alternatives, Automated Clearing House (ACH) payments appear capable of siphoning payment volumes away from credit cards and instilling bargaining power with merchants at the expense of card issuers and associations.

Emerging competitors like Pay By Touch, PayPal, and Google Payments pose a genuine threat to dominant card operations.

At one level a credit card is simply an authentication device that proves who its user is and gives access to the consumer's account. The process through which the user is authenticated begins the routing of the transaction over the card network. But separating authentication from the card would allow merchants to drive consumer payments to low-cost avenues.

"History tells us that once models are taken apart this way, more and more alternatives arise, and the systems eventually fall apart," Hugener said.

The credit card business has been a bonanza for banks over the past several decades. It will continue to be a great business if the industry recognizes the coming change and adapts before emerging competitors do," Hugener said.