Ingenico's new card payment terminals make room for apps

20.11.2015
There's an app for everything, it seems, and increasingly an app on everything: phones, TVs, robots... and soon even the payment terminals used with chip-based bank cards.

Chip-based payment cards that require a PIN rather than a swipe and a signature are only just reaching the U.S., but they've been around for decades in Europe.

On gas pumps and at supermarket checkouts, it seems many of the payment terminals the cards slot into have barely changed in all that time: Their cramped displays and minimalist keypads do nothing but process payments.

French company Ingenico sees this as a missed opportunity for retailers, which could be using the ubiquitous terminals to show customers special offers, operate loyalty programs or take orders in a restaurant.

Its new 5000 series of payment terminals swap the classic two-line LCD for a full-color, touch-sensitive 320-by-480-pixel screen. Ingenico showed the terminals at the Cartes secure connections show near Paris this week, and is rolling them out to its first customers.

Behind the terminals' bigger display is a 600MHz ARM Cortex A5 processor with 512MB each of RAM and flash, running a webkit-based HTML5 browser on top of Ingenico's own Linux-based operating system. Hardware options include 3G, Wi-Fi or Bluetooth connections, and built-in cameras and printers.

The browser is used to run apps from an online store, and it can exchange information with the payment-processing side of the machine. With the state of web security today, what could possibly go wrong

Well, nothing much, say Ingenico's Yannick Menet, product manager for Telium Tetra, the payment terminal OS the company has built around Linux.

Security is tight in the devices. Apps come from Ingenico's own online marketplace and the code won't run unless signed by Ingenico. Developers assume unlimited liability for the apps they submit, and must package them with all necessary resources and a whitelist of external URLs that they might query over an SSL connection. The apps are strictly limited in what they can do through sandboxing, and although the terminal will run JavaScript, it does not allow the injection of downloaded code.

If apps try to break these barriers, "Exceptions are escalated to the marketplace. If there are doubts about an app, we can deactivate it," Menet said.

Web apps and payments run in separate processes with their own access rights and privileges, and can only communicate through a software bus that enforces those rights. The payment level can access card details or the payment kernel, Menet said, but the Web app can't access the card.

Ingenico already has a few proof-of-concept apps particularly suited to mobile payment terminals in its marketplace.

Logistics firms can use one to track parcels, scanning barcodes with the camera and collecting customer signatures on the touch-screen. The camera also enables customers to report or reject damaged parcels, while the card reader secures payment on delivery.

Another app, for restaurants, manages table reservations and takes orders, transmitting them to the kitchen. Customers wanting to split the check need only push the appropriate button, and then insert their payment cards in turn.

Some Ingenico partners demonstrated their own HTML5 apps for the 5000-series terminals at Cartes.

Izicap, for example, offers a white-label loyalty card and sales promotion program for small businesses, linking customer identities to a payment card rather than a specific store card. While this simplifies administration, it means it can only track customers' total spend per visit, not what they buy, said CEO Reda El Mejjad -- but that's not necessarily a problem for small retailers and independent restaurants, which want promotions that are simple to manage.

Through the payment terminal, retailers can enroll customers in the loyalty scheme, and track their performance and promotions, comparing them with anonymous data from similar Izicap users nearby. Izicap doesn't sell the service directly to retailers, but rather to banks and payment acquirers, who then offer it as a value-added service to their SME clients.

In the days before Cartes, Ingenico also ran a hack-a-thon to encourage developers to create apps for the Telium Tetra platform. The winner was Arthur Grandgerard with Project Louise, a service allowing stores, bars or restaurants to hire workers by the hour or day and pay them through the terminal.

Peter Sayer