Looking toward 2020 and beyond, the Japanese government has embarked on an initiative to align credit card payment security in Japan with international standards. Multifunctional Retail PINPAD JT-R600 series was developed to respond to this social issue by realizing secure cashless payments. Panasonic is the first payment terminal vendor in Japan to meet international security certification standards* for both the system and its manufacturing, and Multifunctional Retail PINPAD can accept magnetic, IC, and contactless IC cards. It also reduces installation costs for stores thanks to specifications that allow continued use of existing point-of-sale (POS) terminals. The product has been steadily adopted by major retailers, giving Panasonic a solid position in the payment terminal market.
*Certification standard "PCI Point-to-Point Encryption Solution Requirements," which defines technical and operational requirements for the safe handling of credit card information. It was created by the Payment Card Industry Security Standards Council (PCI SSC), which was founded by five international payment card companies.
Previously, payment data was accumulated at various transfer points before arriving at the credit card company. This increased the risk of information falling into the wrong hands. With the JT-R600 series however, a secure mechanism was created through Cross-Value Innovation to encrypt payment data at the point of payment and decrypt it only once it reached the payment processor.
Why is the JT-R600 series considered revolutionary?
Igarashi: It is revolutionary because it allows any retailer to meet international payment security standards with minimal difficulty. When a customer uses a card, their payment data passes through the IC payment terminal, POS terminal, store network, and payment processor before reaching the card company. Until now, the data was stored at each level along the way.
Kodama: The end-to-end concept was devised overseas in order to enhance the security of card information after a series of incidents. This security concept covers the path from "wallet to server." Data is encrypted at the start of the process, when the payment terminal reads the card information, and it is not decrypted until it reaches the final destination, the payment processor.
Igarashi: This is made possible by a solution based on the Payment Card Industry Point-to-Point Encryption (PCI P2PE)*1 standard and includes not only hardware such as the payment terminal, but also operational aspects. It is a comprehensive security system that enhances security both at the payment terminal and the payment processor.
Kodama: The Japanese government is promoting a complete transition to IC cards by 2020 under the revised Installment Sales Act. At the same time, it will mandate internationally recognized security measures and require that stores no longer keep card information or comply with the international Payment Card Industry Data Security Standard (PCI DSS).*2 The liability limit, which used to be covered by credit card companies, has now shifted to retailers, increasing the scope of responsibility for every store.
*1 A security standard for point-to-point encryption defined by the Payment Card Industry Security Standards Council
*2 Data security standard set by the Payment Card Industry Security Standards Council for companies handling cardholder data
Igarashi: To comply with the new law, stores needed to go through the process of adopting a new payment system from planning it to testing and implementing it in a limited amount of time. The scope of this task was overwhelming, and it posed a huge challenge for stores. Panasonic is the industry's leading vendor with expertise in payment terminals. We were confident that we could provide a next-generation payment system comprised of not only hardware but also an entire solution including the operating system, which would be advantageous to clients.
Kodama: Our product development began to meet this urgent need. That triggered the creation of the new industry standard led by Panasonic.
How was the operating structure created?
Kodama: The challenge to incorporate PCI P2PE began with a struggle to master a thick manual of requirements. Because PCI P2PE itself is a concept, it was difficult to imagine specific operation details, and there were many parts that seemed contradictory.
Igarashi: When we started working on the standard in 2015, there were no experts in Japan and we had to team up with an Australian consultant. When we encountered inconsistencies in the PCI P2PE requirements, we were able to move forward with their advice and gained insight into the specifications.
Kodama: By collaborating with a mid-sized payment processor, we rapidly pursued our project and obtained the first PCI P2PE certification in Japan. Encryption key management was the biggest hurdle in establishing a system for secure operation and management and for obtaining the certification.
Igarashi: After our operating rules documents were examined, an on-site audit was conducted to ensure the transparency of our manufacturing and delivery systems. At the Saga Plant, which manufactures the payment terminals, thorough area management is conducted for each part of the process, including the key injection room on the production line, the secure room for generating and managing encryption keys, and the storeroom for finished products. The plant operates under strict rules and conditions, including a personnel access management system that meets the requirements of PCI P2PE, monitoring with surveillance cameras, security measures taken for vent holes, and even security seals placed on computer ports.
The warehouse we use at Nittsu Panasonic Logistics needed to have huge locked cages and bars on the building windows. The actual certification audit took up to a week. In addition, the payment processor also underwent a similar audit. With the full cooperation of the Saga Plant, we were able to achieve the initial certification.
Kodama: The necessary software application had to be certified separately. There have only been a limited number of such certifications worldwide, and we were figuring everything out as we went along. In the implementation phase, there were many retailer requests for customization such as making the terminal compatible with their loyalty cards, and we increased the number of cards that could be used while still meeting the PCI P2PE requirements.
When the actual system implementation began, it was well received by many payment processors, thanks to the drastic reduction in the number of items to be monitored for the security of each store. We are so grateful to everyone now in charge of daily operations, such as those performing the painstaking production, shipping and repair.
Why was Panasonic's product so widely adopted by the market?
Kano: I think we were able to achieve a new industry standard because we didn't make it too customized. That's because as a payment terminal vendor, Panasonic has been doing business with a wide range of industry members.
Nambo: The credit card industry in Japan is multi-layered. There are payment terminal vendors, POS terminal vendors, retailers, payment processors, and card companies, and each role is clearly defined. In addition, many players have distinctive corporate affiliations.
Kano: Some major retailers and big-box supermarkets have their own payment processors and card companies, and their payment systems are linked to their accounting and loyalty systems. The circumstances differ greatly between each store and corporate affiliation, and past payment terminal development tended to be customized.
Nambo: We never questioned the practice of creating specific payment terminals and operating systems for each customer. The thing that completely changed the situation was the Japanese government's decision to enhance payment card security. Because we reacted quickly to this, we were able to seize the opportunity to create an industry standard.
Nakamura: Although our product was PCI P2PE certified, there were still hurdles for individual stores. We aimed for a mechanism that could flexibly meet individual needs. We strove to make the product ready for any kind of use whether alone or incorporated in a POS terminal.
For example, we delivered a modified version of the JT-R600 series to a major retailer as a component that can be incorporated in the casing of their POS terminals. This was possible because we originally designed the product mechanism in anticipation of such client needs. Further, we manufactured the terminal with the same resin used in the casing of their POS terminals and tested it for durability using the same detergents used in actual stores. We gained the client's trust through these efforts to meet its needs.
You also achieved Cross-Value Innovation with many partners as well as payment processors.
Nambo: We had a weekly progress meeting with a certain retail giant, and the level of attention was very high, as top management was always present. It employs tens of thousands of staff in its stores, ranging in age from teenagers to seniors, so their POS and payment terminals are operated by a diverse group of workers. It was crucial that we ensured a smooth introduction of our product.
Nakamura: Recently, the number of non-Japanese retail staff has also increased, so we put a lot of design emphasis on usability, making the system easy for anyone to use. That is why we only adopted USB for connection and eliminated overlap with POS terminal functions as much as possible.
Kano: In any case, we've made the terminals simple and easy to use. Our breakthrough was aided by retail giants moving away from keeping things in-house at their own data centers. Whenever we explain the reliability of our PCI P2PE-certified product that has become the new industry standard, the response is almost always positive.
Nambo: Some visitors from overseas used to express concerns about the typical Japanese practice of having customers hand over their credit cards for processing by the store clerk. Now that the JT-R600 series has been widely adopted and after operational discussions with clients, it is becoming routine in Japan for customers operate the card terminal themselves.
Kano: Credit card use in Japan has not kept pace with the rest of the world. While magnetic cards are still widely used in Japan, IC cards that can be encrypted have become the norm overseas. Although it is relatively easy to make a POS terminal compatible with magnetic cards, it is much more technically challenging to make it compatible with IC cards. This is another factor in the continued use of magnetic cards.
Nambo: Panasonic's sales scope has also expanded. Initially, nationwide retail giants were our major clients of the JT-R600 series. However, after a supermarket in the Chugoku region installed the product, local specialty shops in the region started adopting it as well. While experiencing the power of word-of-mouth advertising, we also started focusing on unique regional store services.
Kano: Regional stores really value their local customers. We have received various requests for system customization, such as making the terminal compatible with their loyalty cards. Going forward, we will continue to explore new areas for our product proposals based on new value creation.
Previously, external data connections were controlled through the management of telephone number information, ensuring the security of POS terminals. However, with customers now being able to purchase tickets in convenience stores, and other similar services, POS terminals are increasingly connected to the Internet. As the number of POS terminals running Windows increases and they are targeted by malicious software, data security breaches become inevitable.
The JT-R600 series has become the industry standard in Japan thanks to recent changes in the law and the trend toward a cashless society. We owe our success to being the first to tackle the new standard and to developing the terminal much more quickly than usual. Further, the biggest contributing factor was our persistence in tackling the complexity of the payment settlement chain.
Our product was adopted first by major retailers such as convenience stores, and is now being widely implemented by big-box supermarkets and similar nationwide retailers. The next phase will be small and medium-size chain stores. Although competitor products are being adopted in some cases, we are still very optimistic. Our confidence is based on the usability of the JT-R600 series and the appreciation shown to us by clients.
In addition to developing next-generation devices to be released 7 to 10 years from now, we are currently working on the application of this success to new product development. For example, we are now jointly developing a next-generation payment terminal with a bank-affiliated credit card company, and we utilized our JT-R600 development expertise to offer a solution that provides added value to payment settlement. We will venture into new areas to further contribute to our clients.
# # #
Copy and paste this code.x