Insights / Financial Services Law Advisor
Financial Services

A New Meaning to “Eat and Run”? Restaurants and Mobile Payments

By Jaymee T. Castrillo and James H. Mann
02.22.12
Print this page

Many mobile payment systems tailored for restaurants and other food vendors were introduced in 2011. Restaurant-industry insiders say 2012 could be a year of widespread adoption of these systems – and possibly a shakeout among them.

Set forth below is a brief overview of leading systems, followed by a discussion of key legal and network-rules issues from the restaurateur’s perspective. We would be pleased to address any questions or comments that you may have.

Systems

These include:

  • The Rail: This is a pay-at-the-table system, introduced in January 2012 by Viableware. When an electronic device that mimics the form of a traditional “bill folder” is opened, a digital touchscreen summarizes the bill and gives the consumer various payment options, including “self-swiping” a mag-stripe credit card, or using an NFC-enabled device, at the table. This system has obvious security advantages for the guest, as well as giving the restaurateur a new platform for customized communication with the guest, including advertising, surveys, etc. On the other hand, the system, while well-suited for family dining or fine dining, may not work well with other formats -- such as QSRs, fast casual restaurants, or food trucks -- that generally do not involve payment at a table using a bill folder.
  • Card Case: With this system, introduced by Square Inc., a guest arrives and provides her name to the cashier at the POS. The guest’s smartphone signals its presence to the POS and the cashier then locates the customer’s name and photo on a screen at the POS. Card Case then automatically charges the purchase to a credit card linked to the guest’s smartphone. While more broadly applicable than the Rail, Card Case would require restaurateurs to invest in terminal upgrades. Moreover, since it presents an interface to the cashier rather than the guest, it would not appear to provide a platform for customized guest communications.
  • Tabbedout: ATX Innovation’s Tabbedout allows the guest to open a tab when visiting a participating establishment. The guest shares her individual code with her waiter or bartender, and any item purchased is then automatically added to her “tab”. The guest pays using the credit card linked to the Tabbedout application, eliminating the need to wait for the bill. Tabbedout would appear to have pros and cons similar to those of Card Case – that is, it appears to offer broad applicability but lacks a guest-oriented interface.
  • Square: Square Inc.’s basic offering is a mobile card reader that permits an establishment to use smartphones as POSs. It has already been widely advertised and widely adopted among individuals and small businesses who wish to accept card payments. 
  • Chain-Specific Apps: Many chain-restaurant websites (e.g., those of Domino’s Pizza, Pizza Hut, Starbucks, etc.) offer apps that enable a guest to do one or more of the following: view menus, locations and nutritional data, receive coupons, as well as order and pay on-line. A key advantage of these apps from the perspective of the restaurateurs – and a key disadvantage from the guest’s perspective – is that each only works for a single restaurant chain.
  • Pago: Currently being tested in California, the Pago system permits a guest to view menus of multiple restaurants, receive custom offers and credits from participating restaurants, and order and pay on-line.

Also, VeriFone and Micros are each working on an NFC communication service for restaurants. VeriFone claims that, in addition to allowing smartphone payments, this new technology will help restaurants automate and integrate order-taking, the communication of orders to the kitchen, inventory-control, reporting and coupon-redemption. However, the details of these systems have yet to be made public.

Legal and Network Issues

Cutting across all these systems are key legal and payment network-rules issues. Perhaps the most important is data security, since data breaches can adversely impact brand equity, particularly if they lead to identity theft. Restaurants are typically subject to state laws requiring them to take certain actions in the event of a data breach. (DWT has collected these state laws here.) Further, by virtue of accepting credit card payments – whether in traditional or mobile form -- restaurateurs are subject to extensive payment-network rules regarding the security of payment card data. These rules are imposed on them via their agreements with their payment processors and are generally incorporated by reference without actually attaching the rules themselves. For example, a restaurant chain may be required by its processor to agree to requirements including the following:

  • It does not have access to any cardholder’s primary account number, expiration date, etc., or if it obtains such information, it will comply at all times and in all respects with the applicable network rules, including all applicable rules, standards and guidelines of the Payment Card Industry Security Standards Council (see here), which may include provisions of the Payment Card Industry Data Security Standards (“PCI DSS” discussed further below); Visa’s Cardholder Information Security Program; Discover’s Information Security & Compliance Program; American Express’ Data Security Operating Policy; MasterCard’s Site Data Protection Program; Visa’s Payment Application Best Practices; the Payment Card Industry’s Payment Application Data Security Standard (“PA-DSS”); MasterCard’s POS Terminal Security program; and the Payment Card Industry PIN Entry Device Standard, in each case as in effect from time to time.
    • For example, PCI DSS establishes detailed requirements for, among other things, building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability measurement program, implementing strong access controls, regularly monitoring and testing networks, and maintaining an information security policy. For the largest chains (processing approximately 16,500 card transactions/day or more), annual on-site compliance assessments are required.
    • An example of a specific PCI DSS rule that affects restaurants is Rule 1.3.5, which requires the restriction of outbound traffic from the cardholder data environment to the internet. Typically, compliance requires the use not only of a firewall between the restaurant’s back-of-the-house server and its processor’s payment gateway, but also routing data through a proxy server in the “DMZ” (i.e., the perimeter network just outside the local area network).
  • It will take specified steps in the event it believes that card information has been compromised, including notification of the processor and assistance in the processor’s notification of other parties.
  • It will use any card information it obtains solely for purposes of effecting the applicable transaction.

For the restaurateur who accepts mobile payments, these requirements may become still more complex and sometimes ambiguous. For example, last year the PCI Security Standards Council indicated that certain types of mobile-payment applications were more consistent with PA-DSS than others; the disfavored applications were those that operate “on any consumer electronic handheld device (e.g., smart phone, tablet or PDA) that is not solely dedicated to payment acceptance for transaction processing.” The Council went on to state that “entities wishing to use such solutions would need to make their own risk assessments . . . in consultation with their acquirers and applicable payment brands.” PCI SSC “Mobile Payment Acceptance Applications and PA-DSS: Frequently Asked Questions” (June 22, 2011).

A restaurateur’s failure to comply with these obligations, and thus with its processing agreement, can have severe consequences, including fines and potentially the suspension of its card-acceptance rights. A pending lawsuit that illustrates -- and challenges -- this arrangement has been brought by Cisero’s Ristorante and Nightclub, of Park City, Utah, against Elavon, Inc., which is the number-two hospitality processor in the United States, and its parent U.S. Bancorp. Cisero’s is challenging their assessment of funds from a Cisero’s account after Visa and MasterCard levied fines for alleged violations of PCI data-security requirements.

Another key issue for restaurateurs arising under the network rules is whether accepting mobile payments will cost the restaurateur materially more in interchange than accepting traditional payment card payments, and whether the likely sales lift justifies the added expense. This issue will need to be resolved establishment by establishment, taking into account factors such as the average ticket size and the existing and likely future mix of tender types (i.e., the manner in which the consumer chooses to pay). Advice can be obtained from a number of sources, including the applicable state restaurant association, the restaurant’s independent sales organization (which typically acts as liaison between a smaller establishment and its processor) or, for larger establishments or chains, the processor itself. There are also many cards and payments consultancies that specialize in addressing these types of questions.

As the foregoing indicates, this is a time of rapid transition in the technology, economics and law of restaurant payments. We will report further on this transition as events warrant.

Related Insights