Ingenico's new card payment terminals make room for apps

Peter Sayer

A selection of apps from Ingenico's app store for payment terminals
Ingenico's 5000-series payment terminals, seen here at the Cartes show near Paris on Nov. 19, 2015, have a large touch-screen and can run web apps to perform functions in addition to taking payments. Credit: Peter Sayer

There's an app for everything, it seems, and increasingly an app on everything: phones, TVs, robots... and soon even the payment terminals used with chip-based bank cards.

Chip-based payment cards that require a PIN rather than a swipe and a signature are only just reaching the U.S., but they've been around for decades in Europe.

On gas pumps and at supermarket checkouts, it seems many of the payment terminals the cards slot into have barely changed in all that time: Their cramped displays and minimalist keypads do nothing but process payments.

French company Ingenico sees this as a missed opportunity for retailers, which could be using the ubiquitous terminals to show customers special offers, operate loyalty programs or take orders in a restaurant.

Its new 5000 series of payment terminals swap the classic two-line LCD for a full-color, touch-sensitive 320-by-480-pixel screen. Ingenico showed the terminals at the Cartes secure connections show near Paris this week, and is rolling them out to its first customers.

Behind the terminals' bigger display is a 600MHz ARM Cortex A5 processor with 512MB each of RAM and flash, running a webkit-based HTML5 browser on top of Ingenico's own Linux-based operating system. Hardware options include 3G, Wi-Fi or Bluetooth connections, and built-in cameras and printers.

The browser is used to run apps from an online store, and it can exchange information with the payment-processing side of the machine. With the state of web security today, what could possibly go wrong?

Well, nothing much, say Ingenico's Yannick Menet, product manager for Telium Tetra, the payment terminal OS the company has built around Linux.

Security is tight in the devices. Apps come from Ingenico's own online marketplace and the code won't run unless signed by Ingenico. Developers assume unlimited liability for the apps they submit, and must package them with all necessary resources and a whitelist of external URLs that they might query over an SSL connection. The apps are strictly limited in what they can do through sandboxing, and although the terminal will run JavaScript, it does not allow the injection of downloaded code.

If apps try to break these barriers, "Exceptions are escalated to the marketplace. If there are doubts about an app, we can deactivate it," Menet said.

Web apps and payments run in separate processes with their own access rights and privileges, and can only communicate through a software bus that enforces those rights. The payment level can access card details or the payment kernel, Menet said, but the Web app can't access the card.

1  2  Next Page