

Poynt – Smart payment terminal - valanto
http://www.getpoynt.com/

======
bravo22
Interesting merchant terminal -- but it seems to be little more than a pretty
rendering and physical mock-up right now.

I like how the first guy puts his card in, takes it out AND THEN punches in
his PIN, which is exactly how PIN & Chip doesn't work. I would have hoped
they'd at least be familiar with the process.

It looks to me like a mobile computer strapped to a terminal. I'm not sure why
this is better than having a terminal + iPad or something similar but I'm not
the target demographic.

I see many other issues with it:

- Hardware development is hard and long. This looks to be little more than a
physical mock-up. For example datasheet lists "Ethernet" in connectivity
options but there is no ethernet port visible on the body.

- BLE & GSM antennas are exactly where you wouldn't put either of those. Here
is a tip: You can't put an antenna behind an LCD. They have metal backings.

- Shouldn't QR & Barcode Scanner be pointing UP? You have very limited field
of view when it is pointing down.

- Getting EMV and FIPS certified is going to take a long long time. Granted
they could buy that firmware off the shelf to accelerate the process.

~~~
Siecje
Some ATMs require you to take your card out before entering your PIN. Or are
they using the magnetic strip?

~~~
bravo22
If you are using magnetic strip you're correct. For PIN & chip the PIN is sent
to the card and verified by the card and the resulting "signature" is sent to
the bank. The card has to be in for PIN entry.

An employee, above, said that it is for entering tip. Which would make more
sense, but then the card would have to be inserted after the total amount I
imagine but I can see how they would have a slightly different flow.
Personally, I would want any terminal that I use to show me the final amount
that I am going to pay before I put in my card. Lest I pay, walk away and the
cashier adds her own tip.

------
ctz
This is the first EMV payments terminal I've seen that allows PIN entry using
a touch screen. Is that really allowed by EMV, as a tamper-evident PIN pad?

~~~
caissy
I've seen a few merchants using a touch screen, including a few Gap stores in
Montreal.

~~~
notatoad
Yeah, the touchscreen terminal that GAP uses is pretty common. Canada Post
uses it too, and I know I've seen it in some other places.

------
johladam
If someone from Poynt is on, what are the features that make this better than
competing products? I've used Shopify for doing some PoS setups, but I'm
having a hard time looking at where Poynt fits in. Other than being cheaper,
it lacks some of the things that make Shopify great, namely cash handling and
connecting to a back office system.

~~~
ppalavilli
Hi, I work for Poynt on the PoyntOS and applications. First thing first, Poynt
Smart Terminal is a Secure Payment Terminal at the core that provides credit
card payment processing functionality to any merchant that needs to accept
payments in their stores. This is analogous to the traditional payment
terminals that you might probably notice every day at a lot of merchant stores
(cafes, salons, grocery stores, etc.). Poynt Smart Terminal enhances the
credit card payment processing functionality by supporting more payment
methods (MSR/NFC/EMV/QR Code/etc.) so the merchant doesn't need to worry about
carrying multiple devices in the store and be able to serve more customers. In
addition to that, Poynt Smart Terminal runs on Secure PoyntOS (powered by
Android) to provide an application platform and framework for developers to
build apps and solutions for the merchants and distribute through Poynt.
Developers can take advantage of the PoyntOS to build unified solutions for
the merchants that run on the same device where they are used to process
payments (unlike various solutions today in the market that require additional
hardware like ipads, dongles, etc.). Shopify is an online platform that allows
developers to build solutions for their merchants hosted online or on devices.
Now with Poynt Smart Terminal, developers can build PoS apps using Shopify
platform that run on Poynt Smart Terminal too. So I would probably say they
are complementary, not competing.

Cheers!

~~~
mrmch
Should definitely highlight (at least to the HN crowd) that this is an Android
device and you're exposing some APIs that can be built on. This is _really_
cool.

------
luisbebop
This device is insecure. It is going to take a long time to get the PCI/EMV
certifications. Besides that how do you handle the certification of new
applications running side by side with your payment application? Every time you
deploy a new application you should re-certify the entire stack, by the
PCI standards. Nice concept, but you have a long road ahead before competing
with VeriFone, Ingenico, PAX, Miura shuttle and others.

~~~
ppalavilli
Hi - I work for Poynt on the PoyntOS and Payment interfaces - so maybe I can
provide some clarity without going into too much of our IP. As mentioned on
our site ([https://getpoynt.com/specs](https://getpoynt.com/specs)), we have
two separate subsystems - one for Android and the other for secure payment
processing.

All the payments (EMV/NFC/MSR), secure key (including acquirer keys)
management, P2PE encryption, EMV/PCI, etc. are handled by the secure
processor. There are no other applications that can run on this secure
processor other than the signed and certified applications.

On the Android side, Poynt's Secure service is the only service that's capable
of communicating with the Payment Processor to initiate card reading
(EMV/NFC/MSR/others) and pass through the encrypted data it receives to the
merchant's acquirer. All the 3rd party applications run independent of the
Poynt's Secure Service and when they need to collect a payment, they do so
through our Poynt Payment Fragments to facilitate the Payment flows. (See here
for information on how it works:
[https://getpoynt.com/developers/terminal#2.3](https://getpoynt.com/developers/terminal#2.3)
Poynt Payment Fragments).

So as you can see, we are able to keep the security domains separate and
thereby able to handle PCI certification in a much more graceful way.
Obviously there are some complexities but choosing a certifiable payment
processor board was one of many ways we are able to deliver a secure solution.

Cheers!

~~~
notatoad
How are you securing the PIN entry? It looks like that happens on the same
screen as the random 3rd-party apps get to run on, leaving open the potential
for an app to intercept the PIN. As I understand the PCI stuff, anything that
the PIN hits is fully in-scope.

~~~
luisbebop
The same question here. Anyone can develop a 3rd-party app to capture the
PIN on the same screen from the payment app.

~~~
ppalavilli
A rogue app asking for PIN on the merchant facing screen? Not sure there's
anything much we can do about that other than making sure we catch that during
the review process. Whenever there is a need for the consumer PIN entry, it's
driven by the second payment processor - not from the Android side.

~~~
ThrustVectoring
Should be able to prevent PIN information from getting accepted by any means
other than your locked-down PIN entry screen. So, any app that wants to grab
people's PIN entry would either require them to enter their PIN twice, or
block the transaction from going through, which should be _very_ visible.

------
bravo22
Interesting to see Osama Bedier listed as one of the people. He is the guy who
ran PayPal's merchant terminal integration efforts, left for Google Wallet,
and then left Wallet.

I think there was a lawsuit filed against him and Google by PayPal the day of
Wallet's launch, claiming Google stole their secrets. No idea how that turned
out; though I imagine it was a PR move on PayPal's part.

------
deweller
Apple Pay is supported.

> Does the Smart Terminal accept payments by Apple Pay?

> Yes, the terminal accepts Apple Pay since the iPhone securely communicates
> with the terminal through NFC. We here at Poynt made our first Apple Pay
> payment with our Smart Terminal on the morning the software was released to
> the world. It was a very exciting moment for us!

------
Mikeb85
And here I thought the other Poynt was pivoting or reinventing itself.
[http://www.poynt.com/](http://www.poynt.com/)

Probably not the best idea to launch with a name identical to another start-up
that also has apps on all major platforms...

------
freehunter
Poynt already exists. Can I use Poynt to find retailers who are using Poynt?

[https://play.google.com/store/apps/details?id=com.poynt.andr...](https://play.google.com/store/apps/details?id=com.poynt.android)

~~~
ppalavilli
Hi - they are not related to each other in any way. Poynt.co or GetPoynt.com
is the new Smart Payment Terminal that was announced today.

[https://getpoynt.com/about](https://getpoynt.com/about)

------
cbhl
One of my concerns is that it appears the door to change the receipt roll is
on the bottom of the device. Does this mean I have to shut the device off and
flip it over if it runs out of receipt paper to print a receipt for a
customer?

~~~
ppalavilli
It's actually in the front of the device as you see on the website
([https://getpoynt.com/](https://getpoynt.com/)) and the button to open the
printer door is on the side. The door opens forward and you can load the paper
from the front (no need to turn it upside down). We will try to post videos of
the paper loading as soon as we can.

------
glifchits
It seems like a good time for this product. Payments feel like the wild west
right now. A reader that can potentially handle all protocols is a safe
investment in the future.

------
tylercubell
What's to stop somebody from stealing this right off the counter and gaining
access to customers' data?

~~~
rtanaka
A very valid concern.

To begin with, while our terminal is Android based we have taken numerous
steps to lock this device down. Side loading apks is not possible nor is
arbitrary access via adb. On top of that, we take great lengths to protect
consumer data. In addition to full PCI compliance, data is fully encrypted on
the device. And if that's not enough, there are several anti-tamper mechanisms
that will trigger and lock down the device even further upon physical
intrusion.

In terms of physical theft we are actively looking into an option to
physically secure the device (think Kensington). Our plan is to have a good
solution for this before our merchants go live.

~~~
bravo22
Well, here is my big question: _WHY ARE YOU STORING CARD DATA AT ALL_? (sorry
for the caps). You are a pass-through entity, merchant terminals do not store
card data. They keep the authorization number from upstream provider to allow
void/refunds but there is no need for them to store the number.

With respect to anti-tamper mechanism, are you FIPS-140-2 certified or plan to
be?

~~~
rtanaka
We aren't storing actual card data encrypted or otherwise. As you said, we are
a passthrough as far as the payment portion is concerned. We do store a hashed
representation of the card for things like refunds (referenced credits).

Our security subsystem is being built to be FIPS 140-2 Level 3. Complete with
tamper seals, switches and a security mesh that will destroy sensitive keys
when triggered.

------
tomheg
Is Poynt classified as a 'handheld' terminal to address the privacy shield
requirement in PCI PTS?

------
shayanbahal
I would love to have one to code a nice bitcoin payment gateway on it :)
anyone interested to collaborate?

~~~
fayez
If you decide to build something on our platform, please fill out the form at
[http://goo.gl/forms/dgwMwDysAv](http://goo.gl/forms/dgwMwDysAv) to start a
conversation with us. Good luck!

------
cbhl
I'm unable to watch the video from my Android phone.

~~~
fenguin
Hi, thanks for letting us know -- are you still having problems? We enabled
the embedded video on mobile devices a little while ago.

~~~
cbhl
It works fine when I open the page with my phone held vertically. When I hold
the phone horizontally the button doesn't seem to work though.

Opening the video with the phone held vertically and then rotating the phone
once the video loads works fine, however.

------
sitnik
Looks cool to me.

------
Plough_Jogger
No wifi?

~~~
el_benhameen
[https://getpoynt.com/specs](https://getpoynt.com/specs)

Yes wifi.

------
headgasket
Anything to keep the mass from ditching the plastic, cause when that happens,
VISA, MC and co are in jeopardy.

~~~
saosebastiao
The credit card processors do far more than just issue magic pieces of
plastic. The plastic itself is probably the least significant aspect of their
business model.

~~~
headgasket
The business model relies on a monopoly, an information monopoly. If the
mass's interaction at POS is with a software or a hardware that potentially
allows id-ing the patron, preferential pricing becomes possible, security is
a non-issue -- it seriously damages the value of the middleman.

So that the secure element (yeah right) that's on your plastic or your phone
only communicates with OSes and HW that limits the ID-ing of the cx and
provides the strict minimum of info to your POS is the critical part, in my
view.

~~~
saosebastiao
If privacy were really the concern, people would pay with cash. They always
have, and always will. It is accepted everywhere, is the definition of
liquidity, and is virtually untraceable. At best, in-person swiping of
physical credit cards is a compromise that people make that gives away some of
that privacy (your card provides your name, and can be used to verify your
address) in exchange for something more valuable:

1) near immediate payment resolution

2) fraud protection

3) insurance against bad products and vendors - you can almost always get your
money back if something goes wrong

4) credit accounts

5) points/miles/cash-back, at the expense of the vendor

~~~
headgasket
How many different merchants do you deal with on a regular basis?

What is the risk of fraud or of bad product and or bad vendors when both ends
know each other? Why introduce a 3rd party in those transactions that gives
back a fraction of its fee to the payer? (5) Instead why not reward repeat
business with preferential pricing? (not directly possible but attempted via
loyalty programs that cost a lot to deploy)

The credit is provided by the issuing bank (4). It can exist independently of
the credit card network.

And with any electronic means, 1 is pretty much a given.

Credit 3rd parties still have a raison d'être if a solution that shortcuts
VISA and MC when both ends know each other catches on. A Credit 3rd party is
needed as an insurance policy when two unknown parties do a transaction; that
insurance is bound to cost more than today given less volume; but it could be
efficient if pricing would be market driven instead of diluted in 100-1 day to
day transactions.

Thanks to the down voters, BTW. Again HN is showing openness to look at things
from a totally non conventional angle. I think I'll log off for good. So long,
and thanks for all the fish!

