Health food chain Holland & Barrett has installed i-attached chip-and-PIN card payment systems in over 500 UK shops.
Every store has its own model 170 running the EFT/400 card payment solution from Colwyn Bay-based 3X Software. EFT/400's chip-and-PIN module allows pinpads to connect directly to each 170. The 170s are all linked to two mirrored 810s at Holland & Barrett's head office in Burton-on-Trent for payment card authorisation and settlement.
3X Software's Dave Jones says: "Their requirement was for a payment transaction to be processed in under twelve seconds from card insertion through PIN entry, authorisation at the acquiring bank and then card removal, and we were able to provide a solution which completed in under eight seconds while still utilising their current hardware."
Do retail i users know that there are solutions that preclude the need for a PC-attached pinpad at their points of sale?
"Many probably don't," says Jones. "We were asked by Holland & Barrett to provide a chip-and-PIN solution for System i and after talking to many hardware suppliers and testing their pinpads, we were able to successfully communicate with the devices via secure sockets from the i. The majority of pinpads in the marketplace use serial port connectivity and we overcame this by attaching them to a serial/IP converter switch connected to the System i network hub. We have recently assisted a company in the USA, Blinds-To-Go Inc., to develop this technology on System i and this is now implemented in both the US and Canada."
3X claims that EFT/400 is the UK's leading credit, debit and purchasing card payment software for the i. Over 30 companies use EFT/400 for both internet and chip-and-PIN payments in over 1,000 outlets. The solution uses true-Blue technology such as IBM Encryption Key Manager, IBM encryption APIs, WebSphere Application Server and SFTP within OpenSSL. It has been accredited with all major banks and can process all major cards. It also includes CVS and AVS-checking and complies with APACS 29, 30 and 70.
Jones says that with the current pressure on retailers to be PCI-compliant, EFT/400 comes into its own. PCI compliance is assured by incorporating AES-256 data encryption and controlled access. Continuous authorisation and settlement is performed in accordance with the data security regulations of the acquiring banks, including SFTP from the i when required. Full audit trails and enquiries enable detailed interrogation of the status of all payments processed.
But, surely, UK firms have got PCI-compliance covered by now?
"All enquiries we receive insist on PCI compliancy," says Jones. "PA-DSS [Payment Application Data Security Standard] is the standard for software vendors to ensure that card data is secure and encrypted and EFT/400 follows that standard to the letter. While many companies are put off by the many requirements of PCI and are delaying implementation, consumers are increasingly more concerned about the security of their payment cards and PIN numbers and are becoming the driving force in implementation of the standard."
Indeed, UK consumers could soon be getting used to an entirely new card payment model as firms like Visa experiment with payments made by waving a card over a reader that dispenses with the PIN.
"Due to continuing change in card payment options -- contactless payment cards are already being piloted -- companies cannot afford to fall behind in offering up-to-date payment services and potentially lose business," says Jones.