Why CommBank’s Albert took so long

Three years is a long time to spend developing a new technology, especially in the cut-throat financial services market.

Albert

The Commonwealth Bank first announced its intention to release Albert - an Android-based, touchscreen tablet terminal for merchants, developed in partnership with Wincor Nixdorf and Ideo - in 2012, as part of the wider Pi payments platform ecosystem.

But while Pi and the iPhone-based merchant terminal Leo launched in the months following the announcement in 2012, Albert remained in the testing room.

CommBank executives over the years have hinted at complexities in the build and spoken of their desire for quality over speed to market, but declined to give detail or provide a firm launch date for the device.

Yesterday, during an event at the bank’s Sydney innovation lab, CBA head of payments Gary Roach revealed “we are now ready”.

"It's a very complex challenge to build a very secure piece of hardware, a secure operating system to sit on that, and a payments application to sit on top of that," he said.

"You need to solve all three concurrently, which is complex, then you need to get all of that through quite challenging industry certifications that are required."

In an interview with iTnews, CBA general manager of merchant solutions Andrew Cheesman said while making sure the glass was hardened enough to survive in a retail environment, there had been no single factor behind Albert’s delayed arrival.

“It went through a whole series of drop tests - they dropped it off a two-meter high bench onto a concrete floor, which is what will happen in a busy cafe,” he said.

“But the glass was not the major challenge - it was really about optimising all the different elements. You’ve got a touchschreen, NFC chip, mag strip and chip reader, the printer - all these security features that need to be able to meet PCI and EMV standards, and it was about getting them all to work together in a way that made it a usable device.

“There wasn’t one particular issue. So, we might have had a problem with optimising the NFC field, and when you fix that, that caused something else to get out of kilter. There wasn’t one thing that you could say ‘this is the reason it took 18 months longer than we expected’.”

The result of this lengthy period of testing has been a device that Cheesman says is effectively tamper-proof - if interfered with it will essentially self-destruct.

“[The device contains] a single integrated board that handles the touchscreen and security elements, and that board is constructed in such a way that it is tamper-proof,” he said.

“As soon as anyone tries to do anything with it, certain alarms and switches will go off that will then fry the whole board so a criminal can’t get in there and understand the security software and how it works.”

CommBank has similarly built Albert in such a way that if any element of the device breaks - apart from the printer, battery or 3G unit, which are all replaceable - the unit will be scrapped entirely.

“We don’t fix it,” Cheesman said.

“If it is broken, it goes back to the factory, and they basically scavenge the parts they can and then build a new device.

“But since there are very few mechanical parts in the device - apart from the printer, everything is electronic - it will break much less often.”

Locking down the app store

Albert offers merchants the option to use eight free CommBank apps bundled with the device, work with a third-party developer to build their own custom application, or choose from approved apps within a CBA app store.

Social media analytics firm Local Measure and cloud-based point-of-sale vendor Kounta are two examples of companies which have partnered with the bank to bring their products to Albert.

In the interests of security, developers interested in joining the app store will need to hand over the source code for their application to CommBank.

It’s part of a three-stage vetting process for third-party apps, which covers security, sociability, and brand alignment, Cheesman said.

“We ask developers to give us their souce code, which we keep in a secure location where only a few people can look at it. We inspect the source code and make sure there’s nothing untowards in there.

“All apps needs to have a key provided by the bank, meaning only authorised apps can sit on the device,” he said.

“We also vet on sociability - we don’t want an app coming onto the device that’s going to chew all the memory, burn the CPU and send loads of data down on 3G. And we also vet for brand alignment - things we wouldn’t be happy to associated with our brand or the merchant’s brand.”

Cheesman admitted it was a challenge to get developers to hand over their tightly-held source code.

“We’ve been very clear, and our contract with them very much stipulates that this is only for the use of vetting and that there’s a very limited number of people who have access,” he said.

“We don’t expect everyone to be happy about it, but we need to make sure the app is secure. So it’s about finding a balance.”

The CBA-built apps on offer include a split bill app, in which retailers can allow their customers to split their bills in chosen amounts; a cash count app for merchants to tally up their daily earnings; and an open tab app to keep track of customers wanting to add a transaction to their tab, among others.

Added security

The bank is planning to soon introduce extra security features to the device's touchscreen glass, with a light control filter to block out prying eyes currently in testing with partner Wincor Nixdorf.

“There is a version that we don’t have in the market which has a light control filter that narrows the field of vision, so from the side you can’t see what someone is doing,” Cheesman said.

“There’s another version where you have software that changes the configuration of that light filter, but that technology is not quite there yet. We’re still working through optimising that capability.”

Albert has been on sale for the past two weeks. CommBank has signed up a number of customers including retailer Foot Locker, Event Cinemas, David Jones, hotel chain Rydges and the parent of petrol distributors Mogas and EasyFuel.

The tablet sells from $37.50 per month for merchants.