Procuring point-of-sale systems - the legal issues
Amanda Pilkington, legal director at law firm DLA Piper, discusses the issues that retail organisations need to consider when implementing EPOS systems
An electronic point-of-sale (EPOS) solution provides the direct interface with the consumer, but behind it sits a series of interfaces and touch points with other vital IT systems, all of which must work together to deliver the bottom line by processing the payment the consumer makes at the cash register. In short, the operation of an EPOS solution is crucial to the successful operation of a consumer-facing business.
So what are the issues that an EPOS provider is likely to face when negotiating a contract with a potential purchaser?
Integration risks
A new EPOS solution must function within the host computing environment: the hardware, software and network connections. The purchaser will want the EPOS provider to take the interoperability risk; it does not want a solution that works perfectly in isolation but falls down when operating in its live environment. Conversely, the EPOS provider will believe that the customer should ultimately take responsibility for the choice it has made. Typically there will be a halfway house between these two polar positions. If the provider is given the opportunity to survey or undertake due diligence on the customer environment during the design or blueprint phase, it will feel more able to accept all or part of the integration risk. Similarly, the parties may agree a minimum specification which the customer must maintain within its IT environment to ensure continued interoperability.
Unavailability
This is perhaps the purchaser's greatest concern. Imagine the scenario: the busiest shopping weekend of the year, and no transactions can be processed because the EPOS is unavailable, for whatever reason. This has a direct impact on the bottom line. The probability of prolonged periods of unavailability may be remote in practice, and the solution should be designed with the necessary resiliency to mitigate the likelihood of this occurring. Some EPOS solutions may allow transactions to be processed offline, although the purchaser should note that offline processing means transaction data (and potentially card data) is held on the terminal until connectivity is restored, which has both security and PCI DSS implications. Such design assurances may or may not be sufficient for the purchaser, who may seek further contractual protection including, for instance, the right to recover direct loss of profits.
Data loss
The EPOS processes data which is vital to the customer's business, from the sales transaction data to data relating to store or reward cards, returns and stock balances. As with periods of unavailability, any data loss will impact the bottom line. There will also be heightened concern in relation to the processing of personal data relating to end consumers; the consequences of any loss of personal data will be costly on both a reputational and a financial level. The purchaser will want to know where the data is being processed and by whom and, crucially, what security measures are in place to safeguard it, for example encryption of stored and transmitted data, access controls, and the provider's obligations to notify the purchaser of any security breach.
Service levels
The operation of the EPOS must be underpinned by robust and meaningful service levels covering not only the provision of support (response and fix times, first/second line support, etc.) but also availability of the service desk and, where relevant, the hosted platform. Purchasers will expect failure to achieve agreed service levels to give rise to some form of contractual remedy, such as service credits or ultimately a right to terminate.
PCI DSS
The purchaser will expect the solution provided to be PCI DSS "compliant". The question for debate will be what is meant by compliance. Strictly, PCI DSS compliance is assessed against the merchant's whole cardholder data environment rather than against an individual product; a payment application can instead be validated separately under PA-DSS (now succeeded by the PCI Software Security Framework), and a purchaser may reasonably ask for evidence of such validation. The EPOS is a single piece in the PCI DSS puzzle: the processes, procedures and other systems operated by the purchaser must fit together in order to achieve a fully compliant environment. EPOS providers will argue that this end-to-end responsibility ultimately rests with the purchaser.
IPR ownership
Typically, the EPOS solution will be "vanilla", and some configuration work may be required to fit the solution within the customer's IT environment. Beyond that, however, a customer may ask for particular modifications that it believes will give it a competitive advantage. In such circumstances, the customer may look for ways to restrict the EPOS provider from re-using or replicating that adaptation for competitors in the market. The EPOS provider will not want its hands tied so as to prevent the re-use of any generic code comprised within the adaptation.
Amanda Pilkington is legal director at DLA Piper