Mobile Payment Security: An Essential Factor for Mass Adoption

by Chris Preimesberger

The industry has been talking about the arrival of mobile payments for almost a decade, and positive steps are being taken toward mass adoption. Some big players in the retail market have invested a considerable amount in mobile payment platforms, including Starbucks, which invested $25 million in a mobile payment venture, and Square, which last August enabled its customers to use a Pay with Square smartphone app.

Visa and MasterCard have invested heavily in pilots for mobile NFC secure element solutions. Business model and technical challenges are making it difficult for banks to go to live rollouts, especially when the cost of provisioning the phone is greater than a plastic payment card. Plus, the industry is still a long way off from having one universally accepted model; too many business issues are still unresolved. Those include global interoperability, revenue split, risk/liability and consumer perception of inadequate security.

The “trust in the phone” model, the most broadly standardized approach to mobile payments, focuses on effectively turning the phone itself into a mobile wallet. In this evolutionary model, card issuers/card schemes/acquirers collectively depend on the presence of a specialized security chip within the phone to protect the critical payment keys that enable the consumer to initiate a contactless mobile transaction at a point of sale terminal.

The evolutionary model makes use of the existing four-party model payments infrastructure and is the mobile payment mechanism of choice for the card schemes. The cost to issue the payment application is higher than a chip card, and the interchange revenue for the bank could be lower if the customer pays by mobile compared to a magnetic stripe signature transaction. This calls to questions why banks would rush to spend more and get less.

The alternative revolutionary model focuses on “trust in the cloud”; new market players such as PayPal, Google, Apple and innovative startups such as Square favor this. In this approach, trust lies not in the phone itself, but in the cloud; the phone is simply a way of connecting to the cloud. The biggest technical difference between this approach and the trust in the phone model centers on consumer authentication, with user credentials stored in the cloud.

With high-assurance data protection at the top of the agenda in the mobile payments arena, one of the key arguments in favor of this approach is that it is much easier to secure a common cloud service than millions of individual phones. Mobile phones offer little or no physical security and can be maliciously modified to access sensitive information, if not stored inside a secure element.

The cloud-based approach is certainly not immune to security concerns, however. It is only a matter of time before fraudsters set their sights on mobile, and when they do, they will no doubt start with attacks on the cloud databases. This will bring a range of challenges, as payment providers will need to develop rigorous encryption strategies. This increased focus on secure user credential registration and storage will need to be accompanied by comprehensive operating rules to cover security, risk and liability.

These include: 1) the promise of a complete commerce experience and potentially lower processing fees for merchants (the Merchant Customer Exchange retailer-led mobile wallet initiative is a good example of work toward this goal); 2) a desire to move away from the complexity of NFC, meaning the establishment of end-to-end trust throughout the ecosystem; and 3) the number of new payment providers who want to disrupt the status quo—essentially challenging why we need the existing payment rails and the legacy structure.

Consumer trust lies at the core of mass adoption. The importance of common look and feel (not just when it comes to the security aspects) cannot be underestimated. Neither merchants nor consumers will tolerate hundreds of differing proprietary solutions.

Right now it’s too close to call. Cloud is clearly a disruption, while a contactless mobile payment—using the NFC secure element in the phone—is closer to the traditional point-of-sale experience. Any solution that brings with it a significant change in consumer and merchant behavior is harder to scale quickly. However, if the mobile consumer begins to demand alternative mobile payments from new players in sufficiently large numbers, this will present a significant threat in terms of both market share and revenue for the banks.