Standards Will Bring Mobile Payment Security

Tuesday, August 09, 2011

Robert Siciliano


Mobile payment has been around for years in numerous forms for purchases such as downloading music, ringtones and various other services and is now gaining traction for retail purchases in the U.S.

But its implementation in the U.S. is a bit slower due to a lack of standardization of payment methods and the overall security concerns of mCommerce.

Some consumers in the U.S. have had bad experiences with criminal hacking and data breaches and are concerned about their security. They are waiting for the various handset manufacturers (those who make the phones), mobile carriers (those who provide mobile service) and third-party technology providers (those who make the technology facilitating financial transactions) to agree on standardization leading to more secure transactions.

However, in Japan and South Korea, for example, mobile penetration has been much higher for many years, and many people do not own and have never owned PCs (or been hacked), as they function purely from mobile devices. Security hasn’t been as much of a concern.

It’s a perfect example of “ignorance is bliss.”

Consumers in the U.S. overwhelmingly want mobile payment. A recent study by Mobio showed “49 percent of Americans said they’ve used their mobile phones to make a payment or purchase in the past three months.”

“And 77 percent of the 1,085 respondents in North America said they would be interested in using their mobile phones to make a payment or purchase. The response was higher — 84 percent — in the 35 to 44 year old age group and among Canadians (86 percent versus 72 percent of U.S. respondents).”

Near Field Communication (NFC), the engine behind mobile payments, comes in a variety of forms, and there are multiple players trying to make theirs a standard.

Bank Systems Technology reports the disagreements involve banks, credit card companies and the third party technologies all coming together with mobile carriers.

The mobile carriers want to control near-field communication and mobile payment fees by maintaining control over the phone’s payment technology containing their users’ credentials.

Mobile carriers see the devices they support as revenue generators that should grant them per-transaction mobile payment fees.

Meanwhile, consumers crave mobile payment and must adapt until the big guys fight it out to see who ends up top dog.

However, because there is a relatively low security risk in mobile payment, consumers stand to benefit by trying out and adopting the various methods presented.

I’m frequently using 2-3 methods, such as the PayPal app, which allows me to send and receive payments, and Square, which allows me to make and receive credit card payments on the spot. I find both convenient and fun!

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Melissa Wood: What are "mobile payments?" Mobile payments is too broad of a topic these days. The fact that the PCI SSC can't wrap their heads around a simple app running on a phone and treat it similarly to a standard payment application running on a PC is still beyond me. Use PA DSS standards. There have been apps for mobile phones that clearly fall under those guidelines but those apps were pulled from the PA DSS listings last year when the Council realized innovation was occurring.

Not to get off on a rant here, since this trend in the payments industry is booming, there is a need to get the security standards for mobile apps fully defined and implemented. More apps are being released and data is not being protected as it should be. Go download some of the apps on the multiple app stores. You'll find sensitive data in the clear as well as CVV and other sensitive data stored. Many payment apps are developed properly but there are some that are not. In a world where electronic payments are confusing enough for the everyday merchant, it's time for the PCI SSC to step up and protect cardholders and merchants and lay down the guidelines necessary for innovation to carry on and security to be top priority.

Of course that's just my opinion. I could be wrong.

Robert Siciliano: Melissa, you're spot on.