Mobile payments aren't necessarily prevalent now, but that will likely change over the next few years as EMV adoption spreads among retailers and consumers look for an easier and faster way to check out.
According to a report from BI Intelligence, usage rates of in-store mobile payments are expected to grow 80 percent year-over-year between now and 2020. Based on this study, mobile wallets may be ubiquitous in three short years.
But what are the repercussions of integrating mobile payments into a merchant's operations? Specifically, what security concerns does this technology introduce?
The mobile payment process
With every technology comes a set of protocols people must follow in order to use it. Understanding the risks of mobile payments involves analyzing how PIN pads accept, validate and transmit the data associated with mobile wallets.
Let's take a look at near-field communication - the enabler of mobile payments. This is what happens when a consumer uses his or her phone to pay for something:
- The cashier rings up the order and asks for payment.
- The customer either scans his or her fingerprint or enters a passcode to authenticate the transaction.
- The customer taps the smartphone to the NFC-supporting PIN pad.
- A chip within the smartphone exchanges data with the PIN pad, completing the purchase.
In this case, one of the most pressing concerns is how the mobile wallet transmits information to the PIN pad. In addition, how do smartphones store customer card data, if at all?
The severity of data storage risks largely depends on the product. For example, Android Pay never transmits users' credit or debit card information, but rather uses tokens to represent their card numbers. In fact, the app doesn't even store credit card numbers; it creates a token for each card a user submits.
Apple Pay uses a similar process. When a customer enters a payment card into Apple Pay, the app encrypts the data and sends it to Apple's servers. Apple decrypts the data to identify the card's payment network, and re-encrypts it with a key that only the card issuer and authorized providers can unlock. It then sends that information to the bank, which generates a Device Account Number (DAN) and sends it to Apple. Apple doesn't decrypt the DAN; it passes it on to the Secure Element on the customer's phone. Apple maintains that it doesn't store the DAN or the payment card information in its entirety.
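To make the tokenization flow described for Android Pay and Apple Pay concrete, here is a constructed model (not Apple's, Google's or any issuer's code) of who holds what: the issuer keeps the card number in a token vault, the wallet server sees it only transiently at enrollment, and the phone, PIN pad and merchant handle only a Device Account Number. The per-tap cryptogram and counter go beyond what the text above describes and stand in, simplified, for the EMV cryptogram real schemes use; the hop-by-hop message encryption is omitted. All names, keys and the card number are constructed.

```python
import hmac, hashlib, secrets
# Constructed model of the tokenized-wallet flow described above, not vendor code. The
# real card number (PAN) lives only in the issuer's token vault; the wallet server sees
# it transiently at enrollment; phone, PIN pad and merchant handle only the DAN.

def tap_cryptogram(dev_key, dan, counter, amount):
    # Per-tap MAC keyed by a secret that never leaves the Secure Element (a simplified
    # stand-in for an EMV cryptogram, added beyond what the text above describes).
    return hmac.new(dev_key, f"{dan}|{counter}|{amount}".encode(), hashlib.sha256).digest()

class Issuer:
    def __init__(self):
        self.vault = {}                         # DAN -> [PAN, device key, last counter]
    def provision(self, pan):
        dan, dev_key = "DAN-" + secrets.token_hex(8), secrets.token_bytes(32)
        self.vault[dan] = [pan, dev_key, 0]
        return dan, dev_key
    def authorize(self, dan, counter, amount, cryptogram):
        if dan not in self.vault:
            return False
        _pan, dev_key, last = self.vault[dan]
        expected = tap_cryptogram(dev_key, dan, counter, amount)
        if counter <= last or not hmac.compare_digest(expected, cryptogram):
            return False                        # replayed tap or forged cryptogram
        self.vault[dan][2] = counter
        return True

class WalletServer:                             # the Apple/Google side
    def __init__(self, issuer):
        self.issuer, self.records = issuer, {}
    def enroll(self, pan):
        network = {"4": "Visa", "5": "Mastercard"}.get(pan[0], "other")  # simplified BIN lookup
        dan, dev_key = self.issuer.provision(pan)   # issuer mints the DAN; server only relays it
        self.records[dan] = {"network": network, "last4": pan[-4:]}     # full PAN not retained
        return SecureElement(dan, dev_key)

class SecureElement:                            # what the phone holds after enrollment
    def __init__(self, dan, dev_key):
        self.dan, self.dev_key, self.counter = dan, dev_key, 0
    def tap(self, amount):                      # the message that crosses the NFC link
        self.counter += 1
        return {"dan": self.dan, "counter": self.counter, "amount": amount,
                "cryptogram": tap_cryptogram(self.dev_key, self.dan, self.counter, amount)}

def demo(pan="4111111111111111"):               # constructed test PAN, not a real card
    server = WalletServer(Issuer())
    tap = server.enroll(pan).tap("12.50")
    first = server.issuer.authorize(**tap)      # PIN pad forwards the tap to the issuer
    replay = server.issuer.authorize(**tap)     # same message captured and sent again
    return first, replay, pan in str(server.records) or pan in str(tap)
```

`demo()` returns `(True, False, False)`: the first tap authorizes, a replayed copy is refused, and neither the wallet server's records nor the NFC message contain the card number.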
The risks of mobile payment
Much of the risk in mobile payments lies in how customers use them. For example, the nonprofit ISACA surveyed 900 cybersecurity experts last year to identify mobile wallet security threats. The respondents named use on public Wi-Fi, stolen devices and phishing as the three greatest threats to mobile payment security. So consumers will have to be more cognizant of how they use their devices.
Meanwhile, the infrastructure behind mobile payments must become more robust, and right now, most systems are inherently secure largely due to tokenization. For example, Entrepreneur noted that Samsung Pay avoided a cyberattack by leveraging tokenization, the KNOX security framework and fingerprint authentication.
Misconceptions around the security of mobile payments are what has hampered much of the growth in the segment, but as that perception changes, expect to see more and more consumers reaching for their smartphones for a faster checkout.