Facebook recently joined a growing list of companies when it announced that it was entering the mobile payments arena. As more organizations embrace mobile payments, there is clearly a huge market opportunity to move away from traditional credit card structures and simplify payment options for users.
Yet along with this opportunity in mobile commerce come huge security challenges. One company addressing such challenges is Thales e-Security, a global provider of data protection solutions with more than 40 years' experience securing the world's most sensitive information. Jose Diaz is director of Technical and Strategic Business Development with Thales, and an expert in the security challenges that come along with mobile payments.
TMC recently reached out to him for his insights on this nascent market, and to discuss some of the advantages and risks the mobile payment market presents:
TMC: Mobile payments are becoming more and more popular as a part of e-commerce. What are some of the benefits of mobile payments to today's Web-savvy consumers?
Jose Diaz: The major benefit of mobile payments is the portability, together with constant connectivity associated with the mobile device. Consumers are not tied to a laptop or desktop PC that needs a hard-wired Internet connection to communicate, or a Wi-Fi hotspot when on the move. The mobile phone is almost always connected to the mobile network and hence transactions are always possible. Mobile device applications are generally faster to launch, with an optimized user interface (eliminating clutter) and that means transactions can be performed very quickly, anytime and anywhere. Mobile devices can also provide a separate channel, out-of-band, for payment authorization when used in conjunction with traditional Web sites or even physical store purchases, thus enabling stronger security for payments. In some cases, it is more about the use of mobile devices as part of the payment process, for stronger security, than using the mobile device for the payment itself.
TMC: On the flip side, what are some of the dangers and concerns they face?
JD: The biggest danger is that the mobile device itself is not a trusted device, since it is designed for flexibility and ease of use rather than security. The industry is still very immature in developing, providing and supporting the types of anti-virus, anti-malware and firewall technology for mobile phones, things that are very sophisticated and that we take for granted today when using Windows-based computers. When a consumer uses a PC to buy goods from a website or is using online banking, there are lots of things that can assist with knowing whether or not the site is genuine and secure (URLs, padlocks, look and feel, etc.). With mobile, assessing whether a site is genuine is not something that users have been educated on. Therefore, the primary danger and concern is using a mobile device to enter or provide sensitive information such as payment card numbers, PINs for debit cards, or any other personal information which could be utilized for financial or personal harm, unless specific technology is being utilized for protection.
TMC: What steps can consumers take to reduce or mitigate the possibility of e-theft or identity theft, when paying online and/or via mobile?
JD: First and foremost, consumers need to recognize that mobile phones are not natively secure environments. Unless specific technology is utilized to protect the communications and the data being entered, there is risk of data compromise resulting in e-theft or identity theft. Consumers should ensure they are connected to a legitimate and preferably “known” service provider. The small lock, indicating a secure https connection, and “green” highlight of the Web site URL (indicating a verified identity), are good signs from a security perspective. Caution should be taken as to the information provided to lesser known websites or service providers. The use of payment services, such as PayPal, that do not share user payment card information with merchants can help mitigate risk.
TMC: What challenges do online companies face in assuring that their sites are secure?
JD: The PCI-DSS (Payment Card Data Security Standard) provides some good general security requirements and guidelines for protection of sensitive information, access to the information, and overall security of environments. The Web is a very powerful tool to reach consumers everywhere, but it also provides the ability for fraudsters everywhere to carry out attacks. The challenge is to balance security and convenience in developing a security position based on standards of due care. Segmentation of the environment with strong controls can be a significant aid in protecting sensitive information and implementing a multi-layered approach to security. For many organizations, even identifying where sensitive information is stored can be problematic. Technologies such as Encryption and Tokenization are commonly used to protect sensitive information and help isolate storage of -- and access to -- the critical data.
TMC: How has the cloud helped or hindered e-commerce?
JD: The cloud is definitely a positive evolution/innovation for e-commerce because it offers the opportunity for more merchants to participate securely in payments, often at lower cost and with a much simpler infrastructure to support in-house, and with greatly reduced PCI DSS scope. The cloud is well-suited to the new disruptive type of mobile payments (that do not rely on a physical payment card) where there is no need for the traditional payment rails. The cloud also offers high availability, scalability, high security and a more user-friendly method of transaction initiation (an example being the recent Apple fingerprint-biometric payment option).
However, it needs to be understood that outsourcing services or data does not relieve the e-commerce provider of the data-protection responsibilities under PCI-DSS or other regulations. Merchants, or other entities outsourcing their infrastructure (or parts of their infrastructure) to cloud service providers, need to be cognizant of the security implications and either be in control of protecting sensitive data outside of the cloud service or work with the cloud service provider on implementing the needed security. Encryption of the data is the common approach to providing the needed security with key management being under control of the merchant or entity utilizing the service. This enables the leveraging of cloud services for efficiency while keeping control of data security as part of risk management.
TMC: Are there any other tips or hints you can offer either consumers or sellers in cyberspace?
JD: Once again, the realization that cyberspace is not a natively secure environment, and that security of sensitive data has to be considered when deploying services as well as utilizing services on the various mediums in cyberspace. From a seller/service-provider perspective, it should be understood that customers expect their personal and payment information to be kept confidential and secure. Breaches can not only cause financial damage but also harm a company’s reputation and business outlook. Using PCI-DSS as a general guideline for security and sensitive data protection can be very helpful in managing risk.
Consumers travel a much more complex road and need to be somewhat technology “aware” in order to avoid potential pitfalls. If it looks too good to be true, it should raise a flag. Don’t assume everything you see is true, and take time to validate a merchant (references, reviews, etc.) the first time you use them as well as being cautious about the personal or payment information you share with them.
Finally, there are some other, more specific items, in no particular order of importance, for consumers:
- Avoid downloading apps to your phone unless you are confident of the source;
- Always have your PC firewall and anti-virus software up to date and make sure you apply all security patches;
- Avoid clicking on links in an email unless you are confident of the source;
- Consider registering your credit cards under the 3-D Secure scheme, if the merchant supports it;
- Avoid using debit cards online since you have much better consumer protection with credit cards.
It all boils down to caution and common sense. Like any other business transactions, only deal with reputable companies. You wouldn’t hand over your ID to a total stranger without checking them out first, so why do it online?
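The pattern Diaz describes in the PCI-DSS and cloud answers above (encryption plus tokenization to isolate card data, with key management kept under the merchant's control rather than the cloud provider's) can be shown concretely. The following is an added example written for this page, not Thales' product or anything from the interview. It assumes AES-256-GCM from Go's standard library, a hypothetical TokenVault type whose in-memory map stands in for the outsourced store, and a constructed test card number (4111 1111 1111 1111, a widely used Visa test PAN).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// luhnValid reports whether a digit string passes the Luhn checksum every card number carries.
func luhnValid(pan string) bool {
	if len(pan) < 12 || len(pan) > 19 {
		return false
	}
	sum := 0
	for i := len(pan) - 1; i >= 0; i-- {
		if pan[i] < '0' || pan[i] > '9' {
			return false
		}
		d := int(pan[i] - '0')
		if (len(pan)-1-i)%2 == 1 { // every second digit from the right is doubled
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
	}
	return sum%10 == 0
}

// vaultRecord is everything the outsourced store holds for one card: nonce and ciphertext, no key.
type vaultRecord struct{ nonce, ciphertext []byte }

// TokenVault stands in for a tokenization service (hypothetical, for this example). The AEAD key
// stays with the merchant (an HSM or KMS in production); the store is the part that could sit in a cloud.
type TokenVault struct {
	aead  cipher.AEAD
	store map[string]vaultRecord
}

func NewTokenVault(key []byte) (*TokenVault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead, store: map[string]vaultRecord{}}, nil
}

// Tokenize validates a PAN, encrypts it under the merchant key and returns a random token that
// reveals nothing about the card. The token is bound in as GCM additional data, so a ciphertext
// copied under a different token fails authentication in Detokenize.
func (v *TokenVault) Tokenize(rawPAN string) (string, error) {
	pan := strings.ReplaceAll(rawPAN, " ", "")
	if !luhnValid(pan) {
		return "", errors.New("tokenize: not a valid card number")
	}
	buf := make([]byte, 16+v.aead.NonceSize()) // random token id, then a fresh nonce
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token, nonce := "tok_"+hex.EncodeToString(buf[:16]), buf[16:]
	v.store[token] = vaultRecord{nonce, v.aead.Seal(nil, nonce, []byte(pan), []byte(token))}
	return token, nil
}

// Detokenize recovers the PAN; only a holder of the merchant key can do this.
func (v *TokenVault) Detokenize(token string) (string, error) {
	rec, ok := v.store[token]
	if !ok {
		return "", errors.New("detokenize: unknown token")
	}
	pt, err := v.aead.Open(nil, rec.nonce, rec.ciphertext, []byte(token))
	if err != nil {
		return "", fmt.Errorf("detokenize: %w", err) // tampered or moved record
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // merchant-held AES-256 key, generated here only for the demo
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, _ := NewTokenVault(key)
	token, err := vault.Tokenize("4111 1111 1111 1111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	pan, _ := vault.Detokenize(token)
	fmt.Println(token, pan)
}
```

The point of the split is PCI-DSS scope: order records, analytics and the cloud database only ever see tokens and AES-GCM ciphertext, while the key and the Detokenize path live in the one segment the merchant controls. Because tokens are random rather than derived from the PAN, two purchases with the same card get unrelated tokens, and the additional-data binding means a stolen record cannot be replayed under another token.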
Edited by Stefania Viscusi