How can consumers embrace mobile payments without the risks?

Payment industry experts have long been discussing the rise of mobile payments, claiming for many years that the ease of use of mobile payments will mean that the technology is widely adopted among consumers.

After a lot of speculation and discussion, it is safe to say that 2015 was the year that consumer interest in mobile payments increased significantly. Many major tech players such as Google and Samsung have launched or enhanced mobile payment services but it was the earlier launch of Apple Pay that proved to be a game changer, pushing mobile payments to the forefront of many people’s minds.

Mobile has found itself at the centre of a lot of FinTech innovation in 2015, with many consumers not blinking an eye at using online banking and peer to peer payments on their mobiles. The simple user experience and effective design of mobile payment apps is likely behind their increase in popularity, with many consumers finding the idea of being able to pay for products with a tap far simpler than having to search for the wallet, pull out a card and type in a PIN.

This is evidenced in the 81 per cent of users that rated the general experience as “good to excellent” in a recent TSYS report. This positive reception has opened up a world of opportunities for banks and retailers who, after significant investment, can provide tailored services that keep up with the changing needs of their customers. Now that consumers have become accustomed to simply ‘tapping and going’ and the limit has increased to £30, Visa predicts this will impact over 3 million Visa transactions per day, a total of £70 million, demonstrating the extent to which contactless payment using cards and mobile devices has become ingrained in the way we make our purchases.

Innovation brings new security requirements

Innovation often arouses suspicion and can lead to questions around security issues - mobile payments are no different. Even though mobile payments adoption has increased significantly, some users still have to overcome the fact that they are using a phone, a device they normally just text or call with, to make a payment.

Mobile payment users often feel apprehensive regarding their security when making a transaction, and this could be due to the link between security and consumer trust. Any business has to ensure they build and maintain their customers’ trust and this is particularly true within the payments industry. The payments sector faces the pressure to innovate whilst maintaining a sense of security, so that consumers won’t feel that their personal or financial data is in jeopardy. The industry now faces the challenge of convincing consumers that their mobile has the same level of security as the bank card that they are accustomed to using.

How can this be done? Mobile has expanded the payments ecosystem in an unprecedented way, with untrusted devices now communicating over untrusted networks. This has resulted in a whole new challenge for security professionals. Mobile payments providers are looking to emulate, in a virtual environment, the cryptographic security of the EMV chip found in payment cards. A recent arrival on the scene, Host Card Emulation (HCE) is making it simpler for banks to provide contactless mobile payments without the need to depend on mobile network operators (MNOs) or Trusted Service Managers (TSMs).

What solutions are out there?

In the past, tokenisation has mainly been used by acquirers to help merchants reduce their PCI DSS scope and devalue data stolen by criminals. Many solutions have come on to the market to assist issuers with isolating sensitive account data between various payments channels, such as the EMVCo tokenisation standard, which is being actively promoted by the global card schemes as part of their mobile payment initiatives.

The process of tokenisation means that the 16 digit number used for the transaction process has different values for a mobile payment transaction or an ecommerce transaction, but there is one constant aspect in the process - the real PAN (primary account number) is maintained and held by the issuer. Tokenisation makes it practically infeasible for criminals to create counterfeit magnetic stripe cards from stolen data.

Tokenisation not only protects the user but it also protects the back end infrastructure that communicates with the phone to set up payment accounts and approve transactions. Apple is an example of a major household name that has made tokenisation an integral part of its security infrastructure. The company ensures that only temporary ‘tokens’ are stored on a phone, and these tokens are rendered useless for hackers when they are stolen as they are only used in transactions to represent a user’s account. These same tokens can be easily deleted without impacting a user’s bank account or credit card.

Even though many companies have realised the positives of tokenisation, there is one challenge that security professionals will have to concentrate on to ensure it is a success - the storage of the tokens. The security team that handles the tokenisation service will have to focus on storing the tokens and their corresponding PANs in a ‘token vault’, and they will have to guarantee that the vault is secure at all times to prevent it from becoming an easy target for criminals.
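The token-to-PAN relationship described above can be sketched as a minimal issuer-side vault. This is an added illustration, not code from the article or from any tokenisation standard: the class and method names, the channel labels and the in-memory dictionary (standing in for hardened vault storage) are assumptions, and the PAN is a constructed test value.

```python
import secrets

def luhn_check_digit(body: str) -> str:
    """Return the Luhn check digit that completes a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

class TokenVault:
    """Hypothetical vault: the only place where a token maps back to the real PAN."""

    def __init__(self):
        self._by_token = {}     # token -> (pan, channel); stand-in for protected storage

    def tokenise(self, pan: str, channel: str) -> str:
        """Issue a random 16-digit, card-shaped token bound to one payment channel."""
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(15))
            token = body + luhn_check_digit(body)
            if token != pan and token not in self._by_token:
                self._by_token[token] = (pan, channel)
                return token

    def detokenise(self, token: str, channel: str):
        """Return the PAN only if the token exists and is used in its own channel."""
        entry = self._by_token.get(token)
        if entry is None or entry[1] != channel:
            return None         # unknown, revoked, or replayed in another channel
        return entry[0]

    def revoke(self, token: str) -> bool:
        """Delete one token; the PAN and the cardholder's other tokens are untouched."""
        return self._by_token.pop(token, None) is not None

if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"    # constructed test PAN, not a real account
    mobile = vault.tokenise(pan, "mobile")
    ecom = vault.tokenise(pan, "ecommerce")
    print("mobile token:", mobile, "| ecommerce token:", ecom)
    print("mobile token used for ecommerce:", vault.detokenise(mobile, "ecommerce"))
    vault.revoke(mobile)        # e.g. the phone is lost
    print("ecommerce token still resolves:", vault.detokenise(ecom, "ecommerce") == pan)
```

Everything a merchant or phone sees is a token; a stolen token fails outside its own channel and can be revoked without reissuing the card, which is why the mapping table itself is the asset that has to be protected.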

Mobile payments vs bank cards

One of the main barriers preventing mobile payments from becoming completely mainstream is that credit and debit cards are still king. We are familiar with bank cards and when it comes to our finances, many would prefer to stick with the tried and tested than take what seems to be a potential risk. The efficiency of mobile payments is also competing against the ease of contactless card payments, with some consumers wondering why they need to make the switch, when their trusted cards are just as quick whilst maintaining a sense of security.

However, if payments providers would like mobile payments adoption to continue to grow, they should steer away from comparing the technology to bank cards.

Instead, by concentrating on which payment method is best for each individual transaction environment, payments providers will be able to deliver services that are appropriate for different scenarios whilst guaranteeing that they satisfy their customers’ requirements for efficiency and security.

Ian Hermon, mobile payments expert at Thales e-Security
