As consumers become more likely to make mobile payments from their phones, it is becoming more important for providers to ensure secure processing, since transactions involve multiple networks. Problems have already occurred in the automated payment industry over the last decade.
Resistance to web credit card payments increased after the computers of T.J. Maxx and Heartland Payment Systems were hacked. Customer transaction data was accessed and credit and debit card numbers were stolen, placing consumers at risk of identity fraud.
A prevalent concern now is the exposure of sensitive consumer information, given the number of parties involved in the payment industry: cardholders, banks and other issuers, merchants, and acquirers who process payments. Those who accept payments also have a new level of service provider responsibility given the different networks: broadband, cell phones, and wireless.
Renewed emphasis on data being collected
To address mobile security issues when collecting payments, focus on the data and understand what information is being collected, said Rob Harvey, lead security analyst in information technology at NIC, Inc., a developer of web postings and applications for federal, state, and local government agencies. "You need to know how that information is being transmitted and who has access to it," he told the Secure Enterprise Mobility Conference and Expo in Washington, D.C.
Cardholder data typically are account numbers and any supporting or identifying information related to an account.
In taking payments, merchants have the responsibility to maintain security, and states participating in this process must ensure they are not storing cardholder information from across networks, said another conference speaker, Sloan Wright, general manager at Indiana.gov, a NIC customer.
His state, Indiana, is using portable devices to accept payments at state parks (to reserve camp sites or rent golf carts) and at museums. A projected later use will be to provide offline trail maps for people camping in Indiana parks.
But the need to secure payments on networks can't stop business from going on, Wright said. Working with developers on a system should entail collecting only the information necessary for payment processing and limiting potential fraud exposure, he added.
Mobile payments off of smartphones
The coming of mobile payment processing is expected to entail the use of mobile devices as a credit card and, more on the purchase side, as a payment terminal. In this second use, merchants will be accepting payments using a mobile device to swipe the payments, Harvey said.
Use of smartphones for making payments should become more common. Mobile transactions at the point of sale would use iPhones, BlackBerrys, and Android phones.
Some mobile payment systems can be used only in stores with compatible card readers. Web application functionality may be built later into a mobile app.
The battle over the so-called digital wallet already is under way.
Apple has credit cards stored in its iTunes stores but has not added mobile payment technology to its iPhones.
In addition, Verizon plans to join with rivals AT&T and T-Mobile USA on a mobile payments network called Isis, which would compete with Google Wallet. As a result, Verizon Wireless told Google to remove its Google Wallet from the Google Nexus smartphone. Google's mobile payment technology only functions on Sprint phones with Citibank MasterCards.
"Google claims Verizon is blocking its Google Wallet mobile payments app from being preloaded on its newest smartphone or being downloaded by consumers themselves. The new phone, the Galaxy Nexus, is powered by Google's Android software and is being marketed as a 'pure Google' phone," said Amir Efrati and Anton Troianovski in "War Over the Digital Wallet," in the Wall Street Journal of December 7, 2011.
Starbucks has started mobile payments on smartphones on a proprietary application and established accounts to identify its users.
Visa is developing mobile payments as well.
Development of security standard
In response to past problems, including, in some cases, servers in restaurants being paid by organized crime and given a small tool to capture customer credit card data off the magnetic strip, the credit card industry came together and created a data security standard. All the players (Visa, MasterCard, Discover, American Express, and JCB) at the same time were trying to stave off federal government regulation, Harvey said.
Visa announced it would offer financial incentives for merchants and transaction service providers to comply with credit card industry security rules, called the Payment Card Industry Data Security Standard. As part of those rules, merchants have to limit data storage and use encryption. The standards apply to service providers too.
All merchants and service providers that store, process, or transmit cardholder data must comply with the standards.
Validation requirements are enforced by the card brands themselves. Unlike MasterCard, Visa and the other card brands have required a higher level of validation from merchants at certain levels, Harvey noted. All must do quarterly security scans, notify consumers about account breaches, and offer them credit monitoring.
Software developers selling payment swipe applications, separate from in-house developers, must conform to PCI standards as well. Most swipes now are not encrypted, but a requirement to do that is coming for all swipe devices, Harvey said.
Another helpful step would be to truncate data like Social Security numbers and other personal information, Wright pointed out.
However future mobile payments materialize, the objective of the PCI standards is to reduce risk. The standards don't consider what device is used as they are promoting secure transactions. The issues are the same whether a PC or a smartphone is being used.
Sources:
- Secure Enterprise Mobility Conference and Expo, Walter E. Washington Convention Center, Washington, D.C., December 8, 2011
- Amir Efrati and Anton Troianovski, "War Over the Digital Wallet," Wall Street Journal, December 7, 2011