Mobile Payments Security

Henry Helgeson

November 27, 2012


As the media spotlight on mobile payments shines on who will ‘win’ the digital wallet race or when near-field communication (NFC) will become a mainstream technology, another critical topic is security and how digital wallets protect consumer data. Interestingly enough, there are several form factors of digital or mobile wallets, and each operates differently, so it’s critical that we begin with a look at each type of digital wallet and how it handles card data.

Cloud-based wallets, such as those offered by Starbucks, LevelUp, and Pay with Square, store sensitive data in the cloud, with nothing stored on the smartphone or tablet itself. Most cloud-based wallet providers vault the card data in a centralized, PCI-compliant hosting environment, with none of the card data ever passing through the point-of-sale (POS) system, which is where most breaches typically occur. The vulnerabilities in these systems lie at the point where the consumer enters their card number, which can be on their mobile device or via an online account management service. For the most part, digital wallet providers are well aware of how to secure these entry points and lock down the card data as it flows through to their servers, thus reducing consumer security concerns.

While one can certainly argue that we are still using track data in NFC-based wallets like ISIS and the NFC/Sprint version of the Google Wallet, and that the system is very much like what is widely used today, it is our belief that EMV and dynamic data elements will see widespread adoption within NFC-based wallets before we see them in the traditional plastic form factor. NFC wallets also offer enhanced protection, as consumers are likely to realize that they have lost their phone well before they notice a missing card. Additionally, NFC wallets offer an extra layer of security through PIN-based access. One challenge with NFC-based wallets is that they pass track data ‘over the air’, which may be susceptible to ‘sniffers’, but EMV and other encryption techniques embedded in device firmware should mitigate that risk. A second potential challenge is that track data is still passing through a POS system. Right now, our own Genius™ Customer Engagement Platform™ is the only solution I know of that offers point-to-point encryption.

Mobile swipe devices have continued to penetrate the payments space over the past several years, and fortunately the industry is now moving almost exclusively to readers that offer point-to-point encryption and ‘scramble’ card data before it passes through the phone and the airwaves. Vulnerabilities in the original devices, such as the Square dongle, were quickly exposed, as those devices did not offer point-to-point encryption, presenting significant risk to consumers and merchants alike. Today’s providers of mobile swipe devices, including Square, VeriFone, and Intuit, all offer encrypted readers.
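The contrast between an early pass-through dongle and an encrypting reader can be shown in a few lines. The following is an added illustration, not code from this post or from any of the reader vendors named above. It assumes a made-up Track 2 record with a standard test PAN, and it stands in a toy keyed construction (HMAC-SHA256 in counter mode plus an HMAC tag) for the reader's real cipher; actual encrypting readers use a per-device key injected at manufacture, and the decryption key never exists on the phone or at the merchant.

```python
import hashlib
import hmac
import json
import os

# Constructed sample: a magnetic-stripe Track 2 record for a test card.
# 4111111111111111 is a standard test PAN, not a real account.
TRACK2_SAMPLE = "4111111111111111=25121010000012345678"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 as the PRF.
    Toy stand-in for the AES-based scheme a real reader would use."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def unencrypted_reader(track_data: str) -> dict:
    """The early dongle design: raw track data is handed straight to the app,
    so the phone, its OS, and anything in the radio path see the PAN."""
    return {"track2": track_data}


def reader_encrypt(reader_key: bytes, track_data: str) -> dict:
    """What a point-to-point encrypting reader does: the track data is encrypted
    and authenticated inside the reader, so the app only forwards an opaque blob."""
    nonce = os.urandom(12)
    plaintext = track_data.encode()
    stream = _keystream(reader_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(reader_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def gateway_decrypt(reader_key: bytes, blob: dict) -> str:
    """Decryption happens only at the processor's gateway (the other 'point').
    Anything altered in transit fails the tag check and is rejected."""
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ct"])
    expected = hmac.new(reader_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("authentication failed: blob was modified in transit")
    stream = _keystream(reader_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()


def pan_from_track2(track2: str) -> str:
    """Track 2 is PAN, a field separator '=', then expiry and service data."""
    return track2.split("=")[0]


def exposed_on_phone(payload: dict, pan: str) -> bool:
    """The check a reviewer would run on whatever the phone app receives:
    does the payload contain the cleartext PAN anywhere?"""
    return pan in json.dumps(payload)


def demo() -> dict:
    """Compare both reader designs on the same swipe."""
    reader_key = os.urandom(32)  # per-device key, provisioned at manufacture
    pan = pan_from_track2(TRACK2_SAMPLE)
    plain_blob = unencrypted_reader(TRACK2_SAMPLE)
    p2pe_blob = reader_encrypt(reader_key, TRACK2_SAMPLE)
    return {
        "plain_exposes_pan": exposed_on_phone(plain_blob, pan),
        "p2pe_exposes_pan": exposed_on_phone(p2pe_blob, pan),
        "gateway_recovers": gateway_decrypt(reader_key, p2pe_blob) == TRACK2_SAMPLE,
    }


if __name__ == "__main__":
    print(demo())
```

The point the check makes is architectural rather than cryptographic: with the key confined to the reader and the gateway, a compromised phone, merchant app, or POS in the middle handles only ciphertext, which is exactly the property the 'scrambling' described above is meant to provide.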

Security is key to consumer adoption of mobile payments, and it’s evident that the industry is taking note. Over time, consumer adoption will depend on security as well as on the extended value proposition around mobile commerce, or m-commerce: context-aware marketing and overall satisfaction with the mobile shopping experience.