More and more mobile device users are buying products and services in the cloud—whether it’s through a Web-based application or a natively installed one. Thus, the U.S. mobile payment software market is on schedule to reach $90 billion in 2017, according to a 2013 report from Forrester. Mobile payments are changing business models for banks and credit card issuers and introducing huge new opportunities for many startups. However, these new models also introduce security challenges that must be addressed by all stakeholders, including consumers.
This slide show looks at the two different models for new-gen mobile payments: “trust in the phone,” which relies on a secure chip inside a mobile phone accessed via near field communications (NFC); and “trust in the cloud,” which relies on user credentials stored in the cloud. It addresses the differing security approaches of each model, as well as the factors that are pushing payments into the cloud. One common theme is the need for high-assurance data protection. Finally, it explains why a universally accepted model will be key to revolutionizing the mobile payments landscape—and winning consumer trust. Resources for this slide show include Jose Diaz, director of Technical and Strategic Business Development with Thales e-Security; Forrester Research; and eWEEK reporting.
Mobile Payment Security: An Essential Factor for Mass Adoption
by Chris Preimesberger
Mass Adoption of Mobile Payments Getting Closer
The industry has been talking about the arrival of mobile payments for almost a decade, and positive steps are being taken toward mass adoption. Some big players in the retail market have invested a considerable amount in mobile payment platforms, including Starbucks, which invested $25 million in a mobile payment venture, and Square, which last August enabled its customers to use a Pay with Square smartphone app.
But Some Problems Must Be Solved First
Visa and MasterCard have invested heavily in pilots for mobile NFC secure element solutions. Business model and technical challenges are making it difficult for banks to go to live rollouts, especially when the cost of provisioning the phone is greater than that of a plastic payment card. Plus, the industry is still a long way off from having one universally accepted model; too many business issues are still unresolved. Those include global interoperability, revenue split, risk/liability and consumer perception of inadequate security.
The Evolutionary Model
The “trust in the phone” model, the most broadly standardized approach to mobile payments, focuses on effectively turning the phone itself into a mobile wallet. In this evolutionary model, card issuers/card schemes/acquirers collectively depend on the presence of a specialized security chip within the phone to protect the critical payment keys that enable the consumer to initiate a contactless mobile transaction at a point of sale terminal.
The Evolutionary Model Precursor
The evolutionary model makes use of the existing four-party model payments infrastructure and is the mobile payment mechanism of choice for the card schemes.
The cost to issue the payment application is higher than that of a chip card, and the interchange revenue for the bank could be lower if the customer pays by mobile compared to a magnetic stripe signature transaction.
This calls into question why banks would rush to spend more and get less.
The Revolutionary Model
The alternative revolutionary model focuses on “trust in the cloud”; new market players such as PayPal, Google, Apple and innovative startups such as Square favor this. In this approach, trust lies not in the phone itself, but in the cloud; the phone is simply a way of connecting to the cloud.
The biggest technical difference between this approach and the trust in the phone model centers on consumer authentication, with user credentials stored in the cloud.
Benefits of the Revolutionary Model
With high-assurance data protection at the top of the agenda in the mobile payments arena, one of the key arguments in favor of this approach is that it is much easier to secure a common cloud service than millions of individual phones. Mobile phones offer little or no physical security and can be maliciously modified to access sensitive information if that information is not stored inside a secure element.
Inherent Challenges in the Revolutionary Model
The cloud-based approach is certainly not immune to security concerns, however. It is only a matter of time before fraudsters set their sights on mobile, and when they do, they will no doubt start with attacks on the cloud databases.
This will bring a range of challenges, as payment providers will need to develop rigorous encryption strategies.
This increased focus on secure user credential registration and storage will need to be accompanied by comprehensive operating rules to cover security, risk and liability.
Key Factors Pushing Mobile Payments to the Cloud
These include: 1) the promise of a complete commerce experience and potentially lower processing fees for merchants (the Merchant Customer Exchange retailer-led mobile wallet initiative is a good example of work toward this goal); 2) a desire to move away from the complexity of NFC, meaning the establishment of end-to-end trust throughout the ecosystem; and 3) the number of new payment providers who want to disrupt the status quo, essentially challenging why we need the existing payment rails and the legacy structure.
Consumer trust lies at the core of mass adoption.
The importance of a common look and feel (not just when it comes to the security aspects) cannot be underestimated. Neither merchants nor consumers will tolerate hundreds of differing proprietary solutions.
Which of These Models Is Likely to Prevail?
Right now it’s too close to call. Cloud is clearly a disruption, while a contactless mobile payment, using the NFC secure element in the phone, is closer to the traditional point-of-sale experience.
Any solution that brings with it a significant change in consumer and merchant behavior is harder to scale quickly. However, if the mobile consumer begins to demand alternative mobile payments from new players in sufficiently large numbers, this will present a significant threat in terms of both market share and revenue for the banks.