How to Keep Mobile Payments Secure

By Rob Clyde

According to media reports, Walmart, CVS, 7-Eleven and other major retailers are about to enter a competitive space that’s currently dominated by tech giants. Through a consortium known as Merchant Customer Exchange (MCX), big-name shops are readying to test their own app-based mobile payment option called CurrentC, which is set to rival those of Google, Apple and Samsung.

Although they have been around for a decade as a financial transaction medium, mobile payments have long been a solution that retailers accept, rather than provide. But entering the mobile payment space has become crucial to maintaining a competitive edge and a strong link to customers, who increasingly expect very fast and convenient shopping experiences.

The Case for the Security of Mobile Payments

It’s no secret that people across all cultures and age groups have grown so accustomed to smartphones that they are being used for more than just communication. By giving smartphones purchasing power, mobile payments allow consumers to buy goods and services through digital methods of transferring funds, including contactless near-field communication (NFC) like Apple Pay, peer-to-peer platforms like Venmo and even SMS-based payments.

The high-profile data breaches reported in the news showcase the risks associated with a hacker accessing and utilizing personal information that can be transmitted through a mobile payment. This understandably elicits consumer fear. Even cyber-security professionals are wary of the security of mobile payments.

A recent survey by global cyber-security association ISACA on mobile payments revealed that half of U.S. respondents believe mobile payments are not secure, citing the use of public WiFi as the most significant security vulnerability associated with them. Of course, many of these respondents are responsible for security at their organization and are concerned about potential risks to their company.

The good news—both for companies offering mobile payments and for IT departments managing them—is that these payments are more secure than commonly believed. On a day-to-day basis, mobile payments can be both the most convenient and the safest form of payment, while other methods pose unique disadvantages.

That said, the developers creating mobile payment apps, along with security and audit professionals, must lead the charge on mobile payment security. As the most tech-savvy players in the mobile payment ecosystem, these professionals have a unique responsibility.

To ensure the security of mobile payments, the tech community has proactively addressed potential vulnerabilities. Tokenization built into NFC is one good example. In an NFC mobile payment, a person’s mobile device communicates a payment from their mobile wallet to the retailer simply by being in close proximity to a terminal near the cash register.

For NFC to function securely, however, it is backed by tokenization: a technique that reduces the value of sensitive data transmitted over the network, such as a 16-digit credit card number, by substituting a surrogate value (a token) for it. The token is useless to anyone who intercepts it or steals it from the merchant, because only the payment provider can map it back to the real card number. This is the key to limiting the impact of a breach, and it is an important defence against fraud when, for instance, paying for coffee at Starbucks through a mobile app.
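To make the tokenization idea concrete, here is an added example (not code from the article or from any payment network) of a hypothetical token vault held by the payment provider. The card number is a constructed test value; the token is random rather than derived from the card number, keeps only the last four digits so a receipt can still say "ending in 1111", deliberately fails the Luhn check so it cannot be mistaken for a real card number, and can be redeemed only once, so a captured token does not buy a second purchase. The merchant side stores the token and the masked form, never the card number.

```python
import secrets
from typing import Dict, Optional

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Return True if `number` passes the Luhn check that real card numbers satisfy."""
    if not number.isdigit() or len(number) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form a merchant may print or log: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical tokenization service operated by the payment provider.

    The vault is the only place the real card number (PAN) is ever stored;
    merchants and the NFC radio path see tokens only.
    """

    def __init__(self) -> None:
        self._pan_by_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Issue a fresh single-use token for a valid card number."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random body + real last four; reject tokens that look like real PANs.
            body = "".join(secrets.choice(DIGITS) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Redeem a token exactly once; an unknown or replayed token yields None."""
        return self._pan_by_token.pop(token, None)


def merchant_record(token: str) -> Dict[str, str]:
    """What the merchant keeps after a tap: the token and a masked display value."""
    return {"token": token, "card": mask_pan(token)}


def provider_authorize(vault: TokenVault, token: str, amount_cents: int) -> Dict[str, object]:
    """Provider-side authorization: map the token back to the PAN, or decline."""
    pan = vault.detokenize(token)
    if pan is None:
        return {"status": "declined", "reason": "unknown or reused token"}
    return {"status": "approved", "amount_cents": amount_cents, "card": mask_pan(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("4111111111111111")        # constructed test card number
    print("merchant stores:", merchant_record(tok))
    print("first use:", provider_authorize(vault, tok, 450))
    print("replayed token:", provider_authorize(vault, tok, 450))
```

The design choice worth noting is that the token is random: an attacker who obtains a pile of tokens from a merchant database learns nothing about the underlying card numbers, and a token captured in transit is rejected on its second presentation.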

Additionally, if consumers use major credit cards as the underlying payment mechanism registered for their mobile payments, charges due to fraud will be written off by the card issuer.

Continuing to address mobile payment security is essential to spurring consumer adoption, and the major responsibility falls on the tech community.

Knowledge Sharing and Risk Evaluation

A 2015 IBM study reports that almost 40 percent of large companies, including some in the Fortune 500, are not taking the right precautions to secure the mobile apps they build for customers. This is both a people and a process issue.

In the fast-changing field of information security and data breaches, it’s important for people to keep up to date on new technologies, vulnerabilities and regulations. Resources such as Cybersecurity Nexus (CSX) provide security professionals with skills-based credentialing, training, conferences, publications and career management, as well as opportunities to network with peers in the security industry.

On the process side, mobile app developers, as well as security and audit professionals, will want to consider relevant risk, security and assurance issues when developing or evaluating mobile payment services. Some of these issues include:

- Ensure that the transaction is being carried out by the authorized person. If possible, use two-factor authentication to increase identity protection for the consumer and higher identity assurance to the merchant. For example, use fingerprint for phones that support that biometric.

- Any personal identifying information (PII) should be appropriately protected in accordance with industry or country regulations, such as PCI.

- Evaluate point-of-sale (POS) systems in the case of proximity payments. Organizations should ensure that the third parties with which they interact have robust security governance in place.

- Pay specific attention to the originating point of a mobile transaction—the customer device and the user.

- Ensure appropriate encryption and tokenization methods are used for the transaction.

It’s up to those with the knowledge of mobile payment technology to keep informed and share knowledge with their peers to ensure that it continues to be a safe form of payment for consumers. This is especially urgent as more sectors, such as the retail industry, join the game.

Rob Clyde is the international vice president of ISACA and the managing director of Clyde Consulting.