By Christos Dimitriadis
Given the steady diet of data breaches and identity thefts in the news, businesses and consumers are rightfully concerned about protecting data during transactions. Recent advances in mobile payment security should help ease some of that trepidation.
Global IT association ISACA is challenging perceptions about mobile payment security with its recent white paper, “Is Mobile the Winner in Payment Security?” In comparison to plastic payment cards and online shopping websites, mobile payments have the potential to be more secure and provide substantial advantages for both consumers and businesses.
Mobile payment technology has improved dramatically in recent years, with tokenization playing an especially significant role. Secure mobile payment applications—mobile wallets—do not transmit a card’s primary account number (PAN), instead sending a randomly generated token to the point-of-sale (POS) terminal and payment network. The token safeguards the consumer’s data while in transit.
Contrast this with plastic payment cards—with the PAN stamped onto them and the vulnerable magnetic stripe on the back of the cards—and it is clear that mobile technology lessens the opportunity for fraud.
Other components that have strengthened mobile payment security include device-specific cryptograms (ensuring that the payment originated from the cardholder’s device) and two-factor authentication (providing an additional layer to guard against fraud).
Mobile payment technology also carries security benefits when a device containing a mobile wallet is lost or stolen. The mobile device can be remotely erased, and since the consumer’s payment card information is not on the mobile device, no payment cards need to be replaced. Even if the device is not erased, the small number of stored tokens would not enable the level of fraud of a stolen PAN.
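A simplified model of the token and device-cryptogram checks described above, added here as an illustration and not taken from the ISACA white paper or any payment network's specification. `TokenVault`, `make_cryptogram` and the HMAC construction are assumptions, and the card number is a constructed sample.

```python
import hashlib
import hmac
import secrets

class TokenVault:
    """Hypothetical token service: the only place a token maps back to a PAN."""
    def __init__(self):
        self._records = {}  # token -> {"pan", "key", "counter"}

    def provision(self, pan):
        """Issue a random token and a per-device key for one wallet."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        key = secrets.token_bytes(32)
        self._records[token] = {"pan": pan, "key": key, "counter": 0}
        return token, key

    def authorize(self, token, amount_cents, counter, cryptogram):
        """Return the PAN for a valid payment, or None if it must be declined."""
        rec = self._records.get(token)
        if rec is None or counter <= rec["counter"]:
            return None  # unknown or revoked token, or a replayed counter
        expected = make_cryptogram(rec["key"], token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return None  # not produced by the provisioned device
        rec["counter"] = counter
        return rec["pan"]

    def revoke(self, token):
        """Lost device: drop the token; the card itself stays valid."""
        self._records.pop(token, None)

def make_cryptogram(device_key, token, amount_cents, counter):
    """Wallet side: bind token, amount and counter to the device key."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def demo():
    vault = TokenVault()
    token, key = vault.provision("4111111111111111")  # constructed sample PAN
    good = make_cryptogram(key, token, 1250, 1)
    results = {
        "genuine": vault.authorize(token, 1250, 1, good) is not None,
        "replayed": vault.authorize(token, 1250, 1, good) is None,
        "token_without_key": vault.authorize(
            token, 1250, 2, make_cryptogram(b"\x00" * 32, token, 1250, 2)) is None,
    }
    vault.revoke(token)
    results["after_revoke"] = vault.authorize(
        token, 1250, 3, make_cryptogram(key, token, 1250, 3)) is None
    return results
```

Calling `demo()` returns a dictionary in which every check is `True`: the genuine payment is approved, while a replayed cryptogram, a token presented without the device key, and a revoked token are all declined.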
How Security Can Act as a Business Enabler
Mobile payments, with embedded, improved and transparent security controls, provide an example of how security can act as a business enabler, contributing to the creation of user trust.
From a business perspective, support of mobile payments can directly add value. Enterprises stand to benefit from the adoption of mobile payments in numerous ways, including:
· The ability to support customer satisfaction and potentially expand the customer base
· The reduction of fraud (thereby lowering costs)
· An opportunity for more streamlined operations and integrated recordkeeping
· The capability of offering more robust customer loyalty programs.
Yet, perceptions in the marketplace—as well as among security experts—lag behind this promising reality. ISACA’s “2015 Mobile Payment Security Study” shows that only 23 percent of IT and cyber-security professionals said they believe mobile payments keep personal information safe.
Considering the tremendous global impact of mobile payments, it is important to dispel these misconceptions. By 2019, the number of mobile payment users worldwide is expected to exceed 1 billion, according to Ovum. How high might that total rise once the security benefits of mobile payments become more widely recognized?
While mobile payments can potentially add substantial value to enterprises, the possible risks must also be understood and addressed. This should not dissuade organizations from considering mobile payments; virtually all forms of technology come with elements of risk. Evaluating the control measures needed to address potential threats will enable organizations to make holistic decisions about whether—and how—to proceed with mobile payment adoption.
Payment security will be an ongoing challenge as criminals continue to explore new ways to compromise consumer data and steal identities. But individuals and organizations should be mindful that recent strides in mobile payment technology offer many security advantages compared to traditional payment methods.
Advances in the security of mobile payments provide a prime example of the positive potential of technology. The sooner that awareness spreads, the sooner businesses and their customers can benefit from this important progress.
Christos Dimitriadis, Ph.D., CISA, CISM, CRISC, is chair of ISACA’s board of directors and group director of information security for INTRALOT.