Mobile Payments - Is the Risk Worth it?


The channels businesses must support to make paying convenient for their customers now include mobile payment processing. Your smart device is now a cash fixture. With NFC (Near Field Communication) functionality finding its way into all smart devices, the retail environment has a new arena to secure. In Africa in 2013, there were over $20 billion in mobile transactions. Starbucks processed over 6 million mobile transactions in the 3rd quarter of this year alone. The trend, and the immense amount of money transacted over mobile, makes a mobile payment solution mandatory for businesses that want to compete in the modern payment space. Do mobile payments create more risk and more compliance burden? We will look at some of the issues, both positive and negative, that merchants and individuals must face to truly allow an Omni-Channel (accepting payments across multiple mediums, e.g. e-commerce, ACH, etc…) processing environment for their customers.

Does turning smart devices into cash fixtures cause security issues? 

This depends entirely on how security is integrated. Mobile devices are not designed with payment security in mind. Swiping a card through an encrypting reader is good. The challenge is what happens when the card doesn't swipe or the hardware device fails: the user then types the card number into the screen of the smartphone or tablet. A common attacker tactic is to disable the hardware reader, or otherwise cause it to fail, in order to force the user to key the card number on screen, thereby bypassing whatever protection the reader provided.

For merchants, at the moment, the risk of developing a mobile application to take payments depends on the type of app being developed. But whatever the type, and however it is built, if that app is breached, or has a significant vulnerability that somebody can exploit to capture all of the payment card data it accepts, that presents a significant risk to the merchant.

Does the mobile trend help/hurt data security?

The mobile trend has a very different risk profile from what we have seen before. With mobile, you are dealing with someone's personal device, and securing a personal device is challenging: today you can secure a web server, a POS, or any number of other payment acceptance channels because you control them, but you do not control the consumer's handset.

However, there are still things you can do as a merchant when securing a mobile transaction, such as taking payments through a tablet or a mobile application within your store. When going mobile as a merchant, you can design the technology and payment infrastructure around taking payments very securely.

As long as you are developing a secure application, whether a browser based app or more of a thick client app, using sound coding techniques can certainly reduce the risk a merchant introduces to the customers who use their devices to purchase things.

What type of PCI compliance issues does this produce? 

For merchants and anyone else developing mobile applications, the PCI Security Standards Council has released the PCI Mobile Payment Acceptance Security Guidelines for Developers. The Council is heading down the path of developing guidelines and standards for mobile app developers to help secure payments made through mobile applications.

However, there is a "grey area" in how the Council assesses these mobile applications and how they come into scope, because at the end of the day the biggest issue is: "I download a mobile app to use. That runs on my handheld device, so how is a merchant's PCI scope supposed to include somebody's personal handheld device?" That is impossible.

So the Council is aiming its efforts at "go and develop a secure app for mobile payments", requiring merchants to develop secure apps for mobile payments.

Is protecting 5 billion payments on mobile devices feasible? 

Much as PCI did for traditional POS systems, it needs to do for mobile. That won't eliminate the problem, but it will greatly improve mobile payment systems. Again, the crown jewel attackers are going for is much like the Target breach: if you can breach an app, or find a vulnerability in an app that is widely used, you can attack the multitude of customers who may have stored their credit card numbers within that mobile app.

What PCI is doing is pushing the guidelines and requirements for developing secure mobile apps down to merchants and service providers. If a merchant or service provider furnishes an app that will be widely used by a population, it doesn't even need to be sold to be subject to PCI guidelines, much as PA-DSS certified applications are.

By pushing the requirements and the responsibility for developing secure apps down to merchants and service providers, securing 5 billion payments, or 5 billion transactions, on an annual basis becomes a very feasible task.

What security hurdles do companies face in adopting mobile trends?

The security hurdles companies face, whether a merchant or a service provider, are still the risk of handling payment card data and the burden of PCI compliance. If you are going to have a mobile application, you can no longer just hire anyone off the street to develop it. You need to hire someone who is experienced in developing mobile apps securely, or who understands the security technologies that can be baked into the mobile applications you are developing for your customers.

Again, consider the Target breach, where attackers were able to get in and compromise the internal system that pushed software out to the card-swipe POS terminals across Target's stores. Very much the same thing can happen with mobile apps: if an attacker can get in and alter the mobile app code being developed for a merchant or service provider, it is the same kind of scenario, one compromise of the build or distribution path reaching every device that installs the app.

Most importantly, you have to maintain a layered security model, and now mobile apps come into play. Securing them is very similar to securing your web presence: whether it is a thick app or a browser based app, you still have to develop the code securely so it cannot be breached.

What role does tokenization play in mobile payments?

That is where tokenization solves the problem on the device and mobile app side. Once you get back to the merchant's headquarters, where all that credit card data would otherwise be stored, the token that was generated and stored on the mobile device can now be stored at headquarters instead, and a solution like TokenEx, which maintains a data vault mapping those tokens to the credit card numbers, is what reduces the overall risk to the merchant.

From a device standpoint, you definitely want the mobile app to store a token for the consumer rather than the card number. At your headquarters, that big barrel of customer credit card data you are storing is where the risk actually resides.

You want to get that out of the merchant's or service provider's environment, and out of the organization as a whole. You want to get rid of the risk you bring onto your own company. You are protecting the consumer, you are protecting your own company, and you are getting rid of that toxic data in your environment by giving it to someone else.
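The flow described above, as an added example written for this article (it is not TokenEx's product or API): a minimal tokenization vault where the mobile app and the merchant's back office only ever hold a token, the card number lives in the vault, and only the processor gateway may swap a token back for a card number. It also shows where the manual-entry fallback from the earlier section should land: the PAN is tokenized at capture and never retained on the device. The class names, the rule that tokens keep the last four digits but are deliberately Luhn-invalid, the caller allow-list for detokenization, and the test card number are all assumptions made for the example.

```python
# Added example for this article, not TokenEx's code or API.
# Assumptions (not from the article): tokens keep the card's last four
# digits, are deliberately Luhn-invalid so they can never pass as a real
# card number, and detokenization is gated on a caller identity string.
import secrets


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: validates PANs and rejects tokens that would
    otherwise look like real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Holds the only copy of each PAN. Everything else stores tokens."""

    DETOKENIZE_ALLOWED = {"processor-gateway"}   # assumed allow-list

    def __init__(self):
        self._pan_by_token = {}
        # same card -> same token, so a merchant can recognise a repeat customer
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]          # keep last four for receipts
            # reject a token that collides or that would pass a Luhn check
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self.DETOKENIZE_ALLOWED:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


class MobileWallet:
    """Device side: the PAN is tokenized at capture and never kept, whether
    it came from the encrypting reader or from manual key entry."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.stored_token = None

    def add_card(self, pan: str) -> None:
        self.stored_token = self._vault.tokenize(pan)   # PAN is dropped after this call

    def pay(self, amount_cents: int) -> dict:
        return {"token": self.stored_token, "amount_cents": amount_cents}


class MerchantBackend:
    """Headquarters side: its records carry tokens only. Here the merchant
    code stands in for the processor gateway when it charges the card."""

    def __init__(self, vault: TokenVault):
        self._vault = vault
        self.ledger = []   # what a breach of headquarters would expose

    def charge(self, request: dict) -> str:
        self.ledger.append(dict(request))
        pan = self._vault.detokenize(request["token"], caller="processor-gateway")
        # the PAN is in memory only for the duration of this call
        return f"approved ****{pan[-4:]}"


def demo():
    vault = TokenVault()
    wallet = MobileWallet(vault)
    wallet.add_card("4111 1111 1111 1111")   # constructed test card number
    merchant = MerchantBackend(vault)
    result = merchant.charge(wallet.pay(1299))
    return vault, wallet, merchant, result
```

The point to take from `demo()` is what each party ends up holding: the wallet and the merchant ledger contain a random, Luhn-invalid token ending in the card's last four digits, and a dump of either one yields nothing an attacker can charge. A real vault would persist the mapping under encryption and authenticate callers with credentials rather than a string, but the division of responsibility is the same.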

Mobile Payments Demand Security Solutions

If you want to be a player in the new Omni-Channel environment, then you must have a mobile payment solution. Cloud tokenization removes the toxic data from your environment while giving you unlimited flexibility in how you store, secure, and access your information. In layman's terms, you have access to your data whenever you need it, and it does not matter which payment processor you use. You also reduce your PCI compliance scope by up to 95%. To learn more about how most TokenEx customers are able to save enough in auditing expenses to pay for the service, visit us on Twitter and LinkedIn.

Topic(s): payments , data security , PCI DSS , tokenization
