Forget EMV. The next battleground for payment security is in consumers’ pockets and hands.
Business Insider reported that “2016 will be a watershed year for the payments industry,” as mobile payments take center stage, and issuers, acquirers, and merchants start to figure out how they can meet their customer demands without risking payment card data privacy and protection. Reporting that around 148 million shoppers around the world will use contactless payment solutions in 2016, the source explained that consumers are eager to start using Apple Pay, Samsung Pay, and many other mobile payment apps.
Adoption rates rise along with security concerns
While that prediction might sound too optimistic given that the uptake of mobile payments was lagging in 2015, experts forecast a turnaround this year. According to a report from Packaged Facts, use of those apps will rise 54 percent in 2016 in the United States, and up through 2019, adoption rates will climb even higher. Researchers said that smartphone ubiquity is responsible.
“Use of mobile payments apps will rise 54% in 2016 in the U.S.”
Beyond that, all signs point to millennials and Generation Z adoption of mobile payments as a major factor influencing the global popularity of this new transactional method. GfK found that those aged between 18 and 24 years will use mobile payment apps twice as frequent as other generations combined. In the past six months, 53 percent of Gen Zers have paid with a mobile device, compared to 37 percent of millennials, 27 percent of Gen Xers and 14 percent of baby boomers.
While there is clearly interest in mobile payments, it goes without saying that the security of these transactional methods is questioned by many. Fifty-two percent of all generations fear the security of their private data when paying with a smartphone or wearable, according to GfK, and only 20 percent of those surveyed think that mobile payments are “100 percent secure.”
It is no wonder that consumers are worried about payment card data protection: Organizations aren’t confident in their abilities to secure that sensitive information. A report from Gemalto stated that 72 percent of businesses think mobile and contactless payments are putting their payment data systems at risk of experiencing a data breach.
Making mobile payments more secure
Simply put, merchants need to overcome mobile payment security challenges. As explained above, the industry is moving toward mobility and the bandwagon isn’t stopping anytime soon. In that regard, businesses must either step up or get out, as consumers slowly but surely abandon brands that do not keep up with the time and accept mobile payments. It’s harsh, yet true.
But there is some relief.
Let’s go over 3 of the biggest mobile payment security challenges and how to solve them.
Challenge 1: Stolen information and devices
Finding a way to protect information and prevent fraud when payment information or smartphones are lost or stolen will likely be the biggest hurdle to clear for merchants. Take a recent article on Forbes for example. Contributor Thomas Fox-Brewster reported on a group of researchers from Pindrop, who put Apple Pay to the test in the case of stolen credit card information. David Dewey of Pindrop added his co-workers’ payment data into the mobile app and discovered that it is way easier than some may think to steal account information and commit fraud. Some banks and issuers asked Dewey to verify some information, which he found online in just a few minutes of searching on Google, on the payment card itself or could simply guess – with only 3-digit CVV numbers, it would only take 1,000 attempts, Fox-Brewster explained.
“Doing so, [Dewey] effectively proved controversial claims made by mobile payments consultant Cherian Abraham a year ago that Apple Pay could be used for such fraudulent purposes,” Fox-Brewster wrote. “Though it’s unclear if it’s as ‘rampant’ as Abraham suggested, it’s also doubtful banks have expended additional effort to prevent stolen credit card use on the platform since early 2015.”
The solution: New processes
It’s clear that in order to prevent payment cards from being used maliciously, organizations need to improve their processes. Beyond that, Dewey suggested that mobile payment app makers put up brute force protections. For retailers, there isn’t much they can do other than flag strange transactions.
Challenge 2: Compromised biometric data
Many security experts cite biometric security solutions as a way to combat fraud. Some proponents include VISA and MasterCard, but IT Pro Portal’s Andre Malinowski brought up a great point: Biometric data can be stolen. In fact, Malinowski reported that the new General Data Protection Regulation, which is expected to go into effect in 2018, will enforce rules regarding the protection of that type of information.
The solution: Forgo biometrics
Google just introduced the world to a new mobile payment solution that could solve the biometrics data theft problem called “Hands Free”. With it, consumers won’t even need to pull out their smartphones to complete mobile payment-enabled transactions. Instead, users will say, “I’ll pay with Google,” and the app will use Bluetooth, Wi-Fi, and other location services to detect if the correct individual is at the right place. Then, the sales representative will compare shoppers to a photograph. Time will tell if this approach to mobile payment security works.
“Cyberattacks are probably the biggest concern for merchants today.”
Challenge 3: Sophisticated cyberattacks
Cyberattacks are probably the biggest concern for merchants today. Whether it’s point-of-sale malware or a man-in-the-middle attack, retailers payment processing environments are at risk. Hackers are able to compromise payment card data as it travels from one system to another, and unless companies can do something to obfuscate this information, breaches will continue to occur.
The solution: Tokenization
Enter tokenization. This data security technique essentially turns payment card data into useless information, ensuring that even when breached, sensitive data will stay out of hackers’ hands. Some mobile payment apps are already leveraging tokenization to protect payment card information, such as Samsung Pay, but if merchants really want to offer secure ways to pay with mobile devices, they too must take advantage of technologies that use tokens in replacement of sensitive data.
At the end of the day, merchants need to find whatever payment processing solution works for them. Often that means tokenization, but by leveraging other security practices in conjunction with tokens, they can truly secure their customers’ data.