Securing Mobile Payments – It’s Still Early

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base and former E-Commerce and Security analyst with Gartner.

Mobile payments are exciting, no question about it. The very idea of allowing consumers to buy stuff anywhere, at any time, with the touch of a button, gets retail, banking and communications executives to the point where you almost have to hose them down. So, what better way to ruin the party than to bring up security and compliance issues?

Actually, the need for this emerging payment “channel” and the specific payment platforms, software and services to be PCI compliant should be obvious. After all, the PCI standards have been around for about 5 years, so one would assume that PCI compliance would be “built in” to mobile payment products and services.

However, if you assumed that, you'd be wrong. We’re still far more focused on selling mobile payment to merchants, and much less focused on securing mobile payment and ensuring that the approaches are PCI compliant.

  • Is Everyone Doing a Mobile Payment Pilot?
    Mobile payment is all about pilots. There are currently hundreds, perhaps thousands of them. It makes sense. Between technical viability, transaction management and consumer usability there are a ton of issues that have to be resolved. There are also myriad ways to do mobile payment: contactless smart cards, RFID stickers on mobile phones, payment-capable chips for phones and next generation PDAs. It’s difficult for a retailer to decide which of the dozen possible mobile payment pilots are worth pursuing.

    It’s not my place to help select one platform over another. However, I believe it is very reasonable for merchants to add PCI compliance to the requirements for mobile payment pilots. While that may seem obvious to some, it isn’t.

  • PCI Compliance Isn’t Built-In to Most Mobile Payment Platforms
    We started work on mobile payment security for a restaurant industry project and we were surprised that two recent, and otherwise comprehensive, reports on mobile payments and security either didn’t mention PCI compliance at all, or mentioned it only in passing.

    In April 2009, Global Platform (“the standard for the smart card infrastructure”) wrote a 35-page report on Near Field Communication (NFC) Mobile Payment and Secure Element Management that doesn’t mention PCI compliance whatsoever. A May 2009 paper from the Smartcard Alliance on the Security of Proximity Mobile Payments says only that NFC payment platforms should be designed to address “industry best practices, such as PCI DSS, dynamic cryptograms and multi-factor authentication.”My point is: If we are still at the point where we’re saying that mobile payment security and compliance is a “good idea,” are these mobile payment offerings really ready for prime time? Or is mobile payment just another example of a hot technology that winds up in “perpetual pilot” because it cannot be made secure enough to prevent fraud in a production environment?

  • Mobile PCI Compliance and the Trusted Service Manager
    Actually, we’re pretty positive that mobile payment will provide a secure, PCI compliant payments ecosystem. Maybe not in 2009, but possibly by 2010 or 2011. That's because one of the most common mobile payments models fits right in with a major trend we see in our research – the outsourcing of payment processing and management, to the greatest extent possible.

    The model we’re referring to relies on a Trusted Service Manager (TSM), which is the entity in the mobile payment value chain that provides end-to-end payment security, manages the payment application and the interface to the merchant, the financial institution and is responsible for service delivery and the user interface. In short, the TSM is the one to blame if the mobile payment system doesn’t work, the payment device (phone) is lost or a fraudulent transaction is detected.

    But who are the TSMs? Logical candidates are phone companies, credit card networks, and banks – most likely locked together in partnership. I suspect it will take several years before all this shakes out. In the meantime, when is it safe for retailers to move beyond pilots and begin investing in new contactless POS devices?

  • The Bottom Line
    I believe mobile payment investment is justifiable for those merchants who target the youth market or have a substantial presence in Asia and the parts of Europe where mobile payment is accepted already and large numbers of people carry mobile devices capable of secure payments. In North America, I would look to university pilots to be most successful. The demographics are right for both consumer-to-business and consumer-to-consumer payments.

    In any case, retailers need to be very careful that their pilots are run in a restricted environment, so that their overall PCI compliance will not be affected, and they need to be very dogmatic in their insistence on proof of PCI compliance on the part of the providers of the components of the pilots.

    Again, it’s early yet, and we expect mobile payment security will be a very hot issue in 2010 and 2011. We’d love to speak with anyone involved in the sector, to broaden our mobile PCI best practices research. Please visit the PCI Knowledge Base, and our “Contact us” page, or if you want to have a personal discussion about PCI and mobile payment issues, just send me an E-Mail at [email protected].