Advances in Mobile Payment Security

Repeatedly, security concerns are cited as the primary reason why consumers are not wholeheartedly embracing mobile payment services. That makes sense, since no one wants to hand over financial data to a provider or service they don’t trust. Establishing trust, then, is paramount to the success of the mobile payment arena. Encrypting this sensitive data can go a long way toward gaining that trust. The EMV card, with its secure microchip for transmitting data, is a physical asset; how can we mimic this level of security virtually?

The answer is here: HCE (host card emulation). Until HCE came along, mobile payment providers’ organizations had to either store credentials in a specialist security chip (Secure Element (SE)) in the phone or use Card On File credentials in the cloud. The first model effectively turns the phone into a mobile wallet, with the SE performing the same function as the chip on an EMV card. The ‘”cloud” option, however, was simply a case of storing basic payment information, such as Card Number and Expiry Date or Sort Code and Account Number on the Internet.

HCE enables merchants to offer payment card solutions more easily through mobile, closed-loop payment solutions and real-time distribution of payment cards. Importantly, HCE allows for easy deployment that does not require a change of software within the terminal. HCE eliminates the need for SE because the full payment card data no longer needs to reside on a physical chip. Organizations that desire to use mobile payments can now do so without high up-front costs and complicated partner relationships.

The steps required to move the storage of credit card data from the chip to a secure cloud environment present problems. In order to complete a transaction, your phone will have to connect to the Internet, wait for the crypto to be carried out, and receive a response. Even under the best circumstances, this will be difficult to complete in the time required by card schemes. Of course, with no signal, it would be impossible. The solution that is being proposed to combat this utilises a concept called “tokenization.” Instead of having to connect to the Internet every time you spend, limited-use virtual cards would be stored on your phone.

Storing this information creates yet more security issues. Now thieves won’t have to steal your wallet, or even your phone, to access your money. There is the potential for criminals to clone the phone and request the card information, or even write malware to reside on the phone that will send the virtual card to the thief instantly.

Exploiting Smartphone Features

The choice of authentication method will prove central to the security of mobile payments.

We must be able to bind the identity of the user to the authorization of the transaction. While banks are extremely familiar with data protection requirements, challengers with less data handling experience will need to be extremely mindful of authentication and risk assessment.

To assist with authenticating the user and determining risk assessment for each transaction, certain features of smartphones can be exploited. GPS data, 3G location, proximity to wifi locations and the number and type of applications on the device build a unique fingerprint for each phone. Although not bullet proof, they can constitute a valuable asset to determine the likelihood of a fraudulent transaction. This also brings the potential to streamline the consumer experience in-store, lowering authentication barriers ifthe likelihood that it’s the approved user is high and introducing barriers to disrupt the payment journey if in doubt.

Security challenges regarding the creation of a risk-based authentication picture exist as well. All this analysis depends on data – reams of personal data that represents an attractive target for malicious hackers, and must be protected against attack. Protecting all this stored personal data goes well beyond the usual password database problem in terms of both volume and sensitivity – authentication is moving from being a “password problem” to a “big data problem.” Information must be carefully encrypted, to neutralize it and minimize the impact of its loss or theft.

HCE has been benefited the mobile payments industry immensely and will continue to advance the mobilepayment ecosystem as more providers, freed from the constraints of SE-based services, hop on the bandwagon. Savvy consumers demand ease of use, but they also demand security of their sensitive data before they will entrust it to providers. That’s why it’s necessary to use every possible resource to provide a safe mobile payment experience and thereby ensure the success of the industry.