Cashless payments and eWallets have boomed in the past two years, but they pose some interesting new challenges to retailers trying to protect themselves and their customers. Jose Diaz, director of payment strategy, Thales e-Security, explains.
It’s been almost two years since cashless payments overtook the use of notes and coins in the UK, and since alternative payments, such as eWallets and bank transfers, overtook card payments globally in the eCommerce space. With mobile solutions such as Apple Pay promising to revolutionise the way we pay when making purchases, and with consumers developing a fondness for contactless payment and the convenience it offers, it can’t be long until we find ourselves in a completely cashless society.
As a result, retailers find themselves having to meet increasing customer demand for faster, easier and more convenient methods of paying in-store.
But convenience doesn’t necessarily go hand in hand with security, and concerns are rife.
Alongside the adoption of digital payments, a significant rise in data breaches and cyber-attacks has led consumers to be fearful that their most valuable financial and personal data might fall into the wrong hands.
Payment service providers, banks and retailers are, therefore, under growing pressure to provide underlying security measures while, at the same time, ensuring customers face as few barriers as possible to a satisfying, friction-free purchasing experience.
A culture of fear
Gartner predicted a 35 percent rise in the volume of global mobile transactions between 2012 and 2017, with almost half of all digital commerce in the US and 38 percent in the UK likely to be made through a mobile device by 2020.
However, a recent survey of UK and US consumers revealed that more than two thirds of shoppers worry about making purchases using contactless technology; the theft of personal financial data being their primary fear. What’s more, two in five UK consumers said they felt more at risk when paying for items and services on their smartphone than they did a year ago.
So, while lip service is certainly being paid to the uptake of mobile payments, these fears mean that actual uptake of the technology has been somewhat slow. In the US, for example, only 12 percent of consumers said they planned to use mobile wallet technology within the next six months.
And this consumer fear may not be unfounded. Indeed, a survey found that almost half of cybersecurity professionals believed mobile payments to be insecure, with the majority claiming that mobile-related breaches are only set to increase in the near future.
The importance of encryption
As with any new technology, new processes will create new security vulnerabilities and possible attack vectors. The theft and misuse of payment data has the potential to very quickly kill off any emerging mobile payment methods.
That said, John Pironti, risk advisor for ISACA, suggested this fear shouldn’t necessarily slow down the adoption of mobile payments, “as long as risk is properly managed, and effective and appropriate security features are in place.”
However, by not implementing appropriately robust security measures, payment security providers put their retail customers at risk of cybercrime and data breaches – both of which can also have a negative effect on brand loyalty.
It’s important, therefore, that retailers recognise the importance of encryption in digital payments.
Strong encryption, underpinned by hardware security modules (HSMs), has been proven time and time again to be the most preferred means of securing payments. HSMs are able to provide organisations offering mobile payments with the trust anchor needed to ensure the highest standards of data protection and management of cryptographic keys, while complying with best practices and the latest pertinent regulations.
With mobile payments in particular, this trust relies on a mixture of a secure registration process, secure delivery of credentials to the user’s phone, and ensuring that the regular replenishment of keys in the phone is always protected. By contrast, on a plastic debit or credit card, the information that needs to be secured is static, and the same keys remain on the card for its entire lifetime.
It’s essential for payment application providers and retailers to recognise differences such as these if innovative new methods such as mobile payments are to succeed. The challenge now is to ensure that any security measures in place address multiple mobile payment solutions in order to guarantee that they cover all the types of payment methods used by a retailer’s customers. Taking time to acknowledge the fact that each solution will have its own unique security threats, and then creating an appropriate risk management approach to address these, is the ideal starting point for retailers hoping to prevent any security concerns in the future.
Mobile payments are growing in popularity but, if they are to become mainstream, payment application providers and retailers need to take action now to ensure that their customers’ data is protected from those with malicious intent.
They must work with banks and payment service providers to ensure that robust encryption, supported by HSMs, is in place to protect payment data from the moment of capture, safeguarding their customers’ information and keeping the bad guys at bay.