Peter Caparso, Adyen’s North American President, takes a look at how smart mobile payment protocols balance security, compliance and fraud detection, making them increasingly attractive to retailers looking to offer proper m-commerce.
Merchants are eager to lay claim to their piece of the $240 billion (and growing) m-commerce market. The justification is certainly compelling. More than 75% of the world’s population – that’s 5 billion people – has a mobile phone subscription, nearly 90% of the global population has access to a mobile network, and within five years, people will more frequently choose a mobile device over a PC to access the Internet. With such widespread acceptance of wireless technology, m-commerce is moving quickly into the heart of the mainstream.
For merchants, however, the transition to wireless payments is uncharted territory. In order to minimize risk, smart merchants are developing mobile payment protocols that balance security, innovative wireless technologies and a robust fraud detection capability.
Even established e-commerce merchants have struggled to extend their payment protocols to the mobile realm, where every wireless transaction is an opportunity to compromise customer data. Wireless payments unite players along the entire payment value chain—customers, merchants, mobile network providers, financial institutions, payment processors, even mobile device makers. This convergence creates a complex equation where each payment is, quite literally, a moving target.
Like e-commerce protocols, mobile protocols must fully address identification, access control, and data encryption. Customer authentication and non-repudiation are even more essential with mobile payments. Yet the mobile devices themselves are a key hurdle for mobile security. The limited memory capacity that today’s mobile devices offer makes strong authentication and encryption features difficult. Despite a growing threat of loss, malware and viruses, only 4% of smartphones and tablets are protected with security software. The bottom line is that wireless payment protocols must accommodate a diverse and ever-changing set of device security conventions.
With e-commerce, PCI standards were the game changer that enabled mainstream acceptance of online payments. Mobile payment standards are somewhat more difficult because consumers rely on such a wide range of mobile devices and networks. At this point there are no cohesive m-commerce standards in place. The PCI Standards Council is in the early stage of developing its mobile security standards and market leaders are still building their payment models. Until standards are in place, each merchant will be responsible for ensuring the security of their transactions.
The recommended course of action is to adopt mobile payment protocols that are, at a minimum, fully compliant with existing e-commerce PCI standards. Larger players may be able to develop this level of compliance in-house; however, many merchants are realizing that a ‘go it alone’ mobile development is a high-risk strategy. These merchants often choose to partner with a payment intermediary that has already developed a fully PCI-compliant payment process.
Conventional mobile payment transactions rely on a mobile network to link the merchant, customer and payment intermediaries. But this has proven to be a costly scenario that prevents many merchants from entering the m-commerce arena. To resolve this, one innovative technology—a mobile skin—has eliminated the need to use mobile networks to complete wireless payments. This new “mobile skin” framework was developed by Adyen, a leading payment processing intermediary. Using their mobile skin, wireless payments are rerouted from the mobile network to the merchant’s mobile web payment page, simply removing the network from the payment equation.
When customers use their phones to make a purchase, the network server recognizes the connection to a mobile payment page and reroutes to the merchant’s mobile payment skin. This framework is not only proving to be more cost-effective than conventional solutions, but also seamlessly extends the merchant’s existing e-commerce security standards to the mobile realm.
Mobile fraud is not yet commonplace, but there is no doubt that mobile transactions will be the next target for cybercriminals. After all, a mobile device can be hacked into as easily as a computer, and in the future, sensitive credit data will almost certainly be stored on each mobile device.
There are a variety of fraud detection tools available to both mitigate merchant risk and better protect customer data. Three state-of-the-art technologies—device fingerprinting, extremely persistent cookies and cross-browser technologies—were designed to directly minimize the risk of mobile fraud. Device fingerprinting uniquely ties each mobile device to the shopper making the purchase. This fingerprint allows the merchant to track fraudsters, even when they use false names, addresses or botnets to hide their IP addresses. Similarly, extremely persistent cookies are more difficult to remove from mobile devices, adding a new hurdle for fraudsters trying to avoid detection.
And because wireless transactions are more complex (in that there is not one stationary endpoint), cross-browser identification tools make it possible to identify fraudsters even when they change browsers.
Next-generation payment providers also offer real-time, dynamic risk mitigation tools that allow each merchant to adjust their fraud settings based on their unique market situation. By taking advantage of real-time fraud detection access, merchants can shape a risk detection strategy that specifically fits their business, product and customer demographics, while also allowing for maximum market penetration.
Merchants are learning that there is a fundamental tradeoff between transaction security and customer convenience. The mobile payment field is in the midst of a major transition where a large number of players are being pared down as wireless technologies are being tested and proven. The major players—Visa, Mastercard, Amex, PayPal, Google and Apple—will ultimately have a role in mobile payments; in the end, however, the mobile payment market will be defined by the customer, who demands flexibility and choice. Merchants should be careful not to restrict themselves to a small number of payment options.
Within the next 18 months, the mobile payment industry will settle around the most effective mobile payment solutions. Merchants that fully understand the vulnerabilities throughout their payment equation will be able to establish an effective wireless protocol that protects both their customer and themselves.