Mobile payments are starting to gain a foothold in the U.S. More and more retailers are enabling customers to use technologies such as Android Pay, Apple Pay and Samsung Pay. However, these payment apps are still relatively unknown and highly underutilized.
When I discuss mobile payments with friends and colleagues — people including IT and security professionals, a bank chairman and close relatives — the conversation is very predictable. It goes something like this: “Oh, I don’t know about that. It seems risky.” There’s a general lack of trust and people aren’t willing to take that chance with their credit cards — but why?
Times Are Changing for Retailers and Consumers
For many consumers, the fear of having their credit card information exposed outweighs the benefits of mobile payments. I don’t fully understand why, but I believe it’s related to change. Humans are, by and large, averse to change. Due to the data breaches against U.S. companies and the fact that the typical consumer doesn’t understand how mobile payments work, the acceptance of this technology in the U.S. has been lukewarm at best.
That’s going to change over the next few years because MasterCard and Visa are mandating contactless payments in all retailers by 2020. In the meantime, what can retailers, processors and banks do to promote this amazing technology?
It’s really all about education — simplifying what appears to be a mysterious payment feature into something that everyday people understand. To summarize, both Android Pay and Apple Pay use near-field communication (NFC) to send payment data from the phone to the reader at the checkout counter. This short-range wireless communication method is supported in the iPhone 6 and newer models, as well as most flagship Android phones since the release of KitKat. Android Pay and Apple Pay require the checkout line’s personal identification number (PIN) pad to have NFC built in and enabled. Samsung Pay uses NFC as well, but also has magnetic secure transmission (MST) technology, which emulates a typical credit card swipe.
Rather than using the actual cardholder data, all three of these mobile payment technologies use tokenization to represent the credit card number rather than using the actual number. This helps prevent the cardholder’s data from being exposed. None of these technologies will work unless the device’s screen locking capability is enabled and the device is unlocked when the payment occurs. Apple Pay and Samsung Pay keep the tokens in a secure chip on the device. Android Pay gets its tokens from the cloud but keeps a small number offline to allow it to work when the device is offline.
Securing Mobile Payments
As for exploitability, at least in today’s terms, criminals could access the cards by finding a way to authenticate the device on both iOS and Android. This requires the phone to be held within inches of the reader. Remote tracking and wipe controls found in Android’s Find My Device feature and Apple’s Find My Phone tool can add an extra layer of security in the event a device is compromised.
Enabling these technologies just takes a few seconds: Simply open the app, snap a picture of your credit card and off you go. An additional authentication or verification step may be required, depending on the card issuer. It’s that easy.
To further ensure the security of mobile payments, Google offers a set of services and application program interfaces (APIs) called SafetyNet, which is built into Google Play Services. SafetyNet checks whether a mobile device has been rooted, has had the bootloader unlocked, is running a custom ROM or is infected with malware. For Android Pay to work on a device, it must pass the Compatibility Test Suite (CTS). When you root or install a custom ROM, the device is no longer CTS-compatible. If your device meets one of the criteria that SafetyNet checks for, Android Pay will no longer run. This measure is designed to protect you from an outside source that could potentially read Android Pay data.
I’ve been using Android Pay for over a year now, and it’s been an interesting journey. Most retailers lack training in mobile payment technology, which certainly isn’t helping its current and future growth. They have no idea what it means to pay with a phone, even when their company supports mobile payment. Many don’t even know which buttons to push on the register when someone asks to pay via mobile. Some retail employees insist they don’t have mobile payment capabilities even when the contactless logo is displayed on the terminal. It blows their minds when it works! In fact, on several occasions, my teenage son and I were suspected of hacking into the register by paying via mobile phone, even though the transaction was closed out and a receipt printed. There’s even a story of a shopper at a Florida Publix who was told that he couldn’t use that form of payment because the cashier and store manager thought he was committing fraud.
The Myth of Mobile Insecurity
To me, mobile payment technologies are much more secure than consumers carrying physical cards in their wallets, purses or pockets. If a breach does occur, many banks offer zero-liability protection if cards are then used fraudulently. There’s really nothing to lose. It could be argued that even enterprise security as a whole can benefit from employees running more modern (and more secure) phones with screen locking enabled.
Economics of mobile payment transactions aside, retailers and everyone up and down the food chain, including mobile terminal manufacturers such as Square and Clover, should embrace this technology. Training is crucial. Educating merchants about mobile payments can go a long way. Displaying decals, which Google, Apple and Samsung provide for free, on storefronts and at registers can help as well. From the perspective of this consumer, mobile payments seem like a no-brainer, especially given the potential boost in checkout line efficiency.
Embracing Change
Just because mobile payment technologies and processes are secure doesn’t mean that everything behind the scenes is rosy. You have to look at the bigger picture of mobile payments in the enterprise and consider the security of systems, network communication and business workflows after these transactions are made.
Still, the technology is proven. Ditto for its security — at least for now. Large corporations that have suffered high-profile breaches haven’t let security get in the way of business. Furthermore, most people are willing to use web browsers and random mobile apps without thinking twice about privacy or security concerns.
So what’s the holdup with Android Pay, Apple Pay, Samsung Pay and whatever’s next? With innovations in mobile payment technologies and the move to eliminate signatures at the checkout counter, we’re not only moving on to a new level of technology, but also a new level of trust that’s simply expected.
People, especially younger generations, look for and want to use this type of modern technology. It’s helpful and there’s a bit of a wow factor. With the proper training, this technology can help retailers gain significant efficiencies. Everyone wins.
As of now, there’s no real reason for security concern over mobile payments. As I’ve said before, if we’re looking to truly eliminate the low-hanging fruit that really gets businesses into trouble, we’ve got much bigger fish to fry.
Independent Information Security Consultant