Mobile card acceptance is seeing tremendous growth. The total value of mobile payment transactions in the U.S. alone will grow 210 percent in 2016, according to the latest forecast from eMarketer. The research firm expects that 37.5 million people in the U.S. will use proximity mobile payments in 2016, a 61.8 percent increase over last year. That translates to just over $27 billion total mobile payment transactions, a $19 billion increase over 2015.
However, the card acceptance network has typically only catered to established businesses. That means there is huge potential to penetrate the SMB market, taking card payments on the move in street markets, pop-up shops, restaurants and food trucks, or when making home deliveries.
This would essentially enable a cashless society. Going cashless holds many benefits, including safety and convenience. Rather than riffling through a wallet full of cash, a mobile payment is quick and discreet – and is less likely to attract the attention of thieves. Once cash is lost or stolen, it’s gone for good, but card payment methods—including both physical cards and mobile wallets—can be cancelled or switched off quickly. Lending and borrowing money between users becomes as easy as a tap or a wave of a smartphone.
All purchases on payment cards are recorded, allowing consumers to prove their payments were made if need be and to dispute or stop an unauthorized transaction. In addition, this record of all digital payment transactions makes it almost impossible to sustain black market or underground economies, which often undermine national economies. A cashless society makes criminal activity and tax evasion much more risky and difficult, so going cashless increases government revenue and reduces crime. Sweden, Israel and Thailand are already considering the move to cashless societies.
Requirements for Secure Mobile Payments
The creation of cashless societies requires high levels of security in the mobile world. Cyber criminals, spurred on by the promise of huge financial reward, create increasingly sophisticated attack vectors, including attacks on payment devices themselves. Mobile point of sale (mPOS) uses a low-cost card reader connected to a mobile phone or tablet to accept payments from both EMV and magnetic stripe payment cards. As with traditional POS, it is critical that the card reader encrypt the sensitive payment data it receives.
One of today’s best practices for keeping sensitive card data safe is deploying P2PE. Organizations and governments can reduce their risk and fear if the sensitive cardholder data in their possession is unusable nonsense to hackers. This is why P2PE is so pivotal in reducing fraud. Another best practice is using HSMs in the processing environment to protect keys, manage risk on payment credentials and provide a secure and compliant trust environment. Why? Read on.
HCE, P2PE and HSMs
Host Card Emulation (HCE) holds significant market advantages over other methods used for making payments via mobile devices. HCE has much broader applicability because the security of the payment data and transaction are not dependent on hardware embedded in the phone. Any smartphone could use the HCE approach by loading payment credentials on the device and using it in place of a physical card.
HCE-based applications use the NFC (near field communication) controller on mobile devices to interact with a contactless POS terminal. Yet because the application cannot rely on secure hardware embedded in the phone for protection of the payment credentials, alternative approaches have to be used – including tokenizing payment credential numbers as well as actively managing and rotating keys used for transaction authorization. This enables issuers to manage the risk of having a less secure mobile device environment for payment credential data.
Alternative approaches like these require hardware security modules (HSMs) in the issuer environment to create the rotating keys as well as send them securely to the mobile device. HSMs are also a crucial factor in the tokenization and transaction authorization process. The HCE infrastructure does not actually introduce any new security processes or procedures for retailers and processors; it just enables issuers to combine their existing strong security practices—comprising key generation/distribution, data encryption and message authentication—into a cohesive offering to enable payments with mobile devices.
Making Cashless Payments Work
An innovative payment technology company created a mobile point of sale (mPOS) solution, the first Visa Ready and MasterCard self-certified mobile card payment acceptance solution for merchants and acquirers throughout the United Arab Emirates (UAE). The company needed to secure the solution, which allows merchants of all sizes to accept payments using just a standard smartphone or tablet and a low-cost mobile card reader.
The company deployed HSMs to support end-to-end encryption of the payment data, making their mPOS a highly secure solution. It integrates payShield HSMs with mobile card readers to enable a point-to-point encryption (P2PE) zone to be established between the card acceptance point and the internet-based payment gateway. The solution enables affordable, on-the-go payments for merchants of any size and transactions for home delivery drivers who require payment on delivery.
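The requirement stated in the "Requirements for Secure Mobile Payments" section (the reader must encrypt card data as it receives it) and the P2PE zone described in the case study above share one structure: the reader and the gateway HSM hold the same base key, the merchant's phone app in between only relays ciphertext, and the gateway verifies and decrypts. The Python model below, an added example rather than code from the article or from the vendor it describes, shows that structure with a per-transaction key derived from a counter, encrypt-then-MAC protection of the card data, and the two failure cases a gateway should catch (altered data, replayed message). The HMAC-based key derivation stands in for a DUKPT-style scheme and the HMAC-SHA256 keystream is a standard-library stand-in for the AES modes a real reader would use; both are assumptions made so the example runs without third-party packages.

```python
"""Model of a P2PE zone: encrypting card reader, relay-only merchant app, gateway HSM.
Added example; the key derivation and the stream cipher are stdlib stand-ins."""
import hashlib
import hmac
import json
import secrets


def derive_txn_key(base_key: bytes, reader_id: str, counter: int) -> bytes:
    """Per-transaction key: only a holder of base_key can reproduce it."""
    label = reader_id.encode() + counter.to_bytes(4, "big")
    return hmac.new(base_key, label, hashlib.sha256).digest()


def split_key(txn_key: bytes) -> tuple:
    """Separate encryption and MAC keys so one key never serves both purposes."""
    enc = hmac.new(txn_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(txn_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CardReader:
    """The only merchant-side component that ever holds key material."""

    def __init__(self, reader_id: str, base_key: bytes):
        self.reader_id = reader_id
        self._base_key = base_key    # injected before deployment; never exported
        self.counter = 0

    def read_card(self, pan: str, expiry: str) -> dict:
        self.counter += 1
        txn_key = derive_txn_key(self._base_key, self.reader_id, self.counter)
        enc_key, mac_key = split_key(txn_key)
        nonce = secrets.token_bytes(12)
        plaintext = json.dumps({"pan": pan, "expiry": expiry}).encode()
        ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
        tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
        return {"reader_id": self.reader_id, "counter": self.counter,
                "nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


class GatewayHSM:
    """Gateway end of the P2PE zone: re-derives the key, checks, then decrypts."""

    def __init__(self, base_keys: dict):
        self._base_keys = dict(base_keys)   # reader_id -> base key
        self._last_counter = {}             # reader_id -> highest counter accepted

    def decrypt(self, msg: dict) -> dict:
        rid = msg["reader_id"]
        if msg["counter"] <= self._last_counter.get(rid, 0):
            raise ValueError("replayed or out-of-order transaction counter")
        enc_key, mac_key = split_key(derive_txn_key(self._base_keys[rid], rid, msg["counter"]))
        nonce, ct = bytes.fromhex(msg["nonce"]), bytes.fromhex(msg["ciphertext"])
        expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
            raise ValueError("tag mismatch: data altered between reader and gateway")
        self._last_counter[rid] = msg["counter"]   # record only after a valid message
        return json.loads(xor_bytes(ct, keystream(enc_key, nonce, len(ct))))


def run_demo() -> dict:
    """Constructed scenario: one reader, one gateway, a tampered copy and a replay."""
    base_key = secrets.token_bytes(32)
    reader = CardReader("reader-001", base_key)
    gateway = GatewayHSM({"reader-001": base_key})
    pan = "4111111111111111"                       # constructed test PAN
    msg = reader.read_card(pan, "12/29")
    app_saw_pan = pan in json.dumps(msg)           # the phone app only relays this dict
    flipped = "1" if msg["ciphertext"][0] == "0" else "0"
    tampered = dict(msg, ciphertext=flipped + msg["ciphertext"][1:])
    try:
        gateway.decrypt(tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    decrypted = gateway.decrypt(msg)               # the genuine message still works
    try:
        gateway.decrypt(msg)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {"decrypted": decrypted, "app_saw_pan": app_saw_pan,
            "tamper_rejected": tamper_rejected, "replay_rejected": replay_rejected}
```

Two design details carry the security argument: the gateway records a reader's counter only after the tag verifies, so a tampered message cannot burn a counter value, and the tag covers the nonce as well as the ciphertext, so neither can be swapped without detection. The merchant app and the device it runs on are outside the zone by construction, which is what lets a standard smartphone serve as the acceptance device.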
Securing the Cashless Society
As the world adopts a mobile-first mindset, consumers are demanding greater payment convenience. At the same time, governments are recognizing the benefits—both to the governments and their citizens—of converting to a cashless society. For this to work, security must be ironclad. P2PE is critical, and HSMs are a necessary partner in making security viable in mobile environments. HSMs enable those who take cashless payments to defend against data extraction threats, instilling consumer confidence in the idea of a society without paper money.
About the author:
Peter Galvin is a product and marketing strategist for Thales e-Security with over two decades of experience in the high tech industry. He has worked for Oracle, Inktomi, Openwave, Proofpoint, and SOASTA.