Adobe’s Digital Index revealed that Cyber Monday 2015 was the largest online sales day in history. More than $514 million in sales were attributed to mobile, including $313 million from smartphones and $201 million from tablets. That trend is predicted to continue throughout the holiday shopping season, as will the increased use of mobile payment methods like Apple Pay, Samsung Pay and Google Wallet.
While this development is welcomed by retailers, payment providers and financial institutions, recent research from ISACA suggests that an overwhelming number of cybersecurity experts (87 percent) expect to see a boost in mobile payment-related cybersecurity breaches over the next year. Disturbingly, the report indicates that these experts are resigned to breaches as an acceptable trade-off for greater adoption rates.
Though this data may make some reluctant to be involved in mobile payment methods, there’s more than one side to this story. The greatest advantage of mobile payments is that they can bring more security into the payment landscape with more dynamic data for transactions rather than the static data that payment systems used to deal with.
Changes in the Payment Landscape
The 2015 holiday shopping season comes on the heels of the EMV liability shift in the U.S. There are several factors at play right now: consumers are still getting used to EMV, and merchants are still getting used to both EMV and mobile. One of the biggest advantages for mobile this holiday season, however, is in-app payments and their contribution to an increase in online purchasing.
Greater purchasing simplicity, from the consumer’s perspective, is becoming a priority.
Using a mobile device, a consumer can buy a gift at a large online retailer, for instance, and pay directly from the app using cards in the consumer’s mobile wallet. Uber is an example of mobile simplicity. Uber has integrated payment in its app, with a choice of payment methods. There is no payment process to go through with an Uber driver; everything has already been agreed upon and payment is automatically made. The simplicity that mobile can bring into the equation for purchasing either goods or services is sure to have a positive impact on the holiday shopping season.
Time will tell whether mobile payment options will help streamline purchasing, from a sales and checkout perspective, at a brick-and-mortar store. Success will depend on the level of integration. If a retailer is using mobile devices for payment acceptance, or perhaps a consumer has a mobile app for that retailer, the mobile device could be used to handle the payment right there in the store – no more waiting in line. This gives merchants greater flexibility in assisting customers and better leveraging the standard seasonal staff additions. In-store purchases could be handled by a few roaming check-out clerks supplementing regular check-out stations.
The greatest advantage of mobile payments is the security they can bring to the transaction. While several methods exist for enabling the use of mobile devices for making payments, host card emulation (HCE) has distinct market advantages. Because the security of the payment data and transaction does not depend on hardware embedded in the phone, HCE has much broader applicability. Any smartphone could use the HCE approach by loading payment credentials on the device and using it in place of a physical card.
To interact with a contactless POS terminal, HCE-based applications leverage the near field communications (NFC) controller on mobile devices. However, since the application cannot rely on secure hardware embedded in the phone for protection of the payment credentials, alternative approaches for protecting sensitive data and transaction security have to be used. These approaches include tokenizing payment credential numbers as well as actively managing and rotating keys used for transaction authorization. This enables issuers to manage the risk introduced by having a less secure mobile device environment for payment credential data.
To create the rotating keys and send them securely to the mobile device, these alternative approaches rely on hardware security modules (HSMs) in the issuer environment. The HSMs are also a critical part of the tokenization and transaction authorization process. The HCE infrastructure does not actually introduce any new security processes or procedures for retailers and processors; it just enables issuers to combine their existing strong security practices (key generation/distribution, data encryption and message authentication) into a cohesive offering to enable payments with mobile devices.
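The issuer-side flow described above (a tokenized card number, rotating keys derived from a master key, and a message authentication check on each transaction) can be sketched as follows. This is an added illustration, not code from the article or from any payment scheme: the Issuer class and its method names are hypothetical, HMAC-SHA256 stands in for the scheme-specific key derivation and cryptogram algorithms, and the master key that sits in a Python variable here would stay inside the HSM.

```python
import hashlib
import hmac

def _mac(key: bytes, *fields: bytes) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def cryptogram(luk: bytes, atc: int, amount_cents: int, nonce: bytes) -> bytes:
    """Device side: MAC the dynamic transaction data with the limited-use key."""
    return _mac(luk, atc.to_bytes(4, "big"), amount_cents.to_bytes(8, "big"), nonce)[:8]

class Issuer:
    """Hypothetical model of the HSM-backed issuer environment."""
    def __init__(self, master_key: bytes):
        self._master = master_key   # assumption: held in the HSM, never exported
        self._vault = {}            # token -> real card number (PAN)
        self._state = {}            # token -> [current key index, last counter]

    def provision(self, token: str, pan: str) -> bytes:
        self._vault[token] = pan
        self._state[token] = [0, -1]
        return self.rotate(token)

    def rotate(self, token: str) -> bytes:
        """Issue the next limited-use key; the previous one stops authorizing."""
        st = self._state[token]
        st[0] += 1
        return self._luk(token, st[0])

    def _luk(self, token: str, index: int) -> bytes:
        return _mac(self._master, b"LUK", token.encode(), index.to_bytes(4, "big"))

    def authorize(self, token, atc, amount_cents, nonce, tag) -> str:
        st = self._state.get(token)
        if st is None:
            return "DECLINE: unknown token"
        expected = cryptogram(self._luk(token, st[0]), atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, tag):
            return "DECLINE: bad cryptogram"
        if atc <= st[1]:            # counter must strictly increase
            return "DECLINE: replayed counter"
        st[1] = atc
        return "APPROVE PAN ending " + self._vault[token][-4:]

if __name__ == "__main__":
    issuer = Issuer(b"\x11" * 32)   # constructed test key, token and PAN
    luk = issuer.provision("4900000000000001", "4111111111111111")
    tag = cryptogram(luk, 1, 2599, b"\x01\x02\x03\x04")
    print(issuer.authorize("4900000000000001", 1, 2599, b"\x01\x02\x03\x04", tag))
```

The merchant and terminal only ever handle the token and a per-transaction cryptogram, so a captured transaction or a key copied from the phone stops being useful once the counter advances or the issuer rotates the key.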
Reason to Rejoice This Season
Shoppers are increasingly choosing the ease and convenience of mobile payments during this busy gift-buying season. Hackers are out in force as well, looking for any vulnerability they can exploit. EMV’s transaction authentication and mobile’s HCE approach, backed by HSMs, offer merchants greater levels of security and protection from cyber criminals. Though security experts see an increase in mobile payment-related security breaches on the horizon, service providers and merchants who properly and consistently use these methods can enjoy the season a bit more as they watch their mobile sales rise.
About the author:
Jose Diaz, director of payment strategy, has worked with the Thales group for over 35 years and is currently responsible for payment solutions strategy at Thales e-Security. He also works with payment application providers in developing solutions and roadmaps for securing the payments ecosystem. During his tenure at Thales, Jose has worked in Product Development, Systems Design, Sales in Latin America and the Caribbean, as well as Business Development.