The Green Sheet Online Edition
October 13, 2014 • Issue 14:10:01
Growing mobile adoption puts security center stage
F resh from its success pulling off the world's largest initial public offering, Alibaba Group Holding Ltd. – the e-commerce giant and jewel of China's capitalist experiment – has taken a stand on the direction of mobile payment security. In September 2014, the company revealed plans to use fingerprint readers to authenticate mobile shoppers. Alibaba said it has an arrangement with Chinese technology firm Huawei Technologies Co. Ltd. to integrate fingerprint scanners into its Alipay mobile wallet app.
As smartphone adoption has proliferated so, too, has the use of mobile devices for financial services, along with concerns about user and transaction security. According to the LexisNexis 2013 True Cost of Fraud Mobile Study, merchant acceptance of mobile payments has been growing at a rate of 50 percent a year since 2011, and in 2013, nearly 10 percent of merchants were accepting mobile payments. Acceptance is expected to continue growing at a rate of 25 percent a year going forward, as more nonmobile merchants, especially smaller merchants, begin accepting payments initiated through mobile devices.
A survey of small merchants, undertaken for the acquirer Vantiv Inc., revealed 48 percent of merchants expect mobile payments to be widespread within the next few years. Forrester Research Inc. puts the U.S. growth rate at 31 percent a year through 2017; mobile payments are expected to top $25 billion in 2014, according to Forrester's projections.
But with increased use comes increased risks. AuthenticID, a company that specializes in identity verification technologies, recently surveyed 1,000 businesses and found that 32 percent think mobile payments are a riskier proposition than e-commerce payments, up from 24 percent in 2013. The bottom line: most merchants believe a need exists for enhanced security around mobile payments.
"Given the continued rise in mobile channel usage, as well as the increasingly high-risk transaction capabilities that banks and merchants are pushing through the channel, it is imperative that financial services organizations defend against rapidly emerging threats," said Julie Conroy, Research Director at the consultancy Aite Group LLC. Those threats are multifaceted and include data hackers, as well as the fraudulent transactions that typically ensue using hacked information.
Lack of security isn't cheap. The total (all-in) cost of dealing with fraudulent mobile payments is $2.83 for every dollar actually lost to fraud, according to LexisNexis. A "sizable portion" of that cost (about 27 percent) consists of fees and interest payments to card issuers. The biggest money losers are small merchants. "Small merchants are increasingly attracted to the mobile channel," the report noted. "Card acceptance may help generate sales for small merchants, but opens them up to the largest payment channel for fraud as well."
The report recommends small businesses invest more in solutions that help identify potentially fraudulent transactions. The technologies underlying these solutions include geolocation analysis, device identification, velocity checks, rules and predictive modeling.
Biometric technologies, such as fingerprint readers, are considered highly secure and convenient methods of authentication. Biometrics has gained some success in corporate settings, but hasn't been embraced in the consumer market.
The notion of using fingerprints to secure payments was pioneered in the United States in the early 2000s by a company named Pay By Touch. A handful of merchants, including Whole Foods Market, installed the technology, which enabled consumers to pay for goods simply by swiping their fingers at a POS device. But the payment option met with limited success, and Pay By Touch shut down operations in 2008.
Executives at Alibaba believe the time is now right for fingerprint security. The company certainly has size on its side; it already controls 80 percent of e-commerce in China. Its U.S. IPO raised nearly $22 billion, making it the ninth largest technology company in the world, according to the Wall Street Journal. Alibaba's gross merchandising revenue is four times that of eBay Inc.
Alibaba isn't alone among proponents of biometric payment security. Apple Inc. has also made a big splash, selling over 10 million of its new iPhone 6 line of devices within two days of debuting the new devices, which sport a TouchID fingerprint sensor. TouchID isn't new; the technology was introduced with the iPhone 5 for use in lieu of PINs to log into the phone. The iPhone 6, however, relies on a new operating system that was designed to work with third-party apps, like mobile payment apps.
Apple also heralded its own mobile wallet technology, Apple Pay, which leverages near field communication (NFC) technology, a Visa-approved tokenization technology, and TouchID. Apple Pay works with new iPhone models, as well as with the newly announced Apple Watch.
"Security and privacy is at the core of Apple Pay," said Eddy Cue, Apple's Senior Vice President for Internet Software and Services. He noted that with fingerprint authentication, there is no need to divulge personal information to a cashier or automated system to complete a purchase. No identifiable information is stored on the device either. Each device has a unique account number that is encrypted and stored on a chip in the device, which generates one-time codes to securely validate individual transactions. "And if your iPhone is lost or stolen, you can use Find My iPhone to quickly suspend payments from that device," Cue added.
Apple Pay enters the mobile payment market with a huge potential user base: the hundreds of millions of consumers who already have credit and debit cards on file with their iTunes Store accounts. It also has the support of major card issuers, including American Express Co., Bank of America, Capital One Bank, JPMorgan Chase & Co. and Wells Fargo & Co. Plus, it has acceptance agreements with leading retailers like Bloomingdales, Disney stores, Macy's, McDonalds, Walgreens and Whole Foods.
NFC and tokenization
Noticeably absent from the list of Apple Pay merchant partners are big-name retailers Target Corp. and Wal-Mart Stores Inc. Both hold ownership stakes in MCX (Merchant Customer Exchange), a retailer-driven mobile wallet that has yet to debut. Dozens of other large retail chains (from big-box stores to gasoline stations and fast food chains) also back MCX, which has branded its mobile wallet app CurrentC.
The CurrentC app incorporates PINs and quick response (QR) codes for security and utilizes the cloud to store sensitive card information. Backers note that CurrentC requires no retailer investments in retooling or retraining, as PIN pads and QR code scanners are well-entrenched at physical points of sale.
In touting the new brand – and a plan to go live in 2015 – MCX said the app will enable consumers to pay with their mobile devices at more than 110,000 U.S. merchant locations. Consumers will be able to download the CurrentC app from online app stores such as Google Play, as well as through participating merchants' mobile apps. "It will also offer innovative features and benefits, such as merchant loyalty programs and instant coupon savings," said Dekkers Davidson, CEO of MCX.
NFC has been slow to catch on with retailers in large part because of the investments in new equipment and integration routines that are required. And retailers already are spending big to accommodate Europay/MasterCard/Visa (EMV) security. The National Retail Federation has put a price tag of between $26 billion and $30 billion on industry-wide migration to EMV.
That, apparently, hasn't deterred leading mobile carriers, which like Apple are betting a case can be made for NFC-enabled mobile payments. Softcard (formerly Isis) is a mobile wallet app that uses NFC (like Apple Pay) and incorporates rewards and other marketing features (like CurrentC). It has financial backing from AT&T Mobility, T-Mobile USA and Verizon Wireless. Subway, the quick-service restaurant chain, recently began accepting Softcard payments at 26,000 U.S. locations. Subway has also signed on to accept Apple Pay.
Visa Inc. has put a lot of research and development into NFC, and worked closely with Apple on its Apple Pay NFC platform. "We need to grow NFC acceptance in the United States," Bill Gajda, Visa Senior Vice President for Innovation and Strategic Partnerships, told a group of analysts during a recent call. (A transcript of the call was provided by research platform Seeking Alpha.)
Gajda said he hoped Apple would provide the necessary push to broader NFC adoption, adding he expected one result was that CurrentC was "rethinking their strategy" of not using NFC. Gajda said all major merchant acquirers are on board with tokenization, "and literally thousands of issuers are now working on the slight changes they have to make to their back-end to accommodate tokenization."
Gajda used the call with analysts to describe Visa's work in support of Apple Pay. "In essence, we brought together our tokenization solution, which is a token vault, and that's essentially a database that matches a Visa card number with a 16-digit, 4 BIN token that could be placed on an Apple 6 or 6 Plus," he said. To encourage issuers and others to move to NFC and tokenization, Visa is waiving fees for the solution through the end of 2015. "We want to do this for the good of the industry," Gajda said.
Tokenization enhances the ability to protect payment information in both card-present and card-not-present transactions by cloaking personal financial information not only in transit but also while it is at rest (in a database). Equally important, with tokenization there is no need for merchants to store sensitive payment information in their systems, thereby reducing chances for data breaches and potentially minimizing the need to deal with Payment Card Industry Data Security Standard compliance.
One drawback to tokenization is that several models are being developed. The Federal Reserve's Mobile Payments Industry Workgroup addressed this and other obstacles during a meeting with stakeholders in June 2014. "A key consideration is what is required to change consumer behavior," the workgroup stated in a report on the meeting. "If the consumer links multiple wallets or solutions, and the tokenization schemes are not connected or interoperable, what will happen?" the report asked.
A balancing act
So what is consumer sentiment around mobile payments and security? Statista Inc., an online statistics portal, reported in September 2014 that 46 percent of U.S. consumers who do not use mobile payments cite security concerns as the drawback.
The prevailing sentiment seems to be that consumers like the idea of using their mobile devices to make payments, and security is paramount. But they also want balance, the consultancy Edgar Dunn and Co. noted in its recently released Advanced Payments Report 2014. Among consumers polled by the firm, 88 percent said there should be a balance between customer experience and security; 83 percent agreed with the statement that "no payments can be 100% secure."
According to the Federal Reserve, as of 2013, 17 percent of U.S. smartphone users had made at least one POS payment using their smartphones, up from 6 percent in 2012. Thirty-nine percent of those who used their smartphones for POS payments did so by scanning a barcode or QR code displayed on their phone's screen at the checkout; 14 percent used NFC technology.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.