The pace of innovation in payments today is almost staggering. Companies striving to keep up with the changing consumer behaviors have found themselves changing the way they market and the way they sell and even the way that they accept payments. One of the most discussed, yet probably least understood topics, today is the notion of social payments. The concept has been variously dubbed “social media payments,” “social payments,” or “social mobile payments.” The important concepts for the sake of security are “social” and “payments.” These are not, at first blush, “two great things that go great together.” However, they could be.
In looking at the two concepts independently, they would appear to be inherently at odds. Social platforms are supposed to be open and encourage sharing. People tend to treat social platforms as a “trusted” network, assuming a level of security and privacy simply because they may know the people to whom they are “connected.” Certainly, there are downsides to this apparent naïveté, not the least of which is a laissez-faire attitude toward information that most would usually be hesitant to share. When we are going on vacation, for example, and for how long, are things that most people typically wouldn’t broadcast. Suddenly people know more about their high school classmates than they ever imagined or ever wanted to know.
Additionally, privacy settings on social network sites are still evolving, as the boundaries of this new technology are still being tested. Many consumers find the management of privacy settings on social networks to be confusing. The result is that sometimes, people are more open than they really intend. Further, while payment industry stakeholders (merchants and service providers, for example) are explicitly regulated in terms of data security and consumer privacy, social networks are still relatively unregulated.
On the other hand, the payment environment is one in which robust protections and confidentiality are expected, from both a regulatory and a reputational standpoint. Industry regulation demands that specific, stringent protections be in place to protect consumers against any accidental, or intentional, disclosure of their personal information. It is a necessity, in fact, for the smooth functioning of the payment system itself. Consumers must trust that their data will not be stolen, at least not on a regular basis. In the event that a compromise does occur, consumers must be able to rely on the protections in place that limit consumer liability for any fraudulent actions.
Despite the apparent contradictions, however, there is a growing trend towards combining the two. Social Mobile payments are gaining such traction that there is a conference scheduled for next spring that is dedicated solely to the discussion of the issue. This is an interesting development in that, much like early discussions around mobile payment, different companies seem to have different notions around exactly what Social Mobile payments are. Is it a virtual currency type of application that allows people to buy credits or virtual goods? Is it a payment platform that allows for integration into social network platforms? On the other hand, it could be something entirely different, in which multiple parties are involved in the payment transaction and no social platforms are involved at all.
The issue is ripe for debate, but what is not in question is that regardless of the form of the payment, the payment data must still be protected according to state, federal and industry regulations. Therefore, the new question becomes, “how does one enable social payments (whatever that might be) with the same level of security that is required by more traditional payment methods?”
Just as there are differing opinions on the form that Social Mobile payments will take, there are a myriad of opinions on how to secure those payments. Will the Social Mobile payments be facilitated through NFC in the handset or through web-based applications on the phone? This question alone has major implications for the manner in which the data will be secured. Most frequently when NFC is discussed, security is centered on the notion of the “Secure Element.”
The Secure Element is defined by EuroSmart as “a tamper-proof Smart Card chip capable to embed smart card-grade applications (e.g., payment, transport …) with the required level of security and features. In the NFC architecture, the Secure Element will embed contactless and NFC-related applications and is connected to the NFC chip acting as the contactless front end.” In the Secure Element scenario, the sensitive data is stored on the NFC chip embedded in the handset, though it can also be SIM-based or even placed on a removable Secure Element card. The question, from a practical security standpoint, is “who owns the Secure Element?” The answer to that question can vary considerably, but it has very real implications with respect to who is responsible for ensuring the security of the data stored on that element.
The other prominent implementation of social mobile payments is the use of a web-based application. Some providers will store the data in the application on the user’s smartphone. The rationale behind this storage scheme is that one person’s data is far less of a target than a bank of servers might be. Therefore, they reason, a service provider that does not store the data on the phone, but rather stores it on a hardened server in a secure location, poses a greater risk to the consumer, because it presents a greater target to data thieves. This reasoning does not consider the possibility of a targeted, mass attack on application users, though. Nor does it consider the necessity of transmitting the payment data between the merchant and the consumer, leaving the merchant vulnerable to an attack on the data in its environment.
Conversely, the use of an application also lends itself to the possibility of allowing the user to store the data securely at a PCI DSS compliant, validated service provider. In this scenario, the user sets up a profile, including payment information, but that information is stored securely at the service provider’s location. When a payment is initiated, the application sends a message to the service provider, who facilitates the transaction by passing the merchant a “token.” No data is stored on the consumer’s phone, nor is it stored in the merchant environment. The onus for protecting the data rests with the service provider, and both the merchant and the consumer can significantly mitigate, if not remove, any liability associated with a potential breach.
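As an added illustration of the token-based flow just described (example code written for this page, not code from the original article or from any particular provider), the hypothetical `TokenVault` class below stands in for the PCI DSS validated service provider: card data enters the vault once at enrollment, the phone app requests a token for one purchase, and the merchant settles by presenting that token, which is single-use, time-limited, and bound to one merchant and amount, so neither the phone nor the merchant ever holds the card number.

```python
import secrets
import time

class TokenVault:
    """Hypothetical service provider vault; all names and values are constructed."""

    def __init__(self, token_ttl_seconds=300):
        self._profiles = {}   # user_id -> card data; only the vault ever sees this
        self._tokens = {}     # token -> (user_id, merchant_id, amount, expires_at)
        self._ttl = token_ttl_seconds

    def store_profile(self, user_id, pan, expiry):
        # Enrollment: the consumer's card data enters the vault exactly once.
        self._profiles[user_id] = {"pan": pan, "expiry": expiry}

    def issue_token(self, user_id, merchant_id, amount, now=None):
        # The phone app asks for a token for one purchase. The token is a random
        # opaque value carrying no card data, bound to one merchant and amount.
        if user_id not in self._profiles:
            raise KeyError("unknown user")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user_id, merchant_id, amount, now + self._ttl)
        return token

    def settle(self, token, merchant_id, amount, now=None):
        # The merchant presents the token. pop() makes every token single-use,
        # so a replayed or leaked token is worthless after first settlement.
        entry = self._tokens.pop(token, None)
        if entry is None:
            return {"approved": False, "reason": "unknown or already used token"}
        user_id, bound_merchant, bound_amount, expires_at = entry
        now = time.time() if now is None else now
        if now > expires_at:
            return {"approved": False, "reason": "token expired"}
        if merchant_id != bound_merchant or amount != bound_amount:
            return {"approved": False, "reason": "token not bound to this merchant/amount"}
        card = self._profiles[user_id]
        # The receipt carries only a masked PAN; the full number never leaves the vault.
        return {"approved": True, "amount": amount, "card": "**** " + card["pan"][-4:]}

def demo():
    # Constructed walk-through: one purchase, then an attempted replay of the same token.
    vault = TokenVault()
    vault.store_profile("alice", "4111111111111111", "12/29")   # constructed test card
    token = vault.issue_token("alice", "coffee-shop", 4.50, now=1000.0)
    first = vault.settle(token, "coffee-shop", 4.50, now=1010.0)
    replay = vault.settle(token, "coffee-shop", 4.50, now=1011.0)
    return first, replay
```

The `now` parameter exists only so expiry can be exercised deterministically; in real use it is left at its default.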
The idea of social payments also opens the door to the idea of exchanging virtual currencies. A previous article detailed some of the issues associated with virtual currencies, irrespective of security. It should be said, however, that if the virtual currency does have value, then it is likely deserving of the same level of data security as “real” currency. Companies seeking to circumvent the regulations facing these “real-world” payment methods by using virtual currencies face a variety of legal issues regarding gift cards and money laundering. In addition, they will not be able to escape the duty to protect this data. Precedent is being set to create an obligation to protect sensitive data in general. Clever plaintiffs’ attorneys will surely be able to make the argument that, because virtual currency can be exchanged for goods, it should be considered a “financial account” and therefore subject to the same data protection and breach notification requirements as actual currency.
Social Mobile payments present significant opportunity to companies in the payments space. The crux of the matter, though, is whether companies will be able to successfully marry the seemingly different objectives of social networks and payment platforms. Providing the ability to connect to friends and merchants, to make payments while also providing adequate security sufficient to meet government and industry regulation, will be the determining factor for success among social mobile payment providers.