There is an interesting juxtaposition emerging in the payments industry. You can call it “old school vs. new school,” or just a natural evolution of payment technology. The media is abuzz with the notion of going mobile, going cashless and creating value for the stakeholders in the ecosystem. Mobile payments and mobile commerce are, it seems, going to launch us into a new level of spending, as they further abstract the idea of money. That’s great for retailers and for the payments industry, but it may have some ramifications for the debt posture of many consumers. Further, it has led to a debate regarding which is more secure: the decades-old infrastructure that the industry is retro-fitting with security, or the new technology that is still largely in a nascent, untested phase.
In looking at the traditional infrastructure, it is easy to simply label it as insecure. The constant barrage of data breach stories in the media, not just of payment data but of healthcare data, SSNs and other personally identifiable information, would easily lead one to believe that the system is insecure. The last ten years, however, have been characterized by significant changes to the way that security is conceived and implemented in the payment ecosystem. Testament to that fact was the relatively rapid development and deployment of point-to-point encryption and tokenization solutions, which help to remove sensitive cardholder data from large portions of the payment chain. That is not to say that the system is infallible (witness the latest processor breach), but it is to say that it is not exactly the sieve that many might believe, leaking payment data everywhere.
It should be noted that much of the infrastructure over which we now process payments was put in place well before the concept of the Internet or eCommerce. With that in mind, one might applaud the system for its flexibility and scalability, while recognizing that those traits can sometimes bring challenges with them. Security will never be an easy fit on an old model, but neither is it entirely lacking. Much vigilance and resource must be dedicated to ensuring that the “old school” infrastructure can stand up to new school threats. However, this old model is not alone in having to face sophisticated threats from data thieves.
In examining the “new school” technologies for their security impact, it is necessary to address each type of mobile payment that is being developed. These mobile technologies include Near Field Communication (NFC), smartphone card readers and the cloud-based payment application. Each of these represents a different take on the mobile question and, as such, should be addressed separately in the question of their security impact.
NFC is a prominent technology largely because a number of major companies have bought into that model. Visa, Inc., MasterCard Worldwide, Google, ISIS and others have thrown their weight behind the NFC payment model. Leaving aside the debate as to whether or not NFC really qualifies as a mobile payment technology, it is clear that these companies have invested significant resources in making it a viable and a secure technology.
In February of this year, a report surfaced that security researchers were able to expose cardholder data on an individual smartphone equipped with an NFC chip. The phone in question had been “rooted,” meaning that the user had unlocked administrator-level access. This type of configuration is not standard and is something that most users wouldn’t do, assuming they even knew how to do it. Nonetheless, the report generated a bit of a tempest in a teapot, creating confusion and fear among consumers.
In essence, the ability of a data thief to unlock a digital wallet to extract payment data is akin to a pickpocket stealing a physical wallet and using the victim’s payment cards. It is a lot of effort for little return.
Another prominent “mobile” payment technology is the smartphone card reader. Users plug a card reader into the audio jack of an Android or iOS smartphone (or tablet) and essentially create a mobile POS. Most major providers of mobile payment solutions are now shipping encrypting card readers, meaning that the card data is encrypted at the point-of-swipe and the mobile device never touches clear text payment data. However, at least one prominent provider did not start to ship encrypting devices until early this year. Merchants should be advised to update their devices if they are not currently using an encrypting device. If a merchant is using an unsecured device, their customers’ payment data should be considered at risk. Mobile phones are simply small computers and have the same vulnerabilities. If a phone is compromised and it has unencrypted cardholder data, a data thief can easily extract the data. The rise of the Zombiephone (really, that’s not a bad B-movie reference) means that thieves can exploit a vulnerability in a phone’s operating system and essentially create an army of drone phones that will send payment data wherever the thief directs it. Again, most major providers are providing encrypted readers, but merchants should confirm with their provider that their devices are secure.
The third model that is gaining in prominence is the cloud-based payment application. ProPay’s “Link” serves as an example. The consumer downloads an application and can create a profile that includes payment information. Merchants, on the other hand, can access a console using a secure internet connection that allows them to connect with the customers that have the application. The merchant can send a payment request to the consumer’s smartphone. The consumer can then approve and authorize the transaction. The most secure implementation of this model is built on a point-to-point encryption and tokenization model. For instance, the consumers’ payment data is not stored on their phones, but is securely stored with the payment processor. When a payment is processed, the merchant would receive only a token, not the actual cardholder data. Neither the merchant nor the consumer is in possession of the sensitive data. Some providers of cloud-based payment believe it is safer to store the cardholder data on the phone itself, rather than in the secure, PCI DSS validated environment of the processor. The argument is that card thieves won’t busy themselves going after one card at a time, but would be more likely to attempt to compromise a processor. This is certainly fertile ground for debate and won’t be settled here.
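The processor-side tokenization flow described above can be sketched in a few lines. This is an added illustration, not ProPay’s code or API: the `Processor` class, its method names, the `tok_` prefix and the sample card number are all assumptions made up for the example.

```python
import secrets

class Processor:
    """Hypothetical processor: holds card data; merchants only ever see tokens."""

    def __init__(self):
        self._vault = {}     # token -> PAN; never leaves the processor
        self._profiles = {}  # consumer_id -> token
        self._requests = {}  # request_id -> pending payment request

    def enroll(self, consumer_id, pan):
        # The consumer app submits the card once; nothing is kept on the phone.
        token = "tok_" + secrets.token_hex(8)
        self._vault[token] = pan
        self._profiles[consumer_id] = token

    def payment_request(self, merchant_id, consumer_id, amount_cents):
        # The merchant console asks a specific consumer to pay.
        request_id = secrets.token_hex(4)
        self._requests[request_id] = {
            "merchant": merchant_id, "consumer": consumer_id,
            "amount": amount_cents, "status": "pending",
        }
        return request_id

    def approve(self, request_id, consumer_id):
        # Only the addressed consumer may approve, and only once.
        req = self._requests[request_id]
        if req["consumer"] != consumer_id or req["status"] != "pending":
            raise PermissionError("request cannot be approved by this consumer")
        req["status"] = "approved"
        token = self._profiles[consumer_id]
        # The PAN is looked up here, inside the processor, for authorization only.
        assert token in self._vault
        # What the merchant gets back: a token, never the cardholder data.
        return {"request_id": request_id, "amount": req["amount"], "token": token}

def demo():
    pan = "4111111111111111"  # constructed test card number
    processor = Processor()
    processor.enroll("alice", pan)
    rid = processor.payment_request("shop-1", "alice", 1250)
    receipt = processor.approve(rid, "alice")
    return processor, pan, rid, receipt

if __name__ == "__main__":
    print(demo()[3])
```
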
In looking closely, it almost becomes a case of “the devil you know…” The industry knows what the limitations are in the existing infrastructure, but these new technologies still contain a lot of unknowns. Merchants have been slow to adopt, which slows consumer adoption. Since mobile payment technology has not been “in the wild” for long, it is difficult to say that the industry has a complete grasp on what the vulnerabilities might be. On the other hand, the mobile payment pioneers have the benefit of lesson-drawing – looking back at the experience of security on the traditional rails and knowing those same security principles must be baked into the new technologies. The notion of building cloud-based mobile payment applications on a foundation of P2P encryption and tokenization is a great example of that lesson-drawing.
Transition is always challenging and evolution can sometimes be painful. The trick lies in being able to merge the best qualities from the old and the new models. We are seeing some of this in action today in the payments industry. Neither model is impervious to security threats and each has benefits and drawbacks. Consumers are not going to throw over their purchasing behavior overnight – switching from swiping to tapping, or to texting depending on the model. These two models, the old and new, will have plenty of time to cohabitate. It would be wise of the industry as a whole to use the time to draw lessons from both, and see how we can use those lessons to prevent a replay of the security retro-fit growing pains we saw in the last several years.