- PROJECT HELP
By Robert Brodie, co-founder and CTO, SUMO Heavy
Every big technology player wants a mobile payment system. But, mobile payments aren't good enough to supplant traditional payment methods completely. Here's why.
There are tons of different mobile payment apps and systems. Some run by banks, some built into devices and use hardware-based encryption, and others coming from companies that may have good intentions but lack the expertise to mitigate user mistakes or process loopholes. More than that, mobile pay systems require a lot of upkeep. Minimum security standards change constantly as black-hats hack or reverse engineer the old ones. For example, in June of 2016, SSL will no longer be suitable for e-commerce security, and all sites that need to be PCI compliant will move to TLS for their secure certificates.
There are simple process issues as well. Let's say a company decides users needs to login every time they open the app, and protects login with a pin or thumbprint. Even with this protection, there are workarounds via password reset options. Historically, password reset processes include easily obtainable user information. It's not just a consumer problem either. The likes of Apple, Comcast, eBay, Target, and Evernote have been hacked over the last few years, leaking significant consumer data.
Storing raw credit card data necessitates an incredible amount of security and process to maintain. This is where tokenization comes in. Companies use APIs to create payment profiles at their payment processor and are returned a token. This token maps to the card profile, and can be used and reused by the service for the token's lifetime.
Tokenization isn't entirely secure, however, because companies might save tokens in a place where they can be stolen or used by someone with bad intentions. If someone steals tokens and your API information, they could theoretically use that information to make API requests. If tokens are kept in one database and someone with malicious intent breaks into the server that accesses those tokens, requests could be made with those tokens en masse and all at once.
Some companies understand the nuances of minimizing risk of social engineering and automation to steal customer information. Others don't. Processes like custom password reset questions, multi-factor authentication, or dynamic fraud detection using machine learning algorithms, contribute to platform security. Apple Pay, for example, uses a secure NFC connection, protected by a fingerprint, which is encrypted and only stored on-chip. But not all mobile payment platforms are safe. And consider: the larger the platform, the greater the target.
Right now, there's no standard procedure for mobile payments. Apple Pay and Google Wallet are two major players, but there's also SMS, websites, custom apps, and other processes. And none of these systems really make paying easier. Almost anything is more secure than a swipe, but nothing yet is more convenient.
Payment service providers must have a deep understanding of the architecture they deploy their platform to. Every piece needs to be carefully planned, and the data architecture needs many layers of failover and separation. Microservice architecture is becoming increasingly popular. Instead of one large application with all of its parts accessible, many companies break out each part of their application into a smaller application that others talk to. It's possible to have one service to handle logins, another for payments, another for password resets, and one more to handle logging. Separating each application means multiple layers of security and failover.
The first thing all payment system creators must consider is how to make things safe and easy for the user. On the server side, fraud is a huge problem. Over the past year, machine learning has become more widely available and its cost has dropped significantly. Machine learning algorithms can be a great asset for combatting fraud. These algorithms can prompt immediate user alerts and provide an easy path for user-cardholder mitigation.
Payment systems should think about other ways to help users shop intelligently. Imagine a system that could understand the costs and benefits of each card and payment method. A system like this could suggest the best card for each purchase, based on, APR, cashback, rewards points, etc.
Getting hacked happens. The PCI Security Standards Council determines a standard set of regulations that any vendor or merchant handling payments must implement. The complexity of these regulations varies based on the number of yearly transactions a company processes. Essentially, a company with thousands of yearly transactions has more relaxed rules than a company with millions.
The PCI's rules dictate that any company processing payments must have: secure infrastructure, data storage, and business processes; they must formally document and maintain it; and, procedures are subject to review with all holes patched within a limited time frame. When a hack occurs, strict rules outline when and how companies must notify users.
So mobile payment systems won't yet replace the wallet. The lacks—of security, ease of use, and intelligence—mean that the ubiquity of mobile wallets is not quite here.
Topics: Bank Customer Experience Summit, CONNECT Mobile Innovation Summit, Contactless / NFC, Direct Carrier Billing, Handsets / Devices, HCE, In-App Payments, Mobile Banking, Mobile/Digital Wallet, Security, Trends / Statistics