Mobile Payment Security in the Store
By Jeff Wakefield, Verifone
Mobility. It is such a broad concept, meaning different things to merchants and consumers. Mobile acceptance, mobile payments, mobile POS, mobile shopping – each plays a distinct part in the overall mobile experience and each has different risks and rewards.
Within this larger mobile arena, the security of the mobile payment device poses the greatest risk for merchants and consumers alike.
Mobile payments, or "mobile acceptance" in the industry's more technical term, is simply the process of accepting payment using a mobile device. There are three primary categories of mobile acceptance products on the market, each with a different set of capabilities. They include:
1. Purpose-built mobile payment devices: actual payment terminals with wireless capability.
2. Secure mobile acceptance peripheral devices that connect to payment applications on mobile handsets. These are the cradle-like units that mold around the mobile device.
3. Simple audio jack type devices that attach to another consumer device.
While ANY payment device should provide some minimal level of payment security, only the first two categories are the kind of device the PCI PTS (PIN Transaction Security) standards cover. But regardless of the type of device in use, the questions we must ask and answer as merchants come down to balancing risk against reward. First, what are the risks of accepting any type of mobile payment? And second, what level of risk are we willing to accept in return for the ability to offer our customers an enhanced experience?
The First Area of Risk
Most mobile payment solutions in use today, smartphones and tablets, aren't purpose-built for accepting payments, so peripherals connect to them to do that. Usually, a mobile point of sale application is also running on the mobile device itself. These applications vary in complexity, from simple barcode scanning and payments to full-fledged inventory management and CRM. A simple scenario for this kind of mobile payment transaction might look like this:
The consumer finalizes her selection and approaches a store clerk who is either carrying the mPOS device or has access to one at the counter. Once all items have been scanned using the built-in barcode scanner, the total appears on the screen of the mobile device and, depending on the type of payment acceptance available (swipe, tap, keyed or dipped), either the clerk or the customer inputs payment information. This payment information is transmitted through the payment-acceptance peripheral (the cradle, audio jack attachment, etc.) to the mobile application. The payment information then leaves the mobile application and is sent to an authorization system.
There are a number of potential intervening systems here that process the payment information in some way, but for the sake of simplicity, we will say that in this scenario, the capture device sees the payment information first. Simply put, when you swipe, tap or manually input your card information, it first interacts with the payment device before being transmitted through the store and out to the payment processor.
This is the first area of risk: without protecting the payment data at the initial point of capture, before it flows through the peripheral and through the mobile payment application, merchants are exposing themselves to some level of risk. As such, ANY payment-accepting consumer electronic device should be considered unsafe, period. Both iOS and Android devices have the potential for malware intrusions, either because the device has been "jailbroken" or via legitimate applications that have security holes in their code.
Once you are in a habit of assuming that each device is unsafe, you become better attuned to ensuring that proper security precautions are being met.
The most effective form of payment security on any kind of payment device, be it a mobile device, a countertop device, or a simple acceptance unit built into a vending machine or fuel pump, is encryption. The PCI Security Standards Council (SSC), hardware and software vendors, security practitioners, and even informed consumers agree that encrypting data immediately at the point of capture, before it traverses the mobile operating system, is an effective deterrent to transaction data interception and theft. This is the model the PCI SSC formalizes as point-to-point encryption (P2PE): the data is encrypted inside the capture hardware and decrypted only in the processor's environment.
Encrypting payment data after it has moved through the peripheral and into the payment application is a polite gesture, but hardly effective. It is a bit like running an encrypted network inside your home, but then not password-protecting your PC login. You must encrypt the data at the point of capture, with no exceptions.
This can be accomplished in different ways, but enterprise-class deployments should follow best practices and use only those devices that have been tested and listed as PCI PTS approved.
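The flow argued for above, in working form. This is an added example written for this page, not Verifone's code or any product's firmware, and it simplifies freely: a single static AES-256-GCM key stands in for the injected key (real readers use DUKPT-style unique keys per transaction), the key value and the track-2 string are constructed test data, and the track parser only handles the `;PAN=...?` shape used here. The `Party` type models both the PTS-approved reader and the processor, since those are the two places the key legitimately lives; the handset in between only ever handles the envelope. The contrast at the end is the anti-pattern from the text, where the raw swipe reaches the app before anything is encrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Envelope is everything the capture peripheral hands to the handset:
// ciphertext plus the few digits the merchant may see in the clear.
type Envelope struct {
	KeyID      string // which injected key the processor should use
	Nonce      []byte
	Ciphertext []byte // AES-GCM over the full track-2 string
	BIN        string // first 6 digits, needed in clear for routing
	Last4      string // last 4 digits, permitted in clear for receipts
}

// panFromTrack2 extracts the PAN from constructed track-2 data shaped like
// ";PAN=YYMM...?" (sample format only, not a full ISO/IEC 7813 parser).
func panFromTrack2(track2 string) (string, error) {
	i := strings.Index(track2, "=")
	if !strings.HasPrefix(track2, ";") || i < 11 { // ";" plus at least 10 digits
		return "", errors.New("malformed track 2")
	}
	return track2[1:i], nil
}

// aad binds the clear-text routing fields to the ciphertext, so software on
// the handset cannot alter them without the processor's tag check failing.
func aad(keyID, bin, last4 string) []byte { return []byte(keyID + "|" + bin + "|" + last4) }

// Party is either the PTS-approved reader or the processor: both hold the
// injected key (tamper-resistant hardware on one end, an HSM on the other).
type Party struct {
	KeyID string
	aead  cipher.AEAD
}

func NewParty(keyID string, key []byte) (*Party, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	a, err := cipher.NewGCM(block)
	return &Party{KeyID: keyID, aead: a}, err
}

// Capture runs inside the reader: the swipe is encrypted at the read head,
// before anything reaches the mobile operating system or the POS app.
func (p *Party) Capture(track2 string) (Envelope, error) {
	pan, err := panFromTrack2(track2)
	if err != nil {
		return Envelope{}, err
	}
	bin, last4 := pan[:6], pan[len(pan)-4:]
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := p.aead.Seal(nil, nonce, []byte(track2), aad(p.KeyID, bin, last4))
	return Envelope{KeyID: p.KeyID, Nonce: nonce, Ciphertext: ct, BIN: bin, Last4: last4}, nil
}

// Open runs at the processor. A bad tag, including one caused by a BIN or
// Last4 altered in transit, fails here instead of becoming a routed transaction.
func (p *Party) Open(e Envelope) (string, error) {
	pt, err := p.aead.Open(nil, e.Nonce, e.Ciphertext, aad(e.KeyID, e.BIN, e.Last4))
	return string(pt), err
}

// SeenByHandset is what the POS app, and so any malware on the phone, can observe.
func SeenByHandset(e Envelope) []string { return []string{string(e.Ciphertext), e.BIN, e.Last4} }

// Leaks reports whether the full PAN appears in what the handset observed.
func Leaks(observed []string, pan string) bool { return strings.Contains(strings.Join(observed, "\x00"), pan) }

// AppSideEncrypted models the article's anti-pattern: the raw swipe reaches
// the app before any encryption, so the handset has already observed the PAN.
func AppSideEncrypted(track2 string) bool {
	pan, err := panFromTrack2(track2)
	return err == nil && Leaks([]string{track2}, pan)
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef")   // constructed 256-bit key
	track2 := ";4111111111111111=25121015432112345678?" // constructed test card
	reader, _ := NewParty("key-01", key)
	processor, _ := NewParty("key-01", key)
	env, _ := reader.Capture(track2)
	pt, err := processor.Open(env)
	pan, _ := panFromTrack2(track2)
	fmt.Println(pt == track2 && err == nil, Leaks(SeenByHandset(env), pan), AppSideEncrypted(track2))
}
```

Two details carry the security weight. The BIN and last four digits are authenticated as additional data, so a compromised app can read them for receipts and routing but cannot rewrite them without the processor rejecting the transaction. And `Leaks` is the test a merchant should be able to answer for any peripheral: given everything the phone can see, is the PAN in there? With encryption at the read head the answer is no; with encryption in the app it is yes before the first line of the app's crypto code ever runs.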
From a customer interaction perspective, mobile devices are being used to engage customers on a much deeper level. Consider the other types of information merchants collect — email addresses, phone numbers, loyalty rewards numbers and purchase history.
It's possible that some information, while not considered sensitive from a PCI and payments perspective, is still sensitive. Separately, these bits of personal information don't mean much, but together a customer's personal information and shopping preferences can be used by attackers as a lever to obtain still more.
Building "Big Data" profiles of consumers, as part of a CRM program, is becoming more common, and merchants need to consider the backlash they could face should customer information be used by attackers to gain access to parts of their customers' digital lives.
So, what's the solution? Encryption of payment data is achievable today. Encryption of addresses, ZIP codes, pet names, and birthdays places a much larger burden on merchants, as encrypting this information introduces a host of additional processes. But as custodians of this information, merchants should treat it with care and be responsible for its safekeeping.
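One way to lighten the burden described above is to keep raw identifiers out of the CRM and analytics stores altogether and give those systems keyed tokens instead, so the joins and profiling still work while the stores hold nothing an attacker can read. The example below is added for this page, not the author's or Verifone's code, and it assumes a tokenization key held by a separate key-management service, constructed customer records, and the field names shown. The raw values themselves would live in a single guarded vault (not shown), which is the one place encryption with all its key-management overhead then has to be applied.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Customer is the raw record as captured at the point of sale (constructed
// shape for this example).
type Customer struct {
	Email, Phone, ZIP string
	Purchases         []string
}

// Profile is what the CRM or analytics store is allowed to keep: tokens in
// place of identifiers, a truncated ZIP, and the non-identifying history.
type Profile struct {
	EmailToken, PhoneToken string
	ZIP3                   string // first three digits: regional analytics, weak identifier
	Purchases              []string
}

// Tokenizer replaces directly identifying fields with keyed HMAC-SHA256 tokens.
// The key stays with the merchant's key-management service (assumed here);
// without it a token cannot be reversed, nor enumerated by guessing inputs.
type Tokenizer struct{ key []byte }

func NewTokenizer(key []byte) *Tokenizer { return &Tokenizer{key: key} }

// Tokenize normalises the value, then MACs it under a per-field label so the
// same string used as an email and as a loyalty ID yields unrelated tokens.
func (t *Tokenizer) Tokenize(field, value string) string {
	m := hmac.New(sha256.New, t.key)
	m.Write([]byte(field))
	m.Write([]byte{0}) // separator so field and value cannot be re-split
	m.Write([]byte(strings.ToLower(strings.TrimSpace(value))))
	return hex.EncodeToString(m.Sum(nil))[:32]
}

// Profile builds the record the analytics store receives. ZIP is truncated
// rather than tokenized: a five-digit domain is small enough to enumerate if
// the key ever leaks, so low-entropy fields are generalised instead.
func (t *Tokenizer) Profile(c Customer) Profile {
	zip3 := c.ZIP
	if len(zip3) > 3 {
		zip3 = zip3[:3]
	}
	return Profile{
		EmailToken: t.Tokenize("email", c.Email),
		PhoneToken: t.Tokenize("phone", c.Phone),
		ZIP3:       zip3,
		Purchases:  c.Purchases,
	}
}

// MergeByEmail joins purchase histories from two systems (say mPOS and web)
// on the email token, so neither side needs the raw address to correlate.
func MergeByEmail(a, b []Profile) map[string][]string {
	out := map[string][]string{}
	for _, p := range append(append([]Profile{}, a...), b...) {
		out[p.EmailToken] = append(out[p.EmailToken], p.Purchases...)
	}
	return out
}

// ContainsRawPII checks a serialised profile for the raw email or phone.
func ContainsRawPII(p Profile, c Customer) bool {
	s := p.EmailToken + p.PhoneToken + p.ZIP3 + strings.Join(p.Purchases, ",")
	for _, v := range []string{c.Email, c.Phone} {
		if v != "" && strings.Contains(s, v) {
			return true
		}
	}
	return false
}

func main() {
	tk := NewTokenizer([]byte("constructed-crm-token-key")) // constructed key
	c := Customer{Email: "Ana@Example.com", Phone: "+1-602-555-0100", ZIP: "85001", Purchases: []string{"sku-1"}}
	p := tk.Profile(c)
	fmt.Println(p.EmailToken, p.ZIP3, ContainsRawPII(p, c))
}
```

The tokens are deterministic on purpose: that is what lets purchase history from the store and from the web site line up on the same customer. The price is that anyone holding the key can confirm a guess, which is why the example generalises a ZIP code instead of tokenizing it, and why the same treatment belongs on birthdays and other small-domain fields the article lists.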
Securing the mobile acceptance and point of sale environment is not simple, but as an industry we need to tighten up our security controls and practices. The worst thing that can happen to the "mobility" rage right now is a rash of well-publicized merchant breaches involving mobile acceptance systems.
Jeff Wakefield is VP of new business development & strategic initiatives, vertical & global, security solutions, VeriFone.
WestStar names former SkyMall chief as COO
PHOENIX — WestStar MultiMedia Entertainment, parent company to the nationally syndicated “Kim Komando Show,” has appointed longtime SkyMall president Christine Aguilera as chief operating officer of WestStar MultiMedia and president of WestStar Merchandising.
"Christine’s vast marketing, business development, operations, legal and financial expertise ideally positions her to help guide our rapidly-expanding organization to the next level," said WestStar chair and co-founder Kim Komando. "We are thrilled to have her on board to oversee key growth areas including network advertising, digital sales, marketing and business development, as well as our legal, human resources and communications teams."
As SkyMall president for more than 10 years, Aguilera led all aspects of the iconic airline catalog seen by more than 650 million passengers each year as well as skymall.com. During her 16-year tenure at SkyMall, Aguilera also held other leadership roles, including CFO and general counsel.
"We’re thrilled to welcome Christine to WestStar and the Kim Komando Show and look forward to maximizing her expertise as we expand our multimedia conglomerate," said Barry Young, WestStar’s president and CEO. "Teaming the industry-leading vision, business expertise and the entrepreneurial drives of Kim Komando and Christine Aguilera is an exciting leap forward for our company."
"The digital world can be overwhelming for consumers and Kim is a trusted resource with a loyal following for advice, information and news about everything digital," said Aguilera. "Her deep knowledge of technology and ability to make complicated concepts easy to understand is remarkable. I’m so excited about the opportunity to help further grow America’s go-to-digital resource into a household name."
Prior to joining SkyMall, Aguilera was a corporate and securities attorney in private practice. Previously she practiced at the international law firm of Squire Sanders. From 1986 to 1989, she practiced as a certified public accountant for Coopers & Lybrand (now PricewaterhouseCoopers).
Aguilera earned bachelor’s degrees in accounting and finance with honors from New Mexico State University in 1986 and is a Hall of Fame honoree at the NMSU College of Business. She earned her law degree with Order of the Coif honors from the University of Texas School of Law in 1992. Aguilera is a member of the State Bar of Arizona and has practiced as a certified public accountant.
Webtrends appoints CEO
Webtrends, a global leader in digital marketing solutions, has appointed David Mitchell as the company's CEO. Mitchell has more than 25 years of executive management experience in the software industry, and will lead the company's business strategy and worldwide operations.
"Webtrends has spent the last two decades as a digital marketing leader and I see tremendous growth opportunities for the business," said Mitchell. "I look forward to building on the innovation that Alex Yoder brought to the organization and I’m honored to work with the Webtrends leadership team to enter the next phase of growth."
Mitchell was previously the president and CEO of Spring Mobile Solutions, a mobile applications SaaS start-up, president and CEO of Global 360, an enterprise BPM solutions provider and COO of Software AG webMethods. He will maintain his role as operating partner at Francisco Partners.
Webtrends’ clients include Lloyds Banking Group, Barclays, HSBC, ASOS, Orange, T-Mobile, Microsoft, BMW, Toyota, Play.com, AllSaints and the Telegraph.