January 14, 2013

Security, and specifically security measures taken by consumers, may be the final hurdle to widespread adoption of mobile payments, according to a recent paper authored by the Federal Reserve Bank of Boston.


The paper, titled “Mobile Phone Technology: ‘Smarter Than We Thought,’” found that the ultimate broad adoption of mobile payments will be largely correlated with the security of each mobile platform, and that consumer education and stakeholder collaboration will be equally crucial to promoting widespread adoption.

Since consumers tend to apply the minimum protections on their mobile devices, security providers need to anticipate problems and incorporate risk mitigation tools where feasible, says the Boston Fed. The Fed cites a recent Javelin report, which states that 66% of smartphone owners do not password protect their phone, and concludes that poor user security practices, such as saving log-on credentials, increase potential risk when credentials are authorized to access payment applications.

"Cooperation among industry stakeholders is vital to enhancing mobile payment security," Marianne Crowe, VP of payment strategies for the Boston Fed and author of the report, told Bank Systems & Technology. "Financial institutions, mobile carriers, regulators, card networks, technology providers and merchants need to work together to develop a combination of best practices and robust standards. Proposed steps include developing a standard certification process for mobile wallets and phones, a uniform process for making mobile payments across all wallets and phones, and clear guidelines identifying security features and disclosing risks to consumers."

The paper also looks at the difference between cloud and hardware-based mobile payments solutions.

According to the author, both approaches offer ways to protect mobile payments, but the Boston Fed believes using an encrypted secure element in the mobile phone is a proven technology for safely storing and executing payment applications.

"Cloud computing is used to store enterprise data, but has only recently been used to store mobile payment credentials," says Crowe. "Compared to a mobile wallet, the digital (cloud) wallet still has many unknowns related to securing a mobile payment, and lacks the standards to ensure that all merchants and vendors offering digital wallets are applying appropriate security controls, such as end-to-end encryption of the data, or tokenization. There may also be a greater risk of mobile payments data stored in the cloud being compromised."

Ultimately, while the paper found that the culprit of mobile and digital wallet security risks may be the consumer, not the technology, payments stakeholders are still on the hook for staying ahead of threats, and they need to share responsibility and work cooperatively to enhance mobile payment security and protect consumer privacy.

Bryan Yurcan is associate editor for Bank Systems and Technology. He has worked in various editorial capacities for newspapers and magazines for the past 8 years. After beginning his career as ...