Today, mobile phones are becoming as essential as a wallet for purchasing goods and services. Developments in mobile payments are growing quickly and different service providers are competing for their piece of the pie. Last year, the world was presented with MasterCard’s PayPass, Google’s launch of its Android-based eWallet and Starbucks’ trial of its Quick Tap PayPass service.
Juniper Research recently forecast that contactless mobile payment transactions would reach $50 billion worldwide by 2014. It also estimated that NFC solutions would be launched in 20 countries within the next 18 months.
Before the adoption of mobile payments reaches these numbers, there is a debate over the type of scheme that works best in practice and which mobile payment security method is the most robust.
Mobile Payment Standards
As with traditional payments, standardization is critical for bringing time and resource benefits to the industry. In securing the mobile payments ecosystem, several successful standards are already in place:
The SIM Alliance Open Mobile API: The Secure Element is a cryptographically protected piece of hardware on new mobile devices, used to secure critical operations such as transport tickets, payments or banking. The Open Mobile API allows applications that use the Secure Element to also have a component running in the mobile device’s operating system.
Managing Mobile NFC Services: The Trusted Service Manager (TSM) acts as an intermediary between third-party service providers and Mobile Network Operators (MNOs) that want to add a service to mobile devices. GlobalPlatform’s ‘System Messaging Specification for Management of Mobile-NFC Services’ defines the messaging between the three parties to guarantee secure ‘provisioning’ of services to the mobile device.
Trusted Execution Environment (TEE): The Secure Element safeguards critical data on mobile handsets but cannot host applications with a cutting-edge user interface. Applications that require complex user interaction must run on the phone’s main processor. The Trusted Execution Environment is designed to secure these applications, and GlobalPlatform is leading standardization and interoperability in this area to guarantee that data and applications are appropriately secured.
While these standards have shaped the industry and developed best practices, they have also become a fundamental element of successful mobile payment security. To build much-needed consumer confidence, the technology must make provisioning a mobile payment application as secure as issuing a card.
Consumers are hesitant to use mobile payments because of rising security concerns. This reluctance to adopt mobile payments stems from the potential risk of data being intercepted during a transaction. However, threats exist at every stage of the mobile payment lifecycle, including getting a payment app onto a phone safely and efficiently. Generating the data needed to issue a payment application, and securely creating the messages that personalize a handset, can be a slow and inefficient process, and the many cryptographic operations involved pose a risk of exposing sensitive data.
This initial set-up process or ‘provisioning’ generally occurs over-the-air (OTA) as a step that increases risks because of the number of involved parties – often, the payment application provider (frequently a bank), the Mobile Network Operator, a Trusted Service Manager and the end-user. Successful provisioning uses unique personalization keys to protect the loading of information onto a device as well as the subsequent transactions created by the application.
Applying the latest cryptographic methods assures users that ‘provisioning’ happens as safely as possible and on the same level as issuing traditional payment cards. Physical card providers often prefer Hardware Security Modules (HSMs), which create and protect the encryption keys needed to manage issuance risk. This approach is equally important for provisioning services to a mobile device: it can simplify the process while avoiding the vulnerabilities of keys stored in software. The primary benefit of an HSM is that it secures encryption keys and sensitive data in a process that guarantees the data is never exposed, significantly reducing the service provider’s risk.
Reducing security risks
While mobile payments continue to evolve, the industry is far from agreement on best practices, with operators and other parties still unsure about who should control the mobile wallet. What is beyond argument is that security remains the primary barrier to adoption for most consumers.
Eliminating these concerns requires a combination of best practice and robust standards, together with the appropriate technical path, to assure that the experience is safe from the moment a user chooses to download a payment app. If any organization wants to take full advantage of mobile payments, security needs to be top of mind in order to minimize risk and encourage widespread adoption among consumers.
Ian Hermon is the product marketing manager for Thales e-Security.