By Michael Orlando, CEO, Fit Pay, Inc.
Less than a year ago, ISACA (Information Systems Audit and Control Association) released the results of their 2015 Mobile Payment Security Study. This study surveyed roughly 900 “cybersecurity experts” and asked them about mobile payment security. Seventy-seven percent of the respondents were either unsure or thought mobile payments were not secure, and 87 percent said that they expected to see an increase in mobile payment data breaches in 2016.
Last month, ISACA released another report countering that very finding and describing mobile payment security measures like tokenization and two-factor authentication as the safest option in payments.
The first report prompted a flurry of articles about how mobile payments were slow to catch on because of these security concerns. The second report has not generated nearly as much attention. I hope that will change and perceptions about mobile payment security will more closely match the reality, which is that contactless mobile payments are much more secure than traditional magnetic stripe transactions.
It’s worth noting that ISACA didn’t release a study of actual mobile payment security, nor did they claim to. They conducted a survey of people’s feelings about mobile payment security. So, in reality, these are perceptions—from cyber security experts. And if the experts feel that way, you can bet consumers and merchants do as well.
So, if we are to gain broad acceptance of mobile payments, as an industry we need to work hard to continually change perceptions and educate consumers about how mobile payment providers keep their data safe.
The truth is mobile payments, especially contactless mobile payments, are among the safest forms of payment currently available.
The vulnerability of magnetic stripe transactions is well documented. What makes this technology, which is by far the most widely used, susceptible to a breach is that the stored data, the actual card number and expiration date, is static and shared at the point of sale, exposing it to malware in the local machine.
EMV chip cards, affectionately known as chip-and-PIN, have significantly improved this security situation. EMV cards use encryption to protect data, and require either a PIN or signature. Using this two-factor authentication is much safer than swiping a magnetic stripe. However, if you’re swiping your chip-and-PIN card – as many retailers still have customers do – you have just negated these security measures. And, as researchers from NCR demonstrated at the annual Black Hat hacker conference in Las Vegas in August, even EMV technology can be compromised.
Contactless mobile payments use two-factor authentication and tokenization, which does not expose card data at the point of sale, making them more difficult to hack. Tokenized contactless transactions are fundamentally more secure than traditional mag-stripe swiped transactions. In fact, the NCR researchers at Black Hat recommended that consumers pay with contactless mobile payment systems like Apple Pay, which uses the same tokenization technology that Android Pay and FitPay have implemented.
Does that mean mobile payments are “The Winner in Payment Security” as ISACA’s report suggested? I think so, but data security threats are constantly evolving. There is no one-time solution for payment security. We must be continually finding new ways to keep payment transactions and consumers’ card data safe from attack.
Ultimately, I believe that wider adoption of contactless payments will make paying for things faster, more convenient… and much safer for consumers and merchants. The challenge for the industry is to stay ahead of the latest threats and to help separate perception from reality when it comes to mobile payment security.
Michael Orlando is Co-founder and CEO of Fit Pay, Inc., a white-label technology platform that adds contactless payment capabilities to wearable devices—with very little start-up time, no investment in software development and instant access to the leading card networks. FitPay was named a Gartner “Cool Vendor” in consumer financial services for 2016. Learn more at www.fit-pay.com, or follow FitPay on Twitter.