Advancements in mobile payment security technology are curbing risks and improving consumer trust beyond levels traditionally associated with plastic payment cards, says a study by global IT association ISACA.
In a guide titled “Is Mobile the Winner in Payment Security?” released on Friday, ISACA has outlined several advantages of mobile payments relative to physical and e-commerce transactions, the organization said in a statement.
It describes tokenization, device-specific cryptograms and two-factor authentication as key improvements that make mobile payments appealing to both consumers and vendors.
“Mobile payments, with embedded, improved and transparent security controls, are a great example of how security can act as a business enabler, contributing to the creation of end-user trust,” said Christos Dimitriadis, who is ISACA Board chair and group director of information security for INTRALOT.
The report also notes that integrating mobile payments into a merchant’s business creates opportunities for more robust customer loyalty programmes and allows for purchases in circumstances when customers do not have access to their physical payment card.
ISACA’s 2015 Mobile Payment Security Study shows only 23 percent of IT and cybersecurity professionals said they believe mobile payments keep personal information safe. Still, the global number of mobile payment users is expected to reach 1.09 billion by 2019, according to Ovum. It was 44.55 million in 2014.
While modern mobile payment methods offer many benefits, the guide also notes some potential vulnerabilities, including during the one-time enrollment when users register a payment card in the mobile wallet application.
The guide encourages vendors that adopt mobile payment options to regularly re-evaluate risk control measures.
Some of the mechanisms empowering advancements in mobile payment technology include tokenization, device-specific cryptograms, and two-factor authentication.
Tokenization. Secure mobile payment applications—or mobile wallets—do not transmit a card’s primary account number (PAN), instead sending a randomly generated token to the point of sale (POS) terminal and payment network. This token safeguards the consumer’s data while in transit.
Device-specific cryptograms. The cryptogram ensures that the payment originated from the cardholder’s device. If a hacker obtains mobile payment transaction data, the cryptogram that is sent to the POS terminal with the token cannot be used on another mobile device. This helps render any stolen data unforgeable and useless.
Two-factor authentication. This provides an additional layer to guard against mobile payment fraud by utilizing two independent mechanisms for authentication. Among the common credentials used are something the user knows (such as a password), something physical that the user has (such as a payment card or phone) and a biometric such as a fingerprint, voice print or facial recognition.
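A simplified model of the token and device-specific cryptogram check described above, added here as an illustration and not taken from the ISACA guide or any payment network's specification. The HMAC construction, the transaction counter, the class and function names, and the test card number are all assumptions.

```python
import hashlib
import hmac
import secrets

def make_cryptogram(device_key, token, amount_cents, counter):
    """Device side: bind token, amount and counter to this device's key (assumed scheme)."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class PaymentNetwork:
    """Toy token service: only it can map a token back to the PAN."""
    def __init__(self):
        self._vault = {}  # token -> [pan, device_key, last_counter_seen]

    def enroll(self, pan):
        """One-time enrollment: provision a random token and a per-device key."""
        token = secrets.token_hex(8)
        device_key = secrets.token_bytes(32)
        self._vault[token] = [pan, device_key, 0]
        return token, device_key

    def authorize(self, token, amount_cents, counter, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return "unknown token"
        _pan, key, last = entry
        expected = make_cryptogram(key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return "bad cryptogram"   # wrong device key or altered fields
        if counter <= last:
            return "replayed"         # valid cryptogram seen before
        entry[2] = counter
        return "approved"

def demo():
    net = PaymentNetwork()
    pan = "4111111111111111"          # constructed test number
    token, key = net.enroll(pan)
    out = {"token_is_pan": token == pan}
    c1 = make_cryptogram(key, token, 1999, 1)
    out["genuine"] = net.authorize(token, 1999, 1, c1)
    out["replay"] = net.authorize(token, 1999, 1, c1)
    # Same token presented by a device holding a different key
    other = make_cryptogram(secrets.token_bytes(32), token, 1999, 2)
    out["other_device"] = net.authorize(token, 1999, 2, other)
    # Captured cryptogram reused with a changed amount
    c2 = make_cryptogram(key, token, 1999, 2)
    out["altered_amount"] = net.authorize(token, 999999, 2, c2)
    return out

if __name__ == "__main__":
    print(demo())
```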
If a mobile device containing a mobile wallet is lost, the mobile device can be remotely erased. And since the consumer’s payment card information is not on the mobile device, the payment cards do not need to be replaced, the guide suggests.
Like consumers, merchants stand to benefit from mobile payments in many instances.
“A key benefit for merchants is that enhanced security should lower fraud and thereby lower costs,” according to the guide.