Some retailers are embracing mobile payment but others are holding back because of security concerns.

Payment technology

While some retailers are still catching up with the ecommerce revolution, a whole new challenge is emerging. The big step in omnichannel at the moment is m-commerce. While the opportunity is likely to be as big as internet shopping was 10 years ago, the security implications could be tricky.

Smartphones have become ubiquitous, their users are becoming experts, and the applications they run are more and more advanced. Some retailers are setting the agenda in mobile, coming up with innovative ideas and services, but others are slower - and perhaps with good reason.

Near field communication turns mobiles into payment devices

Improving convenience for shoppers is something every retailer wants to do, but in this instance it comes with a host of new threats to security. Retailers know if they are going to get people shopping with their phones, security is one of the first things they need to get right. So what are the risks and how should retailers approach security in a world of mobile payments and apps?

Ed Lea, founder of mobile payment app Paddle, says: “Most retailers are aware that mobile payments are taking off. They’re thinking about mobile but they’re being cautious because at the moment for a lot of them it doesn’t make sense yet.”

Never one to miss a trick, Starbucks has proved how popular - and lucrative - mobile payment can be. At the end of April the coffee giant announced its mobile payment app had 10 million active users, making 4 million transactions a week.

Moving to mobile payments

Footwear retailer Schuh is a more accurate reflection of the market, however. The retailer has focused hard on its ecommerce division in recent years and its online channel is growing, but it is holding back on mobile payments for now.

Schuh is among those yet to embrace mobile payment

Schuh head of ecommerce and customer service Sean McKee says: “For a retailer like us it’s important to be early arrivals but not first movers. The first movers need to be the players like Tesco that can change behaviour.

“Clearly there is a change happening and there’s a swing towards mobile payment, and there are going to be winners, but it’s not remotely clear yet who will be those winners. Security is a part of it, people are naturally less confident about mobile. The challenge of any new payment type is that you’ve got to build trust.”

There are currently few standardised security practices or laws in place, making McKee’s view a common one.

M&S’s payment app

Some retailers are experimenting, but so far it has tended to be on a small scale. Marks & Spencer is one of the few retailers to have put its hat into the ring.

The first big piece of news since its Digital Lab launched in February, M&S is trialling an app on a small scale for web and mobile purchases. It might be a small step, but it is a welcome move in an industry in which mobile payment news is relatively scarce.

During the trial - and beyond if it is successful - shoppers will be able to use Lea’s Paddle app to pay for items with a pre-authorised bank account linked to the app. M&S is not the only retailer to trial mobile payments - Aurora is using PayPal’s app and Sainsbury’s is trying its own service.

Lea says there is plenty of interest from retailers cautiously keen to get to grips with mobile payments. But given the security issues involved, he says, caution is wise.

“It’s a good thing rather than them implementing mobile for the sake of it,” says Lea. “It should be done properly when it’s justifiable. Mobile opens up a whole range of security issues as well as customer experience issues.”

So what exactly are the security concerns? Retailers will be familiar with the PCI Security Standards Council, which offers best practice guidance and sets down Data Security Standard requirements. What they might not be as familiar with are the more recent PCI Mobile Payment Acceptance Security Guidelines, released last September.

In the guidelines the PCI identifies the areas where customers are most at risk, and how retailers could alter their practices. Several aspects of mobile payment - including ineffective encryption, third-party access, malware, or even simple theft of a device - make users vulnerable. Finding the keys to keep the whole system secure is the next big opportunity.

Keeping devices secure

Thales e-Security product marketing manager Ian Hermon says that, as smartphone technology advances, there will be more ways to keep devices secure. Using a phone’s GPS, for instance, could make a transaction more secure by confirming the user is present. He says: “Features like location authentication will provide better security. At the moment it’s all in a state of flux.”

Raja Ray, director of solutions at payment solutions provider Verifone, which works with M&S, says the fragmented nature of security standards is a challenge for retailers. “It’s not a mature area yet,” says Ray.

“Retailers often make assumptions about the standards, and many of them have quite a fragmented infrastructure at the moment. When it comes to security of retail systems the standards are in place but where they are falling foul is the interpretation of them.”

He adds that retailers should use a qualified security assessor to help them make sense of the data security standards and how they apply to their own business.

Mobile phone technology is moving rapidly onwards. There are already smartphones with near field communication technology, which bypasses the need for an app or a QR code scanner, turning the phone into a payment device itself, built in and ready to go.

And, as Starbucks proves, customers are happy to use contactless payment, at least for small transactions.

But taking mobile payment to the next level will be difficult unless customers feel secure.

While McKee and many others are rightly taking a circumspect approach, sooner or later mobile payment will be as established as ecommerce, and opportunities will need to be grabbed. However, security needs as much thought as any other part of the process.

PCI Mobile Payment Acceptance Security Guidelines

The PCI oversees a host of mobile payment security measures, from data storage to app software development.

In September 2012 it published a series of key findings on what it feels the industry - retailers, third parties, banks and ‘mobile wallet’ providers - needs to be on top of. Among its recommendations were:

  • Isolate sensitive functions and store data in trusted environments
  • Implement secure coding best practice
  • Eliminate unnecessary third-party access
  • Create the ability to remotely disable payment applications
  • Create server side controls and report unauthorised access