As more merchants and consumers adopt mobile payments, many cybersecurity experts warn that a rise in mobile payment-related breaches will result, though in some cases providers are sacrificing security for easier use and more adoption.
Thales e-Security does not consider itself amongst those naysayers. As the 2015 holiday shopping season nears, Thales sees mobile as a better way to protect more transactions, and the more adoption, the greater the security.
"A mobile platform or device itself gives you a lot more flexibility to manage risk and fraud than you have in a static card environment," said Jose Diaz, director of payments strategy for Plantation, Fla.-based Thales.
Whether a mobile system operates on Host Card Emulation or uses the phone's secure element to initiate contactless payments, both options actively manage keys that are used for cryptograms, Diaz said. The Host Card Emulation process bypasses the secure element in a phone to initiate a contactless Near Field Communication payment.
"We already know utilizing tokenization in mobile can segment the fraud by channel," Diaz added. "If a token is stolen from mobile, it can't be used anywhere else."
Mobile pay systems have the potential to be more secure if banks and merchants pay attention to every aspect of setting up mobile pay, said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"We saw how quickly criminals figured out in the early days of mobile payments with Apple Pay that the gap was on the registration and provisioning side of things," Conroy said. "It highlights the complexity of this process."
A proper level of encryption and tokenization has to be in place if a merchant is not using Apple Pay or Android Pay and instead using a cloud-based or QR code-based wallet, Conroy said.
"There are so many different flavors out there," Conroy said. "You have to look at the entire lifecycle and make sure you have people who understand the complexity of the security."
Citing statistics from recent Information Systems Audit and Control Association (ISACA) reports, Peter Galvin, vice president of strategy and marketing for Thales, said 87% of cybersecurity experts feel breaches into mobile systems will increase significantly in the next year.
"This is kind of like what they said about e-commerce fraud going up at 30% a year, but that was because e-commerce transactions overall were going up at a similar rate," Galvin said. "It's all in how you look at things."
Companies and financial institutions can stay ahead of the breach curve by understanding the potential vulnerabilities in their systems, Galvin said. "There will be a certain amount of fraud and there will be people trying to hack in. But we don't agree there is an acceptable level."
It will be important for merchants to fully understand the positive aspects of mobile adoption as holiday shopping triggers more transactions.
But U.S. merchants already have much to juggle on the payments side of the business during that time, particularly with the EMV liability shift in place and an uneven playing field regarding what technology a merchant has in place or lacks.
EMV migration is slow because many banks put risk management systems onto the back end of their networks in an attempt to get a handle on the security threats unfolding, Galvin said.
"They already had systems in place, so they are taking their time to switch to chip cards [from mag-stripe cards]," Galvin added. For the merchants, it was EMV and then also NFC, and then the Merchant Customer Exchange comes along with a focus on QR codes, Galvin said. "Now, merchants want to make sure an upgrade includes everything out there, and that also slows things down," Galvin said.
In that setting, it is easier to understand why not all merchants have embraced the security potential of mobile or deployed NFC readers to accept Apple Pay and other mobile payment services, Galvin said.
Phoenix Marketing reported last week that Apple Pay adoption has grown to only 14% of iPhone 6 owners in its first year on the market, after a fast start out of the gate at 11% after only four months. A significant factor, Phoenix surmised, is the reluctance of merchants to add the technology and fully train staff about how to accept the mobile payments.
Merchants' uncertainty over what to deploy is creating a fractured payment acceptance structure in the U.S., Galvin said. "It's not about the payment method and how exciting it can be," he added. "But if the consumer has to think about how they are going to pay at any given store, it is more confusing from an adoption perspective."
As mobile in-app payments grow, security will become stronger in the process, Diaz said.
"When doing in-app payments on a phone or tablet, the card is secure in your device, rather than entering numbers online," he added.
Mobile will also prove to be a more effective way to keep gift cards safe during the holiday season, if wallet developers can create an easy way for the card buyer to pass the digital product over to the recipient.
Gift cards have a long way to go as far as being a part of a secure infrastructure, Diaz said.
Yet, the movement of e-gift cards through different delivery channels and social networks continues to be a hot topic in the payments and technology industries.
"Gift cards are sitting on racks in stores now, making it easy for someone to go and get all of those numbers if they wanted to," Diaz added. "If we could get gift cards on mobile devices, a lot of this provisioning process could be improved."