Big banks are developing a system to make mobile wallets more secure by walling off customer account information from merchants and other third parties.
Citigroup, U.S. Bancorp and other members of The Clearing House, an industry trade group, are jointly working on the technology. Their aim is to address some of the rampant data-security concerns surrounding digital payments. The system, dubbed Secure Cloud, essentially aims to provide a protective layer to customers who use the mobile wallets that have been developed by banks and non-banks, like Google.
"We want to see this type of innovation [digital payments] continue, and it needs to be built on a foundation that's sustainable," Paul Galant, the head of Citigroup's enterprise payments unit, said in an interview Friday. "In this era of cyberattacks and fraud and data breaches, the banking industry really can do a lot better."
The technology, which The Clearing House will start testing later this year, will keep customers' credit and debit card information from leaking beyond the banking system into the less-regulated databases operated by merchants and technology vendors.
Secure Cloud is designed for people who want to pay for things by waving their smartphones near digital readers, rather than by swiping plastic cards. It seeks to replace the account information in a phone's mobile wallets with what Galant calls a "token," which is a randomly generated sequence of numbers that can be used to authorize a purchase.
The mobile wallet sends that token, instead of the customer's card number, to the merchant to authorize the transaction. When the merchant or its processor sends the token on to its acquirer bank, that bank then processes the data and helps match it to the customer's original account information.
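The token flow described above can be sketched in a few lines of Python. This is an added illustration, not code from The Clearing House or any participating bank: the class names, the single in-memory vault standing in for the bank side, the constructed test card number, and the revocation step are all assumptions made for the example.

```python
import secrets

class BankTokenVault:
    """Bank-side mapping of tokens to card numbers (hypothetical design)."""

    def __init__(self):
        self._token_to_pan = {}  # never leaves the banking system

    def issue_token(self, pan: str) -> str:
        # Random digits, same length as the card number: the token has no
        # mathematical relationship to the PAN, so it cannot be reversed.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in pan)
            if token != pan and token not in self._token_to_pan:
                self._token_to_pan[token] = pan
                return token

    def authorize(self, token: str, amount_cents: int) -> dict:
        pan = self._token_to_pan.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # Only a masked reference goes back toward the merchant.
        return {"approved": True, "account_last4": pan[-4:],
                "amount_cents": amount_cents}

    def revoke(self, token: str) -> bool:
        # Assumption beyond the article: a token can be invalidated
        # without reissuing the underlying card.
        return self._token_to_pan.pop(token, None) is not None

class Merchant:
    def __init__(self, acquirer: BankTokenVault):
        self.acquirer = acquirer
        self.records = []  # what a breach of the merchant would expose

    def charge(self, wallet_credential: str, amount_cents: int) -> dict:
        result = self.acquirer.authorize(wallet_credential, amount_cents)
        self.records.append((wallet_credential, amount_cents, result["approved"]))
        return result

def run_demo():
    pan = "4111111111111111"          # constructed test card number
    vault = BankTokenVault()
    token = vault.issue_token(pan)    # the wallet stores this, not the PAN
    shop = Merchant(vault)
    first = shop.charge(token, 1250)
    vault.revoke(token)
    second = shop.charge(token, 1250)
    leaked = any(pan in str(rec) for rec in shop.records)
    return token, first, second, leaked

if __name__ == "__main__":
    print(run_demo())
```

The merchant's records hold only the token, so a copy of that store contains nothing that identifies the card beyond what the bank chose to return.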
"There's really no reason in this day and age for me to have to save my card number on the phone," Galant says.
Banks themselves are vulnerable to data breaches and direct cyberattacks. However, hackers have launched some of their most wide-ranging recent attacks on bank account information by breaching the defenses of the merchants or third parties that store customer names and card information. In May, thieves managed to drain $45 million from ATMs by attacking two card processors.
"We all know that at some point mobile payments will proliferate and grow in the industry, and we all know that we'd like to see more safety and soundness around those transactions," Pamela Joseph, vice chairman of payments services for U.S. Bancorp, said in a separate interview on Friday.
The Clearing House plans to run pilot tests of the program from the fourth quarter through next summer. Executives declined to disclose details or say which banks will participate; Galant said the trade group has signed up one non-bank provider of a third-party wallet, though he would not be more specific. U.S. Bancorp will be handling the merchant end of transactions via its Elavon acquiring unit. Citigroup would not discuss its specific participation in the pilot.
The Clearing House will initially test how the technology works at physical store locations, when customers wave their smartphones close to checkout readers, but executives said that it could eventually be used for e-commerce or other types of digital payments.
Joseph and Galant emphasized that the technology will be "open standard" and eventually available for use by banks of any size, as well as by non-banks like Google.
"We're very open to any variety of wallet providers, any variety of card brands," Joseph said.
The executives and The Clearing House would not discuss the investment involved in creating the technology, or how they expect to charge the banks and non-banks that eventually use it. Galant said the Secure Cloud system could help banks reduce their costs for other anti-fraud measures, but "clearly we understand that adding friction to the cost of consumer payments is the best way to ensure that it never gets adopted."