As wearable computing transitions from fantasy to fashion, developers are starting to consider the distinct risks that arise when payments migrate away from smartphones.
"I don't think the industry has figured that out yet and I don't think there are standards on how to secure the 'Internet of Things,'" said Steve Tateosian, global product marketing manager for Freescale, an Austin, Texas-based company that develops embedded technology for Web processing.
Freescale has introduced a suite of what it calls PIN-compatible terminal security products, branded as Kinetis KL8x, to secure the mobile apps that power mobile point of sale terminals. Part of this suite includes microcontrollers that address mobile payment acceptance devices through tamper detection and ultra-low power capabilities.
The technology can be managed to maintain security for smaller devices that don't have the same computing power needs as tablets or PCs, Tateosian said, adding a larger device with a display would need more memory or added CPU horsepower, but a lot of mobile point of sale devices are displayless.
Freescale's suite includes security for mobile acceptance devices, and it's also developing systems to protect connected devices.
"In most of these point of sale terminals the highest level of security is for PIN protection," Tateosian said. "If people are entering that PIN into a watch, you would expect the same level of protection."
Freescale may seem out in front, given that most payment companies are still grappling with the EMV migration and its impact on desktop-based e-commerce, and Tateosian said there are still basic models and standards that have to emerge before wearable payments and the attached security can be addressed in the mainstream.
But even at this early stage, there is a risk to be addressed.
“Where there is an exchange of value, crime is soon to follow, but this seems to be way ahead of the curve, which is a nice thing to see, for a change,” said Al Pascual, director of fraud and strategy for Javelin Strategy & Research.
Wearables have unique risks, since the use cases often involve in a mix of unconventional but sensitive information, Tateosian said.
"For example, if you are collecting fitness information, maybe you don't care that people know you ran a ten minute mile instead of a nine minute mile. But if there's health data, how do you secure that?" he said, adding the same concept pertains to using wearables to pay.
"Encrypting data at the point of acceptance is probably the best data protection method that can be undertaken and this is important for any acceptance device, whether it is mobile or fixed," said Avivah Litan, a vice president and security expert at Gartner.
Many wearable security concepts are under consideration, Tateosian said. "There are lots of people looking at other ways to do that, which may not be at the end device or the mobile device."
The challenge comes in part from the variety of connected device types, Tateosian said. There isn't a standard for wearable payment security because there still aren't best practices for the technology that powers the transaction, which would impact how the transactions are secured.
For example, Apple Pay uses Near Field Communication to make payments from the Apple Watch, but most Android Wear watches don't have NFC built in.
RBC has experimented with using heartbeat patterns to authenticate users of a payments wristband, while Barclays has applied traditional contactless payment technology and security to unconventional form factors such as gloves and jackets.
PNC has built an application programming interface to develop payments technology for different devices.
And Visa has partnered with non-technical fashion designers to spot opportunities to embed payments in clothing.
The variety of technology and authentication methods has ramifications for compliance with PCI and other security standards, as well as risk models, Tateosian said. "The technology capability will be there, but there will challenges in terms of transferring fraud risk between the consumer and the retailer and the bank."