QR codes, the two-dimensional bar codes used in many mobile wallets, are easy to deploy but can vary in their level of security.
A QR code contains data, such as a website address or a card account number, that can be read by a camera on a phone or other device. The security of this process depends entirely on how much of the customer's data is shared.
"There are distinctions between QR codes. Are you showing information about the transaction, or is it anonymous?" says Doug Brown, senior vice president of mobile for FIS, a core banking vendor. "Our transactions are anonymous, and that's not true of all companies that use QR codes for payments."
FIS has developed protection for QR code transactions that uses the company's internal cloud to store and match the user's credentials, eliminating the need for the QR code to store actual account credentials.
FIS is leaning toward QR codes as the mobile payment model of choice, though it still supports Near Field Communication, a hardware-based approach, Brown says. NFC technology is still not widely available, and NFC adoption for mobile payments has been sluggish.
"We use a downloadable mobile app that runs on an iOS or Android device," says Brown. "It's a model that encourages use and broader scale because it's not dependent on the hardware or the terminal on the merchant side. By virtue of that, we are seeing a deep level of interest from the bank and card issuer side."
FIS has 16 financial services clients and a number of merchants in various stages of deployment. FIS would not name these clients.
Starbucks boasts success with its QR code approach (10% of its U.S. payments come via mobile devices), but it was also the subject of an early challenge to this technology.
In 2011, a mobile application consultant named Jonathan Stark posted his Starbucks app's bar code online and gave it a Twitter account that broadcast changes to the account's balance. With this information, anyone could load or spend the account's funds, but they could not view bank account information or other personal details.
"There's virtually no information" transmitted to the cardholder when someone reloads the card from a bank or credit card account, he said at the time. "All I know, when someone loads the card, is it was loaded either in-store or online."
Starbucks was initially supportive of Stark's decision, since it was confident that his credit-card details could not be exposed. However, Starbucks soon changed its mind and shut down Stark's account out of fraud concerns.
"We have a number of safeguards to protect our customers. Credit card information is not stored on the app or the smartphone, and customers can add an additional layer of security by setting up password protection on their mobile device," said Linda Mills, a Starbucks spokesperson, in an email to PaymentsSource this week.
If a customer loses a phone, he or she can report the Starbucks card as lost and will receive full balance protection, Mills says.
Merchant Customer Exchange (MCX), a retailer-backed mobile payments initiative, also plans to use QR codes to drive its mobile wallet when released. MCX did not return a request for comment by deadline.
QR codes are prone to security risks, says Julie Conroy, a research director for Aite Group.
"They can be copied, and QR codes are also susceptible to malware. A QR code can be used to redirect someone to a malware-laden site," she says. "All a QR code really is is another form of a redirect."
A hardware-based approach like NFC poses fewer security concerns, Conroy says.
"You have the secure element that protects information and it's not as easy to deploy as a QR code. There's equipment at the point of sale that's a bit of a hassle for crooks," she says.
FIS is out in front in providing security for QR codes, Conroy says. Security programs for QR codes aren't widely used since mobile payments aren't yet widely adopted. "[Companies] aren't incentivized to spend on security solutions until they are actually bleeding," she says.