Facebook Connect, which lets Internet users log into other websites by typing their Facebook credentials, seems to be everywhere. But perhaps it should not be in mobile payments, SCVNGR's LevelUp has decided.
LevelUp attributes much of its success to its integration with Facebook, but it removed Facebook Connect this month as a security concern. It notified consumers of the change in an email sent last week.
"The Facebook login is simply a login process that we have no control over," says Matt Kiernan, marketing manager at LevelUp. "As we continue to expand and grow with more partners and users, security it always of the upmost importance to us."
The LevelUp app allows consumers to make payments at participating merchants through a linked payment card account. The app displays a QR code on the phone's screen, which the merchant scans at the point of sale.
LevelUp grew concerned that Facebook could at any point change the code behind Facebook Connect to fit its needs as a social network, in turn undermining LevelUp's needs as a payment network, Kiernan says.
While Kiernan says there hasn't been any history of security issues with Facebook Connect, "it only takes once for your platform to be vulnerable and then you are compromising all your partners and customers."
The change comes on the heels of the Target Corp. data breach, which left at least 70 million people affected with potentially stolen names, home and email addresses. The breach also exposed the information of 40 million credit and debit card accounts. The large discount retailer faces nearly two dozen lawsuits after the security breach.
LevelUp's move seems inconsistent with the trend today. Many prominent applications allow users to login through their social media profiles, such as Facebook, Twitter or Google +. Social media logins simplify the enrollment and login process for the consumer, as well as provide app developers and merchants with rich data about the consumers' preferences.
Amazon.com offers a service called "Login and Pay with Amazon," which allows consumers to access any payment accounts stored with their Amazon.com profile for use at other online merchants.
Several companies, including American Express Co., Dwolla and Chirpify have even allowed users to transact directly over social media sites such as Twitter and Facebook. And recent mockups leaked by Fancy.com show that Twitter may soon support a similar function directly.
However, other companies that have tried to mix payments with social media have failed. And then there's Blippy, which let users broadcast their purchase activity over its own social networking site, but also temporarily exposed users' sensitive card details due to a technical oversight.
At LevelUp, we "don't necessarily know that payments are something that people want to be a social thing," Kiernan says.
LevelUp users will still be able to publish offers or rewards they've redeemed via Facebook and Twitter, which works as indirect marketing for the payments provider. Outside of the promotional benefit, "social isn't a crucial function of making payments," he says.
LevelUp changed its login process at a time when many payments companies are under scrutiny for their security practices, says Jordan McKee, an analyst at The Yankee Group.
"In the aftermath of the Target breach, security has moved front and center on the radar of companies across all facets of the payment ecosystem," McKee says. "Generally speaking, companies don't like the thought of another entity having direct influence on the security of their system. Being held liable for a security breach that is 100% out of your control is an unsettling thought."
Consumers may also use less secure passwords when connecting to social media sites than they do when connecting to bank sites or mobile wallet apps, he says. As more companies rely on Facebook for authentication, Facebook Connect may grow as a target for fraud.
"Bottom line is that the security risks associated with Facebook Connect will increase in parallel with its popularity," McKee says. "This will especially be the case if Facebook Connect continues to be leveraged as a means of accessing payment credentials."
LevelUp has been aggressive in changing its technology and its business model to respond to user habits and broader trends. Its current QR code reader replaces an earlier version based on a smartphone, which had issues with battery life and data connectivity. The company also recently changed its pricing model, reinstating a 2% transaction fee after merchants expressed dissatisfaction with its Interchange Zero model.