Why wearable payments need one-size-fits-all security
Because wearable payments technology is still considered experimental, it is important to address security before the market for such products gets much bigger.
Part of the issue is the inconsistent use cases for wearables on the market today. Major card networks and small startups alike have tested payments in wristbands, rings, watches and other jewelry, sunglasses, gloves, coats and even hockey jerseys.
The risks with wearable payments are reminiscent of those with early mobile wallets. Even major mobile payments brands like Google and Starbucks faced security issues early in the development of their mobile wallets, and these issues could easily resurface with wearables.
With so much variety in form factor, it's vital that the security woven into wearables is consistent and clear, according to the Secure Technology Alliance, a membership organization representing key players in the payments ecosystem.
Over-the-air provisioning technology, developed to tokenize account numbers and let phones carry payment credentials in an application, is well established, but it all has to change in the context of wearables, said Randy Vanderhoof, executive director of the Secure Technology Alliance. The organization has operated under that name since March 2017, when it changed its name from the Smart Card Alliance.
"Wearables typically don't have the ability to store and operate their own apps or communicate to that app without having a mobile device in place," Vanderhoof said. "There had to be a bridge to the personalization of the wearable technology that was different than how we provision cards and made them contactless and how mobile phones and mobile apps interact."
The Alliance issued a report this month to guide manufacturers and merchants on how to best keep contactless payment wearables secure.
The guidelines differentiate between passive and active wearables. Passive wearables rely on the point of sale terminal to acknowledge a transaction, whereas active wearables can carry Near Field Communication chips or other technologies to initiate transactions and, in the future, communicate other information to merchants. Active wearables don't rely on another mobile device to be present to initiate transactions.
"We are seeing some security gaps that are filling in now," Vanderhoof added. "The payment brands can't be in a position to evaluate and set up provisioning for every manufacturer of wearable technology, so they are relying on digital security companies like Gemalto and Idemia (formerly OT-Morpho) to step in and perform some of those services."
To best represent the marketplace and use cases, the Secure Technology Alliance operates through councils or sub-groups that study industry trends from payments, mobile, transportation, healthcare, Internet of Things, identity and access control. When a specific group agrees on a topic to focus on, it can prepare best-practices guidance, as was the case with payments wearables.
The Alliance is providing a valuable service to the payments industry by "getting out in front of a topic and suggesting what higher level requirements might be needed," said Steve Mott, principal of BetterBuyDesign, a Stamford, Conn.-based consulting firm.
That type of guidance is a far better approach than "letting everyone who is not involved in security jump into the market and maybe spoil it because they do something really dumb," Mott said. "In the case of wearables, those kinds of things might [include] not being aware of the interception of a signal, or not providing a full payload of data that authenticates the use of an account."
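As an added illustration, not taken from the Alliance report or from the article's author, the following Python model shows why the two gaps Mott names matter: a tokenized credential on an active wearable is only useful to the issuer if each tap carries a full authenticating payload, and an intercepted payload must not be replayable. The account number, token, device key and message layout are constructed for the example and are deliberately simpler than real EMV contactless cryptograms; the terminal nonce stands in for a terminal's per-transaction challenge.

```python
import hashlib
import hmac
import secrets

# Constructed sample values; a real token service provider would generate these.
PAN = "4000000000001234"        # the real account number, kept on the issuer side only
TOKEN = "4999990000005678"      # surrogate provisioned to the wearable instead of the PAN
DEVICE_KEY = secrets.token_bytes(32)  # per-device key (held in a secure element in practice)


def cryptogram(key: bytes, token: str, counter: int, amount: str, terminal_nonce: str) -> str:
    """Authenticating MAC over everything that makes this one tap unique (simplified)."""
    msg = f"{token}|{counter}|{amount}|{terminal_nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Wearable:
    """Active wearable: holds only the token and device key, never the PAN."""

    def __init__(self, token: str, key: bytes):
        self.token, self.key, self.counter = token, key, 0

    def tap(self, amount: str, terminal_nonce: str) -> dict:
        self.counter += 1  # monotonic transaction counter, one step per tap
        return {
            "token": self.token,
            "counter": self.counter,
            "amount": amount,
            "terminal_nonce": terminal_nonce,
            "cryptogram": cryptogram(self.key, self.token, self.counter, amount, terminal_nonce),
        }


class TokenVault:
    """Issuer / token service side: de-tokenizes only after the payload checks out."""

    REQUIRED = ("token", "counter", "amount", "terminal_nonce", "cryptogram")

    def __init__(self):
        self.records = {TOKEN: {"pan": PAN, "key": DEVICE_KEY, "last_counter": 0}}

    def verify(self, payload: dict) -> tuple:
        # A token on its own is not a full authenticating payload.
        missing = [f for f in self.REQUIRED if f not in payload]
        if missing:
            return False, "incomplete payload: missing " + ", ".join(missing)
        rec = self.records.get(payload["token"])
        if rec is None:
            return False, "unknown token"
        # Replay check: a counter that does not advance means a captured payload.
        if payload["counter"] <= rec["last_counter"]:
            return False, "replayed or stale counter"
        expected = cryptogram(rec["key"], payload["token"], payload["counter"],
                              payload["amount"], payload["terminal_nonce"])
        if not hmac.compare_digest(expected, payload["cryptogram"]):
            return False, "cryptogram mismatch"
        rec["last_counter"] = payload["counter"]
        return True, rec["pan"]


def demo() -> dict:
    """Run one genuine tap and the three failure cases; returns each verdict."""
    vault = TokenVault()
    device = Wearable(TOKEN, DEVICE_KEY)
    nonce = secrets.token_hex(4)  # stands in for the terminal's per-transaction challenge

    genuine = device.tap("12.50", nonce)
    results = {"genuine": vault.verify(genuine)}

    # Presenting the same intercepted payload a second time fails the counter check.
    results["replay"] = vault.verify(genuine)

    # Changing the amount in transit invalidates the cryptogram.
    tampered = dict(device.tap("12.50", nonce), amount="1250.00")
    results["tampered"] = vault.verify(tampered)

    # A bare token with no authenticating data is rejected as incomplete.
    results["token_only"] = vault.verify({"token": TOKEN})
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:10s} -> {verdict}")
```

The design point is that the wearable never carries the PAN, and the issuer side never accepts a token without the counter, amount and cryptogram that bind it to one tap; which party performs the verification (issuer, token service provider or a security vendor acting for them) is the provisioning question the article describes.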
The card brands and financial institutions are especially interested in any support the payments industry can provide for itself.
"What you find out in going forward is that the brands and banks don't particularly want to figure this stuff out by themselves or for themselves, because then if something goes wrong, they are the ones responsible," Mott said.
Merchants are going to want to know when a customer wearing a payments watch is in the store and be able to communicate with them, he added.
"There are very rare instances of that kind of responsiveness to knowing a customer in the card world," Mott said. "But it can eventually be common in any kind of NFC mobile environment."
Industry researcher Gartner has estimated that more than 310 million wearable devices will be sold in 2017, and that trend will grow to more than 504 million by 2021.
As such, the Alliance felt it important to get its guidance in place to cover the ISO 14443 standard that supports contactless transactions, how the hardware secure element comes into play, and the provisioning models for WiFi, Bluetooth, over-the-wire, through trusted service managers and other processes.
The guidance covers in-app payments on the wearable, geofencing or beacon-based authentication, and QR code implementations.
The Alliance lists the stakeholders in the wearable ecosystem as the device manufacturer, chip vendor, antenna vendor, card/tag/sticker/SIM vendor, issuing bank, program manager, payment network, certification laboratory, personalization bureau, token service provider and wallet service provider.