The security of mobile payments - a way forward through the regulations

A recent paper by Juniper Research has assessed the regulations and standards which might affect the development of mobile payment security in the near future.
Mobile payments have become a vital channel for both eCommerce and POS (point-of-sale) payments, as the smartphone has become a means both of accessing the Internet and of making various short-range radio communications. Smartphones have become a common platform for remote (i.e. not face-to-face) eCommerce, with 71% of American users and 61% of British users telling Juniper that they buy items remotely through their phones. In addition, P2P (person-to-person) payments have gained traction in recent years, and contactless mobile payment methods have entered the mainstream through OEM-Pay initiatives (OEM = original equipment manufacturer).
At the same time, according to Juniper's paper on "the impact of regulation on securing mobile payments," regulators are ensuring that the need to keep personal and payment-related data secure is ceasing to be a mere cost of business and becoming a necessary part of it.
This wide range of payment options, in turn, calls for mechanisms that can secure both the transactions that these devices generate and the identities of the payers. People use many methods for this purpose, with a particular emphasis on securing information that relates to users' identities and personal accounts. One such method is a mobile payment, i.e. any payment made through a mobile computing device that is small enough to be held in the hand (e.g. a smartphone, tablet or smartwatch).
The GDPR
The European Union's General Data Protection Regulation hampers the efforts of financial firms to process personal data without the consent of the people involved. Instead of trying to work out whether the cost of reducing this-or-that fraud is higher or lower than the fraud itself, the fines that the law imposes make it necessary for banks to protect data well.
The GDPR can also limit the uses of any payment-related data, even when no regulator imposes a fine. Payment processors can claim a legitimate interest in the processing of personal data for anti-fraud purposes, but the advent of AI-based (AI = artificial intelligence) fraud detection may be problematic. Article 22 section 2 states that the data subject (the person whose data the bank is processing) has "the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."
There might be some room here because section 2(a) allows a decision based solely on automated processing as long as the data "is necessary for entering into, or performance of, a contract between the data subject and a data controller." As many forms of payment services are not necessarily accompanied by legal contracts, they may not qualify for this exemption. Companies, however, might circumvent this through the loophole provided by the word 'solely.' AI processes that are, or can be, subject to human review might not be subject to this rule. However, as one of the goals of AI in payment processing is to reduce human involvement, companies have to strike a balance between using IT to save money and involving humans enough to comply with the GDPR.
Article 5(1) of the GDPR dictates that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." It is probably hard for a bank to process data only for those "purposes," especially where AI is concerned. If its algorithms give it fresh insights when they analyse payment-related data, the bank cannot use them.
PSD2 and SCA
The SCA (Strong Customer Authentication) requirements of PSD2 (the EU's second Payment Services Directive) were due to come into force on 14th September last year, but 31 governments delayed their deadlines, mostly with no timeline for implementation.
Juniper wrote on the subject in November: "With little in the way of guidance for when these regulations will actually apply, merchants will become reliant on payment providers and other third party platforms for their regulatory compliance. This is behind moves from those platform players to expand their scope, such as Stripe's acquisition of Touchtech in April 2019, which allows the processor to offer services to banks.
"These requirements will help mobile commerce and mobile-first platforms become more prominent, as 2FA (Two-Factor Authentication) mandated through PSD2 are [sic] potentially more intuitive on a mobile device, particularly when biometrics are employed. Other elements can be introduced through mobile devices as well, particularly where 3D Secure 2.0 platforms are involved.
"We also expect PSD2 to function as a template for other countries to implement 2FA beyond Europe. Companies in the US already need to comply with PSD2 regulations in order to do business in Europe, and so only those areas that are more dependent on non-European trade (such as Australia's relationship with the US and China) will not be concerned..."
PSD2 has encountered many problems, according to Juniper, so the road to full compliance is likely to be slow, and 3D Secure 2.0's requirements will act as a de facto standard before anyone passes any formal legislation.
Because 2FA is required by the SCA rules of PSD2, Juniper expects plenty of firms to use text messaging as a security measure, as it is a fairly simple method. SMS (short messaging services) has security-related problems, however, and Juniper therefore expects it to prove unsatisfactory in the long run. This will present opportunities for a range of IAM (Identity and Access Management) and other authentication providers to offer their own hardware and software for SCA purposes, although it will take several years for these to become truly established.
Web standards
As well as regulation, various standards are in widespread use for web and mobile commerce. These are bound to have an effect on mobile payments as well.
The appliance of bio-science
Juniper predicts that banks will use biometric authentication to secure US$2.5 trillion worth of mobile payment transactions by 2024, an increase of almost 1,000% on today's figure. The availability of dedicated biometric hardware will not be an obstacle to biometric usage, as it will be present on an estimated 90% of smartphones by 2024. However, Juniper expects less than 30% of these phones to be used to authenticate contactless payments, thanks to the presence of contactless cards.