A recent paper by Juniper Research has assessed the regulations and standards which might affect the development of mobile payment security in the near future.

Mobile payments have become a vital channel for both eCommerce and POS (point-of-sale) payments, as the smartphone has become a means both of access to the Internet and of making various short-range radio communications. Smartphones have become a common platform for remote (i.e. not face-to-face) eCommerce, with 71% of American users and 61% of British users saying telling Juniper that they buy items remotely through their phones. In addition, P2P (person-to-person) payments have gained traction in recent years, along with contactless mobile payment methods entering the mainstream through OEM-Pay initiatives (OEM = original equipment manufacturer).

At the same time, according to Juniper's paper on "the impact of regulation on securing mobile payments," regulators are ensuring that the need to keep personal and payment-related data secure is ceasing to be a mere cost of business and becoming a necessary part of it.

This wide range of payment options, in turn, calls for mechanisms that can secure both the transactions that these devices generate and the identities of the payers. People use many methods for this purpose, with a particular emphasis on securing information that relates to users' identities and personal accounts. One such is a mobile payment, i.e. any payment made through a mobile computing device that is small enough to be held in the hand (e.g. a smartphone, tablet or smartwatch).

The GDPR

The European Union's General Data Protection Regulation hampers the efforts of financial firms to process personal data without the consent of the people involved. Instead of trying to work out whether the cost of reducing this-or-that fraud is higher or lower than the fraud itself, the fines that the law imposes makes it necessary for banks to protect data well.

The GDPR can also limit the uses of any payment-related data, even when no regulator imposes a fine. Payment processors can claim a legitimate interest in the processing of personal data for anti-fraud purposes, but the advent of AI-based (AI = artificial intelligence) fraud may be problematic. Article 22 section 2 states that the data subject (the person whose data the bank is processing) has "the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her."

There might be some room here because section 2(a) allows a decision based solely on automated processing as long as the data "is necessary for entering into, or performance of, a contract between the data subject and a data controller." As many forms of payment services are not necessarily accompanied by legal contracts, they may not qualify for this exemption. Companies, however, might circumvent this through the loophole provided by the word ‘solely.’ AI processes that are, or can be, subject to human review might not be subject to this rule. However, as one of the goals of AI in payment processing is to reduce human involvement, companies have to strike a balance between using IT to save money and involving humans enough to comply with the GDPR.
 
Article 5(1) of the GDPR dictates that personal data must be "collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." It is probably hard for a bank to process data only for those "purposes," especially where AI is concerned. If its algorithms give it fresh insights when they analyse payment-related data, the bank cannot use them.

PSD2 and SCA

The SCA (Strong Consumer Authentication) requirements of PSD2 (the EU's second Payment Services Directive) were due to come into force on 14th September last year but 31 governments delayed their deadlines, mostly with no timeline for implementation.

Juniper wrote on the subject in November: "With little in the way of guidance for when these regulations will actually apply, merchants will become reliant on payment providers and other third party platforms for their regulatory compliance. This is behind moves from those platform players to expand their scope, such as Stripe’s acquisition of Touchtech in April 2019, which allow the processor to offer services to banks.
 
"These requirements will help mobile commerce and mobile-first platforms become more prominent, as 2FA (Two-Factor Authentication) mandated through PSD2 are [sic] potentially more intuitive on a mobile device, particularly when biometrics are employed. Other elements can be introduced through mobile devices as well, particularly where 3D Secure 2.0 platforms are involved.
We also expect PSD2 to function as a template for other countries to implement 2FA beyond Europe. Companies in the US already need to comply with PSD2 regulations in order to do business in Europe, and so only those areas that are more dependent on non-European trade (such as Australia’s relationship with the US and China) will not be concerned..."
 
PSD2 has encountered many problems, according to Juniper, so the road to full compliance is likely to be slow and 3D Secure 2.0’s requirements will act as a de facto standard before anyone passes any formal legislation.

Because 2FA is required by the SCA rules of PSD2, Juniper expects plenty of firms to use text messaging as a security measure, as it is a fairly simple method. SMS (short messaging services) have security-relaed problems, however, and it therefore expects this to make it unsatisfactory in the long run. This will present opportunities for a range of IAM (Identity and Access Management) and other authentication providers to offer up their own hardware and software for SCA purposes, although it will take several years to become truly established.

Web standards

As well as regulation, various standards are in widespread usage for web and mobile commerce. These are bound to have an effect on mobile payments as well.

The appliance of bio-science

Juniper predicts that banks will use biometric authentication to secure US$2.5 trillions' worth of mobile payment transactions by 2024 - an increase of almost 1,000% on today's figure. The availability of dedicated biometric hardware will not be an obstacle to biometric usage, as it will be present on an estimated 90% of smartphones by 2024. However, Juniper expects less than 30% of these phones to be used to authenticate contactless payments, thanks to the presence of contactless cards.