Mobile Commerce Daily is now Retail Dive: Mobile Commerce! Click here to learn more!

How secure are mobile payments?

While mobile payment technologies offer a convenient way to pay for goods and services, consumers could be at risk of losing money when mistakes are made by merchants and processors or as a result of fraud, according to Consumers Union, the nonprofit publisher of Consumer Reports.

Consumers in the United States soon will be able to pay for products and services with a wave of their smartphones via Near Field Communication and RFID technology. However, there is a raging debate among players throughout the financial services ecosystem about how secure mobile payments really are.

“Depending on the mobile payment architecture, there does exist the potential for significant fraud loss for the merchant and likewise for the consumer,” said Conrad Sheehan, founder/CEO of mPayy Inc., Chicago.

“If the mobile payment scheme is architected on the back of legacy credit card networks, that will extend the same fraud weakness that exists in ecommerce to traditional bricks-and-mortar because there is no way to capture an authorization, that is, a signature,” he said.

“This is a structural flaw that is inherent in the complex patchwork of systems that make up what we know of as Visa, MasterCard and AmEx.”

Mr. Sheehan said that pretty much every single retailer would go out of business if they experienced the same levels of fraud that ecommerce merchants experience. It would turn every transaction into a “Card Not Present” transaction.

With credit or debit card data resident on the phone and embedded in a chip, the phone would become more valuable to a potential fraudster.

A criminal could either simply steal the handset to buy a fence-able product or to hack into it and use the card data for ecommerce transactions.

“Basically every time you misplace your phone, you will have the same panic attack that you have when you lose your wallet,” Mr. Sheehan said. “This architecture will also drive up the cost of phones.

“This mobile architecture incorporating legacy networks may also require the phone to be on, driving down battery life and simply not working when the battery is dead,” he said. “A superior architecture is one where no sensitive financial data is on or in the phone and the phone does not require power to make payment—this is done by having an account-centric versus card-centric mobile payment system.

“Today’s cards were designed decades ago in a mechanical offline world…think three-paper carbon imprints.”

The onus is on state and federal regulators to reign in fraud, whether in be online or via mobile devices.

As mobile payments systems come to the U.S., product providers and regulators need to make sure that they are at least as safe for consumers to use as traditional credit card and debit card payments, per Consumers Union.

It is critical that mobile payment systems are covered by strong rules to protect consumers from losing money because of fraud, processor error or a dispute with a retailer.

The bottom line is that consumers need a level of confidence in their payment provider and not feel they are fighting a leviathan, but merchants are customers too, per Mr. Sheehan.

A full zero percent liability for consumers would be key to inspiring that confidence, as long it is not just a marketing slogan.

“MPayy created a very simple policy: on the Internet, we collect authorization, don’t pass fraud onto the merchant, and have full protection against unauthorized transactions and provide chargeback rights,” Mr. Conrad said.

“For our contactless bricks-and-mortar cards and RFID chips, we also offer the same protections,” he said. “Payment providers should exceed regulatory expectations and not exploit regulatory ambiguity.”

Is this a mobile problem?
If mobile payment transactions are backed by a credit card and appear on the credit card bill, then consumers are entitled to all available protections.

If the transaction amount is deducted from the consumer’s deposit account with a financial institution like with a debit card, it should receive the same protections as any other electronic fund transfer.

This means consumers receive a legal right to get back money for errors and theft, but not for a dispute with a merchant about the goods and services.

However, if the transaction is funded by a prepaid card, even the protections for unauthorized use may be missing, and there also will be no legal guarantee of protection in the event of a dispute with a merchant.

If the payment service is provided directly by the wireless carrier and the charges appear on the customer’s mobile phone bill, the way it is done in Japan and South Korea, the product might escape consumer protections entirely, according to Consumers Union.

If the carrier asks the consumer to make a prepaid deposit to the phone company to cover future charges, protections also will be missing unless the contract provides them.

While security threats are inherent to financial services in general and payment processing in particular, the Consumers Union’s concerns are not unique to mobile payments.

“It never ceases to amaze me how people love to get up on their soap box and just take things to negative town before anything has even happened,” said Drew Sievers, cofounder/CEO of mFoundry, Larkspur, CA. “These issues have nothing to do with mobility in payments—they have everything to do with debit, credit and prepaid cards.

“The one legitimate argument that is a mobility issue is payments on the carrier bill—that is legitimately uncharted territory,” he said. “I agree that if the carriers are going to get into this business, they are going to have to think that through.”

However, if a credit card account gets put on a mobile phone, it is the exact same process for contactless payments via plastic credit cards.

Consumer have been paying with contactless credit card for some time now.

Contactless payments technology has been in market for a while, and it has been proven and tested with an eye toward security issues.

“It is interesting that people are raising the specter of fear and fraud around mobile payments,” Mr. Sievers said. “If they need to change the level of security for payments, it has nothing to do with mobility—it has to do with the rules and regulations and their enforcement.”

Will the Feds step in?
Consumers Union has called on companies offering mobile payment systems to include in their contracts the full consumer rights provided under existing federal law for both debit and credit cards, and to provide true voluntary “zero liability” assurance for consumers without loopholes.

The consumer group also noted that regulators need to use their current statutory authority to ensure that existing consumer protections are applied to all new payment methods.

For example, the Federal Reserve Board should apply full debit card protections to payments backed via a prepaid card through a simple interpretation of Regulation E.

If the Federal Reserve Board fails to act, Consumers Union noted that the new Consumer Financial Protection Bureau created under the recently passed financial reform legislation has the authority to address unfair payment practices.

“The argument made by the Consumers Union is quite valid, because even though the form factor may change from plastic cards to mobile phones, the underlying source of funds—credit, debit or prepaid—will still be the same,” said Red Gillen, senior analyst at Celent, Boston.

“Although consumers may behave with merchants in different ways with mobile phones—for example, tapping a phone at a check-out line—the heart of the transaction, the money, will still come from the same place as it currently does with plastic cards,” he said. “As such, there should be no distinction between consumer protection for plastic card payments and mobile phone payments.

“It is my sense that the banking and payments industries understand this—I have not seen any indication that they are looking to create differing consumer protection rules based on form factor.”

Final Take
Dan Butcher, associate editor, Mobile Commerce Daily