Improving Security of Mobile Payments

A couple of weeks ago the European Central Bank (ECB) published a draft document for public consultation on Recommendations for Security on Mobile Payments. These recommendations were developed by the European Forum on the Security of Retail Payments, SecuRe Pay. This document follows similar recommendations for internet payments, and for payment account access services. Creation of standards and guidelines around payments is always a good thing, and that applies to security in mobile payments. However, the ECB is careful not to “set specific security of technical solutions. Nor does it redefine, or suggest amendments to, existing industry technical standards.” In my view, this is absolutely correct – mobile payments remains an incredibly diverse and rapidly developing landscape, and to attempt to impose specific security requirements on all of them would be a mistake. Instead, ECB focuses on five guiding principles for mobile payment service providers:

1. Identifying, assessing and mitigating the specific risks associated with providing mobile payment services.
2. Using strong customer authentication and registration controls.
3. Implementing a robust data protection mechanism to protect sensitive data wherever it is transmitted, processed or stored.
4. Implementing secure processes for authorising transactions, as well as robust processes for monitoring transactions and systems
5. Engaging in enhancing customer understanding and providing information on security issues related to the use of mobile payment services with a view to enabling customers to use such services in a safe and secure manner.

Most banks already have policies and processes to manage operational risk, conduct risk assessments, monitor and report incidents, etc., so for most it shouldn’t too challenging to incorporate these requirements into existing practices. The biggest challenge for them is likely to be ensuring that their partners also follow these guidelines and take appropriate security measures. However, again, banks are already responsible for managing risk emanating from third party relationships. On the other hand, the risk management framework and requirements set out in these recommendations is likely to require investment from start-ups and other new PSPs over and above what they might be doing today around security. At least on the surface, one of the potentially more onerous provisions appears to be the requirement that PSPs and mobile payment services providers implement a notification procedure in the event of security incidents. In reality, it will depend how this will be implemented. Somebody needs to be aware of all security incidents, but most providers have or will develop escalation mechanisms and reporting structures to determine who needs to get what information when. So, could these measures be the key to widespread uptake of mobile payments? I don’t think so – security is a must have rather than a positive incentive. In other words, lack of security would be a significant barrier to customer adoption, but security alone will not lead to an increased adoption – you need more tangible elements of customer and merchant value proposition and a workable business model across providers for that. To the extent that these proposals will help educate consumers and address their concerns around security, they will be useful. And if they are effective, they will play an “invisible role” by helping to prevent and manage security incidents, thus minimizing the barriers for customer adoption. I think most mobile payments providers are already taking security seriously. However, as we at Celent always say, there is usually a tradeoff between security and usability. And even the best security will not be able to prevent incidents entirely. Hence, the ECB is absolutely correct to focus not just on ensuring that incidents are minimized, but also on risk management framework and on what needs to be done when bad things do happen, as they inevitably will.