With a forecast of 15 billion new devices as part of the Internet of Things potentially coming online as payments devices by 2021, securing these devices, whether they are cars, wearables, or appliances, is emerging as a top concern.
“We are seeing a huge increase in inadequately protected devices,” Graeme Bradford, vice president of marketing at Multos International, which provides chips for card manufacturers, said last month at the Secure Technology Alliance’s 2017 Payments Summit in Orlando, Fla. The alliance was formerly known as the Smart Card Alliance.
These devices with newly enabled payments capability are becoming more popular among consumers even as new product categories come online. Connecting formerly unconnected technology to the mature payments industry requires a considered plan, Bradford said.
For many companies providing IoT devices, securing the payments connection often is not the first priority. “Securing the run time is usually not top of mind,” Bradford said. “Getting something to the market usually is.”
Another issue is that payments companies can’t assume an IoT-capable device has built-in payments capabilities, Bradford said. That means it’s “about deploying payment-facility capability when they’re in the field,” he added.
Doing that, however, would be aided by some standardization, of which there is none for IoT payments right now. To address that, UL, the Northbrook, Ill.-based testing provider, announced UL 2900, a set of standards for testing various aspects of network-connected devices to root out problems such as software vulnerabilities and known malware, said Srinath Sitaraman, UL principal advisor and lead of its payments-advisory team. “Payments security is all about risk mitigation,” Sitaraman said.
Tokenization, spurred by the debut of mobile wallets, also has a role in securing IoT payments.
“Every single transaction in the Internet of Things should be tokenized,” said Stephane Wyper, vice president of startup engagement and acceleration at Mastercard Inc. Mastercard, along with the other card brands, is a token provider. “We can’t sacrifice the safety and trust that exists with consumers.” With tokenization, actual card information, such as account numbers, is replaced with randomly generated strings of characters that are useless to hackers if stolen.
Whatever form securing the Internet of Things takes, it shouldn’t restrict the types of devices consumers want to use, Wyper said. “We want to build things that people actually want to use,” he said.