Friday, November 22, 2024

M-Commerce: Why Rollout, Patch Later Is a Dangerous Prescription

Data Insecurity
Part 8
Few payment innovations have produced the stark schizophrenia that we are experiencing with mobile commerce. Normally somber business types are rubbing their hands together at the prospects of reaching consumers on a one-to-one basis, online, all the time, anywhere they happen to be. Meanwhile, typically apprehensive risk managers and security experts are wringing their hands at the potential for serious data incursions. Maybe risk managers know that, as often happens with payment innovations, the temptation is to get the new product into the marketplace as quickly as possible, then step up the security as needed to ward off attacks. One case in point could now be emerging among so-called smart phones, where the underlying programming is proving to be more vulnerable to hackers than some business types thought.

Mobile commerce, however, raises the stakes for this risky self-indulgence because many observers are projecting that cell phones and PDAs will soon replace wallets and pocketbooks. Consumers, who almost never leave home without their mobile devices, are being prepared for the day when all the payment and loyalty information they need will be loaded on and/or accessed by the device. So a data incursion, should it happen, could be just as damaging as losing a wallet or pocketbook. Maybe more so, if the mobile device's ability to authenticate the consumer is hacked.

Already, four business models for mobile commerce have emerged. One is the simple mobile Web site, which can be accessed for product purchases through now-conventional online payment options. Another is a dedicated application from a mobile commerce provider that provides end-to-end payment functionality from the device. A third is simply doing a short-message service (SMS) text message transaction exchange. The fourth is loading an “m-wallet” on the device, and using those payment options to do everything from buying a ring tone to paying a bill. This option could be enhanced by the use of near-field communication (NFC), which uses radio frequency identification, or RFID, to tap and go for physical-world digital interactions. In this case, the mobile device actually becomes the payment instrument, replacing cash, paper checks, and cards.

And there is growing acknowledgment that today's absence of a productive dialog between the two major players in mobile commerce (wireless carriers and banks) could turn into a confrontation down the road. Both claim the mobile customer who wants to transact wirelessly as their own, and both want a sizable portion of any fees garnered from enabling those transactions to happen. A key element of this contention is: Who is liable for data incursions in this new environment? If the bank is, then they want to be paid for bearing that risk. Moreover, the big banks are determined not to give away this new channel for free, as they did with the online channel. If the carriers have to bear the risk, as is the case in most countries overseas, they're likely to favor prepaid options, or dumping the transactions to their monthly billing mechanisms. Either way, a logical resolution is nowhere close at hand.

So we have the strange situation of wireless redux, wherein all the initial enthusiasm for m-commerce that arose during the Internet bubble years (1998-2000) times two or three has hit the transaction world in 2007. Just about everyone is working on some sort of mobile-commerce play; some of the carriers and some of the banks are hedging their bets and working on support for all the business models mentioned previously! Yet we have relatively few assurances that all the necessary testing across applications, platforms, networks, and payment/risk configurations has been performed to date. Lots of studies and reports are documenting the theoretical risks, and some of the industry leaders pushing forward with payment applications are visibly crossing their fingers and hoping for the best.

And still the rush goes on… Consumers have picked up on that, opting in much greater numbers for the relatively simple process of accessing mobile banking functions online rather than taking the deeper plunge into payments with their mobile devices. Privately, a number of security experts are lobbying to slow the business rush down just long enough to work out the kinks first. For example, the Financial Services Technology Consortium (FSTC), a membership group focusing on making the marketplace safe and workable for all types of electronic payments, is now working with The Clearing House Payments Co. LLC, a consortium of large banks, to make sure that they don't run off and make this plunge without adequate standards for security and interoperability in place.

And there's reason to be at least a little optimistic that the forces-that-be will carve a safe path to the mobile-commerce future. Back in the early part of this decade, everyone knew about the “WAP gap.” This was the nasty situation with the Wireless Access Protocol “box” where private credentials were momentarily left in the clear before passing to and from the Internet. And everyone understood that was a non-starter. That's been fixed, and just in time.

Hundreds of millions of potential users (billions worldwide) make marketers of every stripe salivate at the business prospects. They, and their ever-innovative device-makers, won't wait long for a viable solution.

—Steve Mott


Digital Transactions