
Mobile payments get Isaca’s security approval

Mobile contactless payments enable three key security controls that make them more secure than physical and e-commerce payments, according to a report by Isaca

Mobile payments have been given security approval in a report by Isaca, a global association of IT audit, information security risk and IT governance professionals.

According to the report, industry perception is shifting to favour mobile or contactless payments over plastic payment cards due to advances in security technology.

Isaca researchers have identified several advantages of mobile payments relative to physical and e-commerce transactions.

However, this does not include legacy payment systems that use mobile devices but do not have all of the modern mobile payment features, the report said.

These legacy systems include quick response (QR) codes, SMS (Short Message Service)-based payments, stored value applications on the mobile device and Wireless Access Protocol (WAP) forms that use a WAP proxy to pre-fill online e-commerce payment forms.

In physical payments, cards can be compromised through theft or loss of the card, card tampering, transaction spoofing, capturing authentication data, such as the card verification code, and skimming the magnetic track data. 

In the e-commerce world, card data can be compromised or fraudulent transactions can be initiated in a number of ways, including transaction replay, session stealing and data capture.

Key security improvements such as tokenisation, device-specific cryptograms and two-factor authentication, however, could make mobile payments more appealing to both consumers and merchants.

Mobile payments a ‘business enabler’

With the proper controls in place, the report said security advances in mobile payment technology can reduce risk for an enterprise dealing with payments, especially retail.

Integrating mobile payments into a merchant’s business also creates opportunities for more robust customer loyalty programmes and allows for purchases in circumstances when customers do not have access to their physical payment card.

During a mobile payment transaction, the report said, a merchant can optimise customer loyalty features with special offers, loyalty-point updates, coupons and additional information.

“Mobile payments, with embedded, improved and transparent security controls, are a great example of how security can act as a business enabler, contributing to the creation of user trust,” said Christos Dimitriadis, Isaca board chair and group director of information security for Intralot.

Protecting sensitive data in mobile payments

Tokenisation is one of the main mechanisms empowering advancements in mobile payment technology, the report said.

Secure mobile payment applications – or mobile wallets – do not transmit a card’s primary account number (PAN), instead sending a randomly generated token to the point of sale (POS) terminal and payment network. This token safeguards the consumer’s data while in transit.

According to the report, tokenisation is pushing mobile payments ahead of card payments in protecting consumers' sensitive financial information, in the continuous race to stay ahead of hackers and other threats.

The tokens can be configured to work only for transactions that match specific criteria for an exact period of time, specific retailer and certain monetary amount. Only the issuing bank and authorised entities can securely map tokens back to the original payment card data.

Device-specific cryptograms ensure that the payment originated from the card-holder’s device. This means that if a hacker obtains mobile payment transaction data, the cryptogram that is sent to the POS terminal with the token cannot be used on another mobile device. This helps render any stolen data unforgeable and useless.
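The token restrictions and device-bound cryptogram described above can be modelled in a few lines. This is an added illustration, not code from the Isaca report or from any wallet provider: HMAC-SHA256 stands in for a real payment cryptogram algorithm, and every name here (`TokenVault`, `cryptogram`, the device and merchant identifiers) is hypothetical.

```python
import hashlib, hmac, secrets, time

def cryptogram(device_key, token, merchant, amount_pence, nonce):
    # Device side: MAC over the transaction fields with the per-device key.
    msg = f"{token}|{merchant}|{amount_pence}|{nonce}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

class TokenVault:
    """Issuer side: the only place a token maps back to a PAN."""
    def __init__(self):
        self._tokens, self._device_keys = {}, {}

    def enrol_device(self, device_id):
        self._device_keys[device_id] = secrets.token_bytes(32)
        return self._device_keys[device_id]   # provisioned to that device only

    def issue_token(self, pan, device_id, merchant, max_pence, ttl_s):
        token = secrets.token_hex(8)          # random, not derived from the PAN
        self._tokens[token] = {"pan": pan, "device": device_id,
                               "merchant": merchant, "max": max_pence,
                               "expires": time.time() + ttl_s, "used": False}
        return token

    def authorise(self, token, merchant, amount_pence, nonce, crypto, now=None):
        rec = self._tokens.get(token)
        if rec is None or rec["used"]:
            return "DECLINE: unknown or spent token"
        if (now or time.time()) > rec["expires"]:
            return "DECLINE: token expired"
        if merchant != rec["merchant"] or amount_pence > rec["max"]:
            return "DECLINE: outside token restrictions"
        key = self._device_keys[rec["device"]]
        expected = cryptogram(key, token, merchant, amount_pence, nonce)
        if not hmac.compare_digest(expected, crypto):
            return "DECLINE: cryptogram mismatch"
        rec["used"] = True                    # single use (an assumption here)
        return "APPROVE: PAN ending " + rec["pan"][-4:]

def demo():
    # Constructed sample data: a test card number and made-up identifiers.
    vault = TokenVault()
    k_a, k_b = vault.enrol_device("phone-A"), vault.enrol_device("phone-B")
    t = vault.issue_token("4111111111111111", "phone-A", "shop-1", 5000, 60)
    good = cryptogram(k_a, t, "shop-1", 1200, "n1")
    other = cryptogram(k_b, t, "shop-1", 1200, "n1")   # same token, other device
    return [vault.authorise(t, "shop-2", 1200, "n1", cryptogram(k_a, t, "shop-2", 1200, "n1")),
            vault.authorise(t, "shop-1", 1200, "n1", other),
            vault.authorise(t, "shop-1", 1200, "n1", good),
            vault.authorise(t, "shop-1", 1200, "n1", good)]
```

`demo()` returns four decisions in order: wrong merchant declined, cryptogram from another device declined, the genuine transaction approved, and a repeat of the same token declined.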

Two-factor authentication (2FA) provides an additional layer to guard against mobile payment fraud by using two independent mechanisms for authentication.

Among the common credentials used are something the user knows (such as a password), something physical that the user has (such as a payment card or phone) and a biometric such as a fingerprint, voice print or facial recognition.

The report points out that if a mobile device containing a mobile wallet is lost, the mobile device can be erased remotely. In addition, as the consumer’s payment card information is not on the mobile device, the payment cards do not need to be replaced.

However, the report notes that users should have strong authentication for their mobile wallet applications, preferably a complex password and a biometric. The mobile wallet should use tokenisation and the number of transactions that can be processed with the phone should be limited to a small number of tokens stored in the phone.

Mobile device owners should also set up or turn on the device locator/remote erase feature, so that they can remotely erase their device if it is lost or stolen.

Evaluating risk

Like consumers, merchants stand to benefit from mobile payments in many instances. “A key benefit for merchants is that enhanced security should lower fraud and thereby lower costs,” the report said.

The report outlining the security advantages of mobile payments challenges the perception that mobile payments are risky.

Isaca’s 2015 Mobile Payment Security Study shows that only 23% of IT and cyber security professionals said they believe mobile payments keep personal information safe. Still, the global number of mobile payment users is expected to reach 1.09 billion by 2019, according to Ovum, up from 44.55 million in 2014.

While modern mobile payment methods offer many benefits, the guide also notes some potential vulnerabilities.

These include the one-time enrollment when users register a payment card in the mobile wallet application. Mobile wallet providers use methods such as sending payment card data and a device’s geographical co-ordinates to issuing banks, and any discrepancies can result in a call seeking additional verification.

The guide encourages merchants that adopt mobile payment options to regularly re-evaluate risk control measures to ensure any scenarios that could emerge are sufficiently addressed.
