This is page 2 of:
Securing Mobile Payments – It’s Still Early
My point is: If we are still at the point where we’re saying that mobile payment security and compliance is a “good idea,” are these mobile payment offerings really ready for prime time? Or is mobile payment just another example of a hot technology that winds up in “perpetual pilot” because it cannot be made secure enough to prevent fraud in a production environment?
Actually, we’re pretty positive that mobile payment will provide a secure, PCI compliant payments ecosystem. Maybe not in 2009, but possibly by 2010 or 2011. That’s because one of the most common mobile payments models fits right in with a major trend we see in our research – the outsourcing of payment processing and management, to the greatest extent possible.
The model we’re referring to relies on a Trusted Service Manager (TSM), which is the entity in the mobile payment value chain that provides end-to-end payment security, manages the payment application and the interfaces to the merchant and the financial institution, and is responsible for service delivery and the user interface. In short, the TSM is the one to blame if the mobile payment system doesn’t work, the payment device (phone) is lost, or a fraudulent transaction is detected.
But who are the TSMs? Logical candidates are phone companies, credit card networks, and banks – most likely locked together in partnership. I suspect it will take several years before all this shakes out. In the meantime, when is it safe for retailers to move beyond pilots and begin investing in new contactless POS devices?
I believe mobile payment investment is justifiable for those merchants who target the youth market or have a substantial presence in Asia and the parts of Europe where mobile payment is accepted already and large numbers of people carry mobile devices capable of secure payments. In North America, I would look to university pilots to be most successful. The demographics are right for both consumer-to-business and consumer-to-consumer payments.
In any case, retailers need to be very careful that their pilots are run in a restricted environment, so that their overall PCI compliance will not be affected, and they need to be very dogmatic in their insistence on proof of PCI compliance on the part of the providers of the components of the pilots.
Again, it’s early yet, and we expect mobile payment security will be a very hot issue in 2010 and 2011. We’d love to speak with anyone involved in the sector, to broaden our mobile PCI best practices research. Please visit the PCI Knowledge Base and our “Contact us” page, or if you want to have a personal discussion about PCI and mobile payment issues, just send me an e-mail at David.Taylor@KnowPCI.com.
August 3rd, 2009 at 6:00 am
Just one point. The TSM provides end-to-end security ‘ISSUANCE’ not end-to-end ‘Payment Security’. In short, the TSM is responsible for the personalization of data to the Secure Element in the mobile device. The TSM is not responsible for the payment transaction between the Secure Element in the device and the conventional payment terminals.
August 3rd, 2009 at 9:08 am
TY, you’re right. I am hopeful that the model will evolve and the role of the TSM will expand to include end-to-end payment security. I think it’s a matter of the market demand not existing today. As more merchants insist on end-to-end payment security (e.g., encryption, tokenization) managed by a third party, the TSM (as managed by a bank, telco, network provider, or a combination) will become the provider of this service. There is a real issue as to HOW the market evolves to this, and how long it will take, but that is my expectation, based on things I’ve heard from several of the players in the space and our interviews with leading retailers and restaurants.
Thanks for the comment. Dave T.