Mobile payment security will depend on using the ‘smart’ in smartphone

Simon Keates is mobile payment security expert at Thales e-Security

Confusion and concern over security is cited over and over again as the biggest barrier to widespread consumer uptake of mobile payments. And no wonder – confidence in the protection of sensitive cardholder data lies at the heart of trust in this technology. An EMV card as a physical asset is cryptographically secure. How can we emulate this security with something that is virtual, asks Simon Keates.

The arrival of HCE (host card emulation) has moved industry conversation along when considering the security of customer payment credentials. Prior to HCE, the two options were as follows – to store credentials in a specialist security chip (Secure Element (SE)) in the phone, or to utilise Card On File credentials in the cloud. The first model effectively turns the phone into a mobile wallet, with the SE performing the same function as the chip on an EMV card. The ‘cloud’ option we spoke about several years ago however, was simply a case of storing basic payment information, such as Card Number and Expiry Date or Sort Code and Account Number on the internet.

The introduction of HCE means that the full payment card data – an exact representation of the card using only software – no longer needs to reside on a physical chip, eliminating the need for an SE. This eliminates the battle for ownership of the previously all-important Secure Element, lowering barriers to market entry for new players.

The problem with moving the storage of card data from the chip to a secure environment in the cloud, as it stands, is that in order to complete a transaction, your phone will have to connect to the internet, wait for the crypto to be carried out, and receive a response. Even at the best of times, this will be difficult to complete in the time required by card schemes. Of course, with no signal, it would be impossible. The solution that is being proposed to combat this utilises a concept called ‘tokenisation’. Instead of having to connect to the internet every time you spend, limited use virtual cards would be stored on your phone.

Clearly, this has huge implications from a security perspective – now thieves won’t have to steal your wallet, or even your phone to take your cash. There is the potential for criminals to clone the phone and request the card information, or even write malware to reside on the phone that will send the virtual card to the thief in the blink of an eye.

Outdated authentication

Whether physical or ‘virtual’, payment security will only be as strong as the authentication mechanism. We must be able to bind the identity of the user to the authorisation of the transaction. While banks are extremely familiar with data protection requirements, challengers with less data handling experience will need to be extremely mindful of authentication and risk assessment.

We must look to use the ‘smart’ in smartphone to both authenticate the user, and contribute to the risk assessment of the transaction. Features such as GPS data, 3G location, proximity to wifi locations and the number and type of applications on the device build a unique fingerprint for each phone. Although not bullet proof, they can constitute a valuable asset to determine the likelihood of a fraudulent transaction. This also brings the potential to streamline the consumer experience in-store, lowering authentication barriers if it’s very likely that it’s the approved user, and introducing barriers to disrupt the payment journey if in doubt.

Of course, building up a risk-based authentication picture in this way brings its own security challenges. All this analysis depends on data – reams of personal data that represents an attractive target for malicious hackers, and must be protected against attack. Protecting all this stored personal data goes well beyond the usual password database problem in terms of both volume and sensitivity – authentication is moving from being a ‘password problem’ to a ‘big data problem’. Information must be carefully encrypted, to neutralise it and minimise the impact of its loss or theft.

HCE has been a game-changer, and will rapidly evolve the mobile payment ecosystem. In an increasingly virtual, connected world, we need to use all the tools at our disposal to ensure ease of use and simplicity of mobile payments. Then and only then will we successfully lower the barriers to consumer adoption of mobile payments, and crucially, instil trust in the technology.