December 05, 2011
The future of mobile payments
Although mobile payments have been much slower to develop in the United States than many industry observers had predicted, there have been a number of encouraging recent developments. Starbucks, for example, has processed more than 20 million mobile payments since launching its app, and the Chicago Transit Authority's new fare collection system will be able to accept mobile payments starting in 2013. Still, despite these small successes, the United States has not seen the mobile phone really take off as a vehicle for point-of-sale payments.
|
The Retail Payments Risk Forum takes an active interest in mobile payments. For the past few years, we have gathered together key industry stakeholders to promote dialogue about barriers to adoption and reach a collective understanding about the state of the industry. Forum members have recently published a paper describing the views of these stakeholders and outlining the necessary elements of a successful mobile payments system. |
The Retail Payments Risk Forum recently interviewed David Evans, a payments industry consultant and the founder of Market Platform Dynamics, in a podcast exploring some of the challenges facing widespread mobile payments adoption. Evans maintained that a couple of obstacles have kept mobile payments from taking off in the United States. "Barrier number one is that there is not a very persuasive mobile payments alternative for consumers to use at the point of sale, and the second is that there's really not the technology at the point of sale capable of processing a mobile payments-type transaction."
In addition to these barriers, he said, is the simple fact that most consumers are satisfied with the way things are. Evans explained, "I can pull out a credit or a debit card at the point of sale, I can swipe it, and it works beautifully. Takes about a second. No fuss, no muss—the clerk knows what to do. The technology is all there. So we have this wonderful system that works really well right now that's extremely efficient." To change the status quo, a compelling value proposition must emerge for all parties. "Someone's going to have to come up with a really great alternative that adds value to the merchant and adds value to the consumers to make both of them want to do something different than [what] they are currently doing," said Evans.
Regarding the prospects for mobile payments outside the United States, Evans said, "I think that where we are going to see mobile payments take off around the world is primarily in countries that do not already have a very well-developed payment card industry with acceptance at the point of sale and that have very well-developed mobile phone systems."
The role of different types of market players has been a major source of debate among those forecasting mobile payments. Many disagree how the mobile carriers, such as Verizon and AT&T, will fit into the new landscape. Evans predicted that "the likely role of the carriers in payments is basically being a pipe." He stressed that mobile carriers do not have the expertise to operate mobile payments and are more likely to become pipes for others who will develop mobile payments alternatives.
When asked about his predictions about the type of technology that will ultimately support mobile payments, Evans said that it was still too early to know. However, he did say that "it's really the solution that is going to drive the adoption of a particular acceptance technology at the point of sale, rather than the acceptance technology driving the solution." There are clearly still a lot of unknowns with regards to mobile payments, and Evans wisely concluded that "we should talk about this in 10 years when we may actually know the answer!"
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
December 5, 2011 in mobile payments, payments systems | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0153940f0841970b
Listed below are links to blogs that reference The future of mobile payments:
Comments
May 16, 2011
Practical tips for enhanced mobile security
We recently sat down to talk with Soren Bested to discuss mobile security. Soren, who has more than ten years of experience in high-tech industries, currently serves as managing director of Monitise Americas, a leading provider of mobile banking and payments in both the U.K. and U.S. markets. Mobile security is a hot topic at Portals and Rails. Recent posts have covered common myths about mobile banking and payments and laid out foundational principles for a successful mobile payments ecosystem in the United States. Continuing in this vein, Soren offers some practical tips on using mobile devices to secure financial transactions today.
Mobile security is top-of-mind for consumers, and their concerns about the safety of the mobile channel have limited mobile banking and payments adoption. Soren suggests, however, that mobile has the potential to be "super-secure," and even to enhance the security of existing financial service channels. Financial institutions and technology providers might consider the following recommendations in approaching mobile to take advantage of this potential security.
Match service channel to function
The mobile channel incorporates several different technologies, or service channels: SMS (text messages), mobile applications, and mobile browsers. Each of these service channels has a unique security profile,and as such is best suited for different tasks. SMS, for example, transmits information over the air in an unencrypted format, and is therefore inappropriate for carrying payment or personal identification details. However, SMS is perfect for sending notifications because it is immediate, inexpensive, and convenient. Banks might insist that customers use a password-protected mobile application when they conduct more sensitive business, like initiating a peer-to-peer transaction or transferring a balance between accounts. These examples illustrate that the mobile channel cannot be approached with a single security protocol, but rather that security practices should be tailored to each channel and its unique risk profile.
Use existing industry security guidelines
Soren advises that financial institutions not reinvent the wheel when they design mobile security. The industry can instead apply established security guidelines. These are the PCI DSS (Payment Card Industry Data Security Standards) guidelines for card transactions, the SAS70 operational standards, and the FFIEC standards for multi-factor authentication. Conforming to these existing standards decreases the burden on banks by allowing them to take advantage of existing industry expertise in developing a secure product. Banks can then outsource some security development and auditing functions, in the same way that merchants rely on vendors to ensure compliance with existing PCI DSS requirements. Not only does this improve the customer's security, it also lowers the upfront cost and shortens the timeframe to launch a mobile product.
Implement true two-factor authentication
Strong authentication requires multiple unique factors. Possible factors for authentication include "something you know," like a password or your mother's maiden name, "something you have," like an RSA token or an ATM card, and "something you are," which could be a biometric identifier like a fingerprint or voice pattern. Currently, most online banking security consists of username and password, and sometimes challenge questions—all things that the user knows. This approach is not two-factor authentication, but is essentially single-factor authentication twice, and as such offers only limited security. Mobile financial services can also incorporate passwords but can also add the "something-you-have" factor with the mobile device itself. A mobile phone is a personal device unique to the user in a way that computers often are not. While families may share a computer, usually each person has his or her own mobile phone. In addition, technology allows for the unique identification of any mobile device, tying the device to the individual user. Some companies have even experimented with adding a third factor to mobile banking by enabling biometric voice authentication of mobile transactions.
Mobile phones can also increase existing online banking security by acting as a second factor for customer authentication. The user's phone will often be only a few feet away when they log into online banking on the computer, and the user could take a call or SMS to authenticate the session. Mobile technology may be the key that allows banks to fully implement multi-factor authentication, a gold standard of security.
These are just a few of the ways that mobile technology might lead us to greater security in financial services. But we know many of our readers are also mobile experts, and have even more ideas about enhancing security with mobile. Leave a comment or send us an e-mail with your tips on improving mobile security.
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
May 16, 2011 in authentication, mobile banking, mobile payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01538e841162970b
Listed below are links to blogs that reference Practical tips for enhanced mobile security:
Comments
April 11, 2011
Dispelling the myths about mobile banking and payments
There is a lot of confusion these days when it comes to mobile banking and payments. Consumer advocates warn that mobile payments will be unsafe and we need to develop consumer protections now to create a harbor from scams and rip-offs. While it's true that payment innovations often introduce new risks, they also create opportunities to create better safeguards that ensure a more secure payments system. So the path forward is best armed with accurate information about how the mobile wallet will work in the future. With so many new product trials and service rollouts for both mobile banking and payment services, it's difficult to separate fact from fiction. Today, we take an opportunity to do just that. We’ll look at some of the myths we hear most often about mobile banking and payments in the United States.
Myth #1: Mobile banking and mobile payments are one and the same
We often hear people use the term mobile financial services to refer to banking and to payments, as if they were the same thing. The fact is, they are different services that appeal to consumers in different ways, and they are accompanied by very different types of risk. As a recent position paper published by the Atlanta and Boston Federal Reserve Banks defined it, mobile banking refers to a service that accesses bank information such as account balances and transaction history and that facilitates transfers between accounts and online bill payment. Mobile payments, on the other hand, refers to the use of the phone either to make a payment for purchasing goods or services at a merchant's point-of-sale—a transaction also known as a proximity payment—or to transfer money to another person or a business. The latter transactions, domestic and remittance payments, are referred to as mobile money transfer (MMT) payments and occur remotely either within a country or cross-border. Because mobile banking services are merely extending online functionality from the PC to the cell phone, the risk profile for the mobile phone is not markedly different.
Myth #2: Mobile payments represent digital money and lack regulation
While emerging markets are experiencing some remarkable advances in mobile commerce using text messaging to send a payment via prepaid airtime, the U.S. experience, as with other developed countries, is very different. Text-message-based mobile payment systems work for those emerging markets because they are clearly safer than cash. Here and in other developed countries, we have safe payments already, so the mobile device would merely be another channel to access existing payment instruments and their networks for clearing and settlement. All the rule sets, laws and regulations, and consumer protections that govern retail payments today will simply migrate to the mobile channel. While new networks, or rails, may emerge in the future, at present, the payment network systems remain the same.
Myth #3: Mobile payments are less secure that other payment methods
First of all, the security functionalities resident in the mobile handset provide authentication capabilities that don't exist in the current payments environment. The ability to add passwords and GPS location functionality to the handset represent additional security controls to accessing payment instruments in the future mobile wallet. Today, there are no locks on your leather wallet to preclude a bad actor from stealing your credit and debit cards and using them for illicit activity.
Moreover, the technologies that enable our current payments are becoming increasingly obsolete and vulnerable to fraud. Card payments grow riskier every day as the United States remains reliant upon mag-stripe technology, which is very easy for criminals to breach and then use to clone cards for illegal payments. Because mobile devices will use contactless technology in the form of an embedded computer chip, the mobile phone will be a much more secure payment device than the plastic cards we use today.
Conclusion So maybe the idea of mobile banking and payments isn't that scary—and maybe these things aren’t even that trendy any more. When you get right down to it, the cell phone is just another form factor for a payment.
But that's not to say that a lot of new ideas aren’t percolating out there. We know that telecoms are taking small steps with micropayments by allowing consumers to pay after-the-fact for digital goods—things like avatar accessories, ringtones, and even cows and corn in online games like Farmville—on their regular phone bills. Facebook credits are reportedly evolving into Facebook payments for physical venues outside of virtual online games and stores. And we all are waiting expectantly to see if Apple will make use of its extensive iTunes network as a more open payment system whenever the next iPhone is released.
At the Retail Payments Risk Forum we'll continue to keep an eye on emerging payment developments such as these, and work toward clearing up confusion. So don't wait for a blog post, feel free to send an e-mail to any one of us in the Risk Forum if you have a question. We’d love to hear from you.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
April 11, 2011 in mobile banking, mobile money transfer, mobile payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e608baa3e970c
Listed below are links to blogs that reference Dispelling the myths about mobile banking and payments:
Comments
Posted by:
Knud - San Francisco |
April 13, 2011 at 12:44 AM
April 04, 2011
Atlanta and Boston Fed position paper promotes U.S. adoption of mobile payments
As we've mentioned a few times in this blog, mobile payment developments in the United States lag the initiatives undertaken in Asian and African countries. Last week, the payments research teams at the Boston and Atlanta Federal Reserve Banks published a position paper on how the United States should promote the adoption of mobile payments. The paper, "Mobile payments in the United States: Mapping out the road ahead," represents collective views from 15 months of discussions with various representatives of the mobile payments ecosystem, a group that over the course of 2010 came to be known and the Mobile Payments Industry Workgroup (MPIW). The paper lays out the strategic vision for the future and outlines the foundational principles of an efficient and secure mobile payments system.
Convening the MPIW
The Fed brought this group together for several reasons, which we described in an earlier post. We wanted to understand how the key industry stakeholders in this conjoined industry of banks and telecom firms were working together. We hoped to engender a cross-industry dialogue to perhaps develop a mutual understanding between these two groups of the industry direction and consider a noncompetitive strategy to address barriers to industry adoption. The summary of this meeting was published on both the Atlanta and Boston Fed websites to ensure transparency to the industry.
The key takeaway from the meeting was that there is a lot to do to bring the various players together in the United States, where our payment systems are considerably more advanced and suitable for most consumer needs. The group agreed to meet on a quarterly basis to discuss issues of mutual interest, such as how the various participants viewed the drivers and barriers to adoption and how the business models were shaping up, as well as the industry roles and responsibilities. Of course, the group was interested in getting clarity in regulatory and legal oversight for new telecom-enabled financial services.
The group shared ideas and opinions throughout the course of the year. Oftentimes, group members disagreed on specific points. Even on some points of agreement that are outlined in the final paper, in some instances there is still no clear consensus yet on how to move the ball forward. At the very least, the paper represents issues of consensus and those where the industry must collaborate to achieve agreement.
The MPIW foundational principles for successful mobile payments in the United States
The group recognized that the past year has been marked with activity in the form of numerous trials and product rollouts—but without a vision for success shared among all the parties. Ideally, for mobile payments to take off, all participants should have common goals and still be able to flourish in the mobile ecosystem. Standards are necessary for a ubiquitous mobile commerce environment but at the same time, firms need to have the flexibility to differentiate their service offerings and add value to their shareholders. In acknowledging the need for a common environment, the group agreed on a set of foundational principles that represent the business requirements for success, which are described below.
- Most important to the group is the concept of an open mobile wallet that carries broad payment and merchant options for consumer choice and is based on a platform that would enable a wide range of payment methods and networks.
- Near-field-communication contactless technology must be embedded in the handset and support all payment methods and networks, and must comply with business rules and standards for existing payment methods.
- The industry needs to establish a ubiquitous platform for mobile that not only uses existing clearing and settlement channels and rails, such as credit, debit, ACH, prepaid, and carrier billing, but also supports innovative efforts to create new rails.
- The technology supporting the new mobile handset must enable dynamic data authentication to ensure long-term integrity and security.
- The industry must have a global interoperable platform for standards and certification of payment methods for the mobile wallet and all its resident applications —leveraging existing standards when possible.
- The industry needs regulatory clarity to avoid gaps in oversight and ensure robust consumer protections.
- The group acknowledged the importance of the trusted service manager role to manage security and other account management functions.
The goal of the paper is, ultimately, to broadly circulate the ideas and discussions from the MPIW so we can ignite industry leaders to foster further collaborative work. As the paper notes, "[C]learly, there are many more (interested) parties who will need to support the ideas set forth in this document." Further, there are clear benefits to establishing a coordinating entity and forums to continue to build the roadmap for the future.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
April 4, 2011 in banks and banking, mobile payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c014e605b3800970c
Listed below are links to blogs that reference Atlanta and Boston Fed position paper promotes U.S. adoption of mobile payments:
Comments
January 18, 2011
Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference
On November 15–16, 2010, law enforcement, regulators, and other selected payments experts gathered once again to exchange ideas, research, and business expertise at the "Emerging Risks in Emerging Payments" conference at the Atlanta Fed. The conference provided a platform for sharing retail payments knowledge and insights among payment industry participants, regulators, and law enforcement. The conference also expanded networking opportunities for industry stakeholders essential to the payments industry, all of whom have a common interest in improving the detection and mitigation of emerging risks and fraud in emerging retail payments systems.
Opening remarks were made by Patrick Barron, first vice president of the Atlanta Fed. He was followed by Richard Oliver, executive vice president and director of the Retail Payments Risk Forum. Five expert panels with representatives from law enforcement, corporations, service providers, and other stakeholders discussed a range of themes related to emerging risks in emerging payments. Each panel provided a high-level overview of the state of the retail payments environment.
The following brief summary captures some of the key themes discussed during the event. Additional presentation materials are available on the Atlanta Fed's website.
Emerging trends in retail payments
Recent technological advances have changed the way retail payments are conducted. For instance, innovations in the card space are providing better ways to combat card fraud. Countries that have adopted Europay, MasterCard, and VISA (EMV) have seen a marked reduction in skimming fraud compared with countries that use magstripe cards, including card-not-present transactions over the Internet.
The mobile payments panelists predict that consumers will eventually migrate to mobile wallets—the speed and convenience of payment both for the merchant and consumer enhance this likelihood. However, the panelists agreed that some of the challenges to mobile payment adoption in the United States include lack of standardization, merchant investment hurdles, perceived security requirements, and lack of a clear value proposition for consumers.
Emerging risks in retail payments
Innovation introduces new risk factors. Several panelists highlighted the ongoing importance of protecting consumer information as the sophistication of financial crimes continues to increase. For instance, one panelist explained that in the card space, virtual prepaid cards can be funded by a transfer from another card or by phone or Internet, often times anonymously. In some cases, illicit funds can become instantly available from ATMs in more than 200 countries, without sharing confidential or bank information, which makes it very difficult for law enforcement to trace and monitor these funds.
Another panelist discussed the risk profiles of the different person-to-person (P2P) business models. For example, while the mobile channel is emerging as a viable method for P2P payments, telecom customer data—and, to a lesser extent, e-mail addresses—have become reliable ways to identify individuals to receive messages. However, they are not 100 percent reliable public directories. Some of the key risk distribution issues in a P2P environment include unauthorized transactions, intermediary error (such as misdirected payments), and fraud.
Additionally, panelists discussed the emergence of payments in the social network realm. One panelist discussed how fraudsters use social network sites and the data they gather from those sites to commit cybercrimes such as identity theft and "clickjacking scams," which trick users into clicking on ads and other sites that divert them from safe and reputable sites. Another panelist discussed the rapidly growing new segment of social network "businesses" that leverage the payments platform but turn out to be shell or fraudulent businesses.
How to address emerging risks in new retail payments?
Fraud and risk detection and mitigation must keep pace with emerging payments trends. Advances in payments technology enable new ways to conduct retail payments but can also create new channels for criminals to exploit and commit payments crimes.
The panelists highlighted these issues and more while proffering ways for regulators, law enforcement, and others to work together towards mitigating and deterring risks and fraud in the emerging payments environment. All in attendance recognized that the challenges ahead are common to all parties involved, and information sharing along with collaborative action is imperative for achieving the goal of ensuring a safe and efficient payments system.
By Ana Cavazos-Wright, senior payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
January 18, 2011 in emerging payments, mobile payments, risk | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0147e1b52c4c970b
Listed below are links to blogs that reference Retail Payments Risk Forum hosts 4th annual "Emerging Risks in Emerging Payments" conference:
Comments
November 29, 2010
Prepaid in the mobile channel: Balancing financial inclusion and risk management
Payment services are coming to your mobile device—even though consumer adoption remains low in the United States, as are near-term prospects in light of reports about security concerns. Financial institutions, carriers, and others are experimenting with trial products and services to try to understand and respond to consumer demand for mobile services. Here in the U.S., the mobile device is emerging as an access device for legacy payment mechanisms like credit and debit cards or deposit account transfers. A viable payment mechanism for consumers to access via the mobile channel may be stored value, using the cell phone instead of a plastic card as the form factor. With the recent economic downturn, prepaid is emerging as an alternative to paper-based payments, allowing some consumers with limited access to credit to continue to participate in the electronic economy.
Some prepaid products carry potential risks because of the anonymity associated with them. The question we face is, how will we balance the potential risks of identity theft and money laundering as prepaid services shift to the mobile channel?
Recent growth in prepaid
Prepaid cards are growing in popularity, especially with the advent of reloadable, open-loop payroll cards that are branded by the major card networks and accepted at ATMs and merchants' points-of-sale. (Open-loop cards are those that consumers can redeem at different establishments. Closed-loop cards are those that the consumer can redeem at a specific establishment, which is also the issuing provider.) Since many carriers have offered prepaid airtime plans for years, the transition to a prepaid "mobile wallet" may be a seamless one. The mobile wallet is expected to operate the same way as a prepaid card, with monetary value loaded and stored on it. Because stored-value cards allow unbanked and underbanked consumers to participate in the electronic economy, their use is growing.
|
|
|
|
Growing population of underbanked consumers
Financially mainstream consumers in the U.S. already have a multitude of safe, secure, and reliable payment choices, so they have little incentive to use their cell phones to access those payments. But a growing segment of the population is underserved by mainstream financial services. ("Underserved" individuals are those who may have a checking or savings account but rely on alternative financial services such as nonbank money orders, check-cashing services, payday loans, or pawn shops.) The increase of the underserved is in part a reflection of the weak economy, high unemployment, and reduced access to credit for many consumers. The FDIC estimates that 7.7 percent of U.S. households are unbanked and an additional 17.9 percent are underbanked.
It might be useful to compare the U.S. unbanked market to those in other countries where mobile payments and banking initiatives are in various stages of deployment.
|
|
|
|
Emerging markets, such as sub-Saharan countries and India, with higher populations of consumers without access to traditional financial services are experiencing rapid adoption of mobile financial services. For example, the success of M-PESA, a mobile phone-based financial service offered by Kenya's Safaricom, has become a business model for other developing countries. In the three years since its inception, M-PESA's customer base has reached 9 million users.
|
|
|
|
Improving security and risk management of prepaid mobile
A number of improvements have been made in recent years in the way some prepaid cards—like payroll cards, for example—can be monitored. Open-loop cards that are branded by the major networks allow the owner to contact the issuing payment service provider if the payment card or device is lost or stolen. And many prepaid issuers will provide periodic statements detailing balances and fees. Still, concerns remain with gift cards and other closed-loop products that may not include the security features of the open-loop cards. In response to these concerns, FinCEN's proposed rulemaking should provide the industry with guidance on how to exercise oversight and control in prepaid transactions.
With respect to the mobile handset, technology is changing rapidly and the potential for improved security in the handset for authentication and identity credentialing looks promising. Given the ability for prepaid issuers to tighten the controls in card registration processes, the mobile device may be a more secure channel than today's card-based prepaid alternatives. In that case, we may see the prepaid services driving consumer confidence for more mobile-based financial services going forward.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
November 29, 2010 in identity theft, mobile payments, money laundering, prepaid | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0134899adc7c970c
Listed below are links to blogs that reference Prepaid in the mobile channel: Balancing financial inclusion and risk management:
Comments
November 15, 2010
Retail Payments Risk Forum publishes white paper on mobile payments
Everyone has a cell phone these days, and that ubiquity is paving the way for wide acceptance of mobile money person-to-person transfer services, also known as MMT. Emerging countries, where the mobile channel provides a safe, efficient environment for conducting financial transactions and improving financial inclusion, have been especially quick to adopt MMT. In contrast, mobile payment adoption in the United States has been slow, but many experts believe that, with more people acquiring smart phones and having access to all the applications that go with them, MMT is on the brink of becoming widely accepted.
As roaming agreements between wireless carriers and the globalization of commerce in general work together to render our world's geographic borders irrelevant, how quickly can we expect these services to migrate to the United States? More importantly, as various forms of electronic payment crimes emerge, what should the industry do to prepare for new mobile services in a cross-border environment?
To answer these questions, the Retail Payments Risk Forum recently published a white paper titled "Mobile money transfer services: The next phase in the evolution in person-to-person payments," which describes the current landscape for these services and examines the risk environment for mobile money for both developed and emerging countries as new business partnerships between bank and telecom firms take shape.
MMT has the potential to catalyze the mobile financial services market
Infrastructure developments to support MMTs could support the evolution of other financial services. According to the GSM Association, this infrastructure provides the basis for the concept of the mobile wallet, which will allow mobile phones users to conduct banking, proximity payments using the phone at a merchant's point-of-sale terminal, and remote mobile payments, including domestic and cross-border mobile transfers.
The mobile money risk environment
The risks inherent in all retail payments are also present in the mobile space, including money laundering, privacy and security, consumer protection, fraud, and credit and liquidity. As mobile financial services evolve, there will be a number of issues to consider for managing the new risks mobile phone-based payments stand to introduce. The emergence of more nonbank participants in the distribution of mobile payments, including telecom firms and their agents along with technology vendors, may create additional risk considerations for payment regulators. Since mobile technology-enabled payments do not require the face-to-face interaction that takes place with traditional banking, the resulting opaque, anonymous experience can also create more opportunity for criminal activity. This will be increasingly important in a future where mobile retail payments will occur rapidly and across geographic borders, potentially outside the purview of traditional regulatory oversight. Payments regulators have limited expertise and experience in identifying electronic payments crime in communication systems—so the potential for abuse is a real and imminent threat that is still abstract and not well understood in this early stage of the game.
Policy considerations for industry stakeholders, policymakers, and regulators
The integrity and safety of the world's retail payment systems rely on cooperative information sharing about service developments and potential gaps in regulation. A number of considerations should remain at the forefront of industry discussions.
- The new mobile landscape will require dialogue between the regulatory authorities for financial services and telecom firms. Financial and telecom sector regulators will need a comprehensive understanding of the emerging risks in mobile payments with a collective eye toward the potential need to establish new regulatory concepts of electronic money regulation. This may demand a program for routine communication to ensure that regulators understand payment system risk issues and provide effective risk-based supervision for payment services providers.
- An oversight infrastructure for mobile payments, including the financial services of telecom firms, should be established. This oversight might be established through a routinely convening workgroup representing applicable regulators or the creation of a new organization with expertise in the unique and dynamic risk issues in mobile services.
- Cross-border mobile payments may require improved customer-data sharing on an international basis. The anticipated growth in mobile remittances may demand a new environment of international cooperation and sharing of customer data and analysis.
- U.S. mobile payments services providers should be required to establish programs to mitigate the risk of money laundering. Mobile services will require new methods for detecting and monitoring data flows. All service providers, including telecoms, will need to establish risk management programs commensurate with the risk in their service offerings.
- Converged regulatory authorities should examiner consumer protection risks for potential gaps in regulatory oversight. In the United States, it may be necessary to reexamine the applicability of Regulation E protections to stored-value payments as they become more prevalent in the mobile channel, in order to prevent consumer confusion in error resolution scenarios.
Conclusion
The experts are right in saying that mobile adoption still low. But the rapid pace of change means that industry stakeholders, and especially regulators, need to be forward-looking and anticipate where the winds of change will blow. A rearview mirror approach to addressing emerging risks in mobile payments can be modified with proactive thinking, dialogue, and global collaboration.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
November 15, 2010 in mobile money transfer, mobile payments, money laundering, P2P, risk management | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c0134890096f6970c
Listed below are links to blogs that reference Retail Payments Risk Forum publishes white paper on mobile payments:
Comments
October 25, 2010
Can mobile payment adoption define the "end game" for technology investment?
Payment cards in the United States have been stuck for years in a chicken-and-egg quandary when it comes to chip technology. Merchants are reluctant to invest in developing the technology until consumer demand for it is there. But without the technology, it may be that consumer demand just won't be there. Add to this the competing forces that are at play: various stakeholders are pulled in different directions—contact versus contactless technology—and the cost of capital for technological investment is borne disproportionately among these stakeholders.
At the same time, we hear anecdotal evidence that losses from payment card fraud are on the rise. As we've described in previous posts, like this one, this trend could change the paradigm, spurring those in the industry to invest in more fraud-resilient, smart-card technologies. With this pressure, it's inevitable that payments card will shift from magnetic strip to chip card technology. But the problem is that chip card technology is constantly evolving, and those stakeholders bearing the costs for investment in new computer chips and terminal hardware infrastructure want some assurance that their investments are sound before they choose which technology path to follow, contact, or contactless.
In the interest of promoting global interoperability as well as battling magnetic-strip payment card fraud, now may be the time for an industry dialogue on a strategy for investment in smart technology. One question we should be asking ourselves in this discussion is, should we avoid investing in contact card technology if contactless mobile payments represent the end game?
Smart card basics: Contact versus contactless
Contact and contactless smart cards are so named because of the way that the embedded computer chip communicates with a terminal at a merchant's point-of-sale or at an ATM. In the case of contact technology, the data stored in the embedded computer chip is transferred to the reader when the card physically touches the reader. With a contactless card, the data is transferred using some type of radio frequency transmission such as near-field-communication (NFC) technology, which is the current contactless card technology standard. NFC technology, of course, precludes the need for a physical connection between the card and the reader. The user can use it in a variety of devices, including the mobile phone. Importantly, contactless technology in the chip can work with the phone itself to authenticate the user and thereby reduce payments fraud.
Countries that rely on smart card payments are using various combinations of contact and contactless payments that conform to certain security standards and specifications to protect consumers and merchants from payments fraud. To encourage consumer adoption, some issuers have introduced dual-interface cards, with both contact and contactless functionality, so that consumers can use either card at the point-of-sale terminal. This approach, with a dual-interface card, optimizes utility for consumers as retail payments evolve to the mobile channel, potentially empowering both the use of contact cards and contactless mobile payments.
The outlook for contactless mobile payments
Although the evolution of mobile payments in the United States has so far been slow, merchants are introducing new pilots with increasing frequency, and many industry stakeholders want to accelerate the deployment of a universal contactless mobile payments infrastructure. Moreover, U.S. consumers are relying more and more on their mobile phones for new and unexpected applications, which points to a good chance of success for mobile-based payments and related activities in the future. In fact, according to a report from the Pew Research Center, 85 percent of American adults today own a mobile phone, more than any other device.
|
|
|
|
Building consensus in the face of market forces
The recent deployment of contactless card payments in global markets is contributing to the establishment of an infrastructure for contactless mobile. In essence, here in the United States, we can go in either direction, contact or contactless. However, in a world where all stakeholders shared the same fully transparent information and vision for the future, could it be possible to leapfrog spending our investment dollars on contact cards and readers and instead use capital on contactless technology? We can avoid the costs for interim technology solutions if industry stakeholders can agree on a future direction despite the different economic incentives and costs demanded. Really, if NFC deployment is the ultimate endgame for mobile payments, bypassing the investment in contact technology as an interim step is a viable, if not ambitious, consideration.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
October 25, 2010 in cards, chip-and-pin, consumer protection, contactless, mobile payments | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013488750d21970c
Listed below are links to blogs that reference Can mobile payment adoption define the "end game" for technology investment?:
Comments
July 19, 2010
Soccer balls and payment cards: A push for global standards
I am generally not a soccer fan but over the past few weeks I found myself curiously engaged in that nationalistic spectacle called the World Cup. Despite my general disinterest in low-scoring games and Oscar-quality performances by slightly injured players, I got caught up in the intensity of play and extraordinary skill levels displayed by these world class athletes. Then one day a debate erupted regarding standards. Apparently, soccer balls are not standardized and the one being used seemed hard and "skitterish." How bizarre!
Of course, my thoughts immediately turned to a more consequential global-standards issue taking place in the payments card world—the debate about the United States' reliance on the magnetic-stripe card standard as opposed to the chip-and-pin standard being adopted throughout the world, including in neighboring Canada.
Chip-and-pin technology has been deployed in Europe over the last decade as a means of reducing fraud by using the enhanced capabilities of a computer chip embedded in the plastic card to store and manage customer authentication data. Its success has been widely documented in recent fraud studies. This standard has been implemented using a specification called EMV, an acronym of Eurocard, MasterCard, and VISA, the original founders of the standard. In fact, EMV is now a corporation whose ownership has been expanded to include JCB (a Japanese card company) and American Express. So, what's the big deal? We survived the soccer ball dispute, so can't we survive the fact that the United States is not on board with the emerging global payments card standard? The answer may be a resounding "No!"
Various reports from payments research firms such as AITE have suggested that as many as 10 million U.S. travelers experienced difficulties with incompatible card technologies when traveling abroad during the past year. I learned some time ago that the least expensive and most secure way to acquire cash overseas is from an ATM machine. I now foresee a time when I will have to ask a European hotel concierge for the location of an American ATM (one capable of reading mag stripes), only to find out the nearest one is two miles away.
So why doesn't the United States adopt the emerging global standard? While there are many technological and political issues in play, the bottom line is that the overall cost of deployment to the U.S. payments system as a whole, and to merchants specifically, is a staggering number made even more daunting by the current state of the economy and available investment dollars. The Smartcard Alliance estimates that as many as six million merchant terminal devices may need to be replaced or upgraded to embrace chip-and-pin technology, with the bulk of the cost falling on the shoulders of merchants. Consequently, we are left to assume that we are likely to have to travel a long and winding road to migrate to the emerging global standard.
This observation is not in itself calamitous since past roads to worldwide standards are littered with the relics of failure (remember the push to implement the metric system?), but the stakes here are considerably higher in two important ways. First, we may become the only substantial economic power dependent on a payments standard that is less secure than that of the rest of the world. That means that criminals, intent on profiting from card fraud, will continue to migrate to the United States in growing numbers. The second issue is that chip-and-pin technology is a critical element in progressing toward an even more secure and visionary goal—the deployment of mobile phone-based payments capabilities using a chip embedded in the phone. Industry conference agendas are crowded with sessions describing the way a smartphone can be waved near or tapped against a merchant terminal device using radio wave-based near-field communications (NFC) technology to capture the customer's payment credentials. Chips embedded in the phone, coupled with applications loaded on the phone from card-issuing banks, will create the effect of a "mobile wallet" that promises to be more convenient and, yes, more secure than what we use today.
So what should we do about this mess of the United States being out of step with respect to payments card technology? I would suggest that this issue could eventually reach the public policy level. Perhaps it is time for policymakers to consider whether migrating to an increasingly adopted world standard is in our best national interest. After all, we just mandated a move to digital television. While this change facilitated my ability to watch the World Cup in high definition, it cannot possibly be of the same importance as this brewing card issue. If we want to mitigate the possibility of the United States being a center of card fraud and enable our consumers and business folks to travel abroad more easily, it may be time to charge someone in government with developing a well-thought-out, participatory, multi-year plan to move this country to the emerging global payments card standard.
By Rich Oliver, executive vice president, FRB Atlanta's Retail Payments Risk Forum
July 19, 2010 in consumer fraud, mobile payments, risk, telecom | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c01348589ba65970c
Listed below are links to blogs that reference Soccer balls and payment cards: A push for global standards:
Comments
July 12, 2010
The confluence of payments, social networks, and malware: Elements of a perfect storm?
Thanks to a rapid increase in functionality and convenience, consumers are becoming more comfortable conducting e-commerce and participating in social networking with mobile phones instead of computers. At the same time, though, social networks are providing cybercriminals with a ready population of potential victims for emerging malware attacks. Similarly, cell phone applications that serve to extend the customer network reach may actually create vulnerabilities to malware attacks. How can the industry manage the security vulnerabilities in social networks as they migrate to the mobile channel?
More consumers using mobile devices to access social networks
A recent report from digital media firm comScore says social network activity is one of the fastest growing access categories on mobile devices. The report states that the number of mobile channel network users more than tripled over the past year, increasing 240 percent to 14.5 million users by April 2010. The report also says that accessing bank accounts is one of the fastest growing mobile phone functionalities, both by mobile application and Internet browser. As of April 2010, consumers used bank access applications 113 percent more than the prior year.
|
|
| ENLARGE |
Social networks represent a growing target for phishing and malware
Social networks are beginning to compete with financial institutions and e-commerce sites as a favorite target for phishing attempts, according to a Microsoft Security Intelligence Report published in November 2009. This chart reflects a dramatic increase in phishing impressions in May and June of 2009 for social networking sites. (The report defines "impression" as a single attempt to visit a phishing page and being blocked by a filter.) Phishing schemes are frequently used to lure consumers into exposing personal data and introducing links to sites with malware downloads.
|
|
| ENLARGE |
Gaming services—such as Farmville and Mafia Wars—available on these sites provide an additional entry point for phishing, spamming, and other schemes. Users are lured to fraudulent Web pages, where they can earn game points by completing surveys and quizzes. A specific example of a malware attack was the 2009 Koobface Worm. Koobface infiltrated numerous social networking sites including Facebook, Myspace, and Twitter by embedding a malicious link in messages that appeared to be from trusted parties. When users clicked the link, they were redirected to a page that appeared legitimate but actually included a download for malware. Once the malware installed itself on a user's computer, it gained access to the user’s personal data, facilitating identity theft payment fraud.
Malware coming to mobile phones
According to a report from security firm Mxlogic, social network malware is targeting mobile phones through subscriptions to these same gaming services, such as Farmville and Mafia Wars. It reports that when users sign up for the subscriptions, they inadvertently consent to receiving text spam that has the potential to infect a phone. Smartphone manufacturers act as gatekeepers to ensure that application developers design apps that meet their proprietary criteria and standards for leveraging their operating platforms, but with thousands of applications on the market today, mobile phones are increasingly vulnerable to data exposure. Application store operators have been proactive in policing applications for security and authenticity. For example, in December 2009, Google withdrew dozens of unauthorized mobile banking applications known as "09Droid" from its system for violating its trademark policy.
Conclusion
Since criminals follow the money, so to speak, it is reasonable to expect that malware authors will be interested in mobile payments and banking applications going forward. The rapid pace of phone application innovation and deployment will challenge efforts to detect and mitigate new malware schemes and other forms of cybercrime. For the consumer, the best line of defense to guard against viruses and malware attacks in any electronic environment is caution, by avoiding links in unfamiliar messages and social network games and choosing downloaded smartphone applications judiciously, if possible.
By Cindy Merritt, assistant director of the Retail Payments Risk Forum
July 12, 2010 in fraud, identity theft, malware, mobile banking, mobile payments, risk, social networks | Permalink
TrackBack
TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a01053688c61a970c013485620cfb970c
Listed below are links to blogs that reference The confluence of payments, social networks, and malware: Elements of a perfect storm?:
Thank you Cindy. It is important with this kind of clarification to sift through the confusion between mBanking and mPayment. The various mPayment pilot projects and announcements of mPayment partnerships, while overall encouraging for the industry, unfortunately adds further to the perceived complexities.
You bring up many good points. It is clear that enabling mobile payments for goods and services represents a significant change in the risk and opportunities compared to traditional payments. I firmly believe and agree that appropriately architected mobile payment solutions can provide superior security compared with cards-in-wallet. You list some ways but there are more approaches. I hope you will continue with more clarifying blog posts and share your insight.