May 13, 2013
Which Is Riskier, Change or Avoiding It?
There is no denying that any level of change brings with it some level of risk. However, sometimes avoiding change can result in even greater risk. That is the quandary many retail banks find themselves in today as they grapple with the issues of mobile banking and payments and their role in the bank's overall delivery-channel strategy. Sustainability and regeneration are principles normally associated with the community development and environmental arenas, but they can be easily applied to the banking industry and its consumer delivery channels.
Numerous research studies document a large gap in banking attitudes and product or channel usage between the Gen Y or millennial customers and the older customer segments (those who are over 35, if you consider that old). (The Retail Payments Risk Forum discussed some of this research in a paper posted on our website in April.) Younger customers have less loyalty to bank brand, readily adopt new technology, are highly influenced by advertising and peers, expect free or low-cost banking products and services, and are driven by convenience. While they do have a higher overall trust level of banks compared to nonbanks, the gap is not anywhere near as large as that of the older customer segment. The younger segments have eagerly adopted online and mobile banking and are viewed as the early adopters of mobile payments. In fact, when they select a financial institution, the quality and expansiveness of the mobile banking offering is a major factor in their decision.
So what does this changing landscape hold for the future of the traditional brick-and-mortar-branch delivery channel? For some time, banks have tried to establish branches primarily as sales centers while moving basic service transactions to alternative automated, less-expensive delivery channels. This effort will continue, but banks must also regenerate their overall delivery-channel strategy to provide sales and service capabilities through virtual channels in order to attract and retain the growing Gen Y customer segment. This regeneration and sustainability effort involves the "right sizing" of each channel to provide their existing and future customers with the appropriate level of services and features as well as capacity to meet service quality goals. This effort will require not only that risk assessments be made continually for each delivery channel but also that banks develop a holistic risk assessment of each customer across all delivery channels.
Let us know what changes, if any, you are making in your overall delivery-channel strategy to address the changing demographics of existing and potential bank customers.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
May 13, 2013 in mobile banking, mobile payments
March 25, 2013
What's Next in Mobile Payments?
I recently participated in two banking conferences that displayed the full spectrum of strategic options and plans of banks regarding mobile payments. The first event was the annual operations/technology conference of a statewide bankers' association with all the attendees being small- to mid-sized community banks. All these banks currently offer an online banking application to their customers; about half of these have customized their online banking application for mobile device usage. Only one bank indicated they had a mobile payments application currently in operation. I was surprised to find that only a couple other banks planned to offer a mobile payments application within the next 12–18 months.
Later in the day, a panel of four MBA graduate students from a prestigious business school of a private southeastern university gave their views on mobile payments. The objective of this panel was to help the bankers understand the key drivers of this demographic's banking relationships and needs. All four panel members indicated they frequently accessed their banks' online banking services with their mobile devices as well as their laptops and tablets. They also unanimously stated they would switch financial institutions if the banks didn't offer the service or if they began charging a fee for the service. Interestingly, only one panelist used the mobile payments application from his bank, and his usage was infrequent. The reasons the panel members gave for their disinterest in mobile payments included difficulty of use of a mobile phone versus a laptop or tablet for bill payment or little need for the service because they found their existing payment methods to be as or more convenient.
At the Bank Administration Institute's (BAI) Payments Connect 2013 conference the following week, a featured track of the two-and-a-half-day event was the wide range of marketing, operational, risk, and technology issues related to mobile banking and payments. The prognosis for mobile payments couldn't have been more optimistic, with a number of panelists declaring that the tipping point for mobile payments had been realized earlier in the year. They credited the adoption rate for smartphones and other indicators they believed to be key drivers. Of course, we have to realize that many expressing such optimism worked for a company that has a vested interest in the success of mobile payments. However, that optimism was supported by a number of research studies delivered during the conference that concluded that the rate of smartphone penetration, the growing volume of mobile payment transactions, and overall consumer attitudes would translate to successful mobile payments programs.
One of the questions bankers frequently asked during the BAI conference was what a panelist would recommend the bank do regarding their mobile payments strategy. While there were some slight variations, panelists consistently responded that banks should get involved now and try a number of different, small-scale strategies. Several panelists used the gambling analogy of placing a distributed number of bets of small amounts rather than going "all in" with one particular mobile payments scheme. They acknowledged that the technology winner(s) of mobile payments was far from certain at this point, with near field communication, QR codes, and cloud options all in different states of adoption and each with their individual advantages and disadvantages.
The practice of "spreading your bets" is certainly a valid risk management strategy, but how practical is such a strategy for small financial institutions? The large banks have their research-and-development budgets, IT development staff, and other resources that allow them to participate in multiple pilot programs, but smaller institutions do not have such resources. Most would be able to offer only a mobile payments program supported by their core application processing provider.
As with many new payment products in the past, larger banks have led the initial efforts, and the smaller banks followed suit after customer demand for the service became more certain and with the realization that not offering the service would put them at a competitive disadvantage. Could this be the reason many banks, especially the smaller ones, have been sitting on the sidelines for now until the mobile payments picture becomes a bit clearer? Let us know what you think.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 25, 2013 in mobile banking, mobile payments, payments
March 18, 2013
March Madness on the Hardwoods, Mobile Madness in the Payments Arena
As an avid sports fan, I am eagerly anticipating college basketball's annual rite of spring commonly known as "March Madness." This nickname for the NCAA's Men's Division I basketball tournament is derived from the amazing finishes and upsets that regularly occur during the tournament each year. A big part of the intrigue around this tournament involves millions of people that will "fill out a bracket," meaning they prognosticate the winner of every game, ultimately choosing the winner of the tournament.
As I was thinking about the upcoming tournament, I realized a similar situation is developing with mobile payments at the point of sale (POS). It seems that every day, I read an article or blog with differing viewpoints on what company, wallet, or solution will come out as the "winner" for mobile payments at the POS. This got me thinking how a "bracket" would look for the mobile payments ecosystem. Interestingly, many of the attributes usually found with the successful basketball teams in March are similar to those attributes I believe are necessary for successfully competing in the mobile payments arena.
Fundamentals are extremely important
Teams that are fundamentally sound tend to perform well in the tournament. Fundamentally sound teams run an efficient offense with a high point per possession percentage and low turnover margin, rebound well, and make a high percentage of their free throw shots.
Likewise, in the mobile proximity payments arena, I expect the winner(s) will nail down the fundamentals of the transaction that consumers and merchants alike expect: ease and quickness. Just as basketball teams can employ innovative styles or plans, mobile payment providers are also developing the latest and greatest add-on to the payments experience. However, if both fail to deliver on basic fundamentals, success can be elusive.
Track record of successful risk taking
Besides excelling at the basic fundamentals, teams that make a high percentage of their three-point shots usually do well during March Madness. The three-point shot is the riskiest shot in the game, yet carries the highest reward. Teams who capitalize on this risk with a high success rate are difficult to beat.
Besides the fundamentals of a payment transaction, it is no secret that consumers and merchants want more for paying with their mobile phone at the POS. Discounts, couponing, and instant offers through past purchase behavior and geolocation seem to be a major opportunity of differentiation with mobile payments. But I am not convinced these carrots are enough for any particular player to obtain widespread or mass mobile payment adoption. The player that is able to completely transform a consumer's shopping experience with the mobile phone will likely come out ahead. I believe this will require some risk taking by doing something different from the rest of the field beyond coupons, offers, and discounts. Perhaps this might be a mobile solution that allows a consumer to make a purchase and completely bypass the checkout line and POS while also updating the merchant's inventory level in real time. Established companies, as well as young companies led by teams or individuals, with a successful track record of risk taking should be considered closely.
Excellent defense
A common phrase heard in many sports, basketball included, is "defense wins championships." Basketball teams that hold their opponents to a low field goal percentage and generate a high number of turnovers have proven to be extremely difficult to beat in the tournament.
In the world of payments, defense is all about mitigating fraud. For a mobile payments solution to be successful, it must be as secure as current payment methods, and I could even argue that it must be more secure. Research has consistently shown that consumers must perceive these payments to be secure if they are going to adopt them. Secure solutions developed by companies that are trusted by consumers stand to have a solid chance to move ahead in a "mobile payment POS bracket."
The winning team
Using the same attributes of successful tournament teams and applying them to the mobile payments POS space, I think the ultimate winner of a "mobile payment POS bracket" must offer at least the following three attributes in a cost-effective manner:
- Enable a quick and simple transaction.
- Greatly transform the shopping experience by being unique and different.
- Offer a secure solution that consumers will understand and trust.
More often than not, the traditional and established basketball powers come out on top of the tournament, but it's those unexpected upsets by upstarts and underdogs that put the "madness" in the NCAA Tournament. How will the situation for using mobile phones at the POS play out? Will an established payment provider come out on top of the "mobile payment POS bracket" or will an upstart be that "bracket buster"?
By Douglas A. King, payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
March 18, 2013 in innovation, mobile payments
February 25, 2013
Focus on Fraud: Targeting the Weakest Link
A recent story in the Wall Street Journal recapped how bank robberies had declined almost 50 percent over the last decade. In addition to citing the increased physical security measures at banks and tougher sentencing for bank robbers, especially if a firearm is involved, the alternative criminal target of the Internet was cited as being more lucrative and having a lower risk, and therefore more attractive. The article offers the logic of the proven security adage that the more sophisticated criminal is more likely to focus on the weakest link in the overall security ecosystem of the targeted victim.
Online fraud offers a number of advantages for the criminal over the old-fashioned "stick-'em-up" bank robbery. The criminal doesn't have to be physically present at the point of the crime. In fact, the further away, the better with regards to investigative difficulties and jurisdictional issues. Also, compared to a typical bank robbery, the potential take for card and online fraud is significantly higher. Based on FBI statistics for 2010, the average bank robbery netted about $7,500. The Javelin Research 2011 Identity Fraud Survey (2010 data) reports that the average debit card fraud amount was $2,529, and the average credit card fraud amount was $3,741. Noncard account fraud added an average of another $3,000. Obtaining just a handful of cards or account numbers through skimming or other illegal methods can quickly result in tens of thousands of dollars in ill-gotten proceeds at a relatively low risk to the criminal.
Fraud risk mitigation is a constant effort by the banking industry and merchant community to stay ahead of the criminal element in their criminal techniques and efforts for identity and account theft. As new payment methods emerge and gain adoption, they will increasingly gain attention from the criminal element looking to exploit a weak link. Javelin's 2012 Identity Fraud Industry Report reveals that consumers with smartphones have a higher incidence of fraud than nonsmartphone consumers by approximately one-third. Key behavior weaknesses cited included failure to update the phone operating software with security patches, saving account log-in information on the phone and not using the phone lock feature—allowing the information to be accessed by anyone finding the phone. In the meantime, consumer advocacy and educational groups, the banking industry, and mobile carriers are making efforts to educate consumers on the best way to safeguard their personal and banking information against such attacks.
The Mobile Payments Industry Workgroup (MPIW), facilitated by the Federal Reserve Banks of Atlanta and Boston, regularly discusses risk associated with this emerging payments method with telephony and payments security experts. In the coming months, a subgroup of the MPIW will be working to evaluate the various security issues with mobile payments and making recommendations to the overall workgroup to ensure that the mobile payments ecosystem is sound and as safe as necessary. Portals and Rails will continue to report on the efforts of this and other groups to improve the security of our payments system. As always, we encourage your comments.
By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed
February 25, 2013 in mobile payments, online banking fraud
August 06, 2012
Policymakers, Regulators Keep a Watchful Eye on Mobile Payments
Policymakers and regulatory authorities are beginning to turn their collective eye toward mobile payment developments and with good reason. The rapidly changing environment and the entry of nonbanks in mobile-enabled financial services create a new paradigm in regulatory oversight for consumer protections, bank safety and soundness, and regulatory compliance.
In recognition of these environmental dynamics, the Federal Reserve Banks of Atlanta and Boston recently convened a joint meeting of the Mobile Payments Industry Workgroup (MPIW) and regulatory authorities to discuss recent mobile payment developments and potential regulatory gaps. The two Reserve Banks then jointly published on July 30, 2012, a summary of the meeting describing the meeting dialogue between members of the MPIW and the regulatory community.
You can read the paper on the Atlanta Fed and the Boston Fed websites, but below are some quick highlights.
The complexity of the regulatory framework for mobile financial services requires further ongoing analysis—While regulators recognize supervisory elements common to both mobile and Internet environments, they say that the fast pace of change requires them to more closely monitor mobile payment developments. Regulators have an interest in ensuring safety and soundness as well as consumer protections in the emerging mobile payments environment. Both these objectives require that financial institutions adequately manage vendors when they outsource and partner with third parties in new mobile payment business models.
Education is needed to teach all stakeholders about the mobile environment, from regulators to consumer advocates to consumers themselves—Security, privacy, and consumer protections are important themes that all stakeholders should understand in order to be able to communicate appropriately with policymakers in mobile payments regulation. As mobile payment systems evolve, it will be important to engender cross-industry dialogue at both the industry and regulatory levels to ensure risks in these key themes are sufficiently addressed.
Next steps
The MPIW plans to continue to meet on regulatory issues with regulators as the mobile payments market matures. These meetings will serve to educate the regulators about mobile payment developments and risk mitigation initiatives. At the same time, regulators will be able to share early insights and concerns about mobile payments with the MPIW, while hearing their input and perspectives on future policy and regulatory decision making.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
August 6, 2012 in innovation, mobile payments, regulators
May 21, 2012
Cramming and bill-to-mobile payments: Managing the risk
An interesting market segment in the evolving mobile payments industry is bill-to-mobile payments, which is a service that permits wireless carriers to add charges to consumers' mobile phone bills for generally small-value transactions involving digital and virtual goods purchased over the Internet. At the same time, the telecommunications industry is accommodating the addition of more third-party charges to consumers' mobile phone bills. Naturally, fraudsters are finding opportunities to apply unauthorized charges to these bills, a practice known as "cramming." As bill-to-mobile services grow more popular, how do we mitigate the potential risk of this fraudulent activity?
Telecoms and bill-to-mobile services
Telecoms have license to add charges to bills for a variety of call-based services. The advent of bill-to-mobile as a type of mobile payment began as intermediary platform providers—namely, Zong and Boku—entered the market to facilitate payments from consumers to online merchants through mobile carrier billing. Even Facebook allows the purchase of Facebook credits for games and apps to be billed to the customer's mobile phone bill in lieu of a credit or debit card payment. These services have become hugely popular as an electronic micropayment solution alternative to credit and debit cards. This makes a lot of sense when you consider the younger demographic market segment for online games and their social reliance on mobile for day-to-day interaction.
Regulation and law enforcement
As mobile phone usage grows, the incidence of criminal activity is growing in lockstep. In fact, since deregulation of the telecommunications industry, according to one state's Department of Justice report, complaints about erroneous charges on telephone bills have grown. Crammers bet on consumers not reading their phone bills carefully, and thereby failing to notice an extra dollar or two fraudulently charged each month.
The Federal Communications Commission's (FCC) Truth-in-Billing rule requires that telecom firms organize bills clearly by complying with specific requirements, such as including "clear and conspicuous notification" of charges that would be apparent to a reasonable consumer and that the name of the merchant associated with each charge is clearly identified on the bill. It also requires that the bill contain clear and conspicuous disclosure of inquiry contacts in the event of a billing dispute so that the consumer will know who to contact to dispute unauthorized charges.
While the FCC's rule might not have envisioned a mobile-payment-enabled environment and associated charges for financial services, the rule should provide adequate consumer protections for victims of phone bill cramming.
Managing the cramming risk for mobile payments
Currently, U.S. wireless carriers are limiting bill-to-mobile services to micropayments for virtual and digital goods. Purchases are typically limited to $100 a month because so far the carriers have not demonstrated an appetite for managing credit risk. Telecom firms generally resolve complaints quickly, as the cost associated with time spent by staff devoted to error disputes far exceeds the value of the charge in a complaint. As these services grow, however, this may not always be the case.
With appropriate consumer protection regulation in place, risk mitigation lies with the consumer, who should consider the following steps to protect against cramming:
- Read your bill monthly, just as you would a credit card bill.
- Be alert for changes in your bill, particularly those with language including words like "activation" and "service fee."
- Address irregularities as soon as possible. The FCC's Truth-in-Billing rule requires phone bills to include a toll-free number to make it easy for a consumer to quickly report a dispute about a charge.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
May 21, 2012 in crime, mobile payments
May 07, 2012
Regulating mobile: Distinguishing the payment from the channel
The handset is just a device, not a payment
Policymakers and regulators are just beginning to discuss the regulatory environment for mobile banking and payments in the United States. The added dialogue to existing industry conversations can lead to mixed messages about where regulatory and policy action may be needed. Recently we've heard from industry and regulatory agencies that the payments industry should carefully consider introducing new regulations and supervisory guidance.
The mobile handset is "just a device, not a payment," noted Mallory Duncan, senior vice president and general counsel at the National Retail Federation. Duncan, who spoke at the workshop "Paper, Plastic...or Mobile," hosted by the Federal Trade Commission, also said that regulation should be no more stringent than that of the underlying payment. In essence, the laws, regulations, and rule sets associated with a payment type—be it a credit card, debit card, or online payment—should follow that payment through the mobile channel for clearing and settlement. I offered similar conclusions in a previous Portals and Rails post on dispelling myths in mobile payments, adding that "while new networks...may emerge in the future, at present, the payment network systems remain the same."
Fragmented framework on an expanded landscape
One problem the payments industry faces as technology enables new intermediary payment methods (they all start off as something we already use: cash, checks, or cards) is that the legal and regulatory framework includes different consumer protections, disclosure requirements, and error resolution provisions depending on the payment type. While all these payments are used in an Internet environment—whether the Internet is accessed by phone or a traditional PC—the addition of the mobile channel and its telecom partners has seemingly created a tipping point for confusion and speculation. Many of the issues raised about consumer protection for prepaid cards, for example, exist now and have nothing to do with a consumer's ability to use a prepaid account with a mobile device.
Can existing regulatory infrastructure handle new mobile payment business models?
The United States has a more complicated banking system than most countries. National laws, for example, govern national banks, which are preempted from state law. State-chartered banks and nondepository money service businesses (like payday lenders and money transmitters), on the other hand, are responsible for complying with the laws of every state in which they do business. These laws are different from state to state, and sometimes even conflict.
Industry players in each of these separate chartering authorities are stepping into the mobile channel as a way to expand their footprint. While telecoms and technology firms are entering into partnerships with banks to establish new business models in the delivery of mobile payments, so far they're sticking to their knitting and leaving the clearing and settlement, and the extension of credit, to the financial services industry. As long as banks remain the payment issuers in these still nascent business models, caution in rethinking the regulatory infrastructure is probably a good idea as well.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
May 7, 2012 in innovation, mobile banking, mobile payments, regulators
February 27, 2012
QR codes versus NFC: Cheaper, but worth the risk?
In recent years, we've seen discussions on the value and viability of near-field communications (NFC) apps morph from the hypothetical to some actual real-life deployments. Google has rolled out an NFC mobile wallet, and others are on their way for trial rollouts, as we discussed in last week's post. As this burgeoning industry takes shape and the costs and barriers become more apparent, some interim and quite disruptive technological alternatives are gaining attention—namely QR (short for "quick response") codes. In fact, many merchants today are touting QR codes as the near-term alternative to a more costly deployment of contact and contactless chip-based payments using NFC and EMV interoperability and security technology standards. They are touting these QR codes despite the superior security that chip technology affords. These discussions beg the question: are short-term economic gains realized from less costly QR code technology adoption at the expense of payment security?
How do QR codes work?
QR codes are a two-dimensional form of barcode whose contents can be decoded electronically at high speed. QR code use exploded in 2011, and telephonic technology has expanded to support their application for storing all kinds of data, including URLs. As a result, consumers are increasingly using QR codes to access magazines and newspapers on the Internet and to find online product reviews by scanning price tags. The camera in a smartphone captures the picture of the QR code, and then decoding software helps the phone connect to a website or a file download.
QR codes and malware
Unfortunately, there is no way to visually discern whether the data contained in the QR code will direct the user to a malicious website or application. Infected QR code problems are just beginning to emerge because most people simply don't know the best way to protect their mobile device. According to Marian Merritt, a Norton online safety advocate, "fewer than 5 percent of people have got some form of security on their mobile devices." 2011 in particular witnessed an upsurge in hackers using QR codes as a means of transmitting mobile viruses in Russia. According to a recent report by AVG Technologies, scanning a QR code and executing its hidden applications on a mobile device is akin to "running an unknown executable on your computer." Mobile-related hacking events are expected to rise in 2012 with the advent of more advanced QR code-enabled mobile applications.
Should economy trump security?
QR codes fulfill a wide range of functionalities, but should they be used for payments? Starbucks has realized considerable success with its QR code-based mobile payment app with millions of transactions since it launched one year ago, and merchants are receptive to a more affordable point-of-sale payment acceptance system generally.
The risk of fraud in micropayments and closed-loop payment systems—such as the QR code prepaid business model that Starbucks uses for a cup of coffee—may not be as significant as for larger, open-loop transactions. Ultimately, QR codes may play a viable role in some smaller, and less risky, payment applications. Payments industry participants should carefully consider the ramifications of a strategy that expands their use more generally in lieu of NFC-enabled payments.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
February 27, 2012 in contactless, fraud, mobile payments, risk
February 21, 2012
Security in the mobile wallet: Is it good enough yet?
For years we've heard about the future mobile wallet—using the phone to carry payment cards, loyalty rewards, bank account access, and identification instead of a traditional leather wallet. The wallet will also be able to hold electronic receipts for purchases made using the phone at a merchant's point of sale. 2012 portends to be the year of reckoning, with several trials scheduled for rollout. If your wallet resembles the one in the Seinfeld episode about George Costanza's exploding wallet, an electronic wallet contained in your mobile phone is a welcome prospect.
But the truth is that while recent developments in the application of near field communication (NFC) technology for mobile wallet trials have come faster than most industry expectations, a variety of hurdles are likely to waylay widespread adoption in the near term; namely, hurdles relating to security.
Different security deployments for mobile wallets may postpone widespread adoption
While, as noted in our 2011 mobile industry position paper, firms engaged in rolling out new mobile payments services have agreed that successful near-term adoption will rely on common standards for security and interoperability, free market dynamics dictate that all players in this new mobile ecosystem will not necessarily work together, motivated instead by a responsibility to create shareholder value. As a result, current industry discussions show that the service providers—namely, the mobile operators and the financial institutions partnering in these new business models—are considering different security deployments.
A recent article by Dan Balaban in the February 13 issue of NFC Times summarizes the situation well:
"While mobile operators continue to push for the SIM card to become the de facto secure element in NFC phones, some banks and other service providers still are seeking alternatives. The products that continue to draw the attention of a number of banks include microSDs, as well as iPhone attachments—the latter using either microSDs or embedded secure chips as secure element. Of course, there are no strong signals yet that microSDs, either as part of phone attachments or working in full NFC handsets, will challenge SIM cards or embedded chips as the primary secure element in contactless-mobile phones. At present, the microSDs generally carry higher costs, face logistical problems and still lack standards."
It stands to reason that a lack of standards in security can threaten consumer trust when something goes wrong, as we saw this week with the Google Wallet, the first U.S. mobile wallet deployment to date. Google has stopped activating new prepaid accounts in its mobile wallet after discovering a security flaw that allows unauthorized users to access the prepaid account without requiring a PIN. While the flaw is related more to the wallet application than to the security technology in the chip used to store data in the handset, the negative press from the event may impact consumer adoption for other mobile wallet trials scheduled to roll out in 2012.
Security standards for mobile apps may lag development cycle
According to ViaForensics, the lack of standards for mobile application security may challenge application testing methodologies. In fact, a February 13 post on ViaForensics' blog asserts that "...the speedy mobile development cycle and this lack of experience in the platforms is causing coders to throw all of those secure development principles the industry has fought for over the past five years right out the window when it comes to mobile apps..." While attention to security for mobile applications is evolving, ViaForensics's recent study found that financial services applications had the largest percentage of apps that passed their security tests.
Regulatory considerations for financial institutions
In most developed countries, such as the United States, mobile financial services are deployed in bank-led service models, partnering with the mobile telecom operators. A recent article published by the Federal Deposit Insurance Corporation, "Mobile Banking: Rewards and Risks," aptly notes that any financial service provider that engages a third-party service provider such as a telecom firm is expected to conduct appropriate due diligence to ensure they are working with reliable and reputable vendors to develop secure applications. Regulators will look to financial institutions to make sure their mobile services partners are meeting the terms of third-party agreements with respect to application and device security.
Widespread adoption may occur gradually
While stakeholders develop common standards for device and application access, and data security, it may take a while for mobile wallets to become commonplace. Reported security mishaps may be beneficial, in the end, if they serve to temper consumer adoption while financial institutions and their mobile services partners work to identify and manage potential security issues.
By Cynthia Merritt, assistant director of the Retail Payments Risk Forum
February 21, 2012 in emerging payments, innovation, mobile banking, mobile payments, payments, payments systems
December 05, 2011
The future of mobile payments
Although mobile payments have been much slower to develop in the United States than many industry observers had predicted, there have been a number of encouraging recent developments. Starbucks, for example, has processed more than 20 million mobile payments since launching its app, and the Chicago Transit Authority's new fare collection system will be able to accept mobile payments starting in 2013. Still, despite these small successes, the United States has not seen the mobile phone really take off as a vehicle for point-of-sale payments.
The Retail Payments Risk Forum takes an active interest in mobile payments. For the past few years, we have gathered together key industry stakeholders to promote dialogue about barriers to adoption and reach a collective understanding about the state of the industry. Forum members have recently published a paper describing the views of these stakeholders and outlining the necessary elements of a successful mobile payments system.
The Retail Payments Risk Forum recently interviewed David Evans, a payments industry consultant and the founder of Market Platform Dynamics, in a podcast exploring some of the challenges facing widespread mobile payments adoption. Evans maintained that a couple of obstacles have kept mobile payments from taking off in the United States. "Barrier number one is that there is not a very persuasive mobile payments alternative for consumers to use at the point of sale, and the second is that there's really not the technology at the point of sale capable of processing a mobile payments-type transaction."
In addition to these barriers, he said, is the simple fact that most consumers are satisfied with the way things are. Evans explained, "I can pull out a credit or a debit card at the point of sale, I can swipe it, and it works beautifully. Takes about a second. No fuss, no muss—the clerk knows what to do. The technology is all there. So we have this wonderful system that works really well right now that's extremely efficient." To change the status quo, a compelling value proposition must emerge for all parties. "Someone's going to have to come up with a really great alternative that adds value to the merchant and adds value to the consumers to make both of them want to do something different than [what] they are currently doing," said Evans.
Regarding the prospects for mobile payments outside the United States, Evans said, "I think that where we are going to see mobile payments take off around the world is primarily in countries that do not already have a very well-developed payment card industry with acceptance at the point of sale and that have very well-developed mobile phone systems."
The role of different types of market players has been a major source of debate among those forecasting mobile payments. Many disagree about how the mobile carriers, such as Verizon and AT&T, will fit into the new landscape. Evans predicted that "the likely role of the carriers in payments is basically being a pipe." He stressed that mobile carriers do not have the expertise to operate mobile payments and are more likely to become pipes for others who will develop mobile payments alternatives.
When asked about his predictions about the type of technology that will ultimately support mobile payments, Evans said that it was still too early to know. However, he did say that "it's really the solution that is going to drive the adoption of a particular acceptance technology at the point of sale, rather than the acceptance technology driving the solution." There are clearly still a lot of unknowns with regards to mobile payments, and Evans wisely concluded that "we should talk about this in 10 years when we may actually know the answer!"
By Jennifer C. Windh, a payments risk analyst in the Retail Payments Risk Forum at the Atlanta Fed
December 5, 2011 in mobile payments, payments systems
Comments
I completely agree with Evans's statement: Someone's going to have to come up with a really great solution that adds value to the interaction. The majority of consumers are not going to adopt mobile payments because it's cool to pay for something with your smartphone. Early adopters will, but the rest of us won't. We will adopt mobile payments when it is clearly more valuable (more convenient, more fun, etc.).
I think a good example of this is Square's Card Case mobile payment app which allows consumers to pay for stuff through their Square account without ever taking the phone out of their pocket.
To read more about this, you can check out my blog post on the subject here: http://www.zootweb.com/blog/index.php/mobile-disruptive-innovation/756/
Posted by: Alex Johnson | January 18, 2012 at 11:50 AM
I fully agree with Mr Evans - it will take something really ground-breaking to change the way we pay for our shopping. None of the alternatives being proposed or in some cases rolled out right now seems to have what it takes to stop us from using cash and cards in most transactions.
Posted by: Merchant Services | December 07, 2011 at 06:18 AM


Excellent discussion and apt analogy. I would add that just like the NCAA Tournament the winner(s) get to the final grouping by winning one game at a time and moving inexorably forward while not letting the hype and hoopla distract them from their goal. In mobile payments, this may mean incremental improvements and constant adjustment to the transaction process with an occasional "fast break" from the old paradigm will ultimately result in an application that addresses all of the needed attributes.