Mobile payment systems are on the rise, and many business leaders fear those transactions are upping their security risks, too.
Consider the findings from a Ponemon Institute study released this spring, in which more than half of the survey respondents said they believe the use of mobile payment systems increases the risk of a data breach.
Just as telling is the fact that 53% of them not only accept the risk but also said their companies believe customer convenience is more important than those security concerns.
The findings, based on the responses of 748 U.S.-based security, risk management and other payment systems professionals and reported in 2015 Data Security in the Evolving Payments Ecosystem, come as more consumers pay via their smartphones or smartwatches.
Although IT leaders are justified in their concerns, mobile payment solutions could actually boost a company's security profile, according to analysts and security experts.
They said mobile payments are actually more secure than traditional credit card transactions overall but also agreed that IT leaders aren't off the hook when it comes to security.
That's because the new mobile payment systems aren't completely foolproof, so CIOs need to be aware of both security improvements and possible vulnerabilities in mobile payments.
"CIOs understand there are security benefits to this new system, but we're not at the point that it helps them sleep better at night," said Tim Herbert, senior vice president for research and market intelligence for CompTIA, an IT trade association.
Mobile payments, also known as contactless pay, use near field communication (NFC) to send encrypted customer payment information to retail terminals. A mobile device then generates a code randomly for each transaction, so credit card data remains with the consumer rather than residing on the retailer's computer systems, said John P. Pironti, president of IP Architects LLC and a risk and security advisor with ISACA, a professional association focused on IT governance and security.
"The design is to reduce the liability to the merchant. They get an authorization code that says you're going to get paid. It dramatically improves your security profile," Pironti said.
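To make the design Pironti describes concrete, here is an added example, not code from the article or from any payment vendor: a simplified Python model of payment tokenization in which the phone holds only a token and a device key, each tap produces a one-time cryptogram (modelled here as an HMAC over the transaction fields plus a counter, an assumption standing in for the EMV-style cryptograms production systems use), and a token service provider, standing in for the vendor, is the only party able to map the token back to the card number. The class names, field names and the sample PAN are constructed for illustration. It also exercises the checks a practitioner would want to see: a replayed message and a tampered amount are both rejected, and the merchant's records contain no card number.

```python
"""Simplified model of payment tokenization with a per-transaction cryptogram.

Added illustration only; not the implementation of Apple Pay, Google Wallet or
any other vendor. The HMAC construction, class names and field names are
assumptions made for this example.
"""
import hashlib
import hmac
import secrets
import struct


def cryptogram(key, token, amount_cents, merchant_id, counter, nonce):
    """One-time code over the fields the issuer must authorize.

    Assumed construction: HMAC-SHA256 keyed with the device key. Neither the
    merchant nor a thief who captures one message can forge another without
    that key, and changing any field invalidates the code."""
    msg = token.encode() + struct.pack(">QI", amount_cents, counter) \
        + merchant_id.encode() + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class TokenServiceProvider:
    """Stands in for the payment vendor / network that holds the real card data.

    Maps token -> PAN, keeps the per-device key and the last transaction
    counter seen, so a captured message cannot be replayed."""

    def __init__(self):
        self._pan_by_token, self._key_by_token, self._last_counter = {}, {}, {}

    def provision(self, pan):
        """Enrol a card: return (token, device_key). The PAN stays here."""
        token = "49" + "".join(str(secrets.randbelow(10)) for _ in range(14))
        key = secrets.token_bytes(32)
        self._pan_by_token[token] = pan
        self._key_by_token[token] = key
        self._last_counter[token] = 0
        return token, key

    def authorize(self, request):
        """Verify counter freshness and the cryptogram; only then touch the PAN."""
        token = request["token"]
        if token not in self._key_by_token:
            return {"approved": False, "reason": "unknown token"}
        counter = request["counter"]
        if counter <= self._last_counter[token]:
            return {"approved": False, "reason": "replayed or stale counter"}
        expected = cryptogram(self._key_by_token[token], token,
                              request["amount_cents"], request["merchant_id"],
                              counter, request["nonce"])
        if not hmac.compare_digest(expected, request["cryptogram"]):
            return {"approved": False, "reason": "bad cryptogram"}
        self._last_counter[token] = counter
        _pan = self._pan_by_token[token]  # the only place the real PAN is used
        return {"approved": True, "auth_code": secrets.token_hex(3).upper()}


class Wallet:
    """The consumer's phone: holds the token and device key, never the PAN."""

    def __init__(self, token, key):
        self.token, self._key, self.counter = token, key, 0

    def tap(self, amount_cents, merchant_id, nonce):
        """Build one payment message for the terminal; the counter rises per tap."""
        self.counter += 1
        return {
            "token": self.token, "amount_cents": amount_cents,
            "merchant_id": merchant_id, "counter": self.counter, "nonce": nonce,
            "cryptogram": cryptogram(self._key, self.token, amount_cents,
                                     merchant_id, self.counter, nonce),
        }


class Merchant:
    """The retailer's terminal and back office: forwards messages, stores results."""

    def __init__(self, merchant_id, tsp):
        self.merchant_id, self._tsp, self.records = merchant_id, tsp, []

    def charge(self, wallet, amount_cents):
        nonce = secrets.token_bytes(4)  # terminal's unpredictable number
        msg = wallet.tap(amount_cents, self.merchant_id, nonce)
        result = self._tsp.authorize(msg)
        self.records.append({"message": msg, "result": result})
        return result


def demo():
    """Run a good tap, a replay, a tampered amount and a second good tap."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"  # constructed test card number
    token, key = tsp.provision(pan)
    phone, shop = Wallet(token, key), Merchant("SHOP-001", tsp)

    first = shop.charge(phone, 1299)
    # A thief who captured the first message (or dumped the merchant's
    # database) sends it again: the counter is stale, so it is refused.
    replay = tsp.authorize(shop.records[0]["message"])
    # A rogue terminal changes the amount after the phone has signed it.
    forged = phone.tap(500, shop.merchant_id, secrets.token_bytes(4))
    forged["amount_cents"] = 50_000
    tampered = tsp.authorize(forged)
    second = shop.charge(phone, 4500)
    return {"first": first, "replay": replay, "tampered": tampered,
            "second": second, "pan_on_merchant": pan in repr(shop.records)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is where the card number lives: a breach of the merchant's records yields tokens and cryptograms that cannot be reused, while a breach of the token service provider, which still holds the PAN mapping, is as damaging as a breach of any card processor, which is the concern raised later in this article.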
IT leaders at retailers (and retailers are, for now, the businesses mainly implementing mobile payment solutions) still have work to do, Pironti and others said.
But what additional security work they have to do beyond implementing the technology to enable mobile payment transactions is, at this point, a bit undefined because the technology is fairly new.
Mobile payment vendors do the heavy lifting on security
Herbert credited vendors with doing a lot of the heavy lifting around security, because these contactless payment systems mean businesses don't have to access consumer credit card numbers.
"That's an added layer of security," Herbert said, adding that vendors have also created security layers for the transmission process. "It's not completely foolproof, but a lot of that has been addressed."
However, Herbert said contactless pay could be even more secure if the devices -- whether a smartphone or a smartwatch -- used extra security measures such as biometrics to ensure only the proper owners could use the payment system. He said studies show that relying on passwords to protect devices and the mobile payment systems remains a weak link because humans continue to use predictable passwords like 1-2-3-4 and 1-1-1-1.
"The technology can be secure, but a lapse in some other human component can compromise the system," Herbert said.
Hackers have mobile payment vendors in their sights
Moreover, he and others said the greatest risk remains hackers getting into the credit card data stored by companies. With mobile pay, that means mobile payment vendors that have credit card data now become the likely targets for hackers.
"If one of the payment providers is compromised it would be as bad as if any of the traditional credit card systems were compromised," Herbert said. "That would inflict the maximum damage."
In fact, G. Mark Hardy, founder and president of both National Security Corp. and CardKill Inc. and an instructor with the SANS Institute, said one of the biggest risks is the fact that mobile payment apps and systems such as Apple Pay, CurrentC and Google Wallet still use credit cards as part of the process. Thieves can use a stolen credit card to populate a payment system with money, or they can use a stolen smartphone's payment account to shop.
"Right now the problem is when you're using this electronic payment, clerks aren't quite sure how to challenge it," Hardy said.
He added: "It's the newness of the system that creates some vulnerabilities."
If that's the case, then who exactly assumes liability for fraudulent transactions? Although that answer may be outside the CIO's scope of responsibility, IT leaders will still be called upon to help mitigate the possibility of such fraud occurring.
About the author:
Mary K. Pratt, a freelance writer based in Massachusetts, writes frequently about business management and information technology. She can be reached at [email protected].