Exposing the Mobile Wallet
By Jerry Soverinsky

Three months after Google Wallet launched last September, digital forensics and security firm viaForensics performed a high-level analysis of the mobile payment service – the first major U.S. mass market attempt at smartphone payment processing – and concluded the wallet contained a number of vulnerabilities, leaving sensitive user data, including financial information, exposed.

"While Google Wallet does a decent job securing your full credit card numbers…the amount of data that Google Wallet stores unencrypted on the device is significant," viaForensics wrote on its blog. ViaForensics worked with Google to address the shortcomings, though a follow-up analysis in February revealed additional shortcomings.

"There were a number of issues that were indeed fixed…however, there was still enough information stored on the device that we did not feel that we could give it a passing grade," said viaForensics Chief Investigative Officer Andrew Hoog.

There was no actual evidence of consumer loss; the analyses simply revealed security lapses in the service – not auspicious findings for a fledgling industry trying to cultivate retailer and consumer confidence and adoption.

Complicating the security issue is a rush of players trying to claim space in the emerging mobile payments landscape.

Security as an Afterthought
Missing from the headlines – with the exception of the Google Wallet analyses – is any conversation of security, whose very mention seems to detract from the industry chorus that promises quick, easy and super-cool payment schemes.

"Security is not a sexy topic," said Gray Taylor, executive director of PCATS and payment consultant to NACS, "so not a lot of people are getting involved in it…What's sexy is the [mobile payment] wallet."

No doubt, the wallet is indeed sexy, with the technology's transactional benefits – efficiency and cost-effectiveness, not to mention seamless loyalty tie-ins – pushing aside security concerns, at least until the public (not firms like viaForensics) demands it.

"Irrespective of which technology or technologies emerge as the winner, the fact remains that security will likely continue to be an afterthought to convenience," writes Chris Mark, executive vice president for emerging markets at ProPay Inc., for Pymnts.com.

Mark cites historical examples to back his prediction, including the creation of the Payment Card Industry Data Security Standard (PCI DSS) to address credit card data breaches. Prior to 2003, the card brands had each issued disparate "best practices" recommendations – none of which mandated compliance. Only after a massive 2003 breach, in which 17 million accounts were compromised, did the card brands unify to create industry standards and force compliance.

"It is unfortunate yet true that regulatory bodies are hesitant to pass legislation until there is public outcry," Mark wrote. "Compliance with the PCI DSS was not mandated until major data breaches made the public aware of the security deficiencies within the payment card industry."

Parties with a vested interest in mobile payments – mobile phone companies, banks, the government and NACS, on behalf of retailers – are working behind the scenes, developing what they hope will become retail industry security standards. While their efforts are far from unified, all want to avoid consumer loss.

"We need to keep consumers from getting hurt," Taylor said. "And if you have breaches up front, mobile payments will get delayed. So everyone has a vested interest in making this secure."

Of equal importance to Taylor and others involved with merchant groups is avoiding a payments landscape bearing any resemblance to the status quo. "Thirty years ago, we didn't care about mag stripes and look what happened, we're stuck to a proprietary set of rails," Taylor said. "We're not going to do it again. We're going to be involved and make sure it is open and transparent but still the most secure platform possible."

Why Payments Security Matters Now
To that effort, Taylor has been working with the Federal Reserve Bank of Boston, as part of its Mobile Payments Industry Workgroup (MPIW), developing, among other things, recommendations for security standards.

"There's no limit to smartphone apps but only one secure element and only one trusted security provider, if at all," said Taylor, who believes security should be hardware-based. But the issue then becomes one of ownership and management.

"If you talk to [the mobile phone companies], they own it. If you talk to [the banks], they own it. And if you talk to a retailer, they're not sure if they own it but they don't want to pay someone to access it," he said.

Therein lies a fundamental mobile payments security concern for retailers: whoever owns it can charge rent to access it, a potentially huge cost obligation for retailers, should mobile payments reach widespread consumer adoption.

It's one reason that MPIW, after more than a year studying and laying out a framework for mobile payments, argued for an open mobile wallet, a position adopted by the Federal Reserve Banks of Boston and Atlanta in the 2011 white paper, "Mobile Payments in the United States: Mapping out the Road Ahead."

"Ubiquity will be achieved by creating a set of standards for payment applications that co-exist in a mobile wallet open to all (credit, debit and prepaid) networks as well as ACH [Automated Clearing House], that work across all carriers, and are accepted by all merchant POS terminals across all borders."

What You Can Do
To help ensure openness and a rent-free mobile payments environment, Taylor urges retailers to join NACS and PCATS, "because this is what we're doing, and security will determine the future of mobile payments.

"We're trying to use the value proposition of open access to keep the big players from locking it up. Google can fight Apple and NFC [near field communication], but while they're doing that, we're going to create a standard," he said.

While competing against those major players conjures up David versus Goliath scenarios, Taylor remains undaunted by the challenge. "People ask me, 'You mean you're going to tell Google how to do a transaction?'"

He pauses, before providing what he hopes will become a unified retailer response. "Yes, we are. Google is nowhere in brick-and-mortar. If Google wants to play with brick-and-mortar, we can tell them how to play."

Jerry Soverinsky is a NACS Magazine and NACS Daily contributing writer.