By Jerry Soverinsky
Three months after Google Wallet launched last September, digital forensics and security firm viaForensics performed a high-level analysis of the mobile payÂment service â€" the first major U.S. mass market attempt at smartphone payment processing â€" and concluded the wallet contained a number of vulnerabilities, leaving sensitive user data, including financial information, exposed.
"While Google Wallet does a decent job securing your full credit card numbersâ€¦the amount of data that Google Wallet stores unencrypted on the device is significant," viaForensics wrote on its blog. ViaForensics worked with Google to address the shortcomings, though a follow-up analysis in February revealed additional shortcomings.
"There were a number of issues that were indeed fixedâ€¦however, there was still enough information stored on the device that we did not feel that we could give it a passing grade," said viaForensics Chief Investigative Officer Andrew Hoog.
There was no actual evidence of consumer loss; the analyses simply revealed security lapses in the service â€" not auspicious findings for a fledgling industry trying to cultivate retailer and consumer confidence and adoption.
Complicating the security issue is a rush of players trying to claim space in the emerging mobile payments landscape.
Missing from the headlines â€" with the exception of the Google Wallet analyses â€" is any conversation of security, whose very mention seems to detract from the industry chorus that promises quick, easy and super-cool payment schemes.
"Security is not a sexy topic," said Gray Taylor, executive director of PCATS and payment consultant to NACS, "so not a lot of people are getÂting involved in itâ€¦Whatâ€™s sexy is the [mobile payment] wallet."
No doubt, the wallet is indeed sexy, with the technologyâ€™s transactional benefits â€" efficiency and cost-effecÂtiveness, not to mention seamless loyÂalty tie-ins â€" pushing aside security concerns, at least until the public (not firms like viaForensics) demands it.
"Irrespective of which technology or technologies emerge as the winner, the fact remains that security will likely continue to be an afterthought to conÂvenience," writes Chris Mark, execuÂtive vice present for emerging markets at ProPay Inc., for Pymnts.com.
Mark cites historical examples to back his prediction, including creation of the Payment Card Industry Data SeÂcurity Standard (PCI DSS) to address credit card data breaches. Prior to 2003, cards had implemented disparate "best practices" recommendations â€" none that mandated compliance. Only after a massive 2003 breach, in which 17 milÂlion accounts were compromised, did the card brands unify to create industry standards and force compliance.
It is unfortunate yet true that reguÂlatory bodies are hesitant to pass legÂislation until there is public outcry," Mark wrote. "Compliance with the PCI DSS was not mandated until major data breaches made the public aware of the security deficiencies within the payÂment card industry."
Parties with a vested interested in mobile payments â€" mobile phone companies, banks, the government and NACS, on behalf of retailers â€" are working behind the scenes, developing what they hope will become retail inÂdustry security standards. While their efforts are far from unified, all want to avoid consumer loss.
"We need to keep consumers from getting hurt," Taylor said. "And if you have breaches up front, mobile payÂments will get delayed. So everyone has a vested interest in making this secure."
Of equal importance to Taylor and others involved with merchant groups is avoiding a payments landscape bearÂing any resemblance to the status quo. "Thirty years ago, we didnâ€™t care about mag stripes and look what happened, weâ€™re stuck to a proprietary set of rails," Taylor said. "Weâ€™re not going to do it again. Weâ€™re going to be involved and make sure it is open and transparent but still the most secure platform posÂsible."
To that effort, Taylor has been workÂing with the Federal Reserve Bank of Boston, as part of its Mobile Payments Industry Workgroup (MPIW), develÂoping, among other things, recommenÂdations for security standards.
"Thereâ€™s no limit to smartphone apps but only one secure element and only one trusted security providÂer, if at all," Taylor said, who believes security should be hardware-based. But the issue then beÂcomes one of ownership and manageÂment.
"If you talk to [the mobile phone companies], they own it. If you talk to [the banks], they own it. And if you talk to a retailer, theyâ€™re not sure if they own it but they donâ€™t want to pay someÂone to access it," he said.
Therein lies a fundamental mobile payments security concern for retailers: whoever owns it can charge rent to acÂcess it, a potentially huge cost obligation for retailers, should mobile payments reach widespread consumer adoption.
Itâ€™s one reason that MPIW, after more than a year studying and laying out a framework for mobile payments, argued for an open mobile wallet, a position adopted by the Federal Reserve Banks of Boston and Atlanta in the 2011 white paper, "Mobile Payments in the United States: Mapping out the Road Ahead."
"Ubiquity will be achieved by creatÂing a set of standards for payment appliÂcations that co-exist in a mobile wallet open to all (credit, debit and prepaid) networks as well as ACH [Automated Clearing House], that work across all carriers, and are accepted by all merÂchant POS terminals across all borders."
To help ensure openness and a rent-free mobile payments environment, Taylor urges retailers to join NACS and PCATS, "because this is what weâ€™re doÂing, and security will determine the fuÂture of mobile payments.
"Weâ€™re trying to use the value propÂosition of open access to keep the big players from locking it up. Google can fight Apple and NFC [near field comÂmunication], but while theyâ€™re doing that, weâ€™re going to create a standard," he said.
While competing against those major players conjures up David versus GoliÂath scenarios, Taylor remains undauntÂed by the challenge. "People ask me, â€˜You mean youâ€™re going to tell Google how to do a transaction?â€™"
He pauses, before providing what he hopes will become a unified retailer reÂsponse. "Yes, we are. Google is nowhere in brick-and-mortar. If Google wants to play with brick-and-mortar, we can tell them how to play."
Jerry Soverinsky is a NACS Magazine and NACS Daily contributing writer.