Congress Probes Mobile Payments SecurityExperts Debate Whether More Regulatory Oversight Is Needed
See Also: Rethinking Endpoint Security
Two-thirds of U.S. adults now own smartphones, and more than 36 million Americans are expected next year to use mobile payments options to conduct $27 billion in transactions, according to statistics from Juniper Research and CNET that were gathered for a Dec. 1 hearing of the House Energy & Commerce Committee.
But how secure are these alternative payments methods? And with built-in functions, such as geo-location and biometric authentication, can consumers feel confident that their privacy is being protected? Those were among the questions raised at the committee's hearing on mobile payments.
The main takeaway from the hearing, which included testimony from PayPal, Samsung Pay and the Merchant Customer Exchange, is that while most mobile payments options provide stronger user authentication and convenience, they do not have the same legal and legislative protections as other payment methods.
The committee, which held the hearing as part of a series to review disruptive technologies, noted that this was a preliminary review of mobile payments security. It did not announce plans to take any legislative action, but encouraged stakeholders to submit additional comments and concerns about mobile security over the next 30 days.
"We want to explore the new ways consumers are paying for goods through their mobile devices, and how consumer information is being secured on mobile devices," said Rep. Frank Pallone Jr., D-N.J. "We want to be sure that information saved on mobile devices is secure, even if data on mobile devices can still be hacked."
Need for More Regulatory Oversight?
Sarah Jane Hughes of the Maurer School of Law at Indiana University told the committee lawmakers may need to consider whether Congress should mandate that mobile carriers, payments gateways and mobile service providers meet the same regulatory requirements for consumer fraud protections and privacy as banking institutions.
"Two federal statutes protect consumers with credit and debit payments - the Electronic Fund Transfer Act [Regulation E] and the - EFT and [Dodd-Frank Wall Street Reform and] Consumer Protection Act," Hughes, a mobile legal expert, noted during her testimony. "Those same protections for mobile do not exist, and that is a big issue for the unbanked and underbanked, who don't have credit or debit cards. Consumers who bill to a mobile phone statement, as opposed to a financial institution, do not have the same level of protections."
Banking institutions also have expressed concerns about the security practices of non-bank payments providers and processors, Hughes added.
"The potential for a mobile payment provider and the downstream payments participants necessary for clearing and settlement of the payment back to the merchant involved to collect and use information about the customer's spending habits and vendors of choice is, and will continue to be, substantial," she testified. "Whenever additional entities handle payment and user information, the risks of capture and improper use of these data grow. Thus, a multiparty, mobile-payments downstream network could create privacy risks in a degree comparable to or greater than privacy risks experienced in credit and debit transactions."
PayPal's John Muller, vice president of global payments policy, told the committee that that the multiparty networks often involved with processing mobile payments pose security challenges. Muller says this is why stronger authentication practices, such as biometrics, are increasingly becoming necessities.
"Biometric authentication features on mobile devices are radically changing this [mobile] model and, subsequently, are minimizing damage done in a breach or hack," Muller testified. "Through PayPal's leadership and collaboration with Samsung and the FIDO Alliance, PayPal was the first payment company to introduce fingerprint biometric payment authentication on Android mobile devices."
Sang Ahn, chief commercial officer for Samsung Pay in the U.S., told the committee that Samsun Pay uses biometrics as well, enabling users to apply fingerprints to their mobile phones' built-in sensors to authenticate transactions.
"Additionally, our smartphones incorporate the Samsung KNOX security platform, keeping all payment data locked and secure," Ahn testified. "Other mobile payment solutions employ tokenized transactions. But ... these solutions only work in the small fraction of stores with NFC-equipped terminals."
A Security Roadmap for Mobile
Hughes testified that despite little regulatory oversight, mobile payments providers have plenty of guidance to help them implement best practices that can sufficiently protect consumer privacy and ensure transaction security.
"Between the rule written by the FTC [Federal Trade Commission] in 2000, and now also enforced by the Consumer Financial Protection Bureau, and the rules written by the Comptroller of the Currency, the Federal Deposit Insurance Corp. and Board of Governors of the Federal Reserve System, most of the providers of mobile payments should have a sufficient roadmap on how to handle the personal identifiable information and financial information that they obtain from the processing of payments via mobile devices," she says.
In 2000, the FTC passed a rule to implement a subchapter of the Gramm-Leach-Bliley Act that covers all participants providing consumer financial products and services, including data processing and data transmission services.
And earlier this year, the OCC called for tighter regulatory controls over mobile and non-traditional payments providers (see OCC: Cyber-Risks to Payments Growing).
At a June 3 event, Comptroller of the Currency Thomas Curry said banking regulators, using authority granted by the Dodd-Frank Wall Street Reform and Consumer Protection Act, could do more to oversee e-commerce and emerging payments players, to "ensure a more level playing field and protections for customers of non-banks."
Sorting Out the Risks
Avivah Litan, a financial fraud expert and analyst at the consultancy Gartner, says lawmakers and others must understand the different risks posed by different types of mobile payments. "For example, paying a bill through a mobile browser is a totally different risk proposition than paying for groceries using ApplePay. They can't lump all of the different types of payments a consumer can make from a mobile phone into one category called 'mobile payments' and have a meaningful discussion about risk."
Mark Horwedel, CEO of the Merchant Advisory Group, which represents 85 of the largest U.S. merchants, contends mobile payments pose far fewer risks than conventional credit and debit card payments.
"Ultimately, mobile as well as the Internet will provide much higher levels of security than today's card payments, since both of the former channels are much more flexible and can adapt to new forms of authentication much sooner than traditional card payments," Horwedel says.
But Tom Kellermann, chief cybersecurity officer at security firm Trend Micro, says malware attacks and intrusions waged against mobile devices are on an upswing, and mobile payments security should be a top concern.
Al Pascual, director of fraud and security at Javelin Strategy & Research, agrees that mobile security is a growing worry. "Mobile malware has now evolved to a point that delivery is as easy as pointing a user to an infected or malicious site that contains the malware, and with no other action the program is downloaded, installed and can convey administrative access to the device," he says. "These attacks would place payment credentials and consumer PII at risk, which could have a deleterious effect on trust; and trust is a critical aspect of any successful payment scheme. Case in point: 40 percent of consumers who avoid mobile payments cite concern over security as the impediment to adoption."