Prepare for a Payments RevolutionWhy Apple Pay, Tokenization Are Altering the Landscape
At Information Security Media Group's Fraud Summit Dallas, opinions varied widely on the long-term viability of Apple Pay and other emerging payments technologies, including cryptocurrencies such as Bitcoin.
But regardless of what new technologies emerge as the winners, the payments arena is entering a period of revolutionary change, says cybersecurity attorney Joseph Burton, a managing partner at San Francisco law firm Duane Morris.
Here are a few takeaways from Burton and other experts at our Dallas event.
Banks and retailers should offer strong support for Apple Pay because the technology is superior to anything else available in the market today, Burton contends. That's because Apple Pay, an EMV-compliant chip transaction, also uses tokenization.
But will mobile payments be embraced by consumers in the U.S.?
That depends on whether Google also adopts a model similar to Apple Pay for use on Android devices, argues Javelin Strategy & Research analyst Al Pascual. After all, Android phones are far more commonly used than iPhones.
Meanwhile, Dennis Simmons, outgoing CEO of SWACHA, a regional payments association based in Texas, questions how secure Apple Pay's NFC payments really are.
Simmons' perspective: Sure, Apple Pay's NFC transactions are encrypted; but wouldn't a contact EMV transaction be a safer short-term bet for the industry?
And we can't forget that not everyone owns a smart phone. That means users of more basic cellular mobile phones will have to continue to use payment cards. And as long as we have cards in the market, we still have to figure out how to secure those cards.
Of course, card transactions could eventually run on a system that has features similar to Apple Pay. But until the U.S. market completes its transition to the EMV chip, with no lingering magnetic-stripes, we're in trouble.
I suspect that it will take until at least 2017 before we see a completed rollout of EMV in the U.S. There's no way all card issuers and merchants are going to be EMV compliant by October 2015, the fraud liability shift date set by the card brands.
So what about other emerging payment options?
Paul Yanowitch, assistant U.S. attorney for the Northern District of Texas, says banks need to carefully monitor the latest Bitcoin developments. That's because the money-laundering and know-your-customer risks related to the use of virtual currencies will only increase. So ensuring compliance with the Bank Secrecy Act has to be top-of-mind.
And what needs to be done to make sure retailers are taking adequate steps in the fight against payment card fraud?
Kate Larson, regulatory counsel for the Consumer Bankers Association, argues that Congress should pass legislation that ensures merchants are held to higher security standards - standards similar to those mandated for banking institutions under the Graham-Leach-Bliley Act as well as those from the Federal Financial Institutions Examination Council.
We can definitely expect to see a continued push by banking institutions for congressional action in 2015 to hold retailers more accountable for breaches. But it's unlikely we will see much from Congress anytime soon. After all, we've been talking about a national breach notification standard for years, and we're still waiting.
Where I do expect some progress to be made, however, is in the issuance of new regulatory guidance related to cybersecurity at banks and credit unions. Banking regulators have already said institutions should be preparing for new guidance - they just haven't said when it is coming (see FDIC: What to Expect in New Guidance).
How do you think Congress and banking regulators will address payments security in the coming year?
You can get involved in the debate by posting your comments below.