Mobile Payments: Apple Pay vs. RivalsABA's Kenneally on Security Risks of New Payments Options
Apple Pay has been touted for its baked-in tokenization and compliance with the EMV chip standard. But authentication gaps in Apple Pay's solution have allowed fraudsters to load stolen card data into the app, ultimately providing the opportunity for fraudulent transactions (see Apple Pay: Fraudsters Exploit Authentication).
During the American Bankers Association's Risk Management Forum April 15-17 in St. Louis, the merits of Apple Pay were weighed against two other up-and-coming mobile payments options: Google Wallet and LoopPay, the latter of which mobile device manufacturer Samsung acquired in February.
Steve Kenneally, vice president of payments and cybersecurity for the ABA, says many banking institutions are not aware of all these mobile payments options available to consumers and merchants. But it would behoove them to learn more about how each of these offerings works.
In this interview with Information Security Media Group at the ABA event, Kenneally reviews and compares Apple Pay with Google Wallet and LoopPay, based on points he debated during a panel discussion with independent payments and fraud consultant Rayleen Pirnie.
"With Apple Pay, the onboarding procedure to validate that the individual is who they say they are - that the card is valid - some of those controls weren't as strong as they can be," Kenneally says during the interview. "I think some banks have recognized that, obviously, and they've increased their security on the onboarding procedure. So, they've solved that problem."
But have banks missed the mark by focusing so much attention on Apple Pay and not enough on other offerings? Kenneally says it's possible, because Google Wallet, at least from a fraud-liability perspective, offers more protections for banks than Apple Pay.
And then there's LoopPay, which unlike Apple Pay and Google Wallet is not a mobile wallet, but merely a mechanism by which merchants can accept magnetic-stripe card payment through the mobile phone.
"It's an interesting product, because it will use your card, or a device that will mimic the customer's mag-stripe, so it's not a real mobile transaction using NFC [near-field communication] or the cloud or anything like that," he says. "It basically enables someone to use their phone or the dongle attached to it to initiate a mobile transaction at any POS [point-of-sale] terminal that accepts magnetic transactions."
But the technology and security behind LoopPay are still not well understood, Kenneally adds.
Other topics discussed during this interview:
- How mobile offerings, including LoopPay, could represent a shift in the market;
- The new industry focus on faster, and in some cases real-time, payments;
- Why the Federal Reserve could step in to play a more hands-on role in its push for faster payments.
Kenneally works in the Center for Payments and Cyber Risk at the ABA, addressing security and compliance issues related to legacy payment systems, including check, ACH, card and wires, and emerging payment technologies, such as digital wallets, virtual currency and peer-to-peer payments. He is the staff liaison to two standing member committees focused on payments issues, in addition to the ABA's Emerging Payments Advisory Group. Before joining the ABA in 2005, Kenneally worked at the U.S. Department of the Treasury, where he managed the private network of banks collecting non-tax payments on behalf of the federal government and drafted regulations and guidance on cash management issues.