How to Accept Mobile Payments and Remain PCI Compliant

December 16, 2016 • Category: Best Practices

Near Field Communication (NFC) technology has been integrated into more and more mobile devices in recent years, meaning instances of mobile contactless payments are continuing to grow as more retailers accept mobile payments in-store.

However, with new financial technologies come new ways for criminals to potentially defraud both businesses and consumers.

In this PCI Compliance Guide guest post, David Midgley of Total Processing sets out what retailers now accepting mobile payments need to do to ensure they remain PCI compliant, and that both they and their customers don’t fall victim to fraud.

Accepting Mobile Payments Requires Security Checks

While I think the technology underpinning the ability to pay for stuff using your phone is a wonderful advance, mobile payments are indicative of the convenience culture we now live in. However, when it comes to a person’s financial information, security should not be compromised in order to provide convenience.

It should be said, though, that Android Pay, Apple Pay and Samsung Pay all appear to be very secure. The Security and Privacy Overview on the Apple website, for example, goes to great lengths to explain exactly who sees your information, where it goes and what Apple does to protect it at each stage. On a practical, day-to-day basis, the apps require users to authenticate transactions with their fingerprint every time they make a purchase, while Samsung Pay accepts either fingerprint or PIN authentication.

However, these protections can be circumvented given the right knowledge and set of circumstances, meaning those with malicious intent could still defraud mobile payment app users.

For example, one of the reasons NFC technology is lauded as secure is that its read range is only a few centimetres. Therefore, it would be quite obvious if someone was trying to intercept the communication between a phone and your Point-of-Sale (POS) terminal, as their device would need to be right next to both. However, researchers at the University of Surrey have shown the read range can be extended to 80cm using inconspicuous equipment. Thus, while someone standing right next to the terminal would be quite obvious, a person casually sitting or standing nearly three feet away wouldn’t be. Hence, retailers need to be vigilant for anyone using such equipment and behaving suspiciously in their stores.

In addition, while the payment apps themselves are very secure, the NFC chip that makes them possible isn’t necessarily so. For example, you may remember reports on social media in February of people using a POS terminal on the London Underground to clandestinely charge amounts of up to £30 to commuters’ contactless cards. While the image used was found to have been taken from Russian media and may simply have been an attempt at scaremongering, it highlighted that contactless cards are vulnerable to fraud because they do not require cardholder authentication in order to process a transaction.

Apple, Google and Samsung, however, have put an authentication step (i.e., fingerprint recognition or PIN code) in place in Apple Pay, Google Wallet and Samsung Pay respectively, in order to authorise the transaction.

Therefore, if someone stole a contactless card, they would be able to spend on it until the card was reported stolen. If they stole someone’s phone, though, they’d be thwarted at the authentication stage by the fingerprint scanner or the need for a PIN code and wouldn’t be able to buy anything with it. Furthermore, a failed transaction from a device that is explicitly linked to its rightful owner should also alert the retailer that something is amiss, which would hopefully lead to the police being contacted.

Given that mobile payment apps utilise the same NFC technology, it remains to be seen whether criminals will find a way to bypass the authentication processes and security measures that have been put in place by Apple, Google and Samsung.

Mobile payments are the future of payments. Therefore, it makes sense for retailers to offer customers the ability to pay from a mobile device. However, retailers also need to ensure that these payments remain secure. While Apple, Google and Samsung have taken steps to secure their devices and payment applications, it is also the responsibility of retailers to do everything they can to secure payments in-store and to comply with PCI standards.

David Midgley is Head of Operations at UK-based payment gateway and merchant services provider Total Processing. Prior to this, he spent nine years working for HSBC from 2004 and also spent two and a half years at Axcess Merchant Services before taking up his current role at Total Processing in February 2016.