While cash and card payments are still the most widespread methods of payment, studies show that UK shoppers increasingly prefer using mobile payments instead of credit cards. Mobile payments could very well become the new norm, especially now that all the major players – including Apple, Google and Samsung – have developed apps enabling users to make payments at point-of-sale systems and the ceiling limit for contactless payments has increased to £30 in the UK.
However, the change mobile payments will bring to the industry will be gradual. Similar to the way in which cheques were slowly phased out, plastic cards won’t disappear for many years. One of the reasons is that although the use of online banking and shopping has grown significantly, so too has the number of security threats targeting such services. According to the latest Breach Level Index report, there were 888 data breaches in the first half of 2015, compromising 246 million data records of customers’ personal and financial information worldwide. In fact, Samsung’s LoopPay was hacked just a few weeks ago, and recent research has shown hackers could easily use contactless card readers to remotely "steal" key details from cards.
This shows that while the need to secure payment transactions and data remains critical, and though there is heightened pressure to comply with payment standards, securing financial data is far from simple. Effective security measures are being built into new mobile payment mechanisms, but security teams will almost certainly have to contend with increasingly sophisticated attacks, a rapidly evolving technological environment and compliance with multiple standards and regulations. Add to this the fact that transactions will continue to rely on a complicated ecosystem with multiple points of vulnerability, and the scale of the challenge is clear.
That being said, new cybersecurity regulations in the E.U. and the U.S. may set clear European and national standards for consumers and businesses, both of which will get more involved in data security and privacy issues. While compliance with these new regulations is expected to be costly, it will also give companies the opportunity to begin to understand that security is a differentiator. As a result, businesses will begin to market themselves as providers of secure services, much in the same way that Google, Yahoo and Facebook are already doing.
In the meantime, at the very least businesses should understand the payment vulnerabilities they face and protect their customers’ data as early in the transaction process as possible by moving to a framework centred on the data itself. This means focusing on specific points of vulnerability, and using end-to-end encryption to secure data from the earliest possible moment of its capture, ensuring it remains encrypted until it arrives at the payment gateway. Companies should also implement multi-factor chip and PIN authentication to secure access to financial transactions, protecting the identities of users and ensuring that a user is who they claim to be.
Ultimately, businesses need to understand that data breaches are not just breaches of security. They are also breaches of trust between companies and their customers. It’s up to each organisation to bridge that gap by moving away from the traditional strategy of focusing on breach prevention and instead implementing a ‘secure breach’ approach that focuses on securing the data once intruders penetrate the perimeter defences.