A post relating to this item from Finextra:
20 November 2013
The European Central Bank has set out draft recommendations on mobile payments security, covering everything from customer authentication to data protection.
The ECB published its recommendations for the security of mobile payments last week. Although unrelated, this latest set of recommendations shows how governments and central banks (the US Federal Reserve Banks recently announced a public consultation exercise on improving the future U.S. payment system, and the newly formed Financial Conduct Authority (FCA) has also just published an interim report exploring some early findings of a review into mobile banking services) see their role in shaping the new payments landscape.
When it comes to financial services (mobile or otherwise), consumers want convenience and trust. Mobile payments can deliver a strong value proposition here, so it is inevitable that such services are attracting the ECB’s attention. Mobile is clearly at the centre of a revolution that is happening. This is logical: we have an intelligent, sophisticated device that is with us 24x7, be it our smartphone or tablet, and we expect to be able to control our lives through this one device, for communication, commerce, banking, work, watching films, playing games and listening to music. The attitude of consumers to banking and payments is no different, and why should it be? The mobile device is set to become the dominant device to enable a paradigm shift in traditional business models, and the device to enable new business models and experiences.
I read the paper with interest even though I was uncertain as to what conclusions I should expect. I have to admit that I was pleased to see that the ECB shows a good grasp of the challenges and opportunities at hand. Analysts predict that the number of payments using mobile devices could grow by 52.7% a year to reach 17bn in 2013 (source: World Payments Report 2012); this is to be added to predictions of up to $670bn of global mobile payments being made by 2015 (source: Juniper Research). The ECB is right: security is a major challenge in ensuring that the mobile payments sector realises its full potential. Gartner has predicted that the financial impact of cybercrime will grow 10% per year through to 2016. It’s a no-brainer: as payments evolve, cybercrime grows in size and sophistication. The correlation is clear.
The ECB recommendations point in the right direction: security procedures need to be integrated into the mobile payments architecture, by design, from the outset, which leads us to the $million question: “Whose responsibility is it anyway?” As some of these transactions and capabilities can carry considerable risk, fraudsters will certainly focus their attention on the new way that we make payments and be quick to capitalise on any inherent weaknesses, be it in processes, procedures, or methods. As the payments space moves mobile we need appropriate solutions, constructed from the ground up, for this new area; the FCA is right to engage early with the FS industry in that area. Many of the mobile-based offerings available today provide little application, i.e. end-user, functionality, possibly due to weak registration processes, whilst others require onerous registration processes that are more aligned with other, traditional banking channels. The solution, as is so often the case with electronic financial services, is implementing the right security architecture and recognising the needs of the consumer in the most demanding of all channels: the consumer interface channel. Such an approach needs to extend to the full lifecycle of the mobile banking app, not just the registration or enrolment function.
Criminals are very sophisticated these days, and organised crime will expose the weaknesses in the chain. It is no longer just down to the bank to bear the responsibility for securing transactions. Every step of the chain, holistically, needs to be secured, from the phone manufacturers, to the mobile network operators, the merchants, the acquirers, the payment processors, the schemes, and of course the consumers' bank. I believe that telcos could be at an advantage here. They can leverage their unique position as the mobile network operator, just as groups like ISIS in the US and, in the UK, Project Oscar (the NFC consortium made up of Vodafone, O2/Telefonica, Everything Everywhere) have positioned themselves in the mobile payment space. Ultimately, they have the “last mile” in terms of the relationship with their subscriber.
Faced with the choice between catching the crooks and stopping the fraud, I am of the view that detection and prevention is of course the preferred outcome. Improving our capabilities before the fraud event, or as the event is occurring, is the ultimate result. Being able to determine the difference between a fraud event and a false positive is of course the ultimate weapon in the defence against crime, and the ultimate in terms of best-practice consumer protection and customer satisfaction. The key of course lies in the security architecture, built from the ground up to reflect the individual transaction needs of the new mobile payments landscape, providing the highest levels of security and privacy by combining invisible security layers, and low or no friction on the consumer side. Consumers will be quick to recognise the brand of trust that provides them with the assurance that their identity is assured, their transactions are secure and their interactions are intuitive – in short, the $billion brand of the future!