
No need to compromise over payment security

The answer is in the palm of your hand. 

The US retail giant, Target, has recently been in the press for all the wrong reasons. It's estimated that 110m of its customers have been left open to identity theft. Target joins Sony, TJX, Shell, Lush and many others that have been compromised in this way.

The result has been a war of words over new security standards between the National Retail Federation and US banks, and recriminations continue. This is entirely understandable, of course: changes need to be made for the better. However, there is a danger that any knee-jerk reactions could go too far and not be properly thought through.

If security becomes too stringent in the fall-out of Target, consumer utility will suffer.

Consumers expect financial transactions to be safe and secure. But they also expect them to be swift and simple. There is no use in security being so arduous that it hampers commerce. Consumers certainly won't thank the industry for making their lives more difficult. So, when breaches like these happen, commentators immediately ask how we "balance" security and simplicity.

This is taking the debate somewhere pointless. The idea of "balance" is actually a compromise. When it comes to security versus simplicity, there shouldn't be a compromise at all. Consumers expect and deserve high security and a great experience when shopping.

This is easier said than done, however. Let's look at retail examples.

Although mostly obsolete in Europe, many US retailers still accept payment cards via a swipe of the magstripe and a signature. It's simple and it's easy, but it's not secure at all. Magstripe information is insecure and easily compromised, and signatures are easy to forge.

At the other end of the spectrum is 3-D Secure, used widely in online transactions. While it adds another layer of security to the purchasing process, it also slows the process down. And it's yet another password for the consumer to remember.

In Europe, EMV (often known as Chip and PIN) is the two-factor authentication standard for payment card security. Two-factor authentication relies on 'something you know' (the PIN) and 'something you have' (the card). However, it has yet to make any impact in the US. It would require substantial investment from banks to issue new EMV cards, and retailers would have to purchase new POS devices to accept them.

What's the solution? It's actually something you possibly have in your hand right now: a mobile phone. The smart device can act as 'something you have', and instead of being entered into a POS terminal, the PIN can be keyed into the device. So, unlike a card, new multi-factor authentication technology can ensure that access to payment services is granted only to the person who has the specific device (even a duplicate wouldn't work) and knows the PIN.

This means there is no need for new payment cards or other new devices to be issued to consumers, or for retailers to invest in expensive new POS terminals. Mobile-enabled commerce has other security benefits. By using a QR code to make purchases and transactions, no personal or financial information needs to be transmitted and the risk of breach is minimised.

The smart device has revolutionised our day-to-day lives. It has the power to revolutionise retail security too. 

