It seems that the technology for supporting mobile payments will soon become widely available. Most of the major smartphone operating systems have announced support for NFC. Many big names such as Nokia, Blackberry and HTC have launched NFC phones and some key Mobile Network Operators have made announcements too. However, this new payment ecosystem will present an array of security requirements and challenges.
Mobile contactless payment applications must be ‘provisioned’ before they can be used. ‘Provisioning’ covers the process of preparing and loading an application on a user’s phone with personalised account data. It also includes the deployment of unique personalisation keys to protect the loading of information to the device and the transactions made by the payment application.
Payment applications on mobiles will typically be provisioned ‘Over-the-Air’, which means many parties can potentially be involved in the provisioning process. This increases the risk profile, and consequently the various data exchanges must be highly secure to ensure that no data is compromised.
Furthermore, consumers will expect mobile payments to be as secure as EMV. And it’s important that they are, because following the recent significant, and very public, data breaches from the likes of Sony and Epsilon, consumer awareness of security risks has increased greatly.
Technology does exist, however, that makes issuing mobile payments as secure as issuing cards.
Although not mandated to do so, card issuers are finding that Hardware Security Modules (HSMs), which generate and protect encryption keys, are necessary to address security and manage risk. HSMs secure keys and sensitive data, which avoids the vulnerability of keys stored in software (see "Can a fence around the house prevent your guests stealing the family silver?"). This ensures that sensitive data is never exposed and reduces risk for the service provider. Using HSMs can also greatly simplify the task of issuing payment applications to mobiles securely.
Of course, we must remember that encryption isn’t the sole answer. It must be teamed with authentication to provide protection for data exchange and authorisation. If a business wants to take advantage of the huge growth in mobile-based payments that is being widely predicted, security needs to be the foundation to minimise risk.