Laptops. Tablets. Smartphones. Thermostats. Fitness trackers. Insulin pumps. Cars. Increased connectivity means a lot more data. A lot more data means the need for data protection…and trusted relationships between the providers of that data, the consumers of that data and the conduits for that data.
The past decade’s explosion of data can modestly be called a digital transformation, a transformation that is driving new business models and revenue and making possible whole new ways of building relationships with customers and suppliers. This digital transformation, brought about in part by a proliferation of mobile devices, has also led to a dramatic expansion of the payments ecosystem, bringing new players such as mobile operators, handset manufacturers and application providers into the mix. In the past few years, the payments ecosystem has also given birth to mobile payments, with companies like PayPal paving the way for Apple, Google, Square and Venmo. As with many new technologies, the promising mobile payments world also poses risks.
Balancing Convenience and Security
Mobile payments are popular. They’re fast, they’re easy, and they’re convenient. They’re far easier than inserting a card into a point-of-sale, entering a PIN and waiting for transaction authorization. But while convenience may be king for the consumer, convenience isn’t always synonymous with security.
For the purpose of this blog, I’ve focused on three key areas that make up said comprehensive security infrastructure: a) secure identities/root of trust; b) security of data in transit; and c) security of repositories and processing environments.
Secure Identities/Root of Trust
Are you who you say you are? The ability to manage user identities and effectively control access to data and applications is a critical aspect of securing the mobile payments ecosystem – and arguably one of the most important security priorities of our time. An organization’s ability to ensure only authorized access to its systems and data—and to prove that it has done so—is a critical piece of protecting systems and information, easing compliance, enforcing accountability, and streamlining routine operations. Controlling access, in turn, depends heavily on secure processes for identity management—defining identities, associating them with credentials, placing those credentials in the right hands, and managing them over time.
Simply put, devices need secure identities to ensure payments are not fraudulently made. Without secure identities, attackers can clone a device and impersonate a user, leading to direct fraud and theft. Unfortunately, stolen and misused data often leads to painful disclosures, adverse publicity, lawsuits and compliance fines. Fortunately, there are a number of existing identity management products supporting strong user authentication and consistent management of user identities.
Security of Data in Transit
Secure identities are one piece (albeit one pivotal piece) of the mobile payments security puzzle. The next obstacle to address is that of securing data in transit (aka secure communications).
One element is insuring that payment credentials and applications are not compromised when installed. Over-the-air provisioning of payment credentials and applications potentially creates new attack vectors for eavesdroppers to steal and misuse customer data if not properly controlled and authenticated. Another element is secure communications. Secure communications standardsensure that financial information in payments transactions are secure and not sniffed or intercepted in transit between the device and providers.
Security of Repositories and Processing Environments
All secure, all in the clear? Not so fast; we’re only 2/3 of the way there. On back end systems and in processing centers, attackers can steal and misuse data, leading to painful disclosures, adverse publicity, and fines. Data must be safely stored, analyzed and processed on back end systems to prevent wholesale breaches and theft.
The good news is that there are proven trust models for minimizing the risk of fraudulent transactions while protecting all critical keys and payment credentials – such as access controls, encryption and data access monitoring. All of these technologies limit exposures to threats and enable user behavior monitoring that reveal when credentials have been compromised.
Mobile Payments + Security=Business Enablers
The competitive advantages of mobile payments are numerous. They’re catnip to convenience-obsessed consumers, in that they expand customer relationships and build loyalty. They enable banks to conduct real-time two-way communications with their customers. They bypass the limitations of plastic payment cards. For banks in particular, mobile payments open up new revenue streams.
Banks and merchants wise to the revenue opportunity but blind to the security risks will find themselves in a precarious situation; one big data breach could bring them down. On the flip side, banks and merchants who view security as a business enabler (instead of an obstacle) will ultimately come out on top.
Encryption is a critical element in doing this. Secure identities for providers and devices enable positive identification of users and secure communications using encryption. Storage secured with encryption at the OS and application level, and combined with access controls and access monitoring, make it exponentially more challenging for the “bad guys” to cause financial, reputational and legal harm by stealing data from core applications and repositories. With properly implemented encryption solutions, new risks that result from mobile payments are minimized or eliminated.
The takeaway here? When pursuing digital transformation though mobile payments, the architecture and security concerns must be addressed at every level of the solution – securing identity on the device, data in transit and the security of access to information on back end systems. Encryption, enabled by secure identities, is a basic requirements at every level.
Think this is interesting? Please keep your eye out for the results of Vormetric’s mobile payments security survey, hitting later this month. You can also find me at @kessalan.