
Thales Blog

Digital Trust - A Fundamental Requirement For Digital Payments

October 20, 2016


Once, commerce was driven by the exchange of goods (barter), or by money that “clinked.” Then came paper money, letters of credit, checks, central banks, credit cards, ATMs, interbank transfers and online banking. Now the payments industry is well into yet another major transition: the rise of digital payments. In fact, according to Visa’s 2016 Digital Payments Study, global consumer adoption of mobile payments has tripled in the past year, with Turkey, Denmark and Norway noted as the top three markets for mobile payment users. The volume of transactions from apps that enable digital payments is also projected to grow at 10% this year (Capgemini), roughly three times the estimated global growth rate of around 3.4%. And Worldpay’s latest report predicted that eWallets will overtake credit cards as the most popular form of payment by 2019.

Digital payment adoption on the rise; increased concerns about data security

Here in the U.S. we’re seeing a similar trend. In conjunction with Wakefield Research, we surveyed more than 1,000 American consumers about their use of digital payment methods, as well as their beliefs about the perceived safety of those transactions. We found that more than half of respondents (60%) currently use a digital payment service – and, unsurprisingly, nearly three quarters (74%) of millennials have already adopted the technology. The most popular digital payment method was PayPal, currently used by 51% of respondents. Other popular digital payment options hovered around a 10% usage rate:

  • PayPal (51%)
  • Apple Pay (11%)
  • Google Wallet (7%)
  • Android Pay (6%)
  • Chase Pay (6%)
  • Samsung Pay (5%)
  • Venmo (3%)

But while digital payments have certainly become a faster, easier and more convenient payment method for consumers – which has absolutely contributed to the rise in their adoption – we found that people were very concerned about the security of these new payment methods.

  • Almost 9 out of 10 (88%) of those we surveyed said that they would discontinue using a digital payment provider if they personally fell victim to cybercriminal activities as a result of a data breach at the provider.
  • Another 40% added that they don’t feel safe using digital payments while traveling.

Here’s the detailed breakdown of what people said would cause them to discontinue use:

  • Money was stolen from a linked bank account – 70%
  • Unauthorized charges appeared on a linked credit card account – 68%
  • A username and password was stolen – 59%
  • They experienced increased spam emails – 30%

With this as a backdrop, keep in mind that there have already been a number of incidents in the digital payments industry, since remedied. These include reports of apparent flaws in Venmo’s security and support systems, among others.

American consumers seem to enjoy the ease of use that digital payments offer; however, the mobile payment industry must take note: its future success – and the continued adoption of its products – hinges on the trust of its customer base. We all know how easily trust can be diminished after just one misstep, and that’s clearly what our survey showed. As a result, it’s imperative that mobile payment operators provide the strong protection of their infrastructure, transactions and data that customers expect.

How to build digital trust for mobile and digital payments

The use of encryption is a key technology behind the innovation of digital payments. Although encryption has been used for many years, it is now being deployed more broadly to ensure that payment data is protected right from the moment of capture. This opens up a new level of flexibility for payment providers, because data can now be routed through untrusted devices such as mobile phones and across untrusted networks. The combination of new payment technologies and the ubiquity of mobile devices is changing both the payment landscape and the security mechanisms that protect the transaction from end to end.

For example, with mobile point-of-sale devices (mPOS), merchants large and small can now accept payments without bringing their own systems into scope for PCI DSS. Since all cardholder data is encrypted within the mPOS card reader, merchant systems are only ever exposed to encrypted payment data, which can therefore travel through unsecured devices and unsecured networks. Since the merchant has no access to any key that could decrypt the payment data, the mPOS application running on the merchant’s smartphone or tablet is not subject to compliance scrutiny, and can therefore provide a rich user experience and be tailored to individual merchant needs without restriction.

When using encryption, one of the most effective ways to protect the keys is to use a Hardware Security Module (HSM). HSMs significantly reduce the risk of key compromise. Applications using point-to-point encryption (P2PE) rely on strong key management all the way from the merchant to the payment provider, so they require a proven method of securing critical keys and cryptographic processes against both physical and logical tampering. HSMs are used extensively throughout the payments chain to ensure the integrity of these systems.
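The P2PE flow described in the last two paragraphs, as an added Go example that is not code from the original post or from Thales: the card reader encrypts the PAN at capture under a key held only by the provider's HSM, the merchant app relays an envelope it cannot open, and the provider's HSM-backed service decrypts it and rejects any tampering. The key, the AES-GCM construction and the amount binding are assumptions for illustration; production P2PE readers commonly derive per-transaction keys (e.g. DUKPT) rather than sharing one static key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Constructed demo key. In a real P2PE deployment the matching key never leaves
// the payment provider's HSM, and the merchant's phone or tablet never holds it.
var providerKey = sha256.Sum256([]byte("demo-p2pe-key-not-for-production"))

// Envelope is what the reader emits and the merchant app relays unchanged: the
// app can route it over any device or network but cannot recover the PAN.
type Envelope struct {
	Nonce  []byte
	Sealed []byte // AES-GCM ciphertext of the PAN plus its authentication tag
}

func providerAEAD() cipher.AEAD {
	block, _ := aes.NewCipher(providerKey[:]) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// ReaderEncrypt runs inside the card reader's tamper-resistant boundary. The PAN
// is encrypted at capture and the amount is bound in as associated data.
func ReaderEncrypt(pan string, amountCents int64) (Envelope, error) {
	gcm := providerAEAD()
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	aad := []byte(fmt.Sprintf("amount=%d", amountCents))
	return Envelope{Nonce: nonce, Sealed: gcm.Seal(nil, nonce, []byte(pan), aad)}, nil
}

// ProviderDecrypt models the provider's HSM-backed decryption service: it
// succeeds only with the provider key and only if the amount was not altered.
func ProviderDecrypt(e Envelope, amountCents int64) (string, error) {
	aad := []byte(fmt.Sprintf("amount=%d", amountCents))
	pan, err := providerAEAD().Open(nil, e.Nonce, e.Sealed, aad)
	if err != nil {
		return "", fmt.Errorf("decrypt failed (tampered or wrong key): %w", err)
	}
	return string(pan), nil
}
```

Anything on the merchant's path that changes the amount or the ciphertext causes the provider-side authentication check to fail, which is what lets the encrypted data cross unsecured devices and networks safely.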

Another key concern is the steps payment providers are taking to protect their backend systems against threats. Given today’s reality that a sufficiently determined attacker can compromise nearly any organization’s infrastructure, additional protections around backend data are also required. Encryption with access controls and data access monitoring is the minimum control set. Payment and user data need protection both from system/OS-level threats and from within applications. This combination reduces the attack surface by limiting access to only those who require it for their work, and by monitoring actions directly related to sensitive payment data. Not only do fewer attacks succeed; you will also know when they start and be able to take action – even if your network intrusion detection and prevention tools have been bypassed.
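The minimum control set above (least-privilege access control plus monitoring of every touch of sensitive data), as an added Go example that is not from the original post or from Thales. The service names, the policy and the alert thresholds are constructed for illustration, and the records are assumed to be held encrypted elsewhere; only the access decisions and the monitoring are modelled.

```go
package main

import "fmt"

// Constructed least-privilege policy: the operations each backend service may perform.
var policy = map[string]map[string]bool{
	"settlement-svc": {"read": true},
	"support-svc":    {"read-masked": true},
}

// AccessEvent is the audit record written for every attempt, allowed or not.
type AccessEvent struct {
	Principal, Op, RecordID string
	Allowed                 bool
}

// Vault is the single chokepoint through which protected records are touched,
// so every access, from the OS or from within an application, is checked and logged.
type Vault struct{ Log []AccessEvent }

// Access enforces the policy and appends an audit event either way.
func (v *Vault) Access(principal, op, recordID string) error {
	allowed := policy[principal][op]
	v.Log = append(v.Log, AccessEvent{principal, op, recordID, allowed})
	if !allowed {
		return fmt.Errorf("denied: %s may not %s %s", principal, op, recordID)
	}
	return nil
}

// Suspicious walks the audit log and reports, in order of first detection, any
// principal refused more than maxDenied times or granted more than maxReads
// plaintext reads: a signal that fires even when network-level IDS/IPS saw nothing.
func (v *Vault) Suspicious(maxDenied, maxReads int) []string {
	denied, reads, flagged := map[string]int{}, map[string]int{}, map[string]bool{}
	var out []string
	for _, e := range v.Log {
		if !e.Allowed {
			denied[e.Principal]++
		} else if e.Op == "read" {
			reads[e.Principal]++
		}
		if (denied[e.Principal] > maxDenied || reads[e.Principal] > maxReads) && !flagged[e.Principal] {
			flagged[e.Principal] = true
			out = append(out, e.Principal)
		}
	}
	return out
}
```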

Want more insight into the latest payment trends or have more questions about building digital trust? View our recent webinar on the topic, or drop me a line at peter.galvin@thalesesec.com.