MOBILE devices have changed business and everyday life in terms of communication, and now are also changing the way financial transactions are made. Consumers are becoming increasingly familiar with using smartphones for various purposes such as secure financial transactions via a web banking site. Mobile banking involves using mobile devices to gain access to traditional banking and financial services, principally banking and investing. Now another opportunity is emerging for service providers and merchants – the use of a mobile phone as a mobile wallet.
Mobile payments centre on transactions between consumers and merchants that involve direct purchase of goods and services that can be both account-based and point-of-sale (POS). As global IT association Information Systems Audit and Control Association (ISACA) notes in its new mobile payments guide, two categories of payments exist based on the entity that holds the account of the customer: bank-centric and non-bank-centric.
In the bank-centric model, the customer’s account is held by a bank. Issues involving such matters as liability, anti-money laundering, transaction monitoring for fraud detection and compliance fall under the appropriate local, national and international banking laws and regulations. The payment networks used are the traditional ones such as Visa and MasterCard, and the major differences are at the endpoints of the transaction, where the credit card or the traditional paper money is replaced by a mobile phone usually equipped with a near field communication (NFC) chip.
In the non-bank-centric model, the account of the customer is held at a non-financial organisation such as a mobile network operator (MNO) or a third-party payment service such as PayPal.
The advent of mobile payments brings a variety of benefits from both a business and consumer perspective:
• There is no need for money to be exchanged between the merchant and the client, reducing the risk of carrying and transferring cash, particularly in high-risk or volatile environments.
• Improved authentication via a PIN-based service provides an enhanced layer of security.
• Typically, there is quicker realisation of theft/loss of a mobile phone than of a credit card since phones are multifunctional and, therefore, more frequently used.
• Use of smartphones and their advanced software and hardware features counters skimming methods that account for a significant portion of card fraud.
• Remote wipe functionality that is widely available on smartphones and tablet devices – either by default or as an application – provides protection of users’ personal and financial information should the mobile device be lost or stolen.
• It provides speed and convenience for customers as they do not need to carry cash or credit cards.
But it is not without its challenges. For instance, the mobile payment transaction can be more exposed to risks because several parties are involved in performing the payment service jointly. This may worsen if important services are outsourced to potentially unregulated third parties without clear lines of accountability and oversight, or which are located abroad.
With careful planning that includes all the stakeholders, processes and technologies involved, the opportunity exists to make security an intrinsic element of all mobile payment systems. The lack of clear regulation should not be used by an organisation as an excuse for not being proactive. Each organisation involved in the chain of the transaction data should put in place strong positive controls to protect payment data while in its custody.
One central concern is ensuring that the transaction being undertaken is actually being carried out by the person authorised or registered to carry it out, for example through the use of two-factor authentication.
Another important factor to consider is the data classification during the transmission and the storage of the data at the various nodes. If the mobile payment data will be used for marketing services, the organisation could be found liable for unfair business practices if it utilises the customer data for purposes not included in the customer notice.
Equally important to consider are the POS systems in the case of proximity payments. Organisations should ensure that the third-party POS providers and merchants they interact with have robust security governance programmes in place. Additionally, specific attention should be given to the trusted service manager, which acts as the entity that “personalises” the compatible chip on the vendor-supplied mobile device. In such a collaborative cross-platform environment, an organisation’s risk control programme should have a strong focus on the management of the third-party services.
Nikolaos Zacharopoulos is IT auditor for Geniki Bank, Greece, and chair of ISACA’s project development team for the Mobile Payments: Risk, Security and Assurance Issues white paper.