Taken at face value, mobile payments are considered more secure than credit cards, even more secure than EMV chip cards. The payment credentials stored on the phone or watch are tokenized, whereas a chip card carries the actual card number on the chip. The phone also requires an additional authentication step (a fingerprint or a passcode) that the card does not. This is currently the case with Apple/Samsung/Android Pay. But there are other forms of payment, both in the market and at start-ups, whose focus is not on security. These start-ups are working on merchant-specific payment and loyalty apps, on-demand service apps, and pay-at-the-table apps, and the vulnerabilities of these new forms of payment are driving increased security concerns.
In a survey of 3,700 IT security practitioners conducted by the Ponemon Institute on behalf of Gemalto, 54% of the companies represented have had their payments data breached four times in the last two years. This number is expected to rise as new payment forms are introduced and new payment disruptors enter the industry. The two most common problems cited are not being PCI DSS compliant, and lack of encryption.
If demonstrations at trade shows are any prediction of the near future of payments, then many new forms of payment are on the way. The Amazon commercial shown at the end of the Super Bowl, in which Alec Baldwin asks his Amazon Echo to order replacement socks; a Tesla performing self-diagnosis, ordering parts and scheduling service; and the Samsung smart refrigerator that has a camera inside to monitor food and order groceries for delivery are all harbingers of the future of “things” that will be making payments on our behalf.
But all of these connected devices are like adding more windows to the building – you’re creating more points of vulnerability, as demonstrated by the fact that the fridge has already been hacked and Gmail credentials were compromised. Likewise, security researchers were able to show how the connected Tesla could be hacked (Tesla had a security patch remotely downloaded before any real hackers could take advantage).
So does all this imply that credit unions should avoid fraud by shunning the future of payments? Of course not! There are several recommendations to help keep your members’ data safe.
10 steps credit unions should take to keep member data safe
Credit unions need to assure members that the digital wallets and online wallets being enabled for debit and credit cards, namely Apple/Samsung/Android Pay as well as Visa Checkout and MasterPass, have the proper safeguards in place, and are backed by your zero liability on Visa and MasterCard signature rails.
Lou is the Director of Payments Strategy at CSCU and is responsible for providing leadership to the organization for emerging payments and industry trends, as well as managing the product portfolio.
Prior to joining CSCU, Lou was Director of Mobile Products within the North American Retail Payments division at FIS. There he was responsible for enabling seamless access from smartphones and tablets to FIS products and services.
Lou holds an MBA from Duke, and a Master’s degree in Computer Engineering from the University of South Florida.