The security focus for payment platforms has moved
to the front-end, with the emphasis placed on the various ways in
which end-users can authenticate themselves. This is not inherently
complicated, but becomes more so once the expansion of payments
channels, notably to mobile, comes into play, writes Alison
Ebbage

 

Payments platforms are an essential link in
the overall payments chain, providing the hub through which
payments instructions are processed and sent onto back office
systems. Due to regulation and their long-standing existence in the
payments jigsaw, the platforms themselves are generally considered
to be pretty secure. They have robust firewalls and intrusion
detection devices to safeguard the data they hold and process.

As a consequence, the security focus has now
moved firmly to the front-end with the emphasis being placed on the
various ways in which end users can authenticate themselves. This
is not inherently complicated, but becomes more so once the
expansion of payments channels, notably to mobile, comes into
play.

Instead, peer-to-peer payment providers,
mobile operators, retail institutions and global digital and social
media companies are all fighting to get a slice of consumers’
payments. The end result is a lack of uniformity in authentication
methods, which may result in a trade-off between usability and
security for users.

Ian Rutland, managing director at Commidea,
says:


“From a generic perspective, there is starting
to be a focus on the responsibility of the individual or end-user
to authenticate themselves and to protect their own devices from
malware. There is little point in a platform having a robust and
sophisticated firewall or intrusion detection system if the
end-user’s security is so lax that it allows an intruder to place a
keystroke logger on the PC and get their card details.”

 

Security = layer of simplification

In this context then, the security role of the
platform is to provide a layer of simplification and checking,
where the functionality to deal with the security can be pushed out
to the end-user or device.

This has been dealt with fairly effectively in
more established channels such as point of sale, where transactions
are sent in encrypted form with the encryption keys held on a
secure piece of hardware – referred to as PKI (public key
infrastructure) sources.

Banks too have looked to improve and ensure
they have much better capabilities when it comes to detecting
fraudulent activity. HSBC, for example, has installed a holistic
and analysable view of customer activity, a single customer view,
rather than keeping various channels like online or credit
separate. The idea is that having an overview gives a better idea
of where the potential for fraud is.

Duncan Ash, head of sales at SAS, explains:

“By having a good overview of activity and
running various scenarios in their systems, banks get a richer data
pattern to analyse and can make decisions on whether activity is
fraudulent, based on contextual information and normal behaviour
patterns. HSBC has deployed this technology in close to 30
countries and has worked hard to increase the quality of its
modelling.”

This sort of analytics – to provide better
context around payments and transactions – is now commonplace. It
can pick up things like the same card being tried from two
different IP addresses; something that is obviously suspicious. And
if a customer tries to make a payment or withdrawal that does not
fit in with his or her usual activity and is in a different
location from normal, then the combination of the two signals flags
up that something may not be right.
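The two signals the paragraph above describes, the same card presented from two different IP addresses in quick succession and a transaction that is both out of the customer's usual location and out of their usual spending pattern, can be expressed as simple contextual rules over a per-card baseline. The following Python is an added illustration written for this article; it is not code from HSBC, SAS or any platform. The transaction history, the events, the ten-minute window and the three-sigma amount threshold are all constructed assumptions for the example.

```python
"""Contextual fraud signals over a constructed transaction stream.

Added illustration, not code from the article or any vendor. Two rules
of the kind the article describes are combined:
  1. the same card seen from two different IP addresses inside a short
     window ("ip_split"), and
  2. a transaction whose location and amount both fall outside the
     cardholder's usual pattern.
A single weak signal is only noted; the combination raises an alert.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Txn:
    id: str
    ts: datetime
    card: str      # opaque card reference, never a full card number
    ip: str
    country: str
    amount: float


# Constructed history: one cardholder who normally spends small sums in GB.
HISTORY = [
    Txn("h1", datetime(2012, 5, 1, 9, 0), "card-A", "198.51.100.7", "GB", 25.0),
    Txn("h2", datetime(2012, 5, 2, 9, 5), "card-A", "198.51.100.7", "GB", 31.0),
    Txn("h3", datetime(2012, 5, 3, 9, 10), "card-A", "198.51.100.9", "GB", 28.0),
    Txn("h4", datetime(2012, 5, 4, 9, 15), "card-A", "198.51.100.7", "GB", 22.0),
    Txn("h5", datetime(2012, 5, 5, 9, 20), "card-A", "198.51.100.7", "GB", 30.0),
]

# Constructed events to score against that history.
EVENTS = [
    Txn("e1", datetime(2012, 5, 6, 12, 0), "card-A", "198.51.100.7", "GB", 27.0),
    Txn("e2", datetime(2012, 5, 6, 12, 3), "card-A", "203.0.113.44", "GB", 29.0),
    Txn("e3", datetime(2012, 5, 6, 14, 0), "card-A", "203.0.113.44", "US", 950.0),
    Txn("e4", datetime(2012, 5, 6, 15, 0), "card-A", "198.51.100.7", "GB", 400.0),
]

IP_WINDOW = timedelta(minutes=10)   # assumption: "quick succession"
AMOUNT_SIGMAS = 3.0                 # assumption: amount outlier threshold


def profile(history):
    """Per-card baseline: countries seen before and an amount mean/stddev."""
    by_card = defaultdict(list)
    for t in history:
        by_card[t.card].append(t)
    prof = {}
    for card, txns in by_card.items():
        amounts = [t.amount for t in txns]
        prof[card] = {
            "countries": {t.country for t in txns},
            "mean": mean(amounts),
            "sd": pstdev(amounts) or 1.0,   # avoid a zero-width threshold
        }
    return prof


def evaluate(history, events):
    """Score each event; returns a list of {id, signals, alert} dicts."""
    prof = profile(history)
    last_seen = {}
    for t in sorted(history, key=lambda t: t.ts):
        last_seen[t.card] = t
    results = []
    for e in sorted(events, key=lambda t: t.ts):
        signals = []
        prev = last_seen.get(e.card)
        if prev and prev.ip != e.ip and e.ts - prev.ts <= IP_WINDOW:
            signals.append("ip_split")
        base = prof.get(e.card)
        if base:
            if e.country not in base["countries"]:
                signals.append("unusual_location")
            if e.amount > base["mean"] + AMOUNT_SIGMAS * base["sd"]:
                signals.append("unusual_amount")
        last_seen[e.card] = e
        results.append({
            "id": e.id,
            "signals": signals,
            # an IP split is strong on its own; context signals need to combine
            "alert": "ip_split" in signals or len(signals) >= 2,
        })
    return results


if __name__ == "__main__":
    for r in evaluate(HISTORY, EVENTS):
        print(r)
```

Running it shows e2 alerted on the IP split alone, e3 alerted because location and amount are both unusual, and e4 merely noted: a large purchase from the usual place and address is a single signal, which is the point the paragraph makes about needing the combination.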

 

New channels make compliance difficult

When dealing with payments from established
channels, such as Visa and MasterCard, security arrangements are
well described in rule books and platforms are compliant. Indeed
platforms must comply or choose to not be members of the
scheme.

But with newer channels such as mobile
payments or online shopping, things are less straightforward –
there is no standard rule book and things are still evolving. The
biggest trend with all channels is a move towards unique
identifiers at the front end. Online banking for example now
commonly uses card readers or other unique identifiers that are
generated by the end user.

Professor Steve Furnell, senior member of the
IEEE and head of the school of computing and mathematics at
Plymouth University, UK says:

“The traditional solution has been based on a
combination of user name and password and this is now being added
to, so that PINs sent by email or SMS are now also becoming
standard. Other things being used are card readers or devices that
generate PINs or unique codes.”

Online merchants also commonly use schemes
such as Verified by Visa to provide end-user authentication. This
essentially redirects the consumer away from the retailer’s
website to a security site where they are prompted to enter an
additional password. The platforms too use unique identifiers, and
here there have traditionally been two options: firstly for
merchants to use a hosted payments page that redirects the user
away from the merchant site, and secondly for merchants to host
their own payments page.

This latter option has been favoured by larger
retailers who want to capture the maximum data possible about their
customers.

 

Jumping through the PCI DSS hoops

But since the PCI DSS rules came in,
merchants hosting their own payments pages have had to jump through
many more regulatory hoops, because sensitive payments data passes
through the retailer’s own system before being sent out to the
platform to be processed.

Rutland says: “The most popular way for
merchants to tread the line between keeping customers on their site
and easing regulatory burden is the merchant redirecting the
customer one time only to enter card details via a payments
platform.

“That information is then retained directly by
the platform, and the retailer is sent a unique identifier which
they can use to recognise a returning customer. Transactions with
the unique identifier are passed onto the platform and linked to
the actual payment details. Essentially this is around displacing
the sensitive information and thus the compliance responsibility to
the platform.”
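The arrangement Rutland describes is tokenisation: the customer is redirected once so the card details land only with the platform, and the merchant keeps an opaque identifier that it uses for later transactions. The Python below is an added sketch of that flow written for this article, not Commidea's or any platform's code. The in-memory vault, the token format, the Luhn check at capture time and the test card number are all constructed assumptions.

```python
"""Tokenised card storage: the platform holds the card details, the
merchant holds only an opaque token and the last four digits.

Added illustration, not any vendor's code. The vault is an in-memory
dict, the token format is an assumption, and the card number used in
the usage block is a constructed test value.
"""
import secrets


def luhn_ok(pan: str) -> bool:
    """Mod-10 format check applied at the one-time capture (assumption)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class PlatformVault:
    """Payment platform side: the only place the full card number is held."""

    def __init__(self):
        self._by_token = {}

    def capture(self, pan, expiry):
        """Store the card and return (token, last4) to the merchant."""
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Random token, deliberately not derived from the card number,
        # so holding the token reveals nothing about the card.
        token = "tok_" + secrets.token_urlsafe(18)
        self._by_token[token] = {"pan": pan, "expiry": expiry}
        return token, pan[-4:]

    def charge(self, token, amount_pence):
        """Resolve a token to the stored card and authorise a payment."""
        rec = self._by_token.get(token)
        if rec is None:
            raise KeyError("unknown token")
        # A real platform forwards rec["pan"] to the card scheme here;
        # the example only returns a masked acknowledgement.
        return {"status": "authorised", "amount": amount_pence,
                "last4": rec["pan"][-4:]}


class Merchant:
    """Retailer side: stores tokens and last-four only, never the PAN."""

    def __init__(self, platform):
        self.platform = platform
        self.customers = {}

    def first_checkout(self, customer_id, pan, expiry, amount_pence):
        # The one-time redirect: card details go straight to the platform
        # and only the token comes back to be stored against the customer.
        token, last4 = self.platform.capture(pan, expiry)
        self.customers[customer_id] = {"token": token, "last4": last4}
        return self.platform.charge(token, amount_pence)

    def repeat_checkout(self, customer_id, amount_pence):
        # Returning customer: recognised by token, no card details needed.
        rec = self.customers[customer_id]
        return self.platform.charge(rec["token"], amount_pence)

    def holds_pan(self, pan):
        """Audit helper: does the card number appear anywhere in our store?"""
        return pan in repr(self.customers)


if __name__ == "__main__":
    vault = PlatformVault()
    shop = Merchant(vault)
    test_pan = "4111111111111111"   # constructed, widely used test number
    print(shop.first_checkout("cust-1", test_pan, "12/14", 1999))
    print(shop.repeat_checkout("cust-1", 500))
    print("merchant holds card number:", shop.holds_pan(test_pan))
```

The `holds_pan` check is the point of the exercise: after both checkouts the merchant's own storage contains a token and four digits but no card number, which is what moves the sensitive data, and with it the PCI DSS scope, onto the platform.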

But what works for one channel, authentication-wise,
does not always suit another. This is even more relevant
now that payments channels and methods are evolving fast and
contactless payments look set to become commonplace. Carrying
around a card reader, for example, is not practical, and having to
enter a PIN at a point of sale terminal when trying to make
a contactless mobile payment somewhat defeats the object of being
‘contactless’.

Filipe Dos Santos, regional sales director for
Europe, at Compass Plus explains: “Newer channels invite different
methods of authentication – for example you can have random number
generators via card reader for online banking, or numbers sent to
mobiles to be then entered on a website. Newer channels are a lot
less rigid and people tend to have different ways of doing things,
the security needs to cover all of that. It will be an evolution as
mobile and internet converge.”

 

Mobile as channel

Indeed, the increasing use of mobile as a
channel looks set to test the current trend for authentication. How
to adapt end-user authentication to mobile payments while retaining
usability is a tricky issue. It is further confused by the
fact that a mobile phone being used to make a payment or transact
online is something entirely different from the mobile being used
as the actual payment device, ie replacing a cash or credit
card.

In the first example the mobile is merely the
channel, in much the same way as the internet, and the
behind-the-scenes security framework is much the same. Although the
end interface may be designed specifically for mobile, the back end
is much the same; the most innovative smart phone apps provided by
the likes of Argos and Amazon are basically just a different
configuration at the front end to allow for easier access.

Mobile banking though, is slightly trickier
given that access into an individual’s bank account is sought,
making the potential loss greater, rather than just making a single
payment. Furnell warns: “M-banking carries the risk of the device
itself being less secure and that current authentications are
designed for the internet. No thought is being given to the
peculiarities of mobiles.”

 

Mobile as a payment device

Mobiles as payment devices are different
entirely, because in this context the mobile is acting like cash or
a card and thus needs protecting. The hitch is that in a contactless
world, entering a PIN at the point of sale would not fulfil the
‘contactless’ part. In addition the mobile needs to be usable with
one hand (the other one is holding the phone), so having an
additional reader that would generate a PIN to then enter on the
phone itself would be pretty impractical.

Peterson says: “Critical to mobile users will
be their usability. Smart phones are quickly becoming the device of
choice but you need to be able to use them with one hand and
quickly, you don’t want to be carrying around a second device to
get a code from. In addition many phones require you to come
out of an app to retrieve an SMS code and then go back into the
app; this would not be very practical or speedy.”

But one of the biggest challenges is to get
the app to initiate the contactless payment capability onto the
phone in the first place. Once it is on the phone it sits on the
SIM card; it is the equivalent of the chip on a card and so
should be secure.

Rutland explains that if the chip containing
the sensitive information is actually on the phone, it can be
protected in one of several ways. It can be held within a secure
area in the phone’s memory, which suits the handset manufacturer’s
interests. Alternatively the chip can be embedded within the SIM
card, or there can be a memory card with a secure secondary area,
which would play well to the network providers or third party
providers respectively.

Furnell thinks that the way forward, given the
near certain ubiquity of mobiles in the future, might be to use the
mobile device as a receptor of PINs, codes and so on, with an app
that would generate the authentication for the user. “This does rely
on the phone itself being PIN protected and kept safe,” he points
out. “Tying the payment to the person making the payment is a level
of protection, having a payment protection attracted to the actual
channel is an additional one.”

Peterson meanwhile cites voice recognition as
something that could be applied to all channels. “The technology to
verify your voice could sit over the top of pretty much any channel
at platform level,” he says.

 

P2P a long way off

Peer-to-peer payments via mobile have yet to
become widely used, giving the industry valuable time to iron out
such issues. Once they do start to make their mark it is inevitable
that there will be demand to extend their scope from small
transactions to larger ones, and that will come with additional
security requirements. The more stringent the security and the more
authentication methods and devices, the less user-friendly a
device generally becomes.

But ultimately might the lack of a single
security solution even hinder the development and acceptance of new
channels?

Rutland says: “The lack of uniformity ensures
that cards continue to be the prime payment method. It is also
important to recognise that although those in the industry might be
comfortable with the possibilities of mobile, the general public
are not. There is still a large portion of the population that
might research online but go into a store to make a payment.”

To that extent it seems that time is at least
on the side of the industry, and that although great possibilities
exist, developing best practice and trying to bridge the gaps
between usability and security would be a good use of that
time.