
Date post: 19-Jul-2020
Page 1: Mobile Payments Security 101nmgprod.s3.amazonaws.com/media/filer_public/8f/72/8f7224... · 2016-02-10 · The popularity of banking and m-commerce on smartphones and tablets, merchant

Mobile Payments Security 101

How merchants and mobile payment service providers can protect their users against mobile payments fraud.

GUIDE

DEVELOPED AND PUBLISHED BY:


Mobile Payments Security 101 | © 2015 Networld Media Group

CONTENTS

Executive Summary

Chapter 1 | Introduction
• Mobile payment methods
• Mobile wallets

Chapter 2 | Mobile Payments Transaction Volume
• Apple Pay
• Rival services

Chapter 3 | Threats
• Mobile malware
• Jailbreaking and rooting
• Native apps
• Mobile payments fraud
• The Association for Financial Professionals
• Apple Pay fraud

Chapter 4 | PCI Compliance
• mPOS devices

Chapter 5 | Security Technologies
• Point-to-point encryption (P2PE)
• Wi-Fi
• Tokenization
• EMV
• EMV and NFC
• Authentication technologies

Chapter 6 | Overview of Solutions Providers
• Alaric
• Bell ID
• Carta Worldwide
• Cybera
• DeviceAuthority
• FIS
• InAuth
• Ingenico Mobile Solutions
• Jumio
• Kaspersky Lab
• MagTek
• Omlis
• OneVisage
• Payfone
• Authentify acquisition
• ThreatMetrix
• ValidSoft
• Veridu
• Verifone
• WiseSec

References

Published by Networld Media Group
© 2015 Networld Media Group
Written by Robin Arnfield, contributing writer, MobilePaymentsToday.com.
Tom Harper, president and CEO
Kathy Doyle, executive vice president and publisher
Will Hernandez, editor
Christopher Hall, managing editor, payments and technology group
Tiffany Smith, custom content editor

EXECUTIVE SUMMARY

The popularity of banking and m-commerce on smartphones and tablets, merchant adoption of mPOS devices, the growth of in-app payments, and the emergence of mobile wallets and NFC-based point-of-sale payment services mean that ensuring the security of mobile transactions and the privacy of customers’ data is critical.

This report provides guidance on how merchants and mobile payment service providers can protect their users against mobile payments fraud. It reviews best practices for mobile payments security, such as:

• not jailbreaking or rooting smartphones;

• deploying technology to verify the identity of mobile devices used for m-payment transactions;

• replacing consumers’ card information with one-time tokens;

• ensuring cardholder data is encrypted from the point of interaction with an mPOS device’s card reader all the way to the acquirer; and

• installing controls on mPOS devices so only approved and secure apps can be downloaded by employees.

Robin Arnfield
MobilePaymentsToday.com

Robin Arnfield has been a technology journalist since 1983. His work has been published in ATM Marketplace, Mobile Payments Today, ATM & Debit News, ISO & Agent, CardLine, Bank Technology News, Cards International and Electronic Payments International. He has covered the United Kingdom, European, North American and Latin American payments markets.

CHAPTER 1 | Introduction

The popularity of banking and m-commerce on smartphones and tablets, merchant adoption of mPOS devices such as Square, the growth of in-app payments, and the emergence of mobile wallets and NFC-based point-of-sale payment services such as Apple Pay mean ensuring the security of mobile transactions and the privacy of customers’ data is critical.

“Mobile and other connected devices are fast becoming the leading way for users to access commerce and banking services,” said Vanita Pandey, senior director of strategy and product marketing at San Jose, California-based ThreatMetrix. “Mobile is the biggest emerging opportunity and risk for businesses and financial institutions trying to deliver frictionless experiences to their customers. Continued growth of mobile payments and banking will lead to stricter rules and regulations to secure these transactions.”

Mobile payment methods

There are five main ways to carry out mobile payment transactions at the point of sale.

MPOS

MPOS transactions involve customers swiping or inserting their card into a card reader attached to a smartphone or tablet that connects to a payment network through a wireless link.

NFC

In an NFC transaction, an NFC-enabled smartphone communicates via an RFID link with a contactless transmitter attached to a POS device. The cardholder pays using a card held in digital form in a mobile wallet, which is stored either in a secure element on their smartphone’s SIM card or in the cloud using a technology called Host Card Emulation (HCE).

At checkout, the consumer tells the clerk that he or she wishes to pay using a smartphone. The consumer opens the mobile wallet, selects the desired card and then taps the smartphone on the merchant’s contactless POS terminal. The consumer’s payment credentials are retrieved automatically from the smartphone’s secure element — or from the cloud using HCE — and transmitted via NFC to the payment terminal.

The advantage of HCE over secure element-based NFC is that, since HCE is supported by Google’s Android KitKat 4.4 operating system, it can run on any Android-based smartphone, not just on NFC-enabled smartphones.

“Visa believes that (HCE) cloud-based mobile payments represent a significant opportunity to accelerate mobile payments globally,” said Rodrigo Meirelles, Visa’s senior director of digital payments solutions for Latin America and the Caribbean.

Bluetooth

Bluetooth low energy (BLE) is a protocol that enables Bluetooth-based smartphones and other mobile devices to communicate with BLE-based wireless transmitters known as Beacons. On entering a store, the consumer’s m-payment app senses a BLE Beacon and “checks in” to alert the retailer’s POS of the consumer’s presence. At checkout, the consumer tells the clerk to post the sale to his or her m-payment account, which is visible on the clerk’s POS terminal. The clerk verifies the consumer’s identity and completes the transaction.

According to the Mobile Payments Today white paper “The iBeacon/BLE vs NFC Debate: Now the Truth,” which is sponsored by Pyrim Technologies, BLE transmitters are designed to continually broadcast a discovery signal. “Any app residing within a BLE-enabled (Bluetooth 4.0) smartphone can be configured to listen for these signals,” the white paper says.

QR codes

As an alternative to NFC, some m-payment service providers such as Starbucks and LevelUp offer QR code-based systems that store payment information in the cloud instead of the handset and can be executed on any smartphone.

The LevelUp mobile app for iPhone and Android allows registered users to link their payment card to a unique QR code displayed within the app. To pay with LevelUp, users scan the QR code on their phone at LevelUp terminals located at LevelUp-accepting merchants. In addition, LevelUp also supports NFC and Apple’s BLE-based iBeacons.

Cloud-based apps

Several mobile payment providers such as PayPal offer apps that communicate in the cloud with retailers at the point of sale without users scanning QR codes or tapping their smartphones on a POS terminal.

PayPal’s app shows users a list of retailers who accept PayPal in a particular area. Customers use the app to check in with the merchant when in the store, tell the clerk they are using PayPal and then pay for purchases through their PayPal accounts.

Mobile wallets

Mobile wallets serve an array of functions. According to Mobile Payments Today’s Mobile Wallet Comparison Guide 2015, they provide a place where consumers store and organize coupons, loyalty programs, payment cards, tickets and any other kind of paper items that can be digitized.

Other mobile wallets offer bill payment, comparison shopping, location-aware services, P2P payments functionality and social-media connectivity.

Both Visa and MasterCard offer digital wallets for their issuing banks’ cardholders.

In July 2014, Visa introduced Visa Checkout, an online payment service that replaced its previous digital wallet V.me in Canada, Australia and the U.S. By the end of 2015, Visa Checkout will be available in 13 additional countries, including Brazil, China, Malaysia, Mexico, South Africa and the United Arab Emirates.

Visa Checkout enables consumers to enter their payment details once when they enroll and pay online with just a username and password. Consumers can enroll through their issuing bank, through participating retailer websites or at the Visa Checkout website, and they can link non-Visa payment cards to their Visa Checkout accounts. More than 110 merchants — including Gap, Neiman Marcus, Orbitz, Pizza Hut and Staples — have deployed Visa Checkout.

MasterCard launched its MasterPass digital wallet in February 2013. For online purchases, MasterPass provides shoppers with a simple checkout process by eliminating the need to enter detailed shipping and card information for every purchase. At the point of sale, MasterPass offers cloud-based, NFC and QR code-based payments.

In August 2014, MasterCard added support for in-app payments to MasterPass. Retailers can use an API to embed MasterPass as a checkout option within a mobile app, mobile website or desktop app, according to MasterCard.


Vodafone digital wallet

U.K.-based telco Vodafone said in March 2015 that its customers soon will be able to add bank cards to their Vodafone Wallets and use smartphones to pay for goods and services at contactless terminals (http://www.mobilepaymentstoday.com/news/vodafone-partners-with-visa-carta-worldwide-for-contactless-m-payments/). Following agreements with Visa and payments processor Carta Worldwide (see Chapter 6, Carta Worldwide, page 27), bank card payments via Vodafone Wallet will be enabled in European markets from the second quarter of 2015 onward.

The service, which requires a Vodafone NFC-enabled SIM card, will be supported on a wide range of Android smartphones. To use the service, customers will:

• input their bank cards to the Vodafone Wallet app, where an alias of each card is stored securely in the Vodafone NFC-enabled SIM card;

• confirm ownership of the card using Verified by Visa authentication;

• pay by tapping their phones against a contactless POS terminal; and

• check their mobile payment transaction history using their phones.

Payments are debited automatically from the selected bank cards, which are protected with a four-digit PIN for higher-value payments.

CHAPTER 2 | Mobile Payments Transaction Volume

Forrester Research says U.S. mobile payment transactions rose from $32 billion in 2013 to $52 billion in 2014. The U.S.-based consultancy predicts that U.S. mobile payment transactions will rise to $67 billion in 2015 and $142 billion in 2019.

According to a blog by Forrester Research senior analyst Denée Carrington, U.S. adoption of smartphones rose from 19 percent of consumers in 2009 to 66 percent in 2014. U.S. consumers will increasingly use their smartphones for purchases, Carrington predicted.

The Federal Reserve Board report “Consumers and Mobile Financial Services 2015” says that, based on a December 2014 survey, 39 percent of all U.S. mobile payment users with smartphones made POS payments using their smartphones in 2014.

In-person m-payments will grow the fastest, but remote m-payments will remain the biggest. “In-person mobile payments is currently the smallest category of mobile payments, but it holds the greatest growth potential,” Carrington wrote. “The fastest growth will occur in verticals where friction is embedded in the commerce experience and with high-velocity merchants. Services represent 75 percent of U.S. consumer spending and likewise services will also drive significant growth for both in-person and remote mobile payments. Remote mobile payments was the first category to gain traction, is currently the largest category and will continue to be so through 2019.”

2015 will be the year of Apple Pay. “Apple Pay will influence every discussion of mobile payments through 2015,” Carrington wrote. “Apple Pay will motivate competitors to completely rethink their mobile payment strategies. Apple Pay will be the catalyst for new debates on balancing data privacy with customer engagement and loyalty. Apple Pay will also be the standard-bearer for the best use of tokenization to secure payments and biometrics to combat fraud. In fact, the quest for security will dominate the U.S. payments marketplace throughout 2015.”

Apple Pay

Apple launched its Apple Pay NFC-based m-payment service in October 2014 for the iPhone 6 and the Apple Watch. Users also can make Apple Pay purchases within participating apps on the iPhone 6, iPad Air 2 and iPad mini 3.

Apple has signed up a significant number of U.S. financial institutions and iPhone 6 users for Apple Pay. In a January 2015 earnings call, Apple CEO Tim Cook said Apple Pay accounts for two out of every three dollars of contactless payments on American Express, Visa and MasterCard’s U.S. card payments networks.

“Panera Bread tells us Apple Pay represents nearly 80 percent of their mobile payment transactions, and, since the launch of Apple Pay, Whole Foods Market has seen mobile payments increase by more than 400 percent,” Cook said.

Apple Pay’s security features include Apple’s Touch ID fingerprint-authentication sensor, storage of payment credentials in Apple Passbook and the secure element chip built into the iPhone 6 and the Apple Watch for NFC payments at the point of sale.

To pay with Apple Pay, iPhone 6 users hold their iPhone near the merchant’s contactless card reader with their finger on Touch ID. Apple Pay also can be used to pay with a single touch in apps.

Apple Pay assigns a unique Device Account Number to each registered payment card, which is encrypted and stored in the iPhone 6’s secure element. Using tokenization technology (see Chapter 5, Tokenization, page 22), the Device Account Numbers are used instead of their associated payment card numbers, along with a one-time security code. That means users don’t reveal their names, card numbers, expiration dates or card security codes to cashiers when making in-store payments.

Actual payment card numbers aren’t stored on Apple servers, nor are they shared with merchants or transmitted with payments, Apple says. Users can add payment cards to Apple’s Passbook from their iTunes account or by using the iPhone 6’s camera to capture card information.

If an iPhone 6 is lost or stolen, the Find My iPhone feature can be used to put the device in Lost Mode so nothing is accessible, or the iPhone can be wiped completely clean.

Rival services

In response to Apple Pay, Samsung announced Samsung Pay in March 2015. Samsung Pay, which will launch in summer 2015, will use proprietary contactless payments technology developed by LoopPay, which Samsung acquired in February 2015.

LoopPay’s technology will be embedded in Samsung’s new Galaxy S6 and Galaxy S6 Edge smartphones. The new devices still will rely on NFC chips to enable users to conduct tap-and-pay transactions at contactless-enabled POS terminals. But if contactless is unavailable, LoopPay’s Magnetic Secure Transmission technology will communicate with the magnetic-stripe reader currently present on all terminals. Samsung Pay will sense which option is available and adjust accordingly.

In February 2015, Google bought U.S. mobile wallet scheme Softcard from AT&T, Verizon and T-Mobile and partnered with the telcos to preload Google Wallet on their Android-based handsets running KitKat 4.4 or higher.

In May 2015, Google announced Android Pay, with American Express, MasterCard, Visa and retailers such as McDonald's, Panera, Whole Foods, and Uber announcing support for the new mobile payment system. Google Wallet will live on as a dedicated person-to-person mobile app for both Android and iOS devices.

Android Pay is due to arrive on handsets later this year to coincide with Google's launch of an updated mobile operating system, which at the moment is referred to as Android M, and will eventually become a standard feature on future AT&T, Verizon and T-Mobile smartphones thanks to the Softcard acquisition.

Michelle Evans, senior consumer finance analyst at Euromonitor International, told Mobile Payments Today that Android Pay will leverage NFC technology [and HCE support] and enable merchants to accept mobile payments in-store from participating consumers, as well as enable merchants to embed Android Pay directly into their mobile apps. Android Pay also will support fingerprint readers for users to authenticate payments at checkout in the same vein as Apple Pay, Evans said.

According to Mobile Payments Today, U.S. retailer-owned Merchant Customer Exchange (MCX) is expected to launch an early stage version of its CurrentC mobile wallet in the U.S. in mid-2015. MCX is backed by Walmart, Best Buy and other major U.S. retailers. MCX likely will use QR codes as its communications method, although it eventually could support NFC or Bluetooth as well.


CurrentC is intended to store and automatically apply exclusive offers, coupons and promotions from participating merchants during the payment process. It also will enable customers to organize all participating merchant loyalty cards and membership accounts in one app.

CurrentC will offer customers the choice of paying with a variety of financial accounts, including checking accounts, merchant gift cards and select merchant-branded credit and debit accounts.

CHAPTER 3 | Threats

Mobile devices face the same security risks as PCs and laptops, including malicious apps, viruses and other types of malware. They also have the risk of malicious code such as phishing links being inserted into QR codes, according to Kaspersky Lab.

In addition, retailers’ Wi-Fi networks are vulnerable to intrusion, which poses a security risk for their mPOS devices and customers’ smartphones.

Mobile malware

According to a report by Alcatel-Lucent’s Motive Security Labs division, mobile malware infections increased by 25 percent globally in 2014 compared to a 20 percent increase in 2013.

The “Motive Security Labs Malware Report — H2 2014” estimates that worldwide about 16 million mobile devices are infected by malware. “Mobile malware is increasing in sophistication with more robust command and control protocols,” the report says.

Six of the entries on the report’s top 20 mobile malware list are mobile spyware. Those are apps used to spy on the smartphone’s owner by tracking the phone’s location, monitoring incoming and outgoing calls and text messages, monitoring email and tracking the victim’s Web browsing.

The infections identified in the report were split 50/50 between Android devices and Windows/PCs (connected to mobile networks via dongles and mobile Wi-Fi devices or tethered through smartphones), with under 1 percent coming from other smartphones such as the iPhone and BlackBerry.

Because of Apple’s “walled garden” approach to apps, its iOS operating system is subject to far fewer attacks from malware than Android-based devices are. “The Apple App Store whitelists apps and eliminates insecure apps,” said Sterling Brown, chief technology officer at U.S. m-payment service provider Rezzcard.

Consumers should be wary when downloading apps to their mobile devices. “So many smartphone and tablet apps ask for personal information,” Brown said. “Consumers need to be aware when they are providing personal information that makes them vulnerable to attacks through an app. You don’t want to download anything that makes you vulnerable to keylogging when doing mobile payments or mobile banking.”

Jailbreaking and rooting

Jailbreaking and rooting of smartphones are consumer behaviors that can cause significant mobile security problems, because they open up devices to malware.

Jailbreaking refers to removing the limitations set by Apple in iOS and running on an iOS device third-party apps that have not been approved by Apple. Rooting describes the same process on Android devices. Both jailbreaking and rooting have the effect of breaking the default security provided by the device manufacturer.

“When you root or jailbreak a smartphone, you circumvent the controls,” said Jeremy Gumbley, chief technology officer for m-payments gateway provider Creditcall. “This means you don’t have to go to the official Google app store or the Apple App Store to get apps, and can install any apps you like.”

Jailbreaking can lead to a malicious app being installed on the device, which spies on the user and steals credentials and unencrypted information, says Tom Karren, CEO of mobile security firm MokiMobility.

And if a user roots a device, anything that happens on that device could be compromised, says Jared Blake, Moki’s chief technology officer. “For example, if you use fingerprint authentication on a smartphone which has been rooted, then malware could steal a copy of your fingerprint.”

Mark Schulze, co-founder of Android tablet-based mPOS vendor Clover Network, which is owned by First Data, says his company provides controls to ensure the security of its customers’ mobile devices.

“We offer our own secure version of Android, with controls to ensure merchants’ employees can’t use Clover tablets to play games, for example,” he said. “If a tablet goes missing, we shut it down remotely and erase everything stored on it. You can’t jailbreak or root our devices, and you can only download apps from our app store.”

“Mobile spyware is definitely on the increase.”
— “Motive Security Labs Malware Report — H2 2014”

“Malware can detect if a smartphone has been jailbroken and then install itself on the phone.”
— Jeremy Gumbley, chief technology officer for Creditcall

Native apps

A large percentage of mobile transactions are completed by using native mobile apps instead of by using mobile browsers. Crime associated with their use has increased correspondingly, resulting in a critical need to detect and prevent fraud related to their malicious use, says the ThreatMetrix white paper “Fraud Protection for Mobile Applications.”

The rise in app-related fraud is due largely to the fact that mobile apps seldom have the infrastructure necessary to enable adequate mobile device identification and profiling, ThreatMetrix says. “Additionally, implementing these features requires skills far beyond those of most mobile app developers,” it says. “As a result, mobile apps frequently lack a number of security features, and it’s difficult for fraud-prevention systems to determine if the device in question is being used legitimately — creating a prime opportunity for fraudsters.”

When transactions are enacted via traditional desktop browsers or standard default browsers on mobile devices, ThreatMetrix says its fraud-prevention systems are able to perform advanced profiling of the device, uniquely identify it and establish a trust score that identifies the level of fraud risk.

However, native mobile apps downloaded to a smartphone or tablet are designed for a specific website or Web application and are lightweight in comparison to traditional browsers. They generally don’t have the infrastructure required to positively identify the device and adequately determine risks or threats it may present.

“Unless the mobile app is upgraded and equipped with the necessary infrastructure and intelligence, trust cannot be properly established, and the user may experience rejection or stepped-up authentication,” ThreatMetrix says. “Unfortunately, adding the necessary technology and controls requires a great deal of work and very specific knowledge, both of which are generally outside the experience of most mobile app developers.”

To address those problems, ThreatMetrix (see Chapter 6, ThreatMetrix, page 34) offers a lightweight software development kit (SDK) that developers can integrate easily within their mobile apps. “This SDK, known as TrustDefender Mobile, provides mobile apps with the infrastructure and intelligence needed to verify the trustworthiness of the mobile device,” ThreatMetrix says. “Legitimate users of such apps are immediately recognized as such, and can conduct their transactions without having to respond to additional authentication procedures in order to verify their identity. In this manner, TrustDefender Mobile provides benefits for both business owners and their customers or end users.”

Mobile payments fraud

LexisNexis Risk Solutions and Javelin Strategy Solutions & Research’s LexisNexis 2014 True Cost of Fraud Mobile Study says that, as merchants flock to the mobile channel, so too are fraudsters.

Revenue that U.S. mobile commerce merchants lost to fraud rose 70 percent in 2014 to 1.36 percent compared to 0.80 percent in 2013, the study says. By comparison, all U.S. merchants lost 0.68 percent of revenue to fraud in 2014 in comparison to 0.51 percent in 2013.

For their study, LexisNexis and Javelin surveyed 1,142 risk and fraud decision-makers and influencers at U.S. retailers and conducted interviews with five U.S. financial institutions.

The complexity of additional payment channels such as digital wallets — coupled with additional access channels such as mobile websites and apps — produces more avenues for fraud. The study found that m-commerce merchants accept an average of 4.5 payment channels, significantly more than the 2.6 channels accepted by all merchants.

M-commerce companies have more fraud exposure than other types of retailers do. More than a fifth (21 percent) of all fraudulent transactions are attributed to the mobile channel, which is disturbing because the number of transactions occurring through m-commerce channels is still low for the average m-commerce merchant, LexisNexis says. In 2014, 14 percent of all U.S. transactions were accepted via m-commerce channels.

Bloomberg quoted Aaron Press, LexisNexis Risk Solutions’ director of e-commerce and payments, as saying that many merchants aren’t equipped to track mobile devices’ unique identifiers such as Internet Protocol (IP) addresses. Stores often don’t catch when a card issued in Los Angeles is used for a mobile order from Mexico, he told Bloomberg.

“Mobile commerce is going to be more widely adopted by merchants because customers are clamoring for the convenience,” said Dennis Becker, LexisNexis Risk Solutions’ vice president of corporate markets. “To reduce customer friction and sell more through the mobile channel, now is the time for m-commerce retailers to put in place fraud-prevention tools to counter the disproportionate amount of fraud that is currently occurring.”

Merchants are struggling to manage fraud costs for merchandise sold through the mobile channel. The LexisNexis Fraud Multiplier(SM) cost for the mobile channel rose to $3.34 in 2014 from $2.83 in 2013, a result of the mobile channel’s expansion into physical goods markets.

Based on the study’s findings, customer identity verification is the top fraud-prevention challenge for m-commerce merchants, followed by friendly fraud.

“At $3.34 per dollar of fraud losses, the LexisNexis Fraud Multiplier(SM) cost for fraudulent mobile transactions is the highest of any channel.”
— LexisNexis 2014 True Cost of Fraud Mobile Study

The inability to confidently verify the identity of a customer and his or her device leads to friendly fraud, which is defined as fraud perpetrated by family members or close associates. The study found that 24 percent of fraudulent mobile transactions are due to friendly fraud. “We expect this percentage to drop, as more m-commerce merchants adopt mobile-channel specific fraud-prevention tools,” Becker said.

Association for Financial Professionals

The Association for Financial Professionals’ 2015 AFP Payments Fraud and Control Survey found that in 2014 only 1 percent of organizations reported attempted or actual fraud using compromised mobile devices.

The survey, underwritten by J.P. Morgan and conducted in January 2015, is based on 741 responses from corporate treasury and finance professionals with the following job titles: cash manager, analyst and director.

“For B2B transactions, the mobile payment option has yet to break any particular ground,” said Magnus Carlsson, manager of treasury and payments at the AFP.

More than three-quarters (78 percent) of survey participants said they believe concerns about security are keeping consumers from embracing mobile payments, the AFP said.

Survey respondents suggest that specific security issues are preventing greater consumer use of mobile payments, such as concerns about transmitting financial data over cellphone networks (54 percent of respondents), potential exposure of personal financial information resulting from the loss of smartphones (53 percent) and authentication (26 percent).

Finance professionals themselves have numerous questions about the measures being used to secure mobile payments, the AFP said. “There are concerns about whether information is being transferred securely and if there is a risk of sensitive information being exposed,” it said. “As mobile payments become equipped with security features such as tokenization and biometric authentication, which don’t impact their usability, they will be more widely accepted as a payment solution.”

Apple Pay fraud

According to news reports, criminals have been creating Apple Pay accounts using stolen card credentials. CNBC quoted Cherian Abraham, m-payments adviser at Experian Global Consulting, as estimating Apple Pay’s fraud rate at 6 percent, compared with a traditional credit card fraud rate of 10 cents for every $100 spent.

Bloomberg reported that some U.S. banks have begun to make changes in how they activate customers’ card accounts to use Apple Pay.

Richard Crone, Crone Consulting’s chief executive officer, told Bloomberg some banks require users to call them to activate Apple Pay, to ensure their identities haven’t been stolen.

“While Apple Pay has been hailed as one of the most secure mobile payment options because of its use of tokenization and biometric authentication, there is a weak link in the chain that has caused a surge in fraudulent transactions,” David Divitt, product marketing manager for Alaric, said in a blog published on ATM Marketplace. “As ever in payments, criminals adore a weak link, especially in a system that is otherwise very secure — this makes it all the more likely their fraud will go unnoticed.”

Avivah Litan, vice president and distinguished analyst for Gartner, explained in a blog how fraudsters are exploiting a vulnerability in banks’ Apple Pay verification processes to bridge the gap between card-present transactions and the card-not-present world.

“The bad guys are loading iPhones with stolen card-not-present card information (which is much easier to steal than card-present mag-stripe data) and essentially turning that data into a physical card à la Apple Pay,” Litan said.

According to Litan, the responsibility for the fraud lies not with Apple Pay but with the card issuers who must be able to prove Apple Pay cardholders are legitimate customers with valid cards.

“Apple does provide the issuer with information to help inform that decision,” Litan wrote in her blog. “This data includes information on a customer’s device and iTunes account such as: device name; its current location; and whether or not the customer has a long history of transactions within iTunes.”

For years, we have been briefed by vendors offering a plethora of innovative and strong user authentication solutions for mobile payments. And, for years, we have been asking the vendors touting them how they know their mobile app is being provisioned to a legitimate user rather than a fraudster. That always appeared to me to be the weakest link in mobile commerce — making sure you provide the app to the right person instead of a crook.

Litan said the key to identity proofing in a non-face-to-face environment is reducing reliance on static data — much of which is personally identifiable information (PII) that has been compromised by the crooks — and increasing reliance on dynamic data such as reputation, behavior and relationships between non-PII data elements.

Litan warned that the problem of stolen card number fraud experienced by Apple Pay “is only going to get worse as Samsung/LoopPay and MCX/CurrentC release their mobile payment systems, without the customer data advantages Apple has in its relatively closed environment.”
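The issuer-side check Litan describes can be sketched as follows. This is an added example, not code from the guide, Apple or any issuer: it shows a provisioning request that passes the static-data check with stolen details but is routed to call-in activation by dynamic signals. The class names, thresholds, coordinates and the cards-per-device count are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Tuple

# Constructed sample coordinates (latitude, longitude).
LOS_ANGELES = (34.05, -118.24)
NEAR_LA = (34.10, -118.30)
MEXICO_CITY = (19.43, -99.13)


@dataclass
class ProvisioningRequest:
    card_ref: str                     # issuer's internal card reference, never the PAN
    device_id: str
    static_data_matched: bool         # name, address, card details matched issuer records
    device_at: Tuple[float, float]    # device's current location
    billing_at: Tuple[float, float]   # location of the cardholder's billing address
    account_history_days: int         # length of transaction history on the device account


def distance_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle (haversine) distance between two coordinates."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


class ProvisioningRiskEngine:
    """Hypothetical issuer check run before a card is activated in a mobile wallet."""

    # Thresholds are illustrative assumptions, not values used by any issuer.
    def __init__(self, max_km=500.0, min_history_days=90, max_cards_per_device=3):
        self.max_km = max_km
        self.min_history_days = min_history_days
        self.max_cards_per_device = max_cards_per_device
        self._cards_by_device = defaultdict(set)  # relationship between non-PII elements

    def assess(self, req: ProvisioningRequest) -> Tuple[str, List[str]]:
        # Static data alone only rules requests out: stolen card details pass this check.
        if not req.static_data_matched:
            return "decline", ["static data mismatch"]
        reasons = []
        if distance_km(req.device_at, req.billing_at) > self.max_km:
            reasons.append("device far from billing address")
        if req.account_history_days < self.min_history_days:
            reasons.append("short account history")
        cards = self._cards_by_device[req.device_id]
        cards.add(req.card_ref)
        if len(cards) > self.max_cards_per_device:
            reasons.append("many cards on one device")
        # Any dynamic flag sends the customer to call-in activation instead of auto-approval.
        return ("call_to_activate" if reasons else "approve"), reasons


def sample_decisions():
    """Run three constructed requests through a fresh engine."""
    engine = ProvisioningRiskEngine()
    requests = [
        ProvisioningRequest("card-1", "dev-A", True, NEAR_LA, LOS_ANGELES, 1200),
        ProvisioningRequest("card-2", "dev-B", True, MEXICO_CITY, LOS_ANGELES, 2),
        ProvisioningRequest("card-3", "dev-C", False, NEAR_LA, LOS_ANGELES, 800),
    ]
    return [engine.assess(r) for r in requests]


if __name__ == "__main__":
    for decision, reasons in sample_decisions():
        print(decision, reasons)
```

The second request is the case the chapter describes: the static data matches, so only the location and account-history signals stop it from being approved automatically.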


CHAPTER 4 PCI Compliance

Like all merchants accepting payment cards, merchants using mPOS card readers must adhere to the Payment Card Industry Security Standards Council’s (PCI SSC) data security standards, the most important of which is the PCI Data Security Standard (PCI DSS).

The PCI SSC is an open forum that develops and manages the PCI DSS and related payment card data security standards. Merchants, processors, card issuers and technology vendors are required to comply with those standards.

The PCI standards’ purpose is to safeguard cardholder data and sensitive authentication data by eliminating security vulnerabilities at any point in the payment card infrastructure. The standards cover POS, e-commerce and ATM transactions.

Entities that are non-compliant with PCI DSS or that suffer breaches face substantial fines from the card schemes as well as potential liability for the cost of fraud.

mPOS devices

“When a mobile device is transformed into a POS terminal for a merchant to accept card account data, there is a responsibility to protect that information,” the PCI SSC says. “Thus PCI standards begin to apply when a mobile device is used for payment card acceptance.”

In July 2014, the PCI SSC updated two guidance documents it originally issued in February 2013: “The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users” and “Accepting Mobile Payments with a Smartphone or Tablet.”

The guidance documents cover mPOS acceptance applications that operate on consumer handheld devices such as smartphones or tablets that aren’t dedicated solely to payment-acceptance transaction processing.

The PCI SSC warns that, as merchants’ mobile devices aren’t used only as POS tools but also to carry out other functions, they introduce new security risks. “By design, almost any mobile application could access account data stored in or passing through the mobile device,” it says.

In addition to security risks such as malicious apps, keyloggers, viruses and intrusions, mPOS card readers face a threat from fraud specifically because of their mobility, the PCI SSC says.

MPOS card readers can be used not just inside stores but at remote locations such as customers’ homes or farmers’ markets. A key risk to merchants is the ease with which criminals can steal an mPOS device, modify it so they can intercept cardholder data and return it without anyone realizing it was gone, the PCI SSC says.

The PCI SSC guidelines have three objectives covering the main risks associated with m-payment transactions:

• Prevent account data from being intercepted when entered into a mobile device;

• prevent account data from compromise while being processed or stored within the mobile device; and

• prevent account data from interception while being transmitted from the mobile device.

The PCI SSC says that merchants deploying mPOS payments should use a PIN-entry device (PED), encrypting PIN pad (EPP) or secure card reader that complies with its Payment Card Industry PIN Transaction Security – Point of Interaction (PCI PTS – POI) standard.

Merchants should not implement solutions that permit PIN entry directly into the mobile device. If the system incorporates PIN-entry capability, it should occur only through a PCI-approved PED or EPP, the PCI SSC says.

Merchants should look for an indication of a secure state in their mPOS app — for example, through a displayed secure state icon provided by their app vendor. If no indication is present, the payment app shouldn’t be used, the PCI SSC recommends.

According to the Mobile Payments Today report “Mobile Banking and Payments Security,” merchants should check regularly that their mPOS devices haven’t been physically tampered with — for example, by the insertion of a card skimmer.


The table below outlines each best practice described within the “PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users” document along with who should be responsible for its implementation. The definitions of those entities that are responsible for the best practices are:

Merchant as an End-User (M): Any entity that uses the mobile payment-acceptance solution to accept payments.

Mobile Payment-Acceptance Solution Provider (SP): The entity that integrates all pieces in the mobile payment-acceptance solution and is responsible for the back-end administration of the solution. This includes the merchant as a solution provider.

Best practices and responsibilities

Best practice M SP

1. Prevent account data from being intercepted when entered into a mobile device. X X
2. Prevent account data from compromise while processed or stored within the mobile device. X X
3. Prevent account data from interception upon transmission out of the mobile device. X
4. Prevent unauthorized physical device access. X
5. Protect mobile device from malware. X X
6. Ensure the device is in a secure state. X
7. Disable unnecessary device functions. X X
8. Detect loss or theft. X X
9. Ensure the secure disposal of the device. X
10. Implement secure solutions. X X
11. Ensure the secure use of the payment-acceptance solution. X
12. Prefer online transactions. X
13. Prevent unauthorized use. X
14. Inspect system logs and reports. X X
15. Ensure that customers can validate the merchant/transaction. X
16. Issue secure receipts. X

Source: PCI Security Standards Council, “PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users.”


CHAPTER 5 Security Technologies

This chapter reviews key security technologies and best practices for mobile payments.

Point-to-point encryption (P2PE)

When selecting mPOS card readers, merchants should avoid any reader that only converts the magnetic-stripe data on the customer’s card into an audio signal that is transmitted in unencrypted form via the merchant’s smartphone. That is a bad security practice, as there could be malware on the smartphone that will intercept the card data.

The PCI SSC mPOS guidelines (see Chapter 4, mPOS devices, page 18) state that the best option for merchants using mPOS is to use a PCI-validated and approved point-to-point encryption (PCI P2PE) solution.

The PCI SSC’s PCI P2PE standard provides a specification for the use of strong encryption to achieve point-to-point encryption, where clear-text card data is removed from the payments environment. This is achieved by encrypting data from the point of interaction (where cards are swiped or dipped) until the data reaches the P2PE solution provider’s secure decryption environment.

With P2PE, the card number is encrypted in the card reader with a key that isn’t known to the merchant, and the card number can be decrypted only by the processor or the issuer. By using a PCI-compliant P2PE solution, merchants potentially can reduce their PCI compliance obligations.

Benoit Boudier, vice president of international sales at Ingenico Mobile Solutions, says the apps on Ingenico’s mPOS devices cannot access sensitive customer card data.

“We encrypt the card data at the point of acceptance both for Bluetooth-connected PIN pads and for card readers connecting via a smartphone’s audio jack,” he said. “The encrypted data is then sent to the acquirer.”

Visa Europe requires that mPOS solutions deployed by its acquirers are implemented in a manner consistent with PCI P2PE principles, a Visa Europe spokesperson says.

“This includes a requirement for mPOS devices such as card readers attached to smartphones/wireless tablets to be certified to PCI PTS – POI V2, V3 or V4 with SRED (secure reading and exchange of data) included and for the full solution to support P2PE. This ensures that the mobile device doesn’t see any card data and that the mPOS system offers a similar level of security to traditional card acceptance devices.”

Wi-Fi

Using Wi-Fi for mPOS or standard POS payments has security risks, says Ingenico’s Boudier. “Retailers really need to use P2PE on their in-store Wi-Fi networks. Although you can try to provide perimeter security to stop anyone from breaking into your Wi-Fi network, the reality is that, with a distributed payment-acceptance environment like in-store mobile payments, it’s possible for hackers to break in. While you should definitely secure your Wi-Fi network, you must also encrypt data traveling on your network so that, if it is intercepted, it is meaningless.”

Small merchants such as coffee shops that use mPOS technology should ensure the Wi-Fi connection they use for their mPOS device is separate from the Wi-Fi network they provide for customers to use in their store. The mPOS Wi-Fi connection should be on a secure network that is segmented from a public Wi-Fi network.

Tokenization

Tokenization is a security technology that involves a one-time number being used to represent an actual credit- or debit-card number in a payment transaction. That token has zero value to criminals, as it can be detokenized only by the tokenization service provider. The cardholder’s primary account number (PAN) is stored only on the tokenization service provider’s system.

There are three types of tokenization.

First, website tokenization occurs when a customer enters his or her full PAN on a merchant’s website, but the merchant never sees the PAN as it is tokenized immediately by the processor in a software vault.

Second, POS terminal tokenization occurs when the cardholder’s PAN is tokenized as soon as the card is swiped or tapped against a POS terminal.

Third, network tokenization involves a card network, such as Visa or MasterCard, tokenizing a cardholder’s PAN and the token being stored securely on the user’s mobile device or in an HCE cloud-based software vault. “Mobile payment services such as Apple Pay and Samsung Pay use this type of network tokenization,” said Hitesh Anand, Verifone’s vice president of commerce enablement and mobile.

Cryptography is an important information security tool that can protect the confidentiality of data. It uses a secret code called a key. Using the key, data is changed into what appears to be random data (a process called encryption). You need the key again to change the random data back into the original data (a process called decryption). The key must be protected from unauthorized access or disclosure.

Source: “Accepting Mobile Payments with a Smartphone or Tablet,” PCI Security Standards Council

According to a Mobile Payments Today blog by Experian’s Abraham, both Visa and MasterCard’s HCE platforms involve tokenization.

Tokenization helps simplify consumers’ purchasing experience, as it eliminates the need to enter and re-enter their account numbers when shopping on mobile devices, tablets or PCs, Visa’s Meirelles says. “In addition, tokens eliminate the need for merchants to store payment card account numbers. This increases transaction security, reduces the risk of fraud in digital channels such as e-commerce and further enhances issuers’ ability to manage risk and provide customer support.”
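The token flow described in this section can be made concrete with a small model. This is an added example, not code from the guide or from any card network's token service: a vault that is the only holder of the PAN, a merchant that stores tokens only, and two token kinds (a one-time token and a token linked to one device). All class names, device identifiers and the test card number are assumptions.

```python
import hmac
import secrets
from typing import Optional


class TokenError(Exception):
    """Raised when the vault refuses to map a token back to a PAN."""


def luhn_valid(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical tokenization service provider: the only place a PAN is stored."""

    def __init__(self):
        self._records = {}  # token -> PAN plus the restrictions placed on the token

    def tokenize(self, pan: str, device_id: Optional[str] = None,
                 single_use: bool = False) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        while True:
            # Random digits: the token has no mathematical relation to the PAN.
            token = "".join(secrets.choice("0123456789") for _ in range(len(pan)))
            if token != pan and token not in self._records:
                break
        self._records[token] = {"pan": pan, "device_id": device_id,
                                "single_use": single_use, "spent": False}
        return token

    def detokenize(self, token: str, device_id: Optional[str] = None) -> str:
        rec = self._records.get(token)
        if rec is None:
            raise TokenError("unknown token")
        if rec["device_id"] is not None and not hmac.compare_digest(
                (device_id or "").encode(), rec["device_id"].encode()):
            raise TokenError("token presented from a different device")
        if rec["single_use"]:
            if rec["spent"]:
                raise TokenError("single-use token already redeemed")
            rec["spent"] = True
        return rec["pan"]


class Processor:
    """Hypothetical processor: the only party that asks the vault for a PAN."""

    def __init__(self, vault: TokenVault):
        self._vault = vault

    def authorize(self, token: str, amount_cents: int,
                  device_id: Optional[str] = None) -> str:
        try:
            self._vault.detokenize(token, device_id)  # PAN would go on to the issuer
        except TokenError as exc:
            return f"declined: {exc}"
        return "approved"


class Merchant:
    """Stores and forwards tokens only; a breach of order_db exposes no PAN."""

    def __init__(self, processor: Processor):
        self._processor = processor
        self.order_db = []

    def checkout(self, token: str, amount_cents: int,
                 device_id: Optional[str] = None) -> str:
        result = self._processor.authorize(token, amount_cents, device_id)
        self.order_db.append({"token": token, "amount_cents": amount_cents,
                              "result": result})
        return result


def run_demo() -> dict:
    pan = "4111111111111111"  # widely used test card number (constructed input)
    vault = TokenVault()
    shop = Merchant(Processor(vault))
    wallet_token = vault.tokenize(pan, device_id="phone-A")  # device-linked token
    web_token = vault.tokenize(pan, single_use=True)         # one-time token
    return {
        "wallet_own_device": shop.checkout(wallet_token, 1999, device_id="phone-A"),
        "wallet_other_device": shop.checkout(wallet_token, 1999, device_id="phone-B"),
        "web_first_use": shop.checkout(web_token, 500),
        "web_replay": shop.checkout(web_token, 500),
        "pan_in_merchant_db": any(pan in str(row) for row in shop.order_db),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, "->", value)
```

A token copied from the merchant's order database is declined when replayed or presented from another device, and the PAN never appears in the merchant's records.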

Tokenization works well in combination with P2PE, Boudier says. “You encrypt the transaction message including the cardholder’s token and then send it to the acquirer and the card network in encrypted form.”

In March 2014, EMVCo — the EMV chip card standards body jointly owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa — published “The EMV Payment Tokenisation Specification — Technical Framework v1.0.” The document is designed to help merchants, acquirers, issuers and mobile and digital payments providers develop globally interoperable tokenization solutions in online or mobile environments.

Visa said in February 2015 that it plans to tokenize all online transactions initiated using Visa Checkout through its Visa Token Service.

Visa Token Service was launched in October 2014, enabling secure mobile payments for Visa cardholders on Apple devices through the Apple Pay service.

“In 2015, other leading device manufacturers and technology companies will begin deploying Visa Token Service to deliver secure mobile payments through their phones, tablets and other connected devices,” Visa said. For example, Visa will provide its Visa Token Service for Samsung Pay (see Chapter 2, Samsung Pay, page 10) transactions involving Visa cards.

NFC World quoted MasterCard CEO Ajay Banga as telling analysts during the card network’s 2014 year-end earnings call that it plans to incorporate tokenization technology into its MasterPass digital wallet in the near future. “We are very focused on tokenization; it’s a very important aspect of where we’re going for safety and security,” Banga said.


“In the mobile environment, tokenization involves replacing the cardholder’s PAN with a token that is linked to a specific device such as their smartphone and stored in the smartphone’s SIM card secure element or in an HCE cloud-based software vault.” — Benoit Boudier, vice president of international sales at Ingenico Mobile Solutions


EMV

From October 1, 2015, U.S. merchants who haven’t upgraded their POS terminals to accept EMV chip card payments will become liable for fraudulent misuse of EMV cards occurring on their terminals, under a liability shift imposed by MasterCard, Visa and the other card networks.

The EMV standard is designed to prevent card skimming and counterfeiting, as EMV-compliant cards contain an embedded chip as well as a magnetic stripe. An EMV card’s chip stores the cardholder’s account data more securely than a magnetic-stripe-only card does.

EMV cards are ubiquitous across Europe and will become widely adopted in the U.S. because of the October 1 liability shift.

“U.S. mPOS vendors need to be able to demonstrate a clear roadmap for supporting EMV,” said William Nichols, president and CEO of Montreal, Canada-based m-payments firm AnywhereCommerce.

“Any U.S. mPOS provider which doesn’t already offer EMV capability or doesn’t plan to offer EMV in the next six months should be of concern to merchants,” said Thad Peterson, a senior analyst for U.S.-based consultancy Aite Group. “The big mPOS providers such as Verifone and Ingenico already support EMV, and Square will launch an EMV card reader in spring 2015.”

EMV and NFC

According to industry experts interviewed by Mobile Payments Today, NFC payments stand to benefit from the U.S. migration to EMV, as new EMV-enabled POS terminals contain the necessary technology for consumers to make contactless payments with their smartphones. Vendors such as Ingenico and Verifone already have deployed thousands of EMV-enabled POS terminals in the U.S., and the majority of those readers are equipped with contactless technology.

A lack of contactless-enabled POS terminals and NFC-enabled smartphones has hindered U.S. adoption of NFC payments. Both are no longer the big obstacles they once were, Mobile Payments Today says, because of the U.S. migration to EMV and the fact that a variety of Android-powered smartphones now contain NFC chips as a standard feature. HCE also has helped mobile-wallet providers sidestep access to the secure element on Android smartphones to enable contactless transactions. Apple will include NFC chips as a standard in some of its most popular devices.


Authentication technologies

A number of authentication technologies can be deployed to enhance mobile payments security.

Device authentication ensures that a mobile device interacting with a mobile banking or payment system is genuinely the registered user’s device, isn’t being spoofed by a fraudster’s device and hasn’t been jailbroken.

Mobile device authentication involves a security provider taking a digital “fingerprint” of a mobile device, noting facts such as the type of device, the apps and cookies it contains, and the sites it visits, Verifone’s Anand says. It also may involve using information from the mobile network operator to triangulate the physical location of the device and its IP address.

For example, Payfone (see Chapter 6, Payfone, page 32) provides the Identity Certainty solution, which assigns each mobile user in its database a unique tokenized ID based on the mobile subscriber’s phone number, SIM card and account number. Fraud detection and monitoring systems from vendors such as ThreatMetrix (see Chapter 6, ThreatMetrix, page 34) look at customer history and behavior to determine whether a transaction is genuine or fraudulent.

Biometric technologies such as voice prints, facial recognition or fingerprint scans provide an additional layer of authentication over and above login methods such as passwords, PINs and security challenges requesting users to supply previously registered personal data.

A report by Juniper Research, “Human Interface & Biometric Devices: Emerging Ecosystems, Opportunities & Forecasts 2014-2019,” predicts that more than 770 million biometric authentication applications will be downloaded per year by 2019, up from 6 million in 2015, dramatically reducing dependence on alphanumeric passwords in the mobile phone market.

Juniper says several high-profile deployments of biometric authentication techniques — such as Apple Pay’s combination of Touch ID authentication and tokenization — will drive biometric authentication adoption.


“Device fingerprinting is among the best-suited solutions for mobile device authentication. It has the benefit of being invisible to the consumer, adding no friction to the checkout process.” — LexisNexis 2014 True Cost of Fraud Mobile Study


CHAPTER 6 Overview of Solutions Providers

Alaric

A subsidiary of NCR, London-based Alaric offers the Fractals intelligent fraud-detection solution for online, ATM, POS and mobile channels. Fractals is used by issuers, acquirers, processors, networks, payment service providers, ISOs and merchants.

The latest version of Fractals, released in December 2014, includes a Fraud Integration Hub, which brings together data from specialized sources such as mobile geolocation, IP intelligence and device reputation to analyze transactions. Alaric says Fractals uses a combination of self-learning models and user-defined rules to tackle any type of transactional fraud problem.

Bell ID

Bell ID develops software that enables banks and enterprises to issue and manage credentials on NFC-enabled mobile devices and EMV-based smart cards.

The Rotterdam, Netherlands-based firm offers solutions for:

• HCE

• secure element management

• tokenization management

• m-payments service provider enablement

Bell ID’s Tokenization Manager provides Token Service Provider functionality in line with EMVCo’s EMV Payment Tokenisation Specification – Technical Framework v1.0.

Bell ID said in March 2015 that it is enabling the launch of ANZ New Zealand’s upgraded goMoney mobile app, which is set to feature a cloud-based HCE NFC wallet. The project, for ANZ Bank’s New Zealand division, will bring contactless mobile payments to 120,000 ANZ customers’ smartphones.


The ANZ goMoney wallet uses Bell ID’s Secure Element in the Cloud platform, which removes the need for a separate app or SIM card upgrade for customers.

Carta Worldwide

Toronto, Canada-based processor Carta Worldwide launched its Cloud Suite 1.0 for mobile payments, a full-service cloud-based payments and EMVCo-compliant tokenization product for banks and wallet service providers, in February 2015.

Cloud Suite 1.0 offers tailored delivery of Carta’s cloud-based payments and tokenization technology, including:

• Pilot and Test Platform: for development of m-payment applications and cloud payment functionality;

• Platform-as-a-Service: cloud-hosted software for scalable deployment of HCE m-payment products with flexible roadmap options; and

• Software License: for custom in-house implementation.

Carta says a highlight of Cloud Suite 1.0 is its Platform-as-a-Service offering, which provides a complete technology solution — including tokenization, digital credential management and a developer environment — all as a hosted service. The solution supports HCE, NFC proximity payments and remote payments.

Cybera

Franklin, Tennessee-based Cybera offers the Cybera ONE for Mobility applications solution, which enables retailers to secure cloud-based mobile wallet point-of-sale purchases in their stores. The solution ensures that, when a customer visits a store and buys a product on the Web by using a smartphone, the specific store receives the revenues to cover the cost of the product.

Cybera says its managed software cloud and virtual application network securely connect the retailer’s mobile payment application to the local store POS system where inventory is being redeemed. This allows the local store site to settle the transaction and account for the inventory being sold.

Using Cybera’s solution, retailers can accept mobile payments without the cost of upgrading their POS system. “Additionally, utilizing a secure cloud ensures that payment information will be delivered safely from the mobile cloud application to the POS system at the specific store site without jeopardizing the integrity of the card data environment,” Greg Tennant, Cybera’s senior vice president of marketing and strategy, wrote in a Mobile Payments Today blog.

DeviceAuthority

Fremont, California-based DeviceAuthority offers the D-FACTOR authentication engine, which issues a “digital fingerprint” authentication challenge to mobile devices connecting to payment systems to check whether they are genuine, whether they contain malware and whether they have been jailbroken.

According to a white paper by DeviceAuthority’s marketing partner — Simi Valley, California-based XYPRO Technology Corp. — D-FACTOR prevents security breaches from unauthorized devices due to:

• keyloggers;

• stolen cookies and user credentials;

• phishing attacks;

• circumvented knowledge-based authentication;

• circumvented fraud detection;

• man-in-the-middle attacks;

• man-in-the-browser attacks.

FIS

In March 2015, U.S.-based banking software vendor FIS added biometric access to its mobile banking application via Apple’s Touch ID. According to a news release, FIS was to become the first provider to offer fingerprint access to its Cardless Cash ATM application when it enabled fingerprint authentication in April 2015.

Using Touch ID, customers of banks that have deployed FIS’s Cardless Cash ATM software will be able to withdraw cash from ATMs and check their balances from their smartphones, without using plastic cards. Authentication, account selection and amount selection all occur through the FIS Mobile Wallet with Cardless Cash app, and a QR code is scanned to complete the transaction.

The FIS Mobile Wallet with Cardless Cash is a cloud-based platform that gives financial institutions control of the branding and user experience within the application. Customers can add debit, credit, stored value and loyalty cards, as well as redeem mobile coupons and offers. All credentials are stored securely in the cloud, not on the smartphone, FIS says.


InAuth

Venice, California-based mobile fraud prevention and app security provider InAuth raised $20 million in a Series A funding round led by Bain Capital Ventures in March 2015.

InAuth said the investment came after a year of record growth in which the company added four of the five largest U.S. banks as customers. Founded in 2011, InAuth serves customers including large global banks, payment processors, e-commerce merchants and health insurance companies.

To protect their users, application developers embed InAuth’s technology into their apps. InAuth then secures both application data and financial transactions from malicious actors, preventing fraud and data loss.

InAuth says its Mobile Identity Platform measures not just the network risk of a mobile device, but also the confidence that a mobile device user is the user expected to be using the device. The platform also checks for fraud and detects anomalies such as jailbroken or rooted devices, the company says.

Ingenico Mobile Solutions

“All Ingenico’s mPOS devices are PCI-certified and encrypt cardholder data at the point of capture,” Ingenico’s Boudier said.

Ingenico offers the On-Guard P2PE solution, which consists of three PCI-certified components: an encryption module, a decryption module and an encryption key-management solution.

The encryption module is available across the complete range of Ingenico POS terminals including mobile acceptance devices such as the iCMP chip-and-PIN mobile card reader. The decryption module is hosted in the infrastructure of any service provider, processor or retailer.

On-Guard can be complemented by a tokenization add-on that allows merchants to identify their customers without storing sensitive data such as account numbers.

Ingenico announced a partnership in April 2015 with Intel to jointly develop a mobile tablet that supports EMV and NFC payments.

The partnership will result in Intel Data Protection Technology for Transactions being combined with Ingenico payment acceptance capabilities in mobile and future products in the U.S. and Canada, beginning with the jointly developed mobile tablets based on the Intel Atom processor.

Jumio

In February 2015, Jumio, a Palo Alto, California-based online/mobile credentials management company, launched a new version of its ID card scanning service, Netverify. The service provides businesses using mobile and online channels with an accurate way to authenticate their customers’ and prospects’ identity credentials.

The new release features a new ID image-capturing technology, which allows users to position their ID any way within their camera view. This enhanced template-matching capability automatically detects the ID edges, rotates the ID and accurately crops it in the frame, regardless of the angle at which the user holds the ID. This results in a higher scan-acquisition rate.

To ensure the person presenting the ID to the device camera is the individual featured in the ID, Jumio’s Face Match technology compares the customer’s face with the photo on the ID and produces a likelihood-of-match score.

The latest Netverify release includes enhanced liveness-detection technology, which is designed to detect even the slightest facial movements when a customer presents his or her face to the device’s camera. This guards against use of IDs that are bona fide but have been stolen.

Liveness detection ensures that the person is actually present and precludes a criminal’s attempt to beat Face Match by presenting a static photo image of the fraud victim, Jumio says.

Jumio also offers BAM Checkout, which enables consumers to scan their payment cards and driver’s licenses when using a mobile shopping app.

Kaspersky Lab

In February 2015, anti-virus firm Kaspersky Lab launched a free mobile app, Kaspersky QR Scanner. The program not only reads information in QR codes, but also warns users about potentially dangerous links — such as phishing links — embedded by cybercriminals within them. The app is available for both Google Android and Apple iOS.

Kaspersky says cybercriminals can insert malicious code into a QR code online in place of a legitimate image or by covering over a genuine code on a poster.

“When reading QR codes, it’s important to check that the QR code isn’t spoofed,” says Ingenico’s Boudier.


Kaspersky QR Scanner scans the QR code and checks it against a current extensive database of known malicious links. If the code is valid, the scanner will open the page. If not, the app will send the user a warning notification.

In addition to website addresses, the scanner detects text messages encrypted in QR codes as well as contact information.

MagTek

Seal Beach, California-based transaction security company MagTek launched the Qwick Codes Mobile Wallet in 2012. Qwick Codes are dynamic, one-time-use tokens that replace payment card information for ATM, POS and online transactions.

The Qwick Codes Mobile Wallet is a subscription-based application that resides in the cloud at Magensa, MagTek’s PCI-certified subsidiary.

To use the Qwick Codes Mobile Wallet, consumers open the Qwick Codes app, swipe their card through a complimentary MagneSafe reader they receive with a paid subscription and enter the transaction details such as maximum dollar amount and an expiration date. A Qwick Code, which consumers can scan from their smartphone or type into a POS terminal or ATM instead of swiping their card, then is created.

MagTek also manufactures devices and systems for the reliable issuance, reading, transmission and security of cards, checks, PINs and other identification documents. Its products include secure card reader authenticators, check scanners, PIN pads and distributed credential-issuing systems.

MagTek’s devices and services are secured using its MagneSafe Security Architecture technology. By leveraging strong encryption, secure tokenization, real-time authentication and dynamic transaction data, MagneSafe-based products enable users to assess and validate the trustworthiness of credentials used for online identification, payment processing and other electronic transactions.

MagTek’s QwickPAY solution is a secure mPOS offering for card-present mobile payment transactions. QwickPAY works on iOS-based devices, including iPhone 4, iPhone 3G, iPad and iPod touch; and on the Android and Windows PC platforms.

Based on MagneSafe, QwickPAY encrypts card data within the card reader’s head, reducing the scope of PCI compliance by eliminating sensitive card data from the application. Decrypted data is delivered only to a PCI DSS-certified payment processor or gateway. QwickPAY also tokenizes sensitive transaction data.

Omlis

Newcastle upon Tyne, U.K.-based Omlis has developed encryption technology to protect mobile banking and payments transactions. It says that standard encryption techniques rely on the repeated use of master encryption keys, which can be intercepted by malicious third parties. Omlis’ solution uses randomly generated one-time encryption keys instead of master keys to prevent hackers from intercepting transactions. It also uses payment tokens and authentication tokens.

In January 2015, Omlis announced that it had secured $31 million in contracts to implement its services with various partners over the next five years.

OneVisage

OneVisage, a Swiss digital identity products developer, has launched what it calls the world’s first 3D facial-authentication product to operate on standard smartphones.

OneVisage says its SelfiLogin product is meant to eliminate the two-step authentication process that it believes is the cause of transaction cancellations and resulting lost revenue for merchants.

“A sizeable amount of these abandonments represent security concerns emphasized by Generation Z, spanning the ages of 16 to 24,” said Christophe Remillet, OneVisage’s chief technology officer. “Studies prove that 75 percent of Generation Z is willing to use biometric security solutions like SelfiLogin instead of passwords or PINs for authentication.”

Payfone

In December 2014, New York-based Payfone introduced Identity Certainty, an authentication product that relies on the same security standards mobile network operators use to identify their subscribers, Mobile Payments Today reported.

Payfone launched a pilot of Identity Certainty with three major banks in early 2015 through a partnership with fraud-protection and risk-management company Early Warning, Mobile Payments Today said.

Payfone didn’t reveal which banks are using the service, but Early Warning is owned by Bank of America, BB&T, Capital One, Chase and Wells Fargo. Early Warning also is a Payfone investor.

Identity Certainty provides an extra layer of protection that banks can use to confirm mobile banking customers’ identity when they log into the service.


Mobile identity authentication has become more important for banks as consumers migrate from online banking to smartphones or tablets.

“Banks have learned that a lot of things that can be done on PCs (for authentication) don’t translate well to mobile phones,” Roger Desai, Payfone’s CEO, told Mobile Payments Today. “What the banks wanted us to do was create a consistent way to identify a phone.”

Payfone has 300 million mobile identities in its database, thanks to partnerships with all four major U.S. telcos. The company assigns each identity a unique tokenized ID, known as the Payfone Signature, based on a mobile subscriber’s phone number, SIM card and account number. Banks use the tokenized ID to make sure everything lines up with their systems.

Identity Certainty tracks 400 different “lifecycle” events to help banks confirm a customer’s mobile identity. Some events occur more often than others, such as an address change, a new phone number or a replacement for a lost device. Other events are less frequent, such as a consumer switching mobile operating systems or using a company-provided device.

“All of these things are critical for the bank to know,” Desai said. “We eliminate human interaction when it comes to this authentication method. It’s done behind the scenes through the telco’s network. This kind of authentication works because lots of things change with customers that the banks have a hard time tracking.”

According to Payfone, if a customer reports that a mobile phone has been lost, replaced or stolen, the Payfone Signature is revoked automatically, terminating access to apps and services in real time on the individual device.

Authentify acquisition

In April 2015, Early Warning signed a definitive agreement to acquire Authentify. Founded in 1999, Authentify provides phone-based, multifactor authentication products and serves 1,200 financial institutions and e-commerce companies.

Early Warning said the acquisition will enable it to offer organizations digital multifactor authentication and the ability to integrate and manage multiple digital channel authentication methods via one platform.

With its acquisition of Authentify and its exclusive partnership and equity investment in Payfone, Early Warning says it can provide a suite of services that:

• improves mobile security and reduces consumer friction by leveraging innovation in biometric and behavioral authentication;
• strengthens authentication events, unlike usernames and passwords;
• supports the integration, delivery, prioritization and management of current and future digital authentication technologies enabled by an SDK; and
• offers a true, persistent identifier that is authenticated in real time, via mobile network operators.

ThreatMetrix

ThreatMetrix offers fraud-prevention solutions that leverage its ThreatMetrix Global Trust Intelligence Network shared digital identity network and real-time analytics platform to protect customers against account takeover, payment fraud, fraudulent account registrations resulting from malware and data breaches.

The ThreatMetrix Global Trust Intelligence Network analyzes 1 billion monthly transactions, including 250 million mobile transactions from 200 countries.

“We’re seeing over 20 million new mobile deployments each month representing more than 25 percent of the total new devices being added to our network,” said Andreas Baumhof, ThreatMetrix’s chief technology officer.

By creating an anonymized digital identity for consumers based on their device, persona and behavior from every interaction (account origination, login and access, and purchase) and comparing it in real time to previous activity, ThreatMetrix clients can accurately distinguish their customers from cybercriminals, regardless of channel, ThreatMetrix says.

ThreatMetrix TrustDefender Mobile is a mobile SDK that developers can include in their mobile apps. The firm says TrustDefender Mobile helps its customers identify fraudulent behavior and reduce friction for transactions originating from mobile applications.

The newest version, launched in March 2015, extends ThreatMetrix’s mobile app reputation and integrity capabilities to iOS devices in addition to Android and widens the breadth of attributes analyzed from mobile devices.

“One challenge our customers face in the mobile channel comes with the explosion of apps from a multitude of different vendors, many of which are used as vehicles to deliver malware,” said Dean Weinert, ThreatMetrix’s director of mobile products. “It’s important for businesses to distinguish between real, trusted apps and apps that have been altered, but that requires a significant amount of data, especially for mobile devices. ThreatMetrix provides a solution that is lightweight on users’ devices, putting those device attributes and threat risks into our digital identity network. The network is constantly learning about the growing mobile attack surface so our customers don’t have to.”

TrustDefender profiles devices for the following information:

• Persistent device identification: This feature identifies individual mobile devices for both iOS and Android platforms, even if the device has been reset or the application has been reinstalled.
• Location services: This feature gathers latitude and longitude information from the GPS hardware and compares IP addresses with physical locations to detect the use of proxies and virtual private networks (VPNs).
• Detects jailbroken and rooted devices: Dynamic jailbreak and root detection technologies determine when device security controls have been thwarted. New jailbreak and root methods are pulled from the TrustDefender server each time a device is profiled, to keep the system up-to-date without requiring new application releases.
• Malware detection: For Android-based systems, TrustDefender Mobile verifies the integrity of the app in which it is embedded to ensure it hasn’t been compromised or infected. It also analyzes all other apps installed on the device and reports their reputation and the presence of malicious code.
• Anomaly detection: This feature detects device tampering as well as attempts to masquerade as a different device, along with a number of other anomalies that may indicate fraud.
• Packet fingerprinting: This feature automatically detects device and data spoofing via analysis of the network traffic packet signatures originating from the device.

ValidSoft

ValidSoft offers a multifactor user authentication platform including a Voice Biometric engine and Device Trust technology.

The U.K.-based company’s platform authenticates mobile transactions using four elements:

• “Something you are” — voice biometrics;
• “Something you know” — a challenge such as a request for a password, personal data or PIN;
• “Something you have” — a personal device such as a smartphone or tablet;
• “Somewhere you are/not” — correlation of registered device to a location.

The ValidSoft Device Trust solution, which is available on a stand-alone basis, is designed to counteract the growing threat created by fraudsters who maliciously redirect mobile phone calls and text messages to defeat out-of-band authentication systems and other anti-fraud measures involving customer contact via mobile phones.

Out-of-band authentication involves a one-time PIN or passcode being sent to a mobile device when a customer logs in to another channel such as a PC.

Device Trust helps banks protect their customers’ data and transactions by securing their communication channels against account takeover, SIM swap, call divert and international roaming related fraud.

Veridu

Veridu, a London-based ID verification company, provides an API-based service that enables banks and retailers to base risk-assessment decisions on a potential user’s social media profiles.

Rasmus Groth, Veridu’s CEO, told Mobile Payments Today that banks and retailers can use the company’s ID verification system in the customer onboarding process or as a risk-management tool to flag potential fraudulent transactions. Groth argues that social media profiles can be a better verification method than asking people to scan documents or ID cards, which he believes can be faked easily.

Once a bank or retailer integrates Veridu’s API into its online or mobile channel, it can ask potential users to sign into a combination of social media networks such as Facebook, Twitter and LinkedIn.

Veridu rates the profiles collectively by using a number system between 0 and 100. Theoretically, a higher score means that the potential user is who they claim.

“The way we gear the service is that 57 percent is what we consider a normal, trustworthy person,” Groth said. “Anything below 50, we think something might be off. There’s always a balance. It depends on what kind of service you have. If your primary concern is making enrollment or onboarding really easy, you set thresholds quite low in the beginning, but later you can have the person reverify their identity.”

Verifone

“All Verifone’s payment acceptance products, whether mPOS or standard payment terminal solutions, across all payment types including mag-stripe, EMV and NFC/contactless, comply with all the PCI standards and support our P2PE and tokenization solution VeriShield Protect and our Secure Commerce Architecture (SCA),” said Joe Majka, Verifone’s chief security officer.

In a data breach, malware steals cardholder information from an integrated POS system, a vulnerability that SCA and VeriShield Protect are designed to counteract.

“Using SCA and VeriShield Protect, we prevent cardholder data from entering the POS system, and we deliver this data in encrypted form from the payment terminal directly to the merchant’s processor,” Majka said. “Using a P2PE solution such as VeriShield Protect with SCA also reduces a merchant’s PCI and EMV certification burden.”

WiseSec

Tel Aviv, Israel-based WiseSec has developed a security technology to protect Bluetooth-based mobile payments on any type of smartphone, including Android- and iOS-based smartphones. Its solution uses low-cost Bluetooth-based beacons to locate and authenticate customers in a store, enabling them to pay by tapping their smartphone against a touchpad.

WiseSec claims its solution has a lower cost than NFC, as retailers don’t need to install NFC card readers. “We provide a ‘plug-and-play’ solution, which doesn’t require special infrastructure changes to install,” said Vadim Maor, WiseSec’s CEO. “With our technology, the only players are the customer, their card issuer and the merchant.”

“Our protocol works on BLE (Bluetooth low energy) and on other types of Bluetooth links, and offers an alternative to NFC,” Maor said. “It creates a tokenized communications channel between the server and the touchpad to simulate full NFC, and can be used for POS payments or cardless transactions at ATMs.”

WiseSec creates two types of tokens. “First, we tokenize the customer’s payment card, and secondly we secure the transaction between the touchpad, which can be a POS device or an ATM, and the server using tokens,” Maor said. “All data is encrypted during transit from the touchpad to the server.”

WiseSec’s technology verifies a customer’s identity, device and location and passes that information to the card issuer to check that the customer’s card hasn’t been stolen or counterfeited.

“To make a cardless cash withdrawal, a consumer needs to tap their smartphone against an ATM which is enabled with our technology,” Maor said. “Because of our military-grade security protocol, we are the only technology approved by the Bank of Israel for cardless ATM withdrawals in Israel.”

The Bank of Israel, the country’s central bank, acts as a regulatory and approval body for the Israeli Ministry of Finance.

REFERENCES

Mobile Payments Today
www.mobilepaymentstoday.com

“Mobile Banking and Payments Security: What banks and payment service providers need to know to keep their customers safe,” by Robin Arnfield
Networld Media Group
http://www.networldmediagroup.com/inc/sdetail/12036/18751

“Mobile Payments State of the Industry 2015 – Omnibus Edition”
Networld Media Group
http://www.networldmediagroup.com/inc/sdetail/12036/19754

“mPOS 101: What merchants need to know about mobile point-of-sale technology,” by Robin Arnfield
Mobile Payments Today
http://www.mobilepaymentstoday.com/whitepapers/mpos-101/

Mobile Payments Today white papers
http://www.mobilepaymentstoday.com/whitepapers/

“A look at the PCI guidelines for mobile POS”
Mobile Payments Today white paper sponsored by Moki
http://www.mobilepaymentstoday.com/whitepapers/a-look-at-the-pci-guidelines-for-mobile-pos/

Mobile Payments Today directory of suppliers
http://www.mobilepaymentstoday.com/companies/directory/companies-by-category/

“Mobile Wallet Comparison Guide, 2015 edition”
Networld Media Group
http://www.networldmediagroup.com/inc/sdetail/12036/20723

“Accepting Mobile Payments with a Smartphone or Tablet”
“Mobile Payment Acceptance Security Guidelines for Merchants as End-Users v1.1”
“Mobile Payment Acceptance Security Guidelines for Developers v1.1”
Payment Card Industry Security Standards Council
https://www.pcisecuritystandards.org/security_standards/documents.php?document=pciscc_mobile_payments_0512

“End-to-End Security in an Open and Mobile World”
Ingenico white paper
http://ingenico.us/wp-content/uploads/2012/07/Ingenico-End-to-End-Security-in-an-Open-and-Mobile-World-EN.pdf

Payment Card Industry Security Standards Council (PCI SSC) documents page
https://www.pcisecuritystandards.org/security_standards/documents.php

The LexisNexis 2014 True Cost of Fraud(SM) Mobile Study
LexisNexis Risk Solutions and Javelin Strategy Solutions & Research
http://www.lexisnexis.com/risk/insights/true-cost-fraud-mobile.aspx

Square’s EMV information site
https://squareup.com/emv#

PCI SSC Tokenization Product Security Guidelines
https://www.pcisecuritystandards.org/security_standards/documents.php

“The iBeacon/BLE vs NFC Debate: Now the Truth”
Mobile Payments Today white paper sponsored by Pyrim Technologies
http://www.mobilepaymentstoday.com/whitepapers/the-ibeaconble-vs-nfc-debate-now-the-truth/

Visa Digital Solutions
http://usa.visa.com/clients-partners/technology-and-innovation/visa-digital-solutions/index.jsp?ep=v_sym_digitalsolutions

