A new report from Frost & Sullivan states that new security challenges and solutions must be examined as the mobile payments (m-payments) market moves towards the simpler and more cost-effective hybrid solution of mobile phones with near-field communication (NFC) technology integrated in a cloud-based system.
The new approach stores the cardholders’ account details in the cloud rather than on the secure element within a mobile phone, which is the more secure of the two, and so opens the door to a multitude of security risks involved in data transmission.
“M-payments that use contactless technologies, such as NFC, are an emerging global trend,” said Shuba Ramkumar, a Frost & Sullivan research analyst. “Important market players like Google, Isis and Microsoft have created some of the currently available mobile wallet apps using NFC technology.”
According to Frost & Sullivan, security infrastructure for NFC payments is multi-layered. The customer’s account and card details are stored in a secure element within the device used for the payment. The secure element might be directly embedded by the mobile device manufacturer or offered by a payment service provider as a removable Secure Digital (SD) card. The use of a physical secure element, the current industry trend, is vital because in its absence the exposure to risk is much higher. Nevertheless, security solution providers like ARM, Gemalto, and Giesecke & Devrient are also working on the development of the trusted execution environment (TEE) as a security standard.
“Implementing additional security, for instance, a personal identification number (PIN) for access, can help mitigate financial losses. An easy-to-use mechanism for deactivating NFC services on a misplaced or stolen device and reactivating them on another will also enhance security,” said Ramkumar.
A cloud-based m-payment solution, on the other hand, involves the use of a mobile app, such as PayPal, that requires an individual’s authentication prior to connecting with the account details stored in a cloud to process the transaction. The advantage of using a cloud payment solution over NFC is that the transaction can be carried out using any device with network connectivity. Additionally, the data in a cloud-based solution is stored virtually and is not easy to access or track, provided the cloud service offers appropriate protection.
“Despite constant monitoring and authentication checks that make the cloud itself secure, transmitting data over the air carries an element of risk,” said Ramkumar. “Payment information for many individuals is stored in the cloud, and it is mapped individually to a person logging into an m-payment app. Therefore, data transferred between the cloud and the device initiating the transaction occurs over the air, putting the data at risk of exposure to parties capable of reading it during transmission.”
However, a hybrid approach that combines NFC with cloud-based systems for m-payments will still require additional solutions to mitigate the security risks involved in data transmission, as it both removes the physical secure element on a mobile phone and retains the inherent weakness of cloud-based security. The appeal of hybridizing NFC with cloud-based systems is that it will make the application of NFC services simpler and cheaper.
“This should be done in respect of international payment standards such as PCI DSS [Payment Card Industry Data Security Standard] in order to protect personal data during data transfer. At the moment, the security used for cloud-based solutions is mostly the same as the one for e-commerce, so digital certificates features. This is probably a first step to accelerate cloud-based payment solutions, but at the end, a higher level of security will probably be needed,” said Ramkumar.
(For additional information contact: Frost & Sullivan, +48 22 481 62 20, www.frost.com.)