With the continued growth of both e-commerce and the use of mobile devices, mobile and contactless payments, like Google Pay, Apple Pay, PayPal, etc., are becoming increasingly popular and are likely to equal or even surpass traditional payment methods in the near future. According to a recent Javelin report, it is estimated that mobile payments will comprise 49 percent of all online U.S. retail transactions by 2020, totaling approximately $319 billion. As consumers increasingly expect organizations to offer mobile payment capabilities, it is important to evaluate this payment option for your merchants.
Below are some of the top factors that should be considered as you are reviewing acceptance of these new payment methods.
1) Benefits of Mobile Payments
Organizations can make it more convenient for customers by accepting mobile payments, thus allowing them to leave their wallets at home. Mobile payments speed up the checkout process and improve overall user experience and customer satisfaction.
Merchants can also increase customer engagement by offering coupons, incentives, rewards, and loyalty programs within the applications on their smartphones. It is also possible to take advantage of increased customer analytics and gather information on things like preferred payment methods, how frequently they shop, typical transaction amounts, etc.
2) Payment Types
There are two types of mobile payments – physical Point of Sale (POS) and online.
Most physical POS payments work by utilizing Near Field Communication (NFC) technology found in smartphones. Once the cashier has rung up the total cost and asked for payment, the customer can hold their phone up to the contactless terminal and exchange data to make the payment. For most applications, the actual 16-digit card number and other sensitive cardholder data are not stored on the phone. Instead, a ‘token’ is given to the merchant, making the transaction itself very secure. Some applications, like Apple Pay, also require transactions to be verified by fingerprint ID or passcode. This use of multi-factor authentication (MFA) is an important added layer of security.
Mobile e-commerce utilizes mobile wallets that can be used online or through apps, appearing as an option to pay with PayPal or with Apple Pay. This typically allows a faster checkout process. For example, once signed into PayPal, all the necessary information is already present and does not have to be re-entered.
3) Payment Devices
As long as your Point of Sale (POS) device has the ability to read contactless payment information and has this feature enabled (often referred to as CTLS), this payment method should be acceptable. There are no special considerations regarding P2PE vs. non-P2PE validated solutions, stand-alone analog terminals, etc. when it comes to being able to accept contactless payments in a compliant manner.
4) Compliance Risks
What sort of effect is there on your PCI compliance program if merchants begin accepting these payment methods?
In simple terms, this will not affect PCI compliance efforts: the full PAN is not passed through the payment device or accessed by merchants, and therefore does not fall under the requirements for protection. Even if an organization loses the data supplied from a mobile payment application, criminals could not use it because the process requires second-factor authentication (MFA) from the user through the payment application on their mobile device.
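The token model described in sections 2 and 4, worked through as an added example (constructed here, not code from the article or from any wallet vendor): the phone holds a random surrogate token and a device key, the merchant terminal only ever receives the token plus a per-tap cryptogram, and the issuer-side token service rejects both a replay of captured tap data and a tampered amount. The per-tap cryptogram is an assumption of this model; the article does not mention it, though real schemes (EMV payment tokenization) rely on one.

```python
import hashlib
import hmac
import secrets

# Simplified model of a tokenized contactless payment, constructed for illustration.
# Real schemes differ in message formats and key hierarchy.

def cryptogram(key, token, amount_cents, counter):
    """Per-tap MAC over the transaction data; a new value on every tap."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

class TokenServiceProvider:
    """Issuer-side vault: the only party able to map a token back to a PAN."""
    def __init__(self):
        self._vault = {}    # token -> (pan, device key); never leaves the issuer
        self._seen = set()  # (token, counter) pairs already accepted; blocks replay

    def provision(self, pan):
        # Random surrogate: no mathematical relationship to the PAN.
        token = "".join(str(secrets.randbelow(10)) for _ in range(16))
        key = secrets.token_bytes(32)
        self._vault[token] = (pan, key)
        return token, key

    def authorize(self, token, amount_cents, counter, mac):
        if token not in self._vault or (token, counter) in self._seen:
            return False                      # unknown token or replayed tap
        _pan, key = self._vault[token]
        if not hmac.compare_digest(cryptogram(key, token, amount_cents, counter), mac):
            return False                      # amount/counter altered in transit
        self._seen.add((token, counter))
        return True

class Wallet:
    """Phone-side wallet: holds the token and device key, never the PAN."""
    def __init__(self, token, key):
        self.token, self._key, self._counter = token, key, 0

    def tap(self, amount_cents, user_verified):
        if not user_verified:  # fingerprint/passcode gate from the article
            raise PermissionError("user verification required before payment")
        self._counter += 1
        mac = cryptogram(self._key, self.token, amount_cents, self._counter)
        return {"token": self.token, "amount_cents": amount_cents,
                "counter": self._counter, "mac": mac}

def demo():
    tsp = TokenServiceProvider()
    pan = "4111111111111111"                         # constructed test PAN
    wallet = Wallet(*tsp.provision(pan))
    tap = wallet.tap(1999, user_verified=True)      # all the merchant ever sees
    return {"merchant_has_pan": pan in str(tap),
            "accepted": tsp.authorize(**tap),
            "replayed": tsp.authorize(**tap),        # captured tap data re-sent
            "tampered": tsp.authorize(**{**tap, "amount_cents": 99999})}
```

Running `demo()` shows the merchant record contains no PAN, the genuine tap is accepted, and both the replay and the altered amount are refused.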
5) Acceptable Use
Be sure to check your organization’s policies on accepting contactless payments. You may also need to verify that your city or state regulations do not limit particular payment types into merchant accounts.
Can mobile payment fraud occur? As with any new and emerging technology, criminals also start to pay attention as the opportunity for compromising larger amounts of data increases. As stated above, no payment card information is directly available, so the risk of this information being exposed is low.
However, there are still risks for consumers using these applications. Due to their size, mobile phones are more susceptible to loss or theft. Encourage (or require) employees to implement use of a passcode and automatic lock out features on their mobile devices, as well as remote wipe, so if their device is stolen the thief does not have automatic access to the mobile wallet.
Security controls are also often limited on personal mobile devices, and smartphones are susceptible to malware and operating system vulnerabilities. Smartphones should be treated like small computers, with anti-virus software, anti-malware, etc. installed, as well as the use of strong passwords and multi-factor authentication.
A final risk is that stolen payment card details obtained elsewhere, from a hacked e-commerce site or a card skimmer, can be used to actually set up fraudulent mobile payment accounts. If a hacker has stolen card details, they may use this information to set up a Google Pay account, just as they could use your card number to make online purchases.
Mobile and contactless payments will continue to increase in popularity. If you are considering making these payment options available in your merchant locations, please don’t hesitate to reach out to us for additional guidance.
Some additional guidance from the CampusGuard Security Advisor team:
[Coudeyras]: Ensuring multi-factor authentication (MFA) is vital. For example, a combination of something you know (a password or PIN) and something you are (biometrics, such as a fingerprint). It is riskier to only utilize one factor – for example, unlocking a phone with a PIN, then authorizing a payment with a PIN in the application. Instead, utilize at least two factors – requiring a PIN to unlock the phone, then requiring a fingerprint to authorize a payment.