For consumers, convenience and rewards are the most commonly discussed benefits of near-field communication for mobile payments. There is also a substantial security benefit, though banks are reluctant to let consumers know.
NFC-equipped phones can enable two-way authentication that lets merchants and consumers alike verify that the other party in a transaction is legitimate and that a third party is not able to steal their payment details.
However, just as when they added dynamic authentication with contactless cards, banks are focusing their marketing attention away from these security perks; such talk can highlight how insecure magnetic stripe cards have become in today's environment.
"There is a fine line between educating the consumer and scaring the pants off them," said Nick Holland, a senior analyst at Yankee Group, in a panel discussion Wednesday at the Visa 2011 Global Security Summit in Washington.
The panel said that the infrastructure to ensure payments in a mobile environment is more secure than the Internet, as it builds on the investments made over the years to secure online transactions.
The number of smartphones is expected to exceed the number of personal computers within the next few years, experts said, and within the next year, NFC-enabled phones will number in the tens of millions, Mercator Advisory Group of Boston said in a report Wednesday.
With that in mind, Holland said it was important to manage consumer expectations around security.
"The issue is not just around payment, but around the consumer and merchant perception of mobile payments," Holland said.
Deepak Jain, co-founder and chief executive of DeviceFidelity Inc., a near-field communication and contactless payment company in Richardson, Texas, said the enhanced trust level for mobile partially stems from the ability of NFC smartphones to enable multiple levels of authentication for bank account access and payments.
This month, two major banks, Wells Fargo & Co. and JPMorgan Chase & Co., said they would offer EMV cards, commonly called chip and PIN, for international travelers (JPMorgan Chase's version would not use a PIN). However, Jain suggested that phones would leapfrog EMV technology in the U.S.
"The next generation of smart card is the NFC phone," he said.
DeviceFidelity is conducting mobile payments trials with Visa Inc., MasterCard Inc. and Bank of America Corp.
Michael Upton, E-channels and customer solutions executive for B of A, said that it is necessary to balance consumer convenience and enjoyment of the channel with security. If this balance is achieved, consumers can have the confidence to use their devices for mobile commerce. Such consumer trust, Upton said, had a huge value proposition and was an effective branding tool for the bank.
"We are taking advantage of a lot of the investments we have made in the infrastructure in online, and we are extending those security investments into mobile," he said.
William Gajda, mobile executive for Visa, said, "The mobile ecosystem is more secure than the Internet. We are starting from a better foundation than we found ourselves in with PCs."
As opposed to the Internet, where the driving industry and consumer concerns have always been with creating application security, the driving factors for mobile commerce are around process, said Zane Lackey, a senior security consultant for ISEC Partners of San Francisco.
"People have a lot higher level of trust with mobile network and mobile operators than they do with applications deployed over the Internet," Lackey said. Instead of security concerns, consumers have more privacy worries when it comes to mobile transactions, and they are concerned about data leakage and what kind of information is being collected about them, Lackey said.
Other industry analysts who attended the summit but did not speak on the panel were a bit more circumspect.
Thomas A. Layman, the president of Global Vision Group, an electronic payments consultancy in San Mateo, Calif., said that the degree of the technology improvements would vary for each smartphone.
"It is not clear that all payment transaction messages would necessarily be required to utilize that technology or information," Layman said in an email.
"There are a lot of potential points of compromise, just as there are in the various [point of sale] terminals and other payment acceptance technologies out there in the market today," he said.
Avivah Litan, vice president and distinguished analyst at Gartner Inc., said mobile commerce presented hackers and other criminals with an extremely diverse, though limited, set of platforms.
As such, "it will be difficult to create world-class and epidemic worms and malware," she said by email.
"Further, we'll see the evolution of permissions on mobile devices that will be able to stop the malware from attaching itself to the phone," Litan wrote.
Such permissions are typically set by customers when they download applications to their phones, and they set parameters around the kind of information the application can access.
But Litan said that the U.S. needs to move in tandem with the rest of the world, and to develop an infrastructure for chip and PIN cards that also supports contactless payments.
Gartner estimates that only 5% of mobile phone users will be conducting mobile payments by 2014.
"We can't wait around for that number to reach critical mass," Litan said.
"We need to do something today with the plastic Americans carry in their wallets," she added.
Litan predicted that the upgrades to terminals and other infrastructure necessary to support chip-and-PIN or contactless payments would take at least five to 10 years if they began right away.
