More Questions Than Answers In Quest To Secure Online Payments

Near the end of the Federal Reserve Bank of Chicago’s one-day payments symposium Sept. 26, Wal-Mart Stores Inc.’s Jamie Henry posed a question that had yet to be answered during the previous eight hours.

“What are the next steps in improving security in online payments?” the retail giant’s senior director of payment services asked during a panel discussion.

The Fed’s conference, held in conjunction with the Secure Remote Payment Council, sought to answer the question or at least get the conversation going in the right direction.

But what Henry and others found is that there are more questions than answers in the industry’s efforts to protect sensitive information when consumers make purchases online or from a mobile phone.

The council’s goal is to promote a set of best practices for payment companies and merchants involved in e-commerce and mobile transactions. The organization, however, first must address various issues before it can agree on which best practices to promote, says Steve Elefant, the former chief information officer at Heartland Payment Systems Inc. who now is managing director for venture capital firm Soaring Ventures Inc.

“On the mobile side, there are ways to secure [sensitive information] that gets into the phone using encrypted readers,” Elefant says regarding mobile-acceptance devices. “No matter what kind of [malicious software] is in the phone, if [the information is] encrypted, it’s just going to pass through the phone on the way to the processor.”

To help secure online transactions, the council is working with industry stakeholders to determine how to protect the data as early as possible in the payments process, Elefant notes.

“There is no one right answer here,” he says. “There are a lot of stakeholders with different agendas, and the council–and the Fed even–are trying to think through a lot of different scenarios.”

For now, it appears the council will focus on securing e-commerce because it is a more immediate concern compared with a developing mobile payment and acceptance market.

“But some of those things that you start to put together for e-commerce you have to make sure can be ported to mobile products as well as that channel develops,” Paul Tomasofsky, the council’s president and executive director, tells PaymentsSource.

E-commerce and mobile payments already share some characteristics in that both have certain elements such as a card number that need protecting, he adds.

“There are certain principles that apply to any type of payment regardless of how they’re made,” Tomasofsky says. “They are not different for mobile than any other channel.”

But bringing e-commerce security models to mobile will be difficult because that market contains what seems like an infinite number of approaches, he says. For example, at least a dozen companies offer mobile card-acceptance devices, not to mention the Google Wallets and Isis’ of the world.

“There is no question with the experimentations in mobile that it does make it more difficult to apply [e-commerce] security models because you don’t know how things are going to work,” Tomasofsky says.

Companies, however, can use mobile as an authentication tool for Internet transactions, Tomasofsky notes.

Adaptive Payments provides such a service. The Ft. Lauderdale, Fla.-based company uses what it calls a five-factor authentication process that combines cardholder information and transaction data with the PIN consumers are accustomed to using at the point of sale or at ATMs. The technology also validates a consumer’s Internet protocol address and phone number used in the transaction.

Merchants integrate the E-commerce Checkout system into their checkout software. To complete a transaction, consumers enter their phone number in a dedicated field on the retailer’s checkout page. An automated system then calls their phone to verify the transaction details, and they enter their card PIN using the phone keypad to complete the transaction. A hardware-security module on Adaptive’s back-end system encrypts the PIN before Adaptive sends the transaction information to a payment gateway to begin the processing cycle.

Executives appear at odds over the consumer’s role in the authentication process.

Several executives who spoke at the symposium suggested consumers do more to protect their transactions. Others, however, cited consumer apathy toward such authentication methods as MasterCard Worldwide’s SecureCode and Verified by Visa.

Elefant does not favor putting more responsibility for securing payments on consumers.

“As a merchant and as an industry, we don’t want to create more friction to make it harder for people to buy,” Elefant says. “The whole idea is to make it as simple as possible, like the Amazon’s 1-Click idea.”

Amazon’s 1-Click enables consumers to enter their payment preference and shipping address once and then click a single button to pay in subsequent visits to the online retailer.

“The industry has to look at how we can use various tools between end-to-end encryption and tokenization and securing the environment at the [point of sale] instead of trying to push this onto the consumer,” Elefant says.

The council plans to keep the dialogue going through similar meetings, white papers and other projects.

Tomasofsky wants to create groups within the organization to tackle the issues and address problems one at a time.

“We need in the industry a go-to source to say exactly what the size is of the problem we need to solve,” he says.

It may be some time before the council truly answers the questions Henry first raised.
