In the final pre-launch days, a possible issue with Apple Pay has come to light – does Apple or the card issuer know who is actually loading a credit card into Apple Passbook? As Apple Pay and the myriad of payment alternatives become available to tens of millions of consumers, mobile payment providers and card issuers face a basic problem – is the person loading a credit card into a mobile wallet the account holder of that card?
As the excitement over Apple Pay grows and the clamor for Apple-esque simplicity that consumers have come to expect from all mobile experiences, the challenge for both mobile wallets and card issuers will be determining what level of security they must add to ensure that credit cards added to mobile wallets belong to the right consumers… without stifling adoption and usage.
Here’s a simple illustration of the risks involved in elevating simplicity over security that takes place even before a payment transaction is conducted– a consumer handing their card to an ill-intentioned restaurant worker who simply loads the consumer’s card onto their own Apple Passbook account. From that point on, Touch ID and tokenization kick in to guard against typical fraud scenarios, but it’s not enough. The damage is already done and a perfectly secure transaction will be authorized on a compromised account. In less than five minutes, not only has the consumer paid for dinner – she now may be picking up the tab for multiple unauthorized transactions. These losses all accrue to the issuers.
We read the Apple Pay security and privacy overview to delve into the details of how Apple has approached this issue so far:
"If you use the camera to enter the card information, the information is never saved to the device or stored to the photo library. Apple decrypts the data, determines your card’s payment network, and re-encrypts the data with a key that only your payment network can unlock. Then it sends the encrypted data, along with other information about your iTunes account activity and device (such as the name of your device, its current location, or if you have a long history of transactions within iTunes) to your bank. Using this information, your bank will determine whether to approve adding your card to Apple Pay.”
So essentially in cases where new cards are added by taking a picture, a set of information is sent to the issuer for approval. As Apple’s documentation shows, it includes things such as the name of your device, its current location, and history of transactions within iTunes. But what it is a new device (as all iPhone 6s will be) and what if there is little to no iTunes account history. The issuers will need balance spending a lot of time with each consumer on the phone with call center agents or take the risk on letting the card be added. Overall, a tricky situation, considering how lofty consumer expectation will be for a magical experience. Experts believe that additional, new factors of authentication will be required to fill the gap of experience and security. As an example, when a payment gateway deals with an e-commerce transaction, its fraud detection and prevention engine will perform several verifications including velocity checks, geo-location, time of the day, type of item purchased, cross check against negative database, name, billing address and various other patterns and parameters. Additionally gateways are starting to look at mobile device inputs that further bolster certainty. What will be the equivalent of this in the physical world for in-store payments using Apple Pay?
We reached out to experts who spoke at The money Event’s Fraud and Authentication track earlier this month and asked for their view. Examples of new, mobile-centric factors can be a combination of hardware inputs, mobile network inputs, as well as device and SIM inputs. This new set of parameters could add unprecedented security to Apple Pay, and tokenization in general, while delivering the magic that Apple desires.
So the core issue is that most of the authentication systems were designed for the PC environment. What’s the point of sending an SMS code to the mobile if the mobile can authenticate itself? We need "made for mobile" payments authentication, and there is plenty of untapped “mobile” DNA that needs to be leveraged in “mobile payments”.
We asked Tom Noyes, CEO, Commerce Signals for his view on which companies could provide these types of new capabilities:
The key to its success is not security, but in tying a real person, to their biometrics, phone and bank account. Payfone is the only company that currently provides this service, through strong trust and data relationships with both Banks and MNOs, I hope Apple joins them… quickly.
Fundamentally, mobile payments security will benefit from a multi-layered solution: Apple has already integrated Touch ID; companies like Payfone bring the mobile-originated capabilities, and others such as Socure can bring the social graph to play a meaningful role in transaction security.
The point is that collaboration is required within the broader ecosystem to bolster and continuously evolve the security and authentication systems. Fintech startups can play a big role in this endeavor and can help Apple Pay and other platforms to become mainstream and more secure at the same time.
Tom was also quick to point out that “Apple, together with Visa and MasterCard, has created the most secure payment method in the last 20 years”. We agree, but what’s become evident from Apple Pay and by extension from all mobile wallets, is that security needs to be thought through from a fresh, mobile first perspective – we can’t just focus on the point of sale, it has to start from the very beginning, the moment a mobile wallet is opened for the first time.