
Security vs Convenience in Payments: Can We Really Have It Both Ways?


Most cash replacement products were introduced and became popular because of their convenience benefits - checks, magstripe cards, mobile wallets, etc. While security is touted as a feature, it has never been the primary motivation for the consumer to adopt a new form factor or to form a new habit.

Think about some of the best payment experiences you have had in mobile payments so far. I am sure Starbucks is one of them. The Starbucks app implementation illustrates the critical decisions that businesses have to make when it comes to convenience over security - the vulnerability was pointed out last year and became very evident yesterday.

Even mobile payments using Touch ID are no different. The key word here is 'Touch', not 'ID'. There is no central repository or clearinghouse of Touch IDs. The ability to quickly touch a finger on the button and take an action that is relatively hard (not impossible) for someone else to replicate provides enough assurance to the average consumer that it's 'good enough'. Neither Apple nor the banks supporting Apple Pay pitch it as more secure, but consumers might have understandably assumed that to be the case. Note that Apple requires the actual (alphanumeric) password to be entered when the phone is turned off and on. This mistaken assumption of 'Touch ID security' does not cost the consumer anything because the banks offer zero liability protection as a historical cost of doing business.

EMV might be different. This might actually be a step backwards in convenience: the consumer will have to learn a new habit; she will be more likely to forget the card in the POS (cases have already been reported; 9% of shoppers in Canada forget their EMV cards in POS terminals!); she might have to remember a PIN, etc. The merchants also have to deal with a lot: it is costing them an arm and a leg to upgrade terminals; it will take longer to service the lines at checkout - all this to reduce fraud and also the fraud costs for the issuers. The liability shift is a nice incentive, but that's attractive only if it's an issue in the first place - QSRs (quick service restaurants) may not see a need to shift any liability because small value transactions get aggregated and paid automatically today anyway if the amounts are lower than $35 to $50. It's more expensive for the banks to investigate these low value disputes, so they let them go.

Back to mobile payments: are biometrics other than fingerprints the answer? Before delving too deeply into some of these technologies (many of them of the 'cool gee-whiz' category) that are expensive, require new hardware and are not easily deployed, let's look at what's already possible with smart mashups of readily available data and resources. One such example is device fingerprinting. That's good, but not good enough because devices can be lost or stolen. How about IDs without a form factor? Those are also good, but need to cut across entities (banks and merchants). What's required is a multi-layered approach to identity, a network approach that builds on all of the above ideas and is continuously enhanced with information curated from various sources, creating a digital signature that gets better over time and with use.

If you want to learn more about this topic, you should read a detailed assessment that we did 6 months ago on companies leading the way in fraud and authentication. It's one of our LTP9 leaderboards that highlight the leading companies in a particular sector. As an example, the Payfone Signature is a deterministic, trusted mobile identity that is solid and secure. Through relationships with the US Tier 1 Mobile Network Operators (MNOs) as well as all the major US banks (through its partnership with Early Warning), the Payfone Signature leverages data directly from the MNOs to permanently bind, verify, and subscribe to mobile identity at the account level. Similarly, another solution comes from Authentify, which continues to expand its footprint in telephone-based, real-time, multi-factor, out-of-band authentication services.

The answer to Security vs Convenience in Payments probably lies in an old saying, "Success is a journey, not a destination" -- Arthur Ashe

Aditya Khurjekar


Aditya Khurjekar is CEO and founder at MEDICI (formerly LTP, Let’s Talk Payments), the trusted source for global FinTech insights and ecosystem engagement.

Previously, Aditya was a founder of Money20/20, and on the founding team at Softcard, the mobile commerce joint venture between AT&T, T-Mobile & Verizon. Aditya also held a number of leadership positions at Verizon Wireless, CSG Systems, Lucent Technologies and Bell Laboratories.

Aditya holds an MBA in Finance & Management from New York University and an MS in Electrical Engineering. He lives in Charlotte, NC and works with teams all over the world.