In September 2014, when Apple CEO Tim Cook announced the release of Apple Pay, he noted the “outdated and vulnerable magnetic interface” of credit and debit cards as one of the many reasons traditional payments were broken (clearly this was before the advent of EMV/chip cards; however, he still has a point, since only 22%-37% of retailers so far are processing cards as chip versus swipe). Immediately, outlets like The Verge were calling Apple Pay “revolutionary,” even though PayPal and Google had already launched similar efforts. But those efforts weren’t widely adopted and were considered by many to be failures due to incompatible and confusing systems. And Apple had a reputation for learning from the mistakes of others.
Early reviewers approved of the service and commented on its ease of use, and Apple reported more than 1 million credit cards were registered with Apple Pay in the first three days following its launch. And in 2015, Android and Samsung released their own versions of the service. Mobile wallets had a ton of momentum in 2014 and 2015, so why, nearly two years after the initial launch, are people continuing to rely more on traditional plastic cards than mobile wallets?
It certainly isn’t because of their limitations — services like Apple Pay, Android Pay and Samsung Pay are accepted at most major retailers. Add to that the announcement from banks, including Chase and Wells Fargo, that in the next two years they’re rolling out ATMs enabled with near field communication (NFC) – the technology used by mobile wallets to transfer data from your phone to a payment terminal without even touching it – and you’d expect everyone with a smartphone to be setting up their mobile wallet.
But when you consider the ever-increasing, ever-evolving threat of cyber crime and the number of data breaches that have resulted in stolen identification and payment information, it’s no wonder people are hesitant to add financial information to any type of electronic device.
According to a study by Protiviti, 35% of people surveyed said they believed mobile wallets are less secure than traditional magnetic swipe cards, and 30% felt they were about as secure as cards. That’s some serious skepticism, especially when you consider that our physical plastic cards aren’t very secure at all – although the chip card itself has been a step in the right direction to secure the physical card from counterfeiting, Wal-Mart’s latest lawsuit against Visa demonstrates that retailers strongly believe the cards still need to be backed up with a PIN and not a signature.
The EMV chip is only one of the elements essential to protecting card data during a payment transaction; the other two are tokenization and Point-to-Point Encryption (P2PE). While traditional card providers and merchants are still struggling to adopt some of these technologies, mobile wallets make use of NFC and tokenization to keep data secure.
The Protection of Data in Mobile Wallets
First, mobile wallets utilize NFC, which means the presence of a physical card isn’t necessary, and you don’t have to worry about someone running off with your card or wallet. And, if someone steals your phone, both main smartphone providers (Android and Apple) offer ways to lock and erase data from your phone remotely.
Second, Android, Apple and Samsung mobile wallets utilize a form of tokenization to protect data during a transaction. When you enter your card details, they are encrypted and sent to Apple, Android or Samsung servers. Then, the information is decrypted, the card’s payment network is identified, and the information is re-encrypted with a key only the card’s payment network can use.
The network then creates a Device Account Number for your phone that is encrypted and sent back to the phone manufacturer. The Device Account Number can’t be decrypted or stored with the device manufacturer, and it is kept separate from the phone’s operating system and isn’t backed up in the cloud.
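A simplified model of the tokenization step described above, added here as an illustration and not code from Apple, Google, Samsung or any payment network: the network-side vault issues a Device Account Number for one phone and is the only party able to map it back to the card number. `NetworkTokenVault`, the device IDs and the test card number are hypothetical, and the encryption of card details in transit is left out.

```python
import secrets

def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(number: str) -> bool:
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == number[-1])

class NetworkTokenVault:
    """Hypothetical payment-network vault: the only holder of the token -> PAN mapping."""
    def __init__(self):
        self._by_token = {}  # Device Account Number -> (PAN, device it was issued to)

    def provision(self, pan: str, device_id: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN fails the Luhn check")
        while True:  # random surrogate with no mathematical relation to the PAN
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 1))
            dan = body + luhn_check_digit(body)
            if dan != pan and dan not in self._by_token:
                break
        self._by_token[dan] = (pan, device_id)
        return dan

    def detokenize(self, dan: str, device_id: str) -> str:
        pan, bound_device = self._by_token.get(dan, (None, None))
        if pan is None or bound_device != device_id:
            raise PermissionError("unknown token or token presented by another device")
        return pan

def demo() -> dict:
    vault = NetworkTokenVault()
    pan = "4111111111111111"  # constructed test number, not a real card
    dan = vault.provision(pan, "phone-A")  # all the phone and merchant ever hold
    try:
        vault.detokenize(dan, "phone-B")   # token copied onto a different device
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    return {"token_differs": dan != pan, "token_luhn_ok": luhn_valid(dan),
            "network_recovers_pan": vault.detokenize(dan, "phone-A") == pan,
            "replay_blocked": replay_blocked}

if __name__ == "__main__":
    print(demo())
```

A merchant breach in this model exposes only the Device Account Number, which is useless without the vault and the device it was issued to.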
Risk is Still Present
However, as we know from traditional payment methods – including credit and debit cards, which also utilize tokenization in some fashion – no technology is completely free of risk. There have been reports in the past of lapses in verification between Apple Pay and banks, which could make it possible for hackers to link cards to their Device Account Number through information gathered from online stores. The problem wasn’t widespread, but it did happen.
EMarketer Inc. estimates only 9.6% of users made mobile payment transactions in the last year. This tells us widespread adoption of these services is still a long way off, and people still view these services as vulnerable to cyber-attacks.
Interestingly enough, a 2015 presentation by market research firm Walker Sands found that in terms of security, only 1% saw mobile payments as secure – and in this question, cash still reigned as king, with 56%, followed very far behind by credit cards at 22% and debit cards at 116%.
Which pretty much says that ALL payment methods (outside of the paper dollar) have some security work to do in the eyes of the consumer. This is our focus at Bluefin – how we can use our P2PE, tokenization and transparent redirect technologies, in combination with EMV for point of sale, to ensure that no matter the electronic payment type, the transaction is protected.