Establishing trust in mobile payments
At the start of the year, Thales released the findings of its latest annual global Data Threat Report, which found that as businesses everywhere undergo a form of digital transformation, the risk of data breaches has reached an all-time high.
According to the report, 37 percent of organisations use sensitive data with mobile applications and 91 percent are either using or are planning to use mobile payments. 41 percent of the organisations surveyed for the report expressed concern about the security of personally identifiable information (PII), with a similar number (39%) concerned over payment card information.
It’s worth noting, however, that securing mobile data against potential threats is not necessarily about encrypting the data on the mobile device itself. Indeed, beyond your name, not a great deal of PII is loaded on to a bank card in the first place, and any account numbers will be tokenised, and will only resemble the real number.
When it comes to the security of mobile payments or of any app that concerns monetary value, we need to start by establishing trust in the device. If I’m going to load my bank card’s information into Apple Pay or Android Pay, for example, it’s important to know that it’s being loaded on to the right device, and that I’m able to secure it.
This trust starts with a ‘digital birth certificate’, in which cryptographic credentials, or keys, are loaded onto the device from the start, by the manufacturer or carrier, to establish its unique identity. When sending sensitive information such as your tokenised account number over the air to a mobile device, these birth credentials will then allow you to authenticate the device and set up a session in which that information can be encrypted.
Some mobile devices don’t have a Secure Element to securely store cryptographic information or sensitive data, and payment information will tend to reside in the operating system instead. As this offers very little protection, banks will load a tokenised account number along with the keys necessary for signing and authenticating transactions. But as these keys can’t be protected and are, therefore, open to compromise, they must either be frequently updated or used only for single transactions. Protecting this sensitive information on a mobile device can, in these cases, become more about active management, such as having to change the password on your PC every so often.
Overall, protecting mobile data against potential threats starts with the use of cryptographic keys and ‘digital birth certificates’ to establish trust for an entire infrastructure. It’s about making sure payment credential information is not being sent to the device of a hacker who has intercepted a transmission from the bank.
Thales’s device credentialing solutions play strongly into putting these birth certificates into mobile devices during manufacture while our mobile payment solutions address the provisioning and security alternatives depending on device capabilities. Our payShield HSM product provides support for the protocols used to securely load and manage payment credential information on those devices.
As we saw in the recent Data Threat Report, the number of businesses using mobile payments continues to grow, along with concern about the security of these payments. Trust is needed to allay this concern, and this trust should start at birth. It’s time then to unlock the full potential of secure mobile payments.