New security standards for mobile payments coming
A financial services technology group is developing standards for making secure mobile payment transactions.
The project is an effort of the Financial Services Technology Consortium (FSTC), an industry group comprising banks, technology vendors, researchers and government organizations, which develops technology standards for the financial services sector.
The goal of the project is to develop standards and processes so that banking customers are able to securely pay a merchant or another bank customer using their phone, no matter what mobile device or carrier they use, John Fricke, chief of staff at the FSTC, told SCMagazineUS.com on Wednesday.
This week the FSTC announced the completion of phases one and two of the project, in which goals for improving mobile payment security were established and technologies were identified. It will now move on to phases three and four, during which standards will be created and roll-out strategies established, Fricke said.
Mobile payment methods soon will become more widespread, allowing consumers to pay businesses, other consumers, or the government from their mobile devices, Fricke said.
Some retailers already offer consumers the ability to pay for an item by scanning their phone past a reader, which verifies the payment. Mobile payment transactions also are being conducted online. And in the future, consumers simply will be able to send a text message to make a payment, Fricke said.
Creating standards to secure mobile payments is difficult because consumers use different phones and carriers, Fricke said. Security needs to be standardized so that if a consumer is paying someone else, the two devices are able to correspond with one another.
“We are going to raise the bar on the security of financial transactions,” Jim Pitts, managing executive of the FSTC's Payments Standing Committee (Payments SCOM), told SCMagazineUS.com on Wednesday. “Payments will become more secure with these new technologies, instead of less secure like some people think.”
The biggest threat surrounding mobile financial transactions is that when a device gets lost, the finder would likely be able to conduct unauthorized transactions. In addition, the finder could also install malicious software on the device prior to returning it to the proper owner, Randy Abrams, director of technical education at ESET, told SCMagazineUS.com in an email Thursday.
The FSTC has an “enormous task” if they really want to make mobile payment transactions more secure, Abrams said. He added that the cost of “doing it right” will likely cause significant pushback from the financial services industry.
Similarly, Paul Kocher, president and chief scientist at Cryptography Research, told SCMagazineUS.com Thursday in an email that with so many stakeholders involved in mobile payment systems – including consumers, issuing banks, merchants, carriers and handset makers – it is going to be difficult to find any technical solution that everyone will agree to.
To ensure security in mobile transactions, the FSTC likely will include in its standards that some type of chip must be used in mobile devices, much like a SIM card or memory chip, to authenticate the device and authorize the payment, Pitts said. He added that the standards may also recommend that individuals be authenticated before making a purchase.
“The chips would be utilized in the majority of payment transactions done on mobile phones,” Pitts said.
Once the project is complete, FSTC's recommended standards will be submitted to the American National Standards Institute (ANSI) and the International Organization for Standardization (ISO), which will use the input, along with feedback from other groups, to publish recommended standards for the industry.
The FSTC is looking for technology providers who would like to participate in the next phases of the project. For more information, contact the FSTC at (202) 589-4308 or email firstname.lastname@example.org or email@example.com.