'Complicated' m-payments industry needs standards

The entrance of new merchants unaware of security best practices and vendors prioritizing convenience over security when developing mobile technologies have complicated the mobile payments industry. As such, there is a need for industry standards to be established across the board, a Payment Card Industry (PCI) Council executive urged.

Bob Russo, general manager of the PCI Council, noted that mobile payments is gaining much traction globally with the proliferation of smartphones and tablets and the ease and convenience in using these devices to conduct financial transactions. However, ensuring security of payments made across the spectrum of devices available on the market today is difficult, he said during an interview on Wednesday.

Given that the industry is relatively new and many new technologies, including devices, apps, and payment software, continue to emerge, vendors are finding it difficult to ensure security across these technologies, he explained.

These companies also tend to prioritize convenience over security during the development process, which does not help the situation, Russo added.

One the retailers' end, the general manager pointed out that the low barriers to entry mean more merchants are entering the mobile payments arena. These companies, though, are often unaware of security risks and best practices involved in deploying the technologies. In fact, people who have not used credit cards before or understood IT security previously are now on board as merchants, he pointed out.

Additionally, retailers from emerging countries have also jumped on mobile payments despite their less-than-developed infrastructure and lack of familiarity with security protocols, he said.

These newcomers, Russo noted, have resulted in payment fraud activities migrating toward smaller merchants due to their lack of knowledge and adequate safeguards to protect their customers.

Ultimately, the executive says the overall mobile payments industry has become "complicated" by these factors, and it is "worrying" that standards have not been established for better regulation.

Technology, people and processes standards for security
The PCI general suggested that to address these security concerns, standards for the technology, processes and people need to be implemented both within companies and across the industry. This is because while many companies have implemented hardware encryption to safeguard devices, doing this alone will not guarantee security, he said.

Companies must educate their employees on potential security risks that they may face, as well as knowing what they should or should not do when handling payments such as how taking credit card details over the phone should be conducted, he stated.

"It all boils down to education," Russo said. "Vendors and merchants must be educated on the latest trends of mobile payments such as how to make their devices safer, what risks are involved and how customer payments should be handled securely."

The PCI Council is also in the process of establishing industry standards for mobile payments, and collaborating with its members such as banks, vendors and merchants, he noted. Standards will be established through security assessments, gathering feedback from members and information from the industry, he explained.

Asked if standards will be developed for near-field communications (NFC), Russo said it is not a priority right now.

However, most Europay, MasterCard, Visa (EMV) payment methods accept NFC so the standards developed for mobile payments will apply to the technology too, he added.