Mobile Payments as a Security Control?

Mobile Payments
Author: Rob Clyde, Chair of ISACA Board Governance and Nominating Committee
Date Published: 1 July 2016
español | italiano | 中文

Ask any merchant and he/she will tell you that accepting credit card payments comes with its own set of security challenges. Not only are there the (fairly prescriptive) requirements of the Payment Card Industry Data Security Standard (PCI DSS) to worry about, but being a security professional in a merchant context comes with a host of other things to cause concern as well. This includes staying ahead of potential fraudulent transactions, keeping tabs on where cardholder data are stored and the paths the data traverse inside a merchant’s environment, ensuring the appropriate delineation between the cardholder data environment (CDE) and other environments, evaluating the security and compliance status of service providers, and numerous other issues.

The point is, payments can be challenging from a security point of view. Since no one has an unlimited budget, the onus is on security practitioners to find creative ways to address those challenges in a budget-conscious and efficiency-focused way. Being creative in this context often means looking to sometimes seemingly unorthodox ways to squeeze every drop of utility out of the opportunities that present themselves to advance security interests while ensuring those opportunities remain minimally impactful to business operations.

Believe it or not, mobile payment acceptance can be one such avenue. By understanding how mobile payments work under the hood—and looking for creative ways to turn that into an advantage from a security point of view—stakeholders can potentially take a few steps to move their security programs forward while, at the same time, providing a valuable service to customers.

Why Mobile Payments?

Frankly, that statement might sound crazy to many practitioners. For example, ISACA’s 2015 Mobile Payment Survey found that 87 percent of the 900 security practitioners surveyed expected to see an increase in mobile payment data breaches in the next year. About half (47 percent) indicated that mobile payments are not secure, and only 23 percent responded that mobile payments are secure in keeping personal information safe. So, clearly, it is an understatement to say that the profession views mobile payments with skepticism.

That said, it is worth considering the alternatives to mobile payments. Ponder for a moment the avenues for fraud and abuse available each and every time customers present their card to initiate a card-present transaction. Anytime the card is out of the cardholder’s wallet, there exists the opportunity for it to be lost or stolen. There is the possibility of interception via the point of sale (i.e., via a skimmer), the opportunity for theft via the logical storage on the point of sale (POS) itself, the possibility of network sniffing between the POS and whatever system hands the payment details off to the payment processing back end, etc. At each and every step along that path, things could go wrong in a big way.

Now, compare that with a mobile payment scenario such as Android Pay, Samsung Pay or Apple Pay. Under those models, the primary account number (PAN) is protected via payment tokenization, transactions are authenticated using strong cryptography, and there are mechanisms in place to mitigate or even eliminate many of the fraud scenarios that one might encounter in a traditional card-present context. Moreover, there is a robust binding between the cardholder and the payment transaction itself via the requirement for supplemental authentication (biometric or personal identification number [PIN]) before payment can be initiated.

No one is saying that mobile payments universally have more robust security properties in every use case that exists, rather it is simply suggested that there can be advantages in many situations relative to a traditional card-present transaction. Understanding that this is the case, mobile payment acceptance can then move from challenge to opportunity.

Practical Risk Reduction

With this in mind, what are some ways that mobile payments can be leveraged to gain traction for security professionals in the field? The first area is to understand the security properties that mobile payments have and the possible benefits/drawbacks that come as a result as outlined here. To do this is not to suggest that one must read engineering specifications or the like, but it does behoove security professionals to understand the concepts at a high level since, ultimately, they will be making risk decisions about it. ISACA’s recent white paper, Is Mobile the Winner in Payment Security?, outlines the business (and, yes, security) value propositions and describes some controls that can help security practitioners in the field mitigate some of the possible risk.

As the white paper explains in more detail, one of the key advantages of mobile payments using payment tokenization is that the PAN is not actually stored on the mobile device or transmitted to the merchant. Even if the merchant network is compromised, the PAN is not compromised, thus reducing the risk of theft or fraud.

This is a good starting point, but there is an additional way in which mobile payments can provide value to security programs even beyond this: Specifically, since the deployment of mobile payment acceptance requires an in-tandem refresh of the POSs in retail locations, that refresh can itself provide a useful opportunity to revisit those retail locations and simultaneously take a broader look at the security countermeasures in place (since, as any merchant can tell you, retail locations are often the point at which specific challenges occur).

Coupling a systematic revisiting of the security measures in place for retail locations—both as it pertains to the POS and to the location more generally—has a number of benefits. Keep in mind that to complete the documentation required under the PCI DSS program (a Report on Compliance [RoC] for larger merchants or a Self-Assessment Questionnaire [SAQ] for smaller ones), a subset of these locations would likely be under investigation potentially anyway. Specifically, since the retail locations involved in a payment transaction will almost always be part of the CDE, they are almost always included in an assessment. This means that the budget employed for the refresh of the POS could potentially serve two purposes by both upgrading that POS (and potentially mitigating certain areas of risk that already exist) as well as creating a broader opportunity to revisit other potential areas of concern at the retail locations themselves.

The rollout of mobile payment acceptance is certainly a challenge and carries with it an understandable uneasiness as the technology itself is relatively new. However, it does also present an opportunity for savvy professionals who know what to look for and can—like judo experts—turn the situation to their advantage.

Robert Clyde, CISM
Is managing director of Clyde Consulting LLC (USA). He also serves as a director on the boards of White Cloud Security (trusted app list enforcement); TZ Holdings (formerly Zimbra), a leader in community and collaboration software; and Xbridge Systems, a leader in data discovery software. He chairs a board-level ISACA committee and has served as a member of ISACA’s Strategic Advisory Council, Conference and Education Board, and the IT Governance Institute (ITGI) Advisory Panel. Previously, he was CEO of Adaptive Computing, which provides workload management software for some of the world’s largest cloud, high performance computing (HPC) and big data environments. Prior to founding Clyde Consulting, he was chief technology officer at Symantec and a cofounder of Axent Technologies. Clyde is a frequent speaker at ISACA conferences and for the National Association of Corporate Directors (NACD). He also serves on the industry advisory council for the Management Information Systems Department of Utah State University (USA).