Balancing Security and Convenience
by Chris Mark (EVP; Emerging Markets at ProPay, Inc.)
Mobile payment technology is an exciting topic that stirs endless debate and inquiry. While Visa has stated that “NFC (Near Field Communication) is emerging as the de facto technology standard,”  consumers have yet to validate this position as NFC, mobile swipe technology, web-based payments, or some as yet undiscovered technology, jockey for position. Irrespective of which technology or technologies emerge as the winner, the fact remains that security will likely continue to be an afterthought to convenience. Recently, the debate surrounding mobile security has reached a fevered pitch. On one side of the debate are the companies working toward building security into their products, while on the other side are those who either discount the need for security, sometimes citing the “protections that are built into the card” or are misinformed about how to protect data. Data security, like all security, consumes resources, increases complexity of processes and products, decreases efficiency, and increases time to market. Unless required to implement security, many companies will choose the path of least resistance and simply ignore the need for security or find ways to pass the proverbial buck to the consumer, card brand, or other party. While it is easy to cast aspersions on those that don’t view security in an altruistic light, in reality, it is simply a function of human nature and market forces that allow and even encourage businesses to produce products that capture the greatest market share in the shortest amount of time. An additional barrier restricting companies from including security in their products is that many consumers don’t understand the risks and do not demand security as a feature until a breach or other incident makes them aware of the importance of securing data.
Examples abound of companies, and even entire industries, that were unsafe or reckless until required to change their operations by the Federal government or other regulating body such as the Payment Card Industry Data Security Standard (PCI SSC) or card brands. Those familiar with the history of the PCI DSS, for example, know that it was a single event that truly put the industry on notice and compelled the payment card industry toward self-regulation. In 2003, a payment processor in Nebraska experienced what was then the largest breach to date. Over 17 million accounts were stolen and transmitted overseas. Until then, the Cardholder Information Security Program (CISP), and the Site Data Protection Program (SDP), which were Visa’s and MasterCard’s security schemes preceding the PCI DSS, were considered ‘best practices’ and compliance was neither mandated nor enforced. After the breach, both Visa and MasterCard began mandating compliance with their security standards. By 2006, the entire industry had adopted the PCI DSS and all of the major card brands were requiring and enforcing compliance.
This theme of disaster, followed by regulatory reaction is familiar to the mainstream in the wake of 9/11 and the USA PATRIOT Act, and the tech and housing bubbles and their subsequent regulations, but it is certainly not just a 21st century phenomenon. For example, one catalyst for passing the Pure Food and Drug Act (PFDA, 1906) and forming the Food and Drug Administration was the publication of Upton Sinclair’s book The Jungle, which described the horrific and unsanitary conditions inside the Chicago meat packing industry. A particularly relevant quote from the book reads:
"This is no fairy story and no joke; the meat will be shoveled into carts and the man who did the shoveling will not trouble to lift out a rat even when he saw one." Chapter 14, pg. 162
While it is doubtful that the owners of the plant or the person shoveling would consider eating the meat from the factory, there appears to be little concern for the safety of the consumers of the product. This is a clear example of profit taking precedence over safety.
Another relevant example is that of the Highway Safety Act (HSA) of 1970 passed after publication of Ralph Nader’s book, Unsafe at Any Speed. While Nader’s book did not alone foster the passing of the law, the book highlighted for the American public what the automobile manufacturers already knew; that the cars being manufactured by some companies had serious design flaws that put drivers and passengers at risk.
It is unfortunate yet true that regulatory bodies are hesitant to pass legislation until there is public outcry. Notice that the PFDA and HSA were only passed after the publication of books that highlighted the deficiencies in a particular industry. Compliance with the PCI DSS was not mandated until major data breaches made the public aware of the security deficiencies within the payment card industry. This is not a unique approach to policymaking. Overregulation often stifles growth and hinders innovation. For this reason, the U.S. government prefers a laissez-faire approach to the market. In short, efforts are made to promote growth, adoption and profitability while not imposing controls that hamper those goals. Even our own industry, payments, employs this strategy. Recently, the Payment Card Industry Security Standards Council (PCI SSC) made a public statement that mobile applications would be evaluated at a later date. They then took the step of delisting previously validated mobile payment applications. A January 25th, 2011 statement said, in part: 
“Until it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the Council will not approve or list mobile payment applications used by merchants to accept and process payment for goods and services as validated.”
A more recent example is that of the major card brands’ hesitance to implement EMV technology within the U.S. market. While there is little debate surrounding the security advantages of EMV over magnetic stripe data, and while the rest of the world continues to move toward EMV, the U.S. market is not considered a candidate due to the perceived impact on the market at large. As stated in a Visa press release dated February 9th, 2011:
"With the United States facing government price controls on debit and restrictive routing and exclusivity rules, it is not feasible or appropriate to drive the market toward major infrastructure investments, especially in an environment where financial institutions could lose billions in revenue as a result of the regulation," said Bill Sheedy, Group Executive for the Americas, Visa Inc. 
In the hyper-competitive mobile payments market, the same forces that would allow a meat packing company to operate in the manner described in Mr. Sinclair’s book, and allow the US Market to delay the implementation of EMV, also impact the manner in which mobile payment vendors approach data security. Companies are under constant pressure to get products to market in the most cost efficient manner possible. According to the 2010 World Payments Report , the mobile payments market is estimated to exceed $1.13 trillion by 2014. These projections have companies scrambling to capture market share, but with what considerations for security? It is unfortunate that the combination of a new market and new technology often means that security is sacrificed for the sake of market share.
Information security, and particularly mobile security, makes for interesting and complex debate within the payment card industry. People are passionate about their positions and information security professionals (this author included) often have the luxury of residing in ivory towers and espousing advice in complex terms and acronyms that often confuse the uninitiated. Application Layer Firewalls, Stateful Packet Inspection Firewalls, File Integrity Monitoring, 802.1x, 802.3, Heuristic Virus Detection, certificate authorities, and more are all common terms thrown about by security professionals. The complex and often nuanced topics allow for finger pointing, shifting of responsibility, and misinformation. While traditional data security can be confusing, mobile security adds an additional layer of complexity to the discussion. Evidence of this can be seen in the willingness of companies to promote mobile practices that would be considered insecure in traditional circumstances. Companies that would never think of storing or promoting the storage of unencrypted data on a personal computer or server (hopefully anyhow) appear to have little problem advocating the storage or transmission of unencrypted data on a smartphone, which for all intents and purposes is simply a computer.
Some of the more curious comments posted by prominent mobile payment vendors in the public domain over the past few weeks include the following:
“Your payment data should solely be stored on your phone and not in someone else’s database …This is the only thing that truly deters hackers from going after a big score.” 
The statement above is a frightening proposition. In fact, in early 2011 Google removed 21 applications from their Android app store that were identified as having been infected with malicious software. To suggest that it is a safer proposition to retain sensitive data on a mobile phone than with a trusted third party is akin to recommending that your life savings be stored under your mattress as opposed to deposited in a bank.
Another prominent vendor, in response to a claim that their own device was not encrypting data, that such concerns about security “overlooks all of the protections already built into your credit card.” 
Granted there are fraud control technologies that are built into payment cards, but this apparent attempt to shift responsibility solely to the card brands is troubling. This statement appears to ignore the impact to the merchants (ostensibly the vendor’s customers) and instead focuses on the protection given to the cardholders by Federal law, the issuers, and the card brands.
All participants in the payment process play a role in fraud prevention and security of data. Card brands define and enforce payment security and fraud rules. Card brands and payment card issuers are responsible for fraud identification, and development of authentication mechanisms. Merchants are responsible for ensuring compliance with the rules defined by the card brands (including PCI DSS), ensuring the security of their networks, applications, and systems. Additionally, merchants are responsible for employing fraud prevention controls such as authentication mechanisms (CVV2, 3DSecure, etc.). Cardholders are responsible for protecting the cards in their possession and not purposely or accidentally providing the information to unauthorized parties. Finally, 3rd party vendors and service providers are responsible for developing solutions that support the objectives of the other groups.
Mobile payment technology is exciting, but as with any new technology, it is incumbent upon industry participants to understand the risks inherent in the technology and the role they play in mitigating those risks. Each participant should ask: Do the risks introduced outweigh the convenience? Does the product address the significant concerns of all stakeholders (merchants, consumers, issuers, etc.)? While I am not advocating strict regulation for mobile payments, it is important to understand that without regulation there will always be free riders that do not act responsibly, and as such, it is imperative that the other stakeholders ensure that they are self-policing for the benefit of the industry. As innovative as the payments industry has been in responding to the PCI DSS and the increased level of state and federal regulation of privacy and security practices, one can only imagine the ways in which mobile data can be protected. Rather than seeing mobile security as an obstacle, the industry should view the protection of mobile data as a challenge to ingenuity and an opportunity to differentiate. In the meantime, merchants, vendors and consumers should all practice caution and due diligence when selecting a mobile payments solution.
 “A letter on credit card security and Square.” March 9th, 2011: www.squareup.com