More from the “Tips for 2012” Series
- Platform Carcasses – How to Keep Yours Out of the Pile
- Making Your Loyalty Program Worth the Expense
Mobile Security – Although discussions of mobile payment security have long focused on security at the physical POS, the real story for mobile security in 2012 will be how to better secure the hundreds of billions of dollars of financial transactions that are already taking place via mobile handsets. Mobile banking is well-established as a mature category, as consumers have become increasingly comfortable checking balances, transferring money and paying bills via mobile handsets. Both SMS and smartphone-based online banking solutions might benefit from added security measures, as the sheer volumes of financial information now moving through mobile channels will become an irresistible target for hackers and fraudsters.
Moreover, with players like PayPal leading the way with more than $3.5 billion in mobile commerce volume in 2011, vulnerabilities in mobile apps, OS, etc., will undoubtedly come under attack. New forms of two-factor authentication are being touted by security companies, but face the typical adoption challenges by consumers looking for convenience and simplicity. Until major security vulnerabilities are exposed, most consumers are unlikely to look proactively for new security solutions. Banks and merchants, however, who bear some of the liability for security challenges, may in fact start to look at new security solutions, particularly if they employ, low-cost, consumer-friendly software implementations (vs. more expensive and cumbersome physical-token solutions).
EMV in the US – Is 2012 the Year? – Back in August, Visa announced aggressive EMV targets for 2012. (Read announcement) Starting in October 2012, Card Present merchants that have the ability to accept EMV chip cards (as well as comply with the Visa contactless specification) on 75% of their terminals will be able to eliminate the requirement for annual PCI Data Security compliance validation. This incentive is unlikely to be a key motivator for most large merchants, as their PCI Data Security compliance activities are typically part of a more extensive set of data security activities designed to protect the retailer’s brand reputation as well as avoid financial liability.
In addition, by 2015, those without the ability to handle EMV/contactless will face new liability for counterfeit card losses. Although the actual liability shift will not go into effect until 2015 (2017 for fuel merchants), the liability shift is a meaningful issue for most merchants, particularly, as fraud losses from EMV-compliant countries have started to migrate to non-compliant countries like the United States. Given this new Visa EMV push, most acquirers and retailers are starting to figure out how to factor EMV and mobile acceptance into their plans for medium-term POS investments. That said, it is not clear that 2012 will be the year for EMV changes to take place. For a variety of reasons, many retailers and banks are taking a “wait-and-see” attitude, proceeding with small scale pilots on both the POS and the issuing side. Alternative security solutions, like tokenization and encryption and two-factor authentication solutions that support a broader set of security objectives, may have higher priorities. Moreover, alternatives to EMV and the existing contactless NFC spec are already gaining traction in the mobile arena and may prove to have more momentum than the current EMV efforts.
Ultimately, there are a number of significant technology adoption issues in the mobile commerce, data security and authentication realms that have yet to settle out, and until they do, most retailers are unlikely to make major POS investments that lock them into a single security/contactless framework. Moreover, until domestic card issuance seems to be something more than a niche activity focused on a handful of international travelers, it is not yet clear whether the banks will be incented to spend the additional resources required to shift to wholesale chip card issuance. On balance, it looks as if 2012 will be a year for EMV pilots and “test and learn” activity, rather than full scale implementations.
Margaret is a Managing Director at Market Platform Dynamics and experienced payments industry executive with a proven track record of commercializing new technologies in small start-ups, and large multi-national corporations. Read More