Data brokers collect an average of 3,000 data segments on nearly every U.S. consumer, says the FTC. And with wearable payment technology comes an entirely new avenue for even more data collection – but at the same time, an increased potential for security breaches. Doc Vaidhyanathan, VP Product Management, Digital Payments at CA Technologies, recently sat down with PYMNTS to discuss his POV on securing wearable technology including the Apple Watch, the Apple Pay fraud issue, and what he thinks is the biggest obstacle standing in the way of Apple Pay adoption.
Mobile payments’ evolution has entered a new phase, with Apple Watch being one example. One interesting development is that you don’t seem to need to authenticate with Touch ID as long as you have your iPhone on you. What are your thoughts on this?
DV: This is consistent with the trend we are seeing in the authentication world. Earlier, the trend was to make the authentication a big gate and have the user pass a rigorous test (complex passwords, two factors, etc.) to get access to a resource or be allowed to do an action. Now the trend is to be subtler about it and combine various factors (often without the user’s explicit active participation) to make a graduated decision.
Wearables open an entirely new avenue for data collection, and with that, the potential for security breaches. According to the FTC, data brokers collect an average of 3,000 data segments on nearly every U.S. consumer. How can this data be protected?
DV: Wearables are the next step in the continuum of miniaturization and personalization that we have seen from desktops to laptops to PDAs to mobile devices. Although significantly large amounts of data will be collected, not all of them are PII unless linked with the user. For example, my activity, eating and sleeping patterns are not relevant in themselves unless combined with other personal data about me. The trick here will be to make sure the attacker cannot easily combine data and derive material for an attack. The payment world has already started a trend here – by tokenizing the information that is available on the phone with Apple Pay. This token is limited in its scope to Apple Pay transactions only. So while a compromise could happen, it will be contained. Enterprises have to work with the assumption that the end user is not going to be particularly security aware – they have to build solutions that are resilient, contained and anonymized to the extent possible.
Apple Pay has shown us that the cybercriminals always find the weakest link and use it to commit fraud. For example, criminals are now using stolen credit card data to create iTunes accounts and then Apple Pay accounts on iPhone 6's. Is the banks’ verification process strong enough to stop fraud? Why or why not?
DV: This is a big gap and vulnerability area. The Apple Pay onboarding process provides an easy and consistent way for the consumer, but puts the card issuer in the driving seat on how best to verify the identity of the user. Banks are evolving this process and will adopt practices and solutions that are based on their experience and learning on how to minimize fraud during online purchase. Vendors like CA have adapted their anti-fraud solutions for precisely this use case and can leverage the data from eCommerce to minimize fraud in Apple Pay onboarding.
PYMNTS.com, in partnership with InfoScout, has recently released a study that shows that while Apple Pay adoption is improving, it still has a very long way to go. Will Apple Watch help ignite Apple Pay? In your opinion, what is in the way of Apple Pay adoption?
DV: Apple Pay in its first version is merely substituting the physical card with something on the phone. But this is the beginning of a platform that will evolve over time to combine other facets of the human experience and prove more valuable over time. In the first version, Apple Pay is reducing the time to take out a piece of plastic, swipe it and put it back. But that in itself is only a subset of the interaction at the Point of Sale (POS). Depending on the merchant there are several other steps – opting for a carry bag or not, entering the loyalty card number and electing to make a contribution to a worthy cause or not. So Apple Pay does not make a significant impact on the totality of the time at the POS. Along with Apple Pay platform changes and value additions, the merchant POS experience should also change – that will lead to higher adoption.
VP Product Management, Digital Payments, CA Technologies
As Vice President of Product Management for Digital Payments at CA Technologies, Doc is responsible for defining the Strategy and Product Vision for CA’s suite of products that enable Digital Payments.
Doc came into CA Technologies in Oct 2010 through its acquisition of Arcot Systems – where he was the Chief Product Officer. During his time at Arcot, Doc was responsible for the identification and definition of multiple products. In particular, he led the creation of the cloud infrastructure for delivering Authentication As A Service (AAAS) – establishing Arcot as the Cloud Authentication Leader – with over 120 million enrolled users and a high availability service that is PCI Level 1 certified and SSAE-16 Type II SOC1 compliant. Prior to Arcot, Doc held senior management roles – building and managing software applications for a variety of industries. Early in his career he worked as a VC making investments in startup and emerging companies.
Doc holds a B.Tech in computer science from the Indian Institute of Technology (IIT) and an MBA from the Indian Institute of Management (IIM). He has served on the board of CRY America – a non-profit focused on upholding children’s rights.