THE MOBILE LANDSCAPE

Smartphones are increasingly becoming an indispensable tool in daily life. A third of Canadians own smartphones and the numbers are growing exponentially. A vast majority may leave their wallets behind but can't think of going anywhere without their phones. As new services emerge, Canadians are starting to research and shop using their smartphones, with 20% of smartphone users having made a purchase on their phone.1 In fact, smartphone market penetration has grown from 5% to 40%, despite the economic downturn.2 The implication is clear: mobile will become pervasive and having a coherent strategy is critical to customer engagement.

Canadian banks have started going down this path and have introduced mobile banking on major smartphone platforms: BlackBerry, Apple and Android. However, adoption of mobile banking has been slow. According to a PwC survey of Canadian consumers3, just 13% of Canadians use mobile banking applications on their smartphones. That said, online traffic has begun shifting from personal computers to mobile devices, and tablets are replacing desktops. A range of players, including PayPal, Google and Starbucks, have begun offering mobile payments and launched mobile payment platforms in 2011.

A mobile payment transaction allows the transfer of value from one entity to another: person to person, person to a merchant or between merchants. The use of the word 'value' is deliberate – besides funds, value transfers can encompass coupons, offers and loyalty points. In the past, payments were the exclusive domain of banks. Bank-owned or bank-participated networks were the primary basis for funds transfers. With smartphone adoption, a range of new players – telephone companies, technology providers and device manufacturers – see an opportunity to provide services and secure their share of transaction rewards. This is important to banks, which have never had to trust someone else's systems to carry out their customers' payment transactions. More importantly, as a channel, mobile awards less exclusivity to banks when interacting with their customers. This is an uncomfortable position for banks to be in, but this is an issue they'll have to address head-on to succeed with mobile payments.

There's potential for Canadian banks to gain a competitive advantage as consumers already hold their banks to high standards of accountability, with 84% holding banks responsible for safeguarding privacy, while a similar percentage say that they don't fully trust their phone company or handset manufacturer with their financial information.4,5 The 2011 PwC financial mobile services survey also shows that 67% of those surveyed from Canada and the US would prefer that their mobile payments be enabled by their banks. And 76% say that regardless of who provides the service, they want the money to come out of their bank account and go into the receiving party's bank account. They appear generally apprehensive of funds sitting in intermediate locations before being settled via the banking system – giving rise to trust and security issues.

Trust then is the key in unlocking the potential of mobile payments. With traditional boundaries being extended, participation and collaboration in an extended ecosystem—banks, mobile networks, device manufacturers, technology companies and other service providers—become critical. There are now many more touch points where a consumer's private and confidential information can be compromised. And consumers are worried.

The challenge

Our survey of Canadian consumers also reveals that security risk and fraud is a top concern for 74% of respondents when it comes to mobile payments, while 67% are worried about the privacy of their data.6 Participants were also asked if they trust smartphone manufacturers and wireless carriers with their financial data – the overwhelming response was "no".

These responses are not surprising and hold the key to how financial institutions, or for that matter service providers, should move forward to secure their place in the mobile payments ecosystem. Canadian banks start from a position of strength: they've proven they can safeguard their customers' financial data and in turn have secured their trust.

But can this trust be maintained? Until recently, payments have been managed within tight boundaries, where banks could exercise influence. With mobile payments, the ecosystem is extended. No single organization will be able to control all forms of value transfers from an end-to-end perspective, single-handedly guarantee the security of the transaction, and in turn seek the associated rewards.

For banks to secure and even extend their revenue potential from mobile payments, they'll have to play an active role in the enforcement of standards across the ecosystem. End-to-end security hinges on all the participants collaborating to create these standards that can evolve as technology changes and as risk and potential threats emerge. An excellent illustration of this collaboration is the near field communications (NFC) voluntary guidelines, known as the Mobile Reference Model, supported by the Canadian Bankers Association (CBA). But key questions remain:

  • How will consumers be protected when fraudulent payments occur?
  • Who will indemnify them?
  • Up to what amount will they be indemnified?
  • Will some of these costs be borne by merchants?
  • How will costs be apportioned between participating ecosystem players?

Mobile payments in Canada

The CBA has been asked by the Canadian financial institutions to help coordinate the development of the mobile guidelines because of the CBA's broad membership which includes 54 domestic banks, foreign bank subsidiaries and foreign bank branches operating in Canada.

Excerpt from a CBA announcement:7

Canadians continue to adopt mobile technology and demand for mobile payments capability continues to grow. As a result, in May 2012 the banking industry and credit union system announced a set of voluntary, secure, open guidelines for the development of mobile payments at the point-of-sale in Canada.

The voluntary guidelines, technically known as the Mobile Reference Model, will serve as a blueprint for how mobile payment capabilities can be offered in the Canadian market.

The 133-page model begins with a set of guiding principles for mobile payments in Canada, explaining that they must be8:

Open

  • Allow for different business models
  • Foster innovation
  • Ensure competition among market participants

Safe and secure

  • Protect confidential personal, financial and transactional information within the mobile payments ecosystem
  • Facilitate secure interactions between financial institutions and the mobile payments ecosystem

Responsive to end user and merchant needs

  • Provide for ease of use, speed, availability, security, transparency, choice and consistency for users

Standards-based

  • Establish clearly defined standards essential for interactions between financial institutions and the mobile payments ecosystem
  • Align with the Canadian regulatory environment and avoid overlap with existing standards
  • Consider and respect international standards as a means of facilitating interoperability

Sustainable

  • Create a path forward for standards to support the long-term viability of mobile payments in Canada
  • Encompass activities between financial institutions and the mobile payments ecosystem
  • Adapt over time as technology and the ecosystem evolve
  • Allow for economically viable business models that accelerate mobile payments adoption for the mobile payments ecosystem

What about the US?

On March 22, 2012, the Congressional subcommittee on Financial Institutions and Consumer Credit hosted a hearing titled 'The Future of Money: How Mobile Payments Could Change Financial Services.' This was one of the first meetings hosted by Congress on the topic, and expert panelists ranging from the Federal Reserve to industry participants (MasterCard, PCI Security Standards Council (PCI SSC), Smart Card Alliance) were brought in to explain the basics of mobile payments and address concerns.9

Chief among the concerns of many Members of Congress were questions surrounding security.

Today, according to PCI SSC, mobile payment security can be divided into two categories:10

  • Merchant acceptance applications where phones, tablets, and other mobile devices are used by merchants as POS terminals in place of traditional hardware terminals
  • Consumer facing applications where the phone is used in place of a traditional payment card by a consumer to initiate payments

Notably, the PCI SSC has only concentrated on providing requirements and guidance to the first category: securing the use of mobile devices as a point of sale acceptance tool. As for the second category of applications, there are no regulators, forums, roadmaps or industry standards that wallet providers can refer to or adhere to.11,12 This is likely to change in the coming years and represents a potential area of growth for trusted mobile security players.

This is an excerpt from Opportunity calls: An update on the evolution of mobile payments.

To read the rest of this publication please go to: www.pwc.com/us/en/banking-capital-markets/publications/evolution-mobile-payments-update.jhtml

KEEPING CONSUMER DATA SECURE

Within many banks, risk and finance are still worlds apart, making it very difficult to generate integrated information and insights. Why is this?

Banks need fundamentally new approaches to manage security and privacy, given the growing reliance on partners and third-party service providers to deliver the same degree of assurance to customers as provided by Canadian banks. This is by no means a small task and banks will be increasingly under pressure to play the role of the gate keeper in keeping their customers' data secure – even when customers use third-party services.

What can banks do? The first step is to help establish and propagate a set of standards that is both robust and widely accepted by the expanded ecosystem (banks, cell phone makers, mobile networks, technology companies) and to constantly evolve those standards. Security threats do not stay idle and all participants will need to embrace a coordinated approach when dealing with new fraud and security threats.

The next step is to ensure standards are enforced and demonstrate this enforcement. This will go a long way in building trust with consumers. Some banks are considering third-party assurance to critique standards and review how banks and their partners will jointly deliver these standards. This third-party assurance seal can serve two purposes:

  1. Provide executive management with comfort that the bank's risk assessment and control procedures align with those of the service providers
  2. Demonstrate that, together, the bank and its partners will provide business processes that deliver the required degree of security and trust

Such assurance may also be critical from a regulatory perspective and may provide a competitive differentiation for banks in the short term.

Maintaining trust: The key in making mobile payments mainstream

The message from consumers is clear: concerns over the security and privacy of their personal data pose a significant barrier to the adoption of mobile payments technology. One vehicle for building consumers' trust already exists in the form of a well-recognized North American framework, the Trust Services Principles. This framework can be leveraged through assurance reporting on existing governance structures, processes and controls to provide an independent assessment of banks' mobile payment operations. As the use of technology and the number of players delivering ecommerce increases, trust reporting and independent assurance around non-financial risk is becoming increasingly important to all stakeholders and will likely become standard operating procedure in the near future.

To use the Trust Services Principles, you should first identify the five criteria on which to report to your stakeholders:

  1. privacy
  2. confidentiality
  3. processing integrity
  4. availability
  5. security

Different stakeholders will have different concerns. For example, a merchant would be most concerned that the system is available for operation and use, while an individual will want to be reassured that their privacy and data are protected. Banks can then tailor their reports to satisfy the needs of each category of client and build the confidence necessary to encourage adoption.

The mobile payments ecosystem has grown to include new players including mobile networks, and banks should ensure that new entrants are equally trustworthy and as controlled as the banks to maintain the level of trust. The mobile payments process will only be as strong as each individual player. Banks must have confidence in each of those players as they can impact the trust that banks have created with their customers. That means obtaining assurance from those entities regarding their processes and controls. The Trust Services Principles can be utilized for this purpose as well.

The Trust Services framework also provides the opportunity for the banks and their business partners to obtain third-party Trust Services seals (WebTrust™ and SysTrust℠) to demonstrate to end users that their systems and processes are reliable and comply with ecommerce standards. The seals can be placed on their websites to give a visual representation that there's been an independent evaluation. By clicking on the seal, stakeholders will have access to the report and the measures put in place to protect their data.

Implementing a Trust Services framework will give early adopters a competitive advantage by providing a means to enhance trust and transparency, a critical success factor in allaying the concerns of consumers around mobile payments.

CONCLUSION

Payment transactions constitute an important source of revenue for banks worldwide. For Canadian banks, this opportunity is even more pronounced given the degree of trust established with their customers.

While standards continue to evolve and expand beyond NFC, two-dimensional (2D) code and cloud processing technologies, banks can adopt several key practices to ensure they secure their fair share of revenues generated within the mobile ecosystem:

  • Know your risks: Focus on new points in the transaction life cycle where customer data can be compromised. Some of these break points will be outside the domain of the banks.
  • Develop a collaboration model to interact with ecosystem participants, both known and emerging: Clarify how trust will be managed, what controls will be deployed, what assurance can be obtained that such controls are functioning and effective and how risks will be shared. Embrace a formal due diligence model to certify third-party service providers.
  • Educate consumers: The risks associated with the use of wallets and other services, such as couponing, offers, loyalty points and in general sharing of personal information, need to be clarified together with liability disclosures. Mobile payments allow for the collection of a significant volume of information, and not all customers may want this information divulged.
  • Be technology agnostic: Mobile technologies are still in their infancy and will mature over time. With new tools come new risks of inadvertent disclosures and opportunities for deliberate intrusions. Validate new technologies critically with a focus on customer information protection.

What about merchants?

Merchants will exert significant influence on the pace of adoption of mobile payments. While significantly encouraged by the potential to improve customer interaction with targeted offers, location aware services, coupons and loyalty rewards, merchants continue to be concerned about the costs associated with payment transactions.

Merchants are important banking customers and in growing their mobile portfolio, banks will have to balance the needs of the merchants and the needs of their customers. A universally beneficial approach is for banks to combine the silos of information with the explicit permission of their customers to deliver focused services. Banks will need to deploy sophisticated analytics capabilities to make the vision of mobile payment a reality.

Footnotes

1. Google. Our Mobile Planet: Canada, Understanding the Mobile Consumer. May 2012. Retrieved from http://services.google.com/fh/files/blogs/our_mobile_planet_canada_en.pdf.

2. MIT Technology Review. Are Smart Phones Spreading Faster than Any Technology in Human History? May 9, 2012. Retrieved from http://www.technologyreview.com/news/427787/are-smart-phones-spreading-faster-than-any-technology-in-human-history.

3. PwC. Canadian consumer survey 2012.

4. PwC. Citizen Compass: Next generation of eservices. 2012.

5. PwC. Canadian consumer survey 2012.

6. PwC. Canadian consumer survey 2012.

7. Canadian Bankers Association. Mobile Payments in Canada. July 19, 2012. Retrieved from http://www.cba.ca/en/component/content/category/89-mobile-payments-in-canada.

8. NFC World. Canadian banks issue landmark NFC payments guideline. May 14, 2012. Retrieved from http://www.nfcworld.com/2012/05/14/315691/canadian-banks-issue-landmark-nfc-payments-guidelines.

9. United States Congress Committee on Financial Services. Hearing entitled "The Future of Money: How Mobile Payments Could Change Financial Services." March 22, 2012. Retrieved from http://financialservices.house.gov/Calendar/EventSingle.aspx?EventID=284912.

10. Troy Leach, PCI Security Standards Council. Prepared Remarks for "The Future of Money: How Mobile Payments Could Change Financial Services." March 22, 2012. Retrieved from http://financialservices.house.gov/UploadedFiles/HHRG-112-BA-WState-TLeach-20120322.pdf.

11. Darin Contini, Marianne Crowe, Cynthia Merritt, and Richard Oliver, Federal Reserve. Mobile Payments in the United States: Mapping Out the Road Ahead. March 25, 2011. Retrieved from http://www.bostonfed.org/bankinfo/payment-strategies/publications/2011/mobile-payments-mapping.htm.

12. Richard Oliver. Prepared Remarks for "The Future of Money: How Mobile Payments Could Change Financial Services." March 22, 2012. Retrieved from http://financialservices.house.gov/uploadedfiles/hhrg-112-ba-wstate-roliver-20120322.pdf.
