People may think I’m not being serious with this post title, but I really am. These past few weeks yet more examples of security not being taken seriously in the payments market have emerged. It started with an article I read on Finextra regarding Google bypassing the secure element on an Android phone for NFC based transactions. It’s the launch of HCE (Host Card Emulation).
HCE and NFC
I’m not going to go into too many details and technicalities about it, but my own take on the whole situation with HCE, NFC and Google is that Google and the card schemes are changing the rules in which payments are supposed to be made. They are doing this to better fit with their own solutions, and to potentially lock out ventures like ISIS in the US and WEAVE here in the UK and at the risk of security.
There are strict reasons behind PCI compliance and the use of EMV (secured chip and pin to most of us) and it seems that these are now causing issues for Google and others, so instead of looking for real solutions they change the rules. A great take on this can be found on finextra here
QR/Barcodes in transactions
These are the choice of many payment solutions out there, including my own companies CloudZync with Zwallet. However, QR and Barcodes are easy to create, especially static ones, so using these for passing payment information has to be taken into consideration, and I would never allow an authorisation of a payment to be made just because a valid code has been scanned. Yet I have witnessed many solutions out there now that do this…
With Zwallet we always make sure the consumer is involved in the authorisation process fully, so we keep intelligence in the process at the cost of 1 second in the transaction process. For me, 1 extra second making a payment is well worth it to aid in security. (I would like to point out that Zwallet transactions are still dramatically quicker than typical card based transactions, even with the added 1 second for security).
Security underlying cause for concern?
So what is the underlying cause of security concerns with payments? What really causes so much effort to go into technology a trying to patch security issues or catch fraud post a transaction? The answer is the actual card scheme itself and the infrastructure behind it.
Let’s be real. Cards are amazing. For the last 40 years they have steadily dominated the way in which most of us pay for goods and services. But, has security increased much in that time? A little is the answer. There is a lot more technology backed behind it, but fraud is back on the rise again, so we must ask ourselves why. And the answer is simple, cards were never designed for the digital economy. Everything that we do to utilise the card infrastructure is a cludge, a patch/hack in tech terms. All this technology and security to try and secure something that is very insecure, 16 digits on a card, mixed with two dates and 3 digits on the back. If we lose control of those details then a fraudster can do whatever they want with our cards, and that’s why so much is invested in fraud detection post a transaction and so much is invested in risk management.
My fear is, while card based transactions using Chip and Pin remain ok, the way we use cards digitally isn’t so secure. Throw into the mix mobile payments and companies actively trying to utilise card details in their solutions to make payments, and holes start to appear. In essence, trying to use technology to secure something that by its nature is not secure causes all sorts of issues. And though great lengths to make things much more secure are possible, the costs behind these rack up.
No matter how you try to secure card details, or to what lengths you go, the fact remains that the infrastructure for cards requires those simple card details, and fraudsters are becoming increasingly intelligent, innovative and capable of getting their hands on those details and using them.
The security solution
The only real secure option is to start with a blank sheet of paper for payments and wake up and realise that the digital economy requires payments to be carried out on an infrastructure that is designed for digital transactions from the ground up. It also MUST include more human elements in the process and not just require everything to be automated.
Real intelligence still remains with the consumer and the business. By removing them from the process more and more, we may make the payment process a little quicker, but we increasingly make it less secure. After all, the process of me having to know my PIN to make a payment is far more secure if I have lost my card, compared to just waving my card in front of a reader and making a payment.
These are the reasons behind the security approaches we have at CloudZync, the reasons why we make sure the consumer has to actively be involved in the purchase process and actively have to authorise each and every payment. If we remove them too much, then there are more gaps for fraudsters to exploit.
I’m not saying everything can be 100% secure, it simply can’t, and intelligent innovative fraudsters will always find a way to exploit processes and technology, but we must actively make it as hard as possible, and currently, in the race to stamp authority on possibly the payments method of the future, security seems to be being overlooked…That is a great concern of mine, and should be a great concern for each and every consumer out there and business owner…