MOBILE PAYMENTS: RISK, SECURITY AND ASSURANCE ISSUES MARC VAEL, BRUSSELS, JUNE 2014

ISACA Mobile Payments Forum presentation


Page 1: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS: RISK, SECURITY AND ASSURANCE ISSUES

MARC VAEL, BRUSSELS, JUNE 2014

Page 2: ISACA Mobile Payments Forum presentation

AGENDA

• Definition of mobile payment

• Mobile payment types

• Mobile payment category & ecosystem

• Mobile payment benefits & challenges

• Mobile payment risks

• Mobile payment governance & change

• Mobile payment assurance

• Conclusions

Page 3: ISACA Mobile Payments Forum presentation


Page 4: ISACA Mobile Payments Forum presentation

DEFINITION OF MOBILE PAYMENT

Payment for products or services between two parties for which a mobile device plays a key role in the realization of the payment.

Page 5: ISACA Mobile Payments Forum presentation


Page 6: ISACA Mobile Payments Forum presentation

MOBILE PAYMENT TYPES

1/ Proximity payment

Contactless payments in which the payment credential is stored in the mobile device and is exchanged over the air, based on NFC technology, with a dedicated & compatible payment terminal. The mobile device acts as a contactless payment card (new payment form factor). Contactless payment could also be used remotely; for example, to make an online purchase by swiping the mobile device over a contactless NFC reader plugged into a computer.

2/ Remote payment

Payments take place either via a mobile web browser or a resident smartphone application, in which the mobile phone is used as the device to authenticate personal information stored remotely. Remote payments can be used for transactions such as face-to-face and vending machine transactions.

Page 7: ISACA Mobile Payments Forum presentation

MOBILE PAYMENT CATEGORY

Financial institutions & mobile network operators (MNOs) are competing to be the entity that will hold the customer account and receive the biggest portion of fees. This environment has created another categorization:

• Bank-centric model: customer account is held by a bank. Issues involving matters such as liability, anti-money laundering, transaction monitoring for fraud detection and compliance fall under the appropriate local, national and international banking laws & regulations. When a payment is initiated, the consumer’s bank must authorize the transaction. Payment networks are the traditional ones (like Visa, MasterCard) and the differences are at the transaction endpoints.

• Non-bank-centric model: customer account is held at a nonfinancial organization such as an MNO or a third-party payment service (like PayPal, Google Wallet, Ripple). Important regulatory, security and even profit-sharing questions arise: which entity will be responsible for regulation of these services, the respective national telecommunication authority or the respective national bank?

Page 8: ISACA Mobile Payments Forum presentation

MOBILE PAYMENT ECOSYSTEM

• Consumers

• Financial service providers (FSPs)

• Payment service providers (PSPs)

• In-service providers (merchants), including content providers

• Network service providers (NSPs)

• Device manufacturers

• Regulators

• Standardization & Industry bodies

• Trusted service managers (TSMs)

• Application developers

Page 9: ISACA Mobile Payments Forum presentation

Life cycle of a bank-centric NFC mobile payment

Page 10: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS BENEFITS

1. Speed & convenience for customers (no need to carry cash or credit cards).

2. Cost-effective coverage available in rural areas where no financial institutions exist.

3. Capability to send money abroad via person-to-person (P2P) mobile payment services. With 191 million migrant workers worldwide & a potential for international remittances of $257 billion in 2005 (according to the UN & World Bank), international fund transfers via mobile phone represent a significant opportunity for mobile operators.

4. A mobile wallet can consolidate many cards (no physical cards, and one type of device for all NFC applications).

5. Improved authentication via a PIN-based service (enhanced layer of security).

6. Opportunity to reach a large proportion of the earth’s population without the need for large investment in technology. Mobile phones are more widespread than bank accounts, particularly in rural areas.

7. No need for cash for merchants & clients (reduces the risk of carrying and transferring cash, particularly in high-risk or volatile environments).

Page 11: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS BENEFITS

8. The amount of stored data required to meet compliance requirements is reduced.

9. Smartphone capabilities (such as geo-location) and the Internet connection can be used to improve transaction security & fraud-detection capabilities (the combination creates “geomarketing”, where a merchant can use geo-location & mobile payment data to build a customer profile and provide a personalized experience).

10. Theft of a mobile phone is noticed more quickly than theft of a credit card.

11. Mobile payments open the market for professionals and low-segment merchants without point-of-sale (POS) terminals.

12. Use of smartphones counters the skimming methods that account for a significant portion of card fraud. They also provide protection against the so-called pickpocketing of information from cards equipped with radio frequency identification (RFID) tags.

13. Remote wipe functionality is widely available on smartphones & tablet devices, either by default or as an application (protection of the user’s personal & financial information should the mobile device be lost or stolen).

Page 12: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS CHALLENGES

1. Agreement on the business model to be used for revenue sharing & customer ownership

2. Retooling costs to support mobile payments (such as deploying NFC capability)

3. Current regulatory uncertainty

Page 13: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS RISKS

Fraudsters have always targeted the various payment vehicles, and mobile payments are no exception: upfront analysis & countermeasures are needed to mitigate mobile payment risks. Risk from mobile payments can be categorized as:

• Traditional risk: denial/theft of services and loss of revenue, brand reputation and customer base

• Emerging risk: money laundering & terrorist funding

The risk for a participant in the mobile payments ecosystem depends on the role of the entity: user, network or communication provider, or payment service provider.

Page 14: ISACA Mobile Payments Forum presentation

http://siteresources.worldbank.org/INTAML/Resources/WP146_Web.pdf

Page 15: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS RISKS

Page 16: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS RISKS

Page 17: ISACA Mobile Payments Forum presentation

STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS

Page 18: ISACA Mobile Payments Forum presentation

STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS

A mobile payment transaction can be more exposed to risk because several parties are involved in performing the payment service jointly. This may worsen if important services are outsourced to potentially unregulated third parties without clear lines of accountability & oversight, or which are located abroad. This multiparty transaction environment is conducive to exploitation by fraudsters using technological & sociological attacks IF appropriate protection mechanisms & accountability controls are not established throughout the mobile payment ecosystem. With careful planning that includes all stakeholders, processes and technologies involved, the opportunity exists to make security an intrinsic element of all mobile payment systems.

Page 19: ISACA Mobile Payments Forum presentation

http://www.isaca.org/bookstore/extras/Pages/Securing-Mobile-Devices-Using-COBIT-5-for-Information-Security.aspx

Page 20: ISACA Mobile Payments Forum presentation

Layers of Existing Security Controls

Page 21: ISACA Mobile Payments Forum presentation

STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS

4 initial comments:

• Financial, Payment and Network Service Providers (FSPs, PSPs, NSPs) should implement appropriate safeguards, privacy and security governance programs.

• Lack of clear regulation should not be used by organizations as an excuse for not being proactive.

• Risk from misuse by authorized users exists, such as money laundering and the risk of illegal use (the latter area may require support from new laws that will evolve to ensure adequate protection).

• Each organization involved in the transaction data chain should put in place strong positive controls to protect data while in its custody.

Page 22: ISACA Mobile Payments Forum presentation

STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS

A. Identity protection: ensuring the transaction being undertaken is most likely being carried out by the person authorized or registered to carry it out.

B. Data classification during data transmission & storage at the various nodes: organizations should identify data which are considered personal & sensitive and should ensure appropriate mechanisms are in place.

C. Data integrity: organizations should take the integrity of transaction data into account.

D. Privacy: in case mobile payment data will be used for marketing services, organizations could be found liable for unfair business practices if they use customer data for purposes not included in customer notices.

Page 23: ISACA Mobile Payments Forum presentation

STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS

E. POS system security for proximity payments: organizations should ensure that the third parties with which they interact have robust security governance programs in place.

F. TSM security: the TSM acts as the entity that “personalizes” the TSM-compatible chip on the vendor-supplied mobile device. In such a collaborative cross-platform environment, an organization’s risk control program should strongly focus on third-party services management.

G. User security awareness: users should be educated to understand the corresponding risks.

Page 24: ISACA Mobile Payments Forum presentation

STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS

H. Secure mobile interoperability: mobile device manufacturers should collaborate with the payment industry on the development of platforms ensuring a secure environment for conducting mobile transactions, plus interoperability between different smartphone models, as users tend to frequently change/update their mobile phones. Seamless provision of secure interoperable services is of critical importance for mobile payment success.

I. Leverage control mechanisms developed by banks: those controls, when used in conjunction with technological countermeasures & information that can be derived from mobile transactions (such as geo-location), can raise confidence that a transaction is not fraudulent.

J. Transactions security: transactions should be segmented by purchase amount, location and merchant category, and risk should be managed accordingly.
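As an added illustration of points I and J (not code from the presentation or from ISACA), the following Python sketch segments a transaction by purchase amount, merchant category and the distance between the device's geo-location and the terminal, then maps the resulting tier to a control. All thresholds, categories and the Transaction fields are assumptions chosen for the example; a real provider would take them from its risk policy.

```python
import math
from dataclasses import dataclass

# Constructed thresholds for illustration only; real limits come from the provider's policy.
LOW_VALUE_LIMIT = 30.0            # below this amount: low-value tier
HIGH_VALUE_LIMIT = 500.0          # at or above this amount: strongest amount signal
HIGH_RISK_CATEGORIES = {"gambling", "money_transfer", "crypto_exchange"}
MAX_PLAUSIBLE_DISTANCE_KM = 5.0   # device should be near a proximity-payment terminal

@dataclass
class Transaction:                 # hypothetical record shape
    amount: float
    merchant_category: str
    device_lat: float
    device_lon: float
    terminal_lat: float
    terminal_lon: float

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = math.radians(lat2 - lat1)
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))

def risk_tier(tx: Transaction) -> tuple[str, list[str]]:
    """Segment the transaction and return (tier, reasons); tier is low/medium/high."""
    score, reasons = 0, []
    if tx.amount >= HIGH_VALUE_LIMIT:
        score += 2; reasons.append("high value")
    elif tx.amount >= LOW_VALUE_LIMIT:
        score += 1; reasons.append("above low-value limit")
    if tx.merchant_category in HIGH_RISK_CATEGORIES:
        score += 1; reasons.append(f"high-risk merchant category: {tx.merchant_category}")
    dist = haversine_km(tx.device_lat, tx.device_lon, tx.terminal_lat, tx.terminal_lon)
    if dist > MAX_PLAUSIBLE_DISTANCE_KM:   # device geo-location disagrees with the terminal
        score += 2; reasons.append(f"device is {dist:.0f} km from terminal")
    tier = "low" if score == 0 else ("medium" if score == 1 else "high")
    return tier, reasons

def required_action(tier: str) -> str:
    """Map the tier to the control applied before the payment proceeds."""
    return {"low": "approve", "medium": "require PIN", "high": "hold for review"}[tier]
```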

Page 25: ISACA Mobile Payments Forum presentation

Page 26: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS GOVERNANCE & CHANGE

Training & new internal controls should be designed & monitored. The major driver in mobile payment services adoption is a business model that delivers value to all players in the ecosystem. Business models can be bank-centric, mobile operator-centric, independent service provider-centric or hybrid-collaborative. Today we focus on the bank-centric aspects of the mobile ecosystem.

From a business model perspective for B2B and B2C activities, there will need to be provision for fair access to consumer segments among mobile payment stakeholders & adequate customer protection and privacy. Sound CRM will require adequate & timely disclosure to customers of the risk, responsibilities and liabilities associated with mobile transactions; identification of recourse for customers; and establishment of grievance handling procedures for both internal and cross-platform and cross-organizational transactions.

Page 27: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS GOVERNANCE & CHANGE

There will be a need to modify existing networks or develop new network structures to provide the seamless interoperability needed among participants in the mobile payments ecosystem.

Due to the nature of mobile payments, individual organization countermeasures will not be sufficient, so specific attention should be given to inter-organization relationships within the mobile payments ecosystem. For example, until now payment cards had been controlled by a financial organization or institution. Now, card information is stored on chips, e.g., SIM cards, that can be moved from device to device. And customers change mobile phones, lose phones and buy from various vendors that are not controlled by banks. This situation requires that a new entity be put in place to govern the uncontrolled chip & ensure trusted distribution of payment card information.

Page 28: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS GOVERNANCE & CHANGE

Possible solution = deploy a TSM architecture that is collaborative across technical and business boundaries to provide the core of a secure mobile payment ecosystem. The TSM would be a neutral intermediary overseeing the business & operational requirements for large-scale deployment of mobile payments. Its functions would include management of business rules and authentication, providing connectivity between MNOs and service providers, ensuring end-to-end security, providing application life cycle management for MNOs, handsets and customers, and end-to-end customer support. Caveat = the TSM would not participate in the actual NFC contactless transaction process, i.e., transactions would be processed over existing payment channels and the TSM would facilitate secure authentication to the network edge prior to transmission over existing channels.

Page 29: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS ASSURANCE

Page 30: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS ASSURANCE

Optimal way to determine what assurance criteria should be applied (and in what context) = consider 2 assurance levels:

• Applying banking-level compliance scrutiny to service providers handling distribution of money as well as payment services (e.g., PayPal, Western Union, Google Checkout, lottery systems)

• Applying standard audit models & standards for payment systems associated with purchase of goods & services (e.g., MNOs, transit system authorities, retail merchants)

Page 31: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS ASSURANCE

When reviewing mobile payment service providers, auditors should consider the following:

• COBIT 5 framework as the basis for risk management, compliance and proper protection and use of mobile payment information

• Ensuring compliance with pertinent regulations governing both the payment industry & the telecommunication industry

• Contractual relationship of the organization with the TSM, particularly mutual assurance obligations & representations

• Trust transfer points of the mobile payment transaction process and how these are protected to ensure end-to-end trust from consumer initiation of the transaction to purchase fulfillment, payment and settlement

• Privacy protection & integrity of transaction data and customer account details

• Awareness training of organization members for the new risk & responsibilities of handling mobile payments

Page 32: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS ASSURANCE

Page 33: ISACA Mobile Payments Forum presentation

MOBILE PAYMENTS ASSURANCE

Page 34: ISACA Mobile Payments Forum presentation

http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Mobile-Computing-Security-Audit-Assurance-Program.aspx

Page 35: ISACA Mobile Payments Forum presentation

CONCLUSIONS

The mobile payments market is undergoing transformation and holds a promising future for both consumers & providers. Some key points for mobile payments are:

1. Collaborative & competitive models for mobile payment services are created.

2. Security & privacy as well as convenience are key drivers from the consumer perspective.

3. Strong assurance from independent trusted third parties & development of, and adherence to, best business practices within the mobile payments ecosystem will be required to encourage widespread consumer adoption.

4. Right now the future is promising and seductive, but uncertain.

Page 36: ISACA Mobile Payments Forum presentation