While challenges still exist, the day of consumers routinely pulling out their mobile phones to pay for gas or convenience goods is approaching like a slow but expected sunrise. Just think three to five years down the road, says a researcher with the Boston-based Aite Group.
Through interviews with more than 50 sources within the payments vertical, Thad Peterson, retail banking and payment senior analyst for Aite, believes hurdles still stand, such as the lack of near-field communication (NFC) payment terminals.
That said, developments such as Redmond, Wash.-based Apple’s choices for its ApplePay solution have quieted other aspects of the chaos, furthering the kind of progress necessary to make mobile phones a significant form of payment.
With Apple and Google using NFC as a primary payment method, it’s become the de facto standard in the United States, Peterson says. The challenge is that NFC-capable terminals represent only a small percentage of point-of-sale (POS) terminals in the field today, although movement to Europay MasterCard Visa (EMV) will fuel POS upgrades.
In terms of what Peterson further defines as “mobile proximity” payments, growth for the next three years will be “reasonably slow.” But as the critical mass of NFC terminals arrives and virtually every mobile device becomes NFC-enabled, “you’ll see a whole new generation [of phones], and things will kick off,” he says.
Security & Ease of Use
Two elements of ApplePay’s solution address key consumer concerns: security and ease of use, Peterson says.
ApplePay uses tokenization, which means the credit-card number isn’t seen. It also uses biometric science to allow the transaction to happen via the user’s fingerprint.
The touch initiation also plays into the ease of use. “The key driver for this entire [movement] is the user experience,” he says. “Apple raised the bar.”
Its process eliminates the lock screen, which is the first screen people see when they turn on their phones. At that point, they typically enter a code to gain entry into the phone. Eliminating that step is “a radical deal,” Peterson says. “It’ll be a challenge for everyone else to get to the same place.”
While declaring that the ApplePay process is easy, Phil Schwartz, manager of information systems for Valero, San Antonio, says retailers have concerns with certain aspects of how mobile payment is evolving. For instance, with tokenization, whatever entity owns the token “library” also owns the data, which is a concern for retailers who want to own their customer data.
Tokenization is also a complex process, with alternatives such as point-to-point encryption being an easier solution to implement.
Also with ApplePay, its solution basically accepts the established U.S. credit structure, including use of major credit cards. Part of the allure of mobile payments was its disruptive potential, with retailers for years expressing frustration over having to pay credit-card companies high interchange fees.
“Some mobile-payment [solutions] just clamp onto the rails of existing credit processing,” Schwartz says. “And some are trying different types of payment methodology.”
Nonetheless, ApplePay is winning over merchants. “Everyone applauds [Apple] embracing the payment ecosystem as a solution,” Peterson says. “They got to market faster but made all the players in the ecosystem their friends. It makes it simple for the merchant to adopt. Overall, it’s the smart way to go.”
What's the Buzz?
Schwartz says mobile payment essentially comes in two genres. One is ubiquitous and includes the main mobile-payments options that have emerged.
“As a retailer, I want to accept as many forms of payment as I can, and it would be nice to standardize that,” he says.
The other form is essentially branding payment, with chains such as Framingham, Mass.-based Cumberland Farms and Waycross, Ga.-based Flash Foods going this route. Seattle-based Starbucks is also a poster child for such a solution. But infrastructure and marketing investments have to factor into the return. Also, in Schwartz’s case, Valero’s network of systems and devices are so different that creating such a solution would not be possible.
Still, however mobile payments ultimately evolve, Peterson of Aite Group advises to plan for the rapid growth of NFC. He also suggests the buzz will arrive faster than actual transactions at the register, but that situation will change quickly, in as little as three to five years.
Further, Peterson says online commerce will be an important factor, and retailers should not forget existing forms of payment: “Keep [it all] in context and include cards, because cards aren’t going away.”
CONTINUED: Mobile Security
Mobile Security
Addressing concerns about data security and mobile payment, Dan Fritsche, managing director of application security for Coalfire Labs, a data-security auditing firm in Louisville, Colo., answered a few questions:
Q: What should a retailer be worried about regarding consumers’ phones?
A: Mobile security has several concerns in that the device itself is not as “hardened” as traditional PC (personal computer) operating systems. Secure memory is one concern when storing any sensitive data, whether it’s credit-card data, passwords or personal information. The ability for applications to access various functions across the mobile device, such as address books, physical location information, pictures [and] the camera, are all unique areas of concern.
Q: What can retailers do?
A: Apply standard security practices to mobile solutions, then go beyond that to consider the unique risks mobile solutions introduce. Look to an independent third party for review, penetration testing and validation of security within the mobile solution. For merchant-based solutions, harden the devices in use and ensure developers are following secure SDLC (software development life cycle) practices. Double-check any claims from a mobile-solution provider you may use. Have they done all they can to ensure security?
Q: Any other thoughts?
A:Continually check on the latest information. This space is changing quickly, and there are often newer and better ways of managing risks. Also, understand the risks you are introducing with any new payment solution. Treat any sensitive data as if the environment is already compromised. If you assume that, then are you protecting that data properly?
Members help make our journalism possible. Become a CSP member today and unlock exclusive benefits, including unlimited access to all of our content. Sign up here.