As mobile phones become more like digital Swiss Army knives, credit card companies, banks and telecom carriers believe that one day in the not-too-distant future, consumers will use their devices pay for items at the cash register.
A pilot project partnered between Visa, Royal Bank (RBC) and Rogers Communications was announced a year ago and went into action in June. This mobile payment system works using Near Field Communications (NFC), whereby a tiny chip inside a mobile phone connects to the sensor on the payment terminal over-the-air as it's waved in front of it. The process takes seconds and a text message can be sent as a digital receipt for your records immediately thereafter. An unconfirmed number of retailers are taking part, though only select Motorola phones with the NFC chip inside are able to actually conduct any transactions. Any retailer who can scan the newer chip-embedded credit cards using Visa's payWave terminals will already be able to accept mobile phone payments.
The convenience of this method is highly touted amongst all the players involved, but they also acknowledge the trepidation users may have about security, and whether or not the carriers will gain access to their financial information.
"The data is stored and transmitted in an encrypted way, so when the phone is being waved in front of the point-of-sale terminal, it's not your number being transmitted, it's an encrypted version," explains Mike Bradley, vice-president of products at Visa Canada. "It's always a balance between security and convenience. If you ask consumers about security, they want more of it. But when they are asked to make tradeoffs with usage, accessibility and convenience, that's where the forced tradeoffs are required."
Bradley cites the rollout of the chip-embedded credit cards as a good example of how the technology's design has limited the business case for cyber attackers. "Even if they spent a month's worth of computer power to crack a single chip, the banks have added layers of security that would make sure the exposure doesn't go much beyond that," he says.
He also pointed to Visa's "zero-liability" policy, which absolves its customers of any responsibility for fraudulent transactions, and would be extended to mobile payments. It's also entirely possible that users would be able to choose a threshold for transactions, meaning that transactions above $20, for example, would require unlocking the phone or inputting a password. Plus, with alerts being sent immediately after a transaction via text, fraudulent attempts would be caught far sooner, he adds.
The carriers, meanwhile, wouldn't be able to access a customer's financial information arbitrarily, and they would add a level of protection as well. David Robinson, vice-president of new business planning at Rogers, confirmed in an interview that new SIM cards would be rolled out to coincide with the NFC chips. The new SIM would essentially store all the financial data, so if the phone was reported lost or stolen, the card could be deactivated within minutes. The new SIM would also make it easier to transfer all that data when upgrading to a new handset, he says.
Khoi Nguyen, product manager for Symantec's mobile security group, is more measured in his analysis. He has seen a rise in cyber attacks targeting mobile phones using some of the same methods plaguing PC users like, phishing, spyware and other tactics aimed at text and multimedia messaging.
"If we take a step back and look at how smartphones provide users with e-mail applications, SMS text capabilities, and Internet access, then combine the low adoption rates of mobile security solutions, it adds up to create a perfect storm for mobile device attacks," Nguyen says.
He went on to suggest that targeted attacks on government agencies, wealthy individuals and consumers interested in mortgage refinancing and investments would be likely, given that their mobile devices would probably store valuable information. Cyber criminals could buy, sell and market that data and reap significant profits in the underground economy.
Despite the looming security threats, Frank Maduri, a Toronto-based consultant on mobile payment technologies, feels the bigger issues are consumer acceptance and an arrangement that makes all the players happy. Between the credit card companies, banks, carriers, phone manufacturers and government regulators, he feels there may be some time before everything is put in place.
"They'll get there, but I think they will need to focus on making this simple, easy and safe for consumers to adopt," Maduri says. "People are already buying stuff on their phones, whether it be ringtones, songs, applications - and all of that comes out of credit cards, so there is a certain comfort level already."
The more immediate impact, he says, will be on changing habits with "micro-payments", meaning that mobile payments will eventually dominate fast, low-cost transactions like, coffee, fast food and tokens for the bus or subway, as just a few examples. "I'm not trying to belittle security, but when retailers and consumers find that they can roll through lineups in half the time, they'll feel more comfortable in taking part."
Maduri also believes there won't be any exclusivity agreements between the card companies, banks and carriers because that will stifle adoption. "If they want a lot of transactions, they'll have to keep it wide open," he says.
Neither Visa nor its partners have indicated how long consumers can expect to see mobile payments roll out officially, or even how the anticipated addition of new entrants into the wireless industry might impact the space.
Says Bradley: "We can't have a 'Visa-only' phone and address only a portion of the market in order for payments technology on mobile phones to be effective."