Mobile payments on wearables and phones – how secure is the transaction?
Mobile technology has changed the way we communicate, work and transact. It’s fast becoming the convenient way to make a payment in our time-poor lives.
Now a seamless payment can be made using a wearable device. Investec Private Banking has enabled payments for its Investec Visa card on Fitbit and Garmin devices and Samsung Pay on Samsung watches and phones.
Mark Dabbs, Fraud Systems and Analytics Manager for Investec UK, and Kevin Hogan, Fraud Risk Manager for Investec SA, examine the security of this payment method.
“We already experience contactless payments with tap-and-go credit cards,” says Kevin. “Now, you can use tap-and-go technology with a credit card loaded on your phone or wearable fitness device.”
The average person owns about six connected devices and increasingly uses these to make payments. Often paying with a smartwatch or cellphone is as commonplace as whipping out a credit card. “We often use our phones to make payments with the likes of Zapper and SnapScan that use a QR code to do away with the need for cash,” says Mark. “As technology advances, contactless payments are set to be ubiquitous.”
Globally, merchants are coming on board with contactless payments as more devices are upgraded to support this type of payment. South Africa has only recently seen point-of-sale (POS) terminals being upgraded to support tap-and-go payments, but the future rollout is expected to be quicker.
Sometimes users don’t need to wait for merchant upgrades. For example, Samsung phones use magnetic security technology (MST); the technology creates ‘soundwaves’ that make the card on the phone and the payment terminal ‘talk’ to each other.
“There’s a perception that mobile equals unsafe as a physical card is not present, but this is far from the truth,” Kevin says. “Mobile payments are as, if not more, secure as other payment methods. I believe the misconceptions are often generational. Millennials want the convenience of digital, while older generations focus on security and prefer something tangible, like cash or a card, to feel they have control over the transaction.”
However, convenience and security are not mutually exclusive. Tokenisation, for instance, replaces sensitive credit card data with a unique identity code that remains hidden during the cardless payment process.
“In this way, tokenisation makes cardless payments more secure because the threat surface is smaller,” Kevin adds. “It is reducing rather than increasing the risk of fraud and may potentially decrease the chance of fraud associated with a physical credit card.” Moreover, wearable devices often ask users to set up a PIN that is separate to a credit card PIN. The second PIN is required to unlock the payment mechanism on the device before payment is made, which adds another layer of security.
Tokenisation keeps its secrets
The risks are behind the scenes, within a circular and often complex payment chain between merchants, payment facilitators (Visa, Mastercard) and banks. However, tokenisation removes the possibility of data breaches in the chain too.
“It means that merchants are no longer storing customer card information,” Mark explains. “If you consider traditional websites and online payment portals that track and save your card details, there is always a chance of someone getting your details if your account is hacked.”
Kevin agrees that this represents a fundamental change in terms of potential credit card fraud. “That’s not to say that clients should forget to lock their devices and do away with fingerprint and iris recognition identity technology,” he says. “Working together, tokenisation and standard security features significantly help lower the risk of security breaches.”
However, there is no time to be complacent. Because tokenisation reduces the threat of fraud significantly, fraudsters are looking for their next opportunity. “We are already seeing a rise in malware in the mobile space, whereas previously more malware was detected on desktops,” he concludes. “We have to think two steps ahead to ensure safer transactions.”
Robust global security posture
Investec Private Bank won the Visa 2018 Global Service Quality Awards in three categories: Emerging Payment Adoption – Contactless Issuer; Highest Authorisation Approval Rate – Card not Present; and Highest Authorisation Approval Rate – Cross Border Consumer Point of Sale.
Furthermore, Investec Private Banking clients can temporarily block their Investec Visa card on Investec Online and the App and have 24/7/365 access to Investec’s global Client Support Centre if they suspect fraud.
While the bank introduces new payment innovations, clients can rest assured that their fraud risk is kept to a minimum due to sophisticated fraud prevention and detection systems. The bank’s Fraud Risk team also strives to address and resolve fraud queries in less than 24 hours.