So far, the world of mobile payments has been a “Wild West” before the sheriff came to town. The vendors have been making their own rules, though at least a few have been smart and have prepared for what they guessed would happen. The solution can be expressed in one word: Encryption.
As early in the payment process as possible, all the way to the bank (acquirer).
The PCI Council has issued a press release on mobile payment security, along with an “At a Glance” publication. These usually precede the release of new standards/best practices documents by a few months as fair warning. This post is my attempt to analyze where the Council sits on the matter, and a bit of reading between the lines to try to predict what’s coming.
End-to-end encryption, or point-to-point encryption (P2PE) as the PCI Council calls it, is easily the best solution for securing the explosion of mobile payment applications now on the market. It is ideal because, in most cases, once implemented it is invisible to the user, the merchant and the application. Apps don’t have to be rewritten, the user experience doesn’t suffer, and the merchant keeps the same level of convenience. Most importantly, when done correctly, it is easily the most secure approach available.
There is a price though, and it is on the merchant. All solutions I’ve seen offered raise the transaction rate. Such is the price for the convenience of mobile payment acceptance in this case.