MOBILE PAYMENTS MARKETS

THE GROWTH OF MOBILE PAYMENTS The growth in mobile payments is quite

impressive. Mobile payments are expected to grow to over $1.3 trillion worldwide
by 2017, a growth of over 400% since 2012. Breaking down how mobile
payments are being used gives some insight into the role of mobile devices as a
payment vehicle. Figure 1 separates out the ways that payments are really being
made. The vast majority of mobile payments $726 billion in 2015 are being
used for purchases that appear on phone bills. Historically, this has included
games, ring tones and screen savers.

Key Growth Drivers:

1. Increasing Mobile Commerce industry
Merchant purchases using the mobile device as the payment device or
through a mobile payment service is the third most popular application
about $177 billion in 2015. An example is the use of PayPal from a mobile
device to make purchases from an on-line commerce site
2. Ease of Payments
3. Ability to Purchase a wider basket of goods and services via
mobile payments
A wider array of goods and services are being offered via mobile payments
Eg. Groceries
4. Substitution of existing transfer services like Western Union with
mobile payment systems Like Airtel Money, M-PESA
5. Mobile Banking
Over 75% of banks provide some kind of mobile banking capability to their
customers. Nearly 50% of smart phone owners used mobile banking in the
last year, while nearly 30% of all mobile phone owners have used mobile
banking in the last year
6. Reduced Costs
Merchants have several motivations for providing mobile banking and
mobile payments. Beyond customer retention, Merchants can also improve
the cost of providing services.
7. Increased reach across geographies
8. Transaction Fee Capture

Growth Inhibitors:
1.
2.
3.
4.

Security Issues: Authentication

Commercial Infrastructure
Regulations
Cash Endpoints

Significant Security Issues:

A core issue for reliable mobile payments is Authentication. Merchants and
banks need assurance that the party at the mobile end of a transaction is who
they appear to be. Three general strategies have emerged to improve
authentication. First, the use of authentication technology used by other
payment processes is being promoted. One example is EMV, implemented in
mobile devices through NFC. The experience with the EMV technology has
provided a risk profile that banks and merchants have been able to accept.
Second, multifactor authentication is being developed. Specifically there is work

looking at how to incorporate various kinds of biometrics into the authentication

Importance of mobile banking to consumers Country Important or very important
Brazil 60% India 55% China 46% US 23% Global average 33% Mobile payment
processing Conventional credit card processing 73 process, such as voice
identification, iris scans, gesture recognition and finger print analysis. Third,
there is deployment of back end analytic identification prediction, sometimes
called continuous authentication or frictionless authentication.

Conventional Credit Card Payment Mechanism

Mobile Payment Mechanism

Major Players:

Alipay Network Technology Co. Ltd.

American Express Company
Citrus Payment Solutions
Google Inc.
MasterCard Inc.
Microsoft Corp. Inc.
Oxigen Services (India) Private Limited
PayPal Inc

The Mobile Payment Ecosystem:

The mobile payment ecosystem involves the following types of stakeholders:
Consumers
Financial service providers (FSPs)
Payment service providers (PSPs)
In-service providers (merchants), including content providers
Network service providers (NSPs)
Device manufacturers
Regulators
Standardization and industry bodies
Trusted service managers (TSMs)
Application developers

Mobile Payment Risks:

Target
Type
User

Vulnerabil
ity
Inadvertent
installation
of
malicious
software on
mobile
phone by
user

User

Absence of
two-factor
authenticat
ion
POS
system
accepts
OTA
transmissio
ns

Service
Provide
r

Threat

Risk

Downloade
d
application
intercept of
authenticat
ion data

Theft of
authenticat
ion
parameters
,
information
disclosure,
transaction
repudiation
Fraudulent
transaction
s, provider

User
masqueradi
ng
Malicious
party
floods POS
system
with
meaningles
s requests

Denial of
Service
(DoS)

Counter
Measures
Authenticatio
n of both user
(PIN) and
application
(digital
signature by
trusted third
party), TPM
Two- Factor
Authenticatio
n
Request
filtering at
reader based
on mobile
device-reader
relative
geometry

Security Best Practices:

1. Authenticate the user-application-device triplet:
Once the application is installed, theres a strong binding of the couple
application-device. The specific installed application is identified through a
unique identifier that, during the authentication phase, is utilised in
combination with device-specific information (such as device identifier) to
authenticate the combination of application and device.
There is a strong user authentication giving a high level of assurance
that your customer is actually using that particular installation of the
application on that particular device

2. Secure design: The first headline of MSDNs Lessons learned from five
years of building more secure software is: Its not just the code.
According to them, many vulnerabilities are design issues and not related
to coding at all.
3. Secure application deployment: In the deployment phase, make sure
your customer is directed to, and installs, the correct application. This can
be achieved in many different ways and can have varying degrees of
impact on the user experience. The recommendation here is to design a
secure application deployment process that keeps your risk within
tolerance, without deteriorating the user experience too much.
4. Upgrade through the official application stores: Make sure you
actively warn against the customer installing upgrades from other sources.
Be aware of security issues that might allow fraudsters to publish
application upgrades that appear to have been signed and built by you.
5. Maintain the application: make sure that changing circumstances (e.g.
new Operating Systems) do not affect your application security and that
release management includes proper source code control and versioning.
6. Sensitive data not recoverable: make sure that you store the minimum
set of sensitive data on the device and that it is not possible to recover
usable data on lost and stolen devices. If this is not achievable for the
design of your product, make sure you devalue the usable data that can
be recovered (e.g. tokenisation).
7. Cover time: make sure you obfuscate the data and code in your mobile
application to protect against reverse engineering. Make sure you have
carried out a cover time analysis and know how long it will take before
your obfuscation cannot be considered secure anymore (this requires up
to date expertise on the latest attack methods).
8. Hiding/obfuscation of keys: Make sure you obfuscate keys that have to
be stored as part of your mobile application and that you protect them
with a recognised mechanism, such as key wrapping. You may want to use
hardware backed key storage when available.
9. App integrity protection: you may want to implement mechanisms to
protect the application integrity to mitigate the risk of malware trying to
modify or gain access to your installed applications or data.

Info graphics Compiled From Search Engine Research

References:
http://www.cgap.org/blog/drivers-mobile-money-profitability
http://www.strategyr.com/MarketResearch/Mobile_Wallet_Market_Trends.asp
http://www.futuremarketinsights.com/reports/global-mobile-payment-transactionmarket
http://www.visaeurope.com/media/pdf/secure%20mobile%20payment
%20systems%20guide.pdf
http://www.researchgate.net/profile/Mark_Sherman4/publication/266657628_An_i
ntroduction_to_mobile_payments_market_drivers_applications_and_inhibitors/link
s/547de5170cf27ed9786255f4.pdf?
inViewer=true&&origin=publication_detail&inViewer=true