
GUIDE

Mobile Payments
Security 101
How merchants and mobile payment
service providers can protect their
users against mobile payments fraud.
DEVELOPED AND PUBLISHED BY:
CONTENTS

Page 3  Executive Summary

Page 4  Chapter 1 | Introduction
        Mobile payment methods
        Mobile wallets

Page 8  Chapter 2 | Mobile Payments Transaction Volume
        Apple Pay
        Rival services

Page 13 Chapter 3 | Threats
        Mobile malware
        Jailbreaking and rooting
        Native apps
        Mobile payments fraud
        The Association for Financial Professionals
        Apple Pay fraud

Page 19 Chapter 4 | PCI Compliance
        mPOS devices

Page 22 Chapter 5 | Security Technologies
        Point-to-point encryption (P2PE)
        Wi-Fi
        Tokenization
        EMV
        EMV and NFC
        Authentication technologies

Page 27 Chapter 6 | Overview of Solutions Providers
        Alaric
        Bell ID
        Carta Worldwide
        Cybera
        DeviceAuthority
        FIS
        InAuth
        Ingenico Mobile Solutions
        Jumio
        Kaspersky Lab
        MagTek
        Omlis
        OneVisage
        Payfone
          Authentify acquisition
        ThreatMetrix
        ValidSoft
        Veridu
        Verifone
        WiseSec

Page 39 References

Published by Networld Media Group


2015 Networld Media Group
Written by Robin Arnfield, contributing writer,
MobilePaymentsToday.com.
Tom Harper, president and CEO
Kathy Doyle, executive vice president and publisher
Will Hernandez, editor
Christopher Hall, managing editor, payments
and technology group
Tiffany Smith, custom content editor

Mobile Payments Security 101 | 2015 Networld Media Group 2


EXECUTIVE SUMMARY

The popularity of banking and m-commerce on smartphones and tablets,
merchant adoption of mPOS devices, the growth of in-app payments, and
the emergence of mobile wallets and NFC-based point-of-sale payment
services mean that ensuring the security of mobile transactions and the
privacy of customers' data is critical.

This report provides guidance on how merchants and mobile payment
service providers can protect their users against mobile payments fraud.

It reviews best practices for mobile payments security, such as:

- not jailbreaking or rooting smartphones;
- deploying technology to verify the identity of mobile devices used
  for m-payment transactions;
- replacing consumers' card information with one-time tokens;
- ensuring cardholder data is encrypted from the point of interaction
  with an mPOS device's card reader all the way to the acquirer; and
- installing controls on mPOS devices so only approved and secure
  apps can be downloaded by employees.

Robin Arnfield, MobilePaymentsToday.com

Robin Arnfield has been a technology journalist since 1983. His work has
been published in ATM Marketplace, Mobile Payments Today, ATM & Debit
News, ISO & Agent, CardLine, Bank Technology News, Cards International
and Electronic Payments International. He has covered the United Kingdom,
European, North American and Latin American payments markets.



CHAPTER 1
Introduction
The popularity of banking and m-commerce on smartphones and tablets,
merchant adoption of mPOS devices such as Square, the growth of in-app
payments, and the emergence of mobile wallets and NFC-based point-of-
sale payment services such as Apple Pay mean ensuring the security of
mobile transactions and the privacy of customers' data is critical.

"Mobile and other connected devices are fast becoming the leading way
for users to access commerce and banking services," said Vanita Pandey,
senior director of strategy and product marketing at San Jose, California-
based ThreatMetrix. "Mobile is the biggest emerging opportunity and risk for
businesses and financial institutions trying to deliver frictionless experiences
to their customers. Continued growth of mobile payments and banking will
lead to stricter rules and regulations to secure these transactions."

Mobile payment methods


There are five main ways to carry out mobile payment transactions at the
point of sale.

MPOS
MPOS transactions involve customers swiping or inserting their card into a
card reader attached to a smartphone or tablet that connects to a payment
network through a wireless link.

NFC
In an NFC transaction, an NFC-enabled smartphone communicates via
an RFID link with a contactless transmitter attached to a POS device. The
cardholder pays using a card held in digital form in a mobile wallet, which is
stored either in a secure element on their smartphone's SIM card or in the
cloud using a technology called Host Card Emulation (HCE).

At checkout, the consumer tells the clerk that he or she wishes to pay using
a smartphone. The consumer opens the mobile wallet, selects the desired
card and then taps the smartphone on the merchant's contactless POS
terminal. The consumer's payment credentials are retrieved automatically
from the smartphone's secure element or from the cloud using HCE
and transmitted via NFC to the payment terminal.

The advantage of HCE over secure element-based NFC is that, since HCE
is supported by Google's Android KitKat 4.4 operating system, it can run on
any Android-based smartphone, not just on NFC-enabled smartphones.

"Visa believes that (HCE) cloud-based mobile payments represent a
significant opportunity to accelerate mobile payments globally," said
Rodrigo Meirelles, Visa's senior director of digital payments solutions for
Latin America and the Caribbean.

Bluetooth
Bluetooth low energy (BLE) is a protocol that enables Bluetooth-based
smartphones and other mobile devices to communicate with BLE-
based wireless transmitters known as Beacons. On entering a store, the
consumer's m-payment app senses a BLE Beacon and checks in to alert
the retailer's POS of the consumer's presence. At checkout, the consumer
tells the clerk to post the sale to his or her m-payment account, which
is visible on the clerk's POS terminal. The clerk verifies the consumer's
identity and completes the transaction.

According to the Mobile Payments Today white paper "The iBeacon/BLE vs
NFC Debate: Now the Truth," which is sponsored by Pyrim Technologies,
BLE transmitters are designed to continually broadcast a discovery signal.
"Any app residing within a BLE-enabled (Bluetooth 4.0) smartphone can be
configured to listen for these signals," the white paper says.

QR codes
As an alternative to NFC, some m-payment service providers such as
Starbucks and LevelUp offer QR code-based systems that store payment
information in the cloud instead of the handset and can be executed on any
smartphone.

The LevelUp mobile app for iPhone and Android allows registered users
to link their payment card to a unique QR code displayed within the app.
To pay with LevelUp, users scan the QR code on their phone at LevelUp
terminals located at LevelUp-accepting merchants. LevelUp also supports
NFC and Apple's BLE-based iBeacons.

Cloud-based apps
Several mobile payment providers such as PayPal offer apps that
communicate in the cloud with retailers at the point of sale without users
scanning QR codes or tapping their smartphones on a POS terminal.

PayPal's app shows users a list of retailers who accept PayPal in a
particular area. Customers use the app to check in with the merchant when
in the store, tell the clerk they are using PayPal and then pay for purchases
through their PayPal accounts.

Mobile wallets
Mobile wallets serve an array of functions. According to Mobile Payments
Today's Mobile Wallet Comparison Guide 2015, they provide a place where
consumers store and organize coupons, loyalty programs, payment cards,
tickets and any other kind of paper items that can be digitized.

Other mobile wallets offer bill payment, comparison shopping, location-
aware services, P2P payments functionality and social-media connectivity.

Both Visa and MasterCard offer digital wallets for their issuing banks'
cardholders.

In July 2014, Visa introduced Visa Checkout, an online payment service
that replaced its previous digital wallet V.me in Canada, Australia and the
U.S. By the end of 2015, Visa Checkout will be available in 13 additional
countries, including Brazil, China, Malaysia, Mexico, South Africa and the
United Arab Emirates.

Visa Checkout enables consumers to enter their payment details once
when they enroll and pay online with just a username and password.
Consumers can enroll through their issuing bank, through participating
retailer websites or at the Visa Checkout website, and they can link non-
Visa payment cards to their Visa Checkout accounts. More than 110
merchants including Gap, Neiman Marcus, Orbitz, Pizza Hut and Staples
have deployed Visa Checkout.

MasterCard launched its MasterPass digital wallet in February 2013. For
online purchases, MasterPass provides shoppers with a simple checkout
process by eliminating the need to enter detailed shipping and card
information for every purchase. At the point of sale, MasterPass offers
cloud-based, NFC and QR code-based payments.

In August 2014, MasterCard added support for in-app payments to
MasterPass. Retailers can use an API to embed MasterPass as a
checkout option within a mobile app, mobile website or desktop app,
according to MasterCard.


Vodafone digital wallet

U.K.-based telco Vodafone said in March 2015 that its customers soon will
be able to add bank cards to their Vodafone Wallets and use smartphones
to pay for goods and services at contactless terminals
(http://www.mobilepaymentstoday.com/news/vodafone-partners-with-visa-carta-worldwide-for-contactless-m-payments/).
Following agreements with Visa and payments processor Carta Worldwide
(see Chapter 6, Carta Worldwide, page 27), bank card payments via Vodafone
Wallet will be enabled in European markets from the second quarter of 2015
onward.

The service, which requires a Vodafone NFC-enabled SIM card, will be
supported on a wide range of Android smartphones. To use the service,
customers will:

- input their bank cards to the Vodafone Wallet app, where an alias of
  each card is stored securely in the Vodafone NFC-enabled SIM card;
- confirm ownership of the card using Verified by Visa authentication;
- pay by tapping their phones against a contactless POS terminal; and
- check their mobile payment transaction history using their phones.

Payments are debited automatically from the selected bank cards, which
are protected with a four-digit PIN for higher-value payments.



CHAPTER 2
Mobile Payments Transaction Volume
Forrester Research says U.S. mobile payment transactions rose from $32
billion in 2013 to $52 billion in 2014. The U.S.-based consultancy predicts
that U.S. mobile payment transactions will rise to $67 billion in 2015 and
$142 billion in 2019.

According to a blog by Forrester Research senior analyst Dene Carrington,
U.S. adoption of smartphones rose from 19 percent of consumers in 2009 to
66 percent in 2014. U.S. consumers will increasingly use their smartphones
for purchases, Carrington predicted.

The Federal Reserve Board report Consumers and Mobile Financial
Services 2015 says that, based on a December 2014 survey, 39 percent of
all U.S. mobile payment users with smartphones made POS payments using
their smartphones in 2014.

In-person m-payments will grow the fastest, but remote m-payments
will remain the biggest.
"In-person mobile payments is currently the smallest category of mobile
payments, but it holds the greatest growth potential," Carrington wrote. "The
fastest growth will occur in verticals where friction is embedded in the
commerce experience and with high-velocity merchants. Services represent
75 percent of U.S. consumer spending and likewise services will also drive
significant growth for both in-person and remote mobile payments. Remote
mobile payments was the first category to gain traction, is currently the
largest category and will continue to be so through 2019."

2015 will be the year of Apple Pay.
"Apple Pay will influence every discussion of mobile payments through 2015,"
Carrington wrote. "Apple Pay will motivate competitors to completely rethink
their mobile payment strategies. Apple Pay will be the catalyst for new debates
on balancing data privacy with customer engagement and loyalty. Apple Pay will
also be the standard-bearer for the best use of tokenization to secure payments
and biometrics to combat fraud. In fact, the quest for security will dominate the
U.S. payments marketplace throughout 2015."


Apple Pay
Apple launched its Apple Pay NFC-based m-payment service in October
2014 for the iPhone 6 and the Apple Watch. Users also can make Apple
Pay purchases within participating apps on the iPhone 6, iPad Air 2 and
iPad mini 3.

Apple has signed up a significant number of U.S. financial institutions and
iPhone 6 users for Apple Pay. In a January 2015 earnings call, Apple CEO
Tim Cook said Apple Pay accounts for two out of every three dollars of
contactless payments on American Express, Visa and MasterCard's U.S.
card payments networks.

"Panera Bread tells us Apple Pay represents nearly 80 percent of their
mobile payment transactions, and, since the launch of Apple Pay, Whole
Foods Market has seen mobile payments increase by more than 400
percent," Cook said.

Apple Pay's security features include Apple's Touch ID fingerprint-
authentication sensor, storage of payment credentials in Apple Passbook and
the secure element chip built into the iPhone 6 and the Apple Watch for NFC
payments at the point of sale.

To pay with Apple Pay, iPhone 6 users hold their iPhone near the merchant's
contactless card reader with their finger on Touch ID. Apple Pay also can be
used to pay with a single touch in apps.

Apple Pay assigns a unique Device Account Number to each registered
payment card, which is encrypted and stored in the iPhone 6's secure
element. Using tokenization technology (see Chapter 5, Tokenization, page 22),
the Device Account Numbers are used instead of their associated payment
card numbers, along with a one-time security code. That means users don't
reveal their names, card numbers, expiration dates or card security codes to
cashiers when making in-store payments.

Actual payment card numbers aren't stored on Apple servers, nor are they
shared with merchants or transmitted with payments, Apple says. Users can
add payment cards to Apple's Passbook from their iTunes account or by
using the iPhone 6's camera to capture card information.
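To make the tokenization flow described above concrete, here is an added Python example (not Apple's code and not part of the original report) of a token service provider issuing a device-bound token in place of the real card number and verifying a one-time code on each transaction. The class and function names, the HMAC-SHA256 one-time code and the test card number are constructed for illustration; real network tokenization uses EMV-specified cryptograms, for which the HMAC here is only a stand-in. The point the example demonstrates is the one in the text: the merchant sees a token and a code that is useless if captured, never the card number, and a replayed or altered payload is rejected.

```python
"""Tokenization with a per-transaction one-time code (constructed illustration).

A token service provider (TSP) replaces the card number (PAN) with a random
token of the same length and shares a per-token key with the handset's secure
element. Each payment carries the token, a counter and a one-time code over
the transaction; the TSP re-derives the code, rejects replays, and only the TSP
can map the token back to the PAN.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def compute_cryptogram(key: bytes, token: str, amount_cents: int, counter: int) -> str:
    """One-time code bound to token, amount and counter.

    HMAC-SHA256 truncated to 16 hex chars is a constructed stand-in for an
    EMV-style cryptogram; the property that matters is that the code changes
    every transaction and cannot be reused for a different amount.
    """
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


@dataclass
class TokenRecord:
    pan: str                                  # real card number, held only by the TSP
    key: bytes                                # per-token key shared with the device
    seen_counters: set = field(default_factory=set)  # replay protection


class TokenServiceProvider:
    """Holds the PAN-to-token vault (constructed stand-in for an issuer/network TSP)."""

    def __init__(self) -> None:
        self._vault: dict[str, TokenRecord] = {}

    def provision(self, pan: str) -> tuple[str, bytes]:
        """Issue a token (the report's 'Device Account Number') and a per-token key.
        The token keeps the PAN's length so existing payment messages carry it,
        but it is random, so it cannot be reversed to the PAN without the vault."""
        token = "".join(str(secrets.randbelow(10)) for _ in range(len(pan)))
        key = secrets.token_bytes(32)
        self._vault[token] = TokenRecord(pan=pan, key=key)
        return token, key

    def authorize(self, token: str, amount_cents: int, counter: int, cryptogram: str) -> tuple[bool, str]:
        """Detokenize and verify the one-time code. Returns (approved, reason)."""
        rec = self._vault.get(token)
        if rec is None:
            return False, "unknown token"
        expected = compute_cryptogram(rec.key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"
        if counter in rec.seen_counters:
            return False, "replayed cryptogram"
        rec.seen_counters.add(counter)
        return True, f"approved for PAN ending {rec.pan[-4:]}"


class WalletDevice:
    """Constructed stand-in for the handset's secure element."""

    def __init__(self, token: str, key: bytes) -> None:
        self.token = token
        self._key = key
        self._counter = 0

    def pay(self, amount_cents: int) -> dict:
        """Build what the merchant terminal receives: token + one-time code, no PAN."""
        self._counter += 1
        return {
            "token": self.token,
            "amount_cents": amount_cents,
            "counter": self._counter,
            "cryptogram": compute_cryptogram(self._key, self.token, amount_cents, self._counter),
        }


def demo() -> dict:
    """Provision a constructed test card, pay once, then replay and tamper."""
    pan = "4111111111111111"  # constructed test card number
    tsp = TokenServiceProvider()
    token, key = tsp.provision(pan)
    device = WalletDevice(token, key)

    payload = device.pay(1999)
    first_ok, _ = tsp.authorize(**payload)
    replay_ok, replay_reason = tsp.authorize(**payload)          # same code again
    tampered = dict(payload, amount_cents=99999, counter=2)     # fresh counter, wrong amount
    tamper_ok, tamper_reason = tsp.authorize(**tampered)
    return {
        "first_ok": first_ok,
        "replay_ok": replay_ok,
        "replay_reason": replay_reason,
        "tamper_ok": tamper_ok,
        "tamper_reason": tamper_reason,
        "pan_in_payload": pan in str(payload),
    }


if __name__ == "__main__":
    print(demo())
```

The merchant-side payload never contains the PAN, so a compromised terminal or acquirer link yields only a token and a single-use code; recovering the card number requires the vault, which is why the report places the trust boundary at the token service rather than at the merchant.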

If an iPhone 6 is lost or stolen, the Find My iPhone feature can be used to put
the device in Lost Mode so nothing is accessible, or the iPhone can be wiped
completely clean.


Rival services
In response to Apple Pay, Samsung announced Samsung Pay in March
2015. Samsung Pay, which will launch in summer 2015, will use proprietary
contactless payments technology developed by LoopPay, which Samsung
acquired in February 2015.

LoopPay's technology will be embedded in Samsung's new Galaxy S6 and
Galaxy S6 Edge smartphones. The new devices still will rely on NFC chips
to enable users to conduct tap-and-pay transactions at contactless-enabled
POS terminals. But if contactless is unavailable, LoopPay's Magnetic Secure
Transmission technology will communicate with the magnetic-stripe reader
currently present on all terminals. Samsung Pay will sense which option is
available and adjust accordingly.

In February 2015, Google bought U.S. mobile wallet scheme Softcard from
AT&T, Verizon and T-Mobile and partnered with the telcos to preload Google
Wallet on their Android-based handsets running KitKat 4.4 or higher.

In May 2015, Google announced Android Pay, with American Express,
MasterCard, Visa and retailers such as McDonald's, Panera, Whole Foods, and
Uber announcing support for the new mobile payment system. Google Wallet
will live on as a dedicated person-to-person mobile app for both Android and
iOS devices.

Android Pay is due to arrive on handsets later this year to coincide with
Google's launch of an updated mobile operating system, which at the
moment is referred to as Android M, and will eventually become a standard
feature on future AT&T, Verizon and T-Mobile smartphones thanks to the
Softcard acquisition.

Michelle Evans, senior consumer finance analyst at Euromonitor International,
told Mobile Payments Today that Android Pay will leverage NFC technology
[and HCE support] and enable merchants to accept mobile payments
in-store from participating consumers, as well as enable merchants to embed
Android Pay directly into their mobile apps. Android Pay also will support
fingerprint readers for users to authenticate payments at checkout "in the same
vein as Apple Pay," Evans said.

According to Mobile Payments Today, U.S. retailer-owned Merchant
Customer Exchange (MCX) is expected to launch an early stage version
of its CurrentC mobile wallet in the U.S. in mid-2015. MCX is backed by
Walmart, Best Buy and other major U.S. retailers. MCX likely will use QR
codes as its communications method, although it eventually could support
NFC or Bluetooth as well.


CurrentC is intended to store and automatically apply exclusive offers,
coupons and promotions from participating merchants during the payment
process. It also will enable customers to organize all participating merchant
loyalty cards and membership accounts in one app.

CurrentC will offer customers the choice of paying with a variety of financial
accounts, including checking accounts, merchant gift cards and select
merchant-branded credit and debit accounts.



CHAPTER 3
Threats
Mobile devices face the same security risks as PCs and laptops, including
malicious apps, viruses and other types of malware. They also have the
risk of malicious code such as phishing links being inserted into QR codes,
according to Kaspersky Lab.

In addition, retailers' Wi-Fi networks are vulnerable to intrusion, which poses
a security risk for their mPOS devices and customers' smartphones.

Mobile malware
According to a report by Alcatel-Lucent's Motive Security Labs division, mobile
malware infections increased by 25 percent globally in 2014 compared to a
20 percent increase in 2013.

The Motive Security Labs Malware Report H2 2014 estimates that
worldwide about 16 million mobile devices are infected by malware. Mobile
malware is increasing in sophistication with more robust command and
control protocols, the report says.

Six of the report's mobile malware top 20 list are mobile spyware. Those
are apps used to spy on the smartphone's owner by tracking the phone's
location, monitoring incoming and outgoing calls and text messages,
monitoring email and tracking the victim's Web browsing.

The infections identified in the report were split 50/50 between Android
devices and Windows/PCs (connected to mobile networks via dongles and
mobile Wi-Fi devices or tethered through smartphones), with under 1 percent
coming from other smartphones such as the iPhone and BlackBerry.

Because of Apple's walled garden approach to apps, its iOS operating
system is subject to far fewer malware attacks than Android-based
devices are. "The Apple App Store whitelists apps and eliminates insecure
apps," said Sterling Brown, chief technology officer at U.S. m-payment
service provider Rezzcard.

Consumers should be wary when downloading apps to their mobile devices.
"So many smartphone and tablet apps ask for personal information," Brown
said. "Consumers need to be aware when they are providing personal
information that makes them vulnerable to attacks through an app. You don't
want to download anything that makes you vulnerable to keylogging when
doing mobile payments or mobile banking."

"Mobile spyware is definitely on the increase."
Motive Security Labs Malware Report H2 2014

Jailbreaking and rooting

Jailbreaking and rooting of smartphones are consumer behaviors that can
cause significant mobile security problems, because they open up devices
to malware.

Jailbreaking refers to removing the limitations set by Apple in iOS and
running on an iOS device third-party apps that have not been approved
by Apple. Rooting describes the same process on Android devices. Both
jailbreaking and rooting have the effect of breaking the default security
provided by the device manufacturer.

"When you root or jailbreak a smartphone, you circumvent the controls," said
Jeremy Gumbley, chief technology officer for m-payments gateway provider
Creditcall. "This means you don't have to go to the official Google app store
or the Apple App Store to get apps, and can install any apps you like."

"Jailbreaking can lead to a malicious app being installed on the device, which
spies on the user and steals credentials and unencrypted information," says
Tom Karren, CEO of mobile security firm MokiMobility.

"And if a user roots a device, anything that happens on that device could
be compromised," says Jared Blake, Moki's chief technology officer. "For
example, if you use fingerprint authentication on a smartphone which has
been rooted, then malware could steal a copy of your fingerprint."

Mark Schulze, co-founder of Android tablet-based mPOS vendor Clover
Network, which is owned by First Data, says his company provides controls
to ensure the security of its customers' mobile devices.

"We offer our own secure version of Android, with controls to ensure
merchants' employees can't use Clover tablets to play games, for example,"
he said. "If a tablet goes missing, we shut it down remotely and erase
everything stored on it. You can't jailbreak or root our devices, and you can
only download apps from our app store."

"Malware can detect if a smartphone has been jailbroken and then install
itself on the phone."
Jeremy Gumbley, chief technology officer for Creditcall

Native apps
A large percentage of mobile transactions are completed by using native
mobile apps instead of by using mobile browsers. "Crime associated with
their use has increased correspondingly, resulting in a critical need to detect
and prevent fraud related to their malicious use," says the ThreatMetrix white
paper Fraud Protection for Mobile Applications.

The rise in app-related fraud is due largely to the fact that mobile apps
seldom have the infrastructure necessary to enable adequate mobile device
identification and profiling, ThreatMetrix says. Additionally, implementing
these features requires skills far beyond those of most mobile app
developers, it says. As a result, mobile apps frequently lack a number of
security features, and it's difficult for fraud-prevention systems to determine
if the device in question is being used legitimately, creating a prime
opportunity for fraudsters.

When transactions are enacted via traditional desktop browsers or standard
default browsers on mobile devices, ThreatMetrix says its fraud-prevention
systems are able to perform advanced profiling of the device, uniquely
identify it and establish a trust score that identifies the level of fraud risk.

However, native mobile apps downloaded to a smartphone or tablet are
designed for a specific website or Web application and are lightweight
in comparison to traditional browsers. They generally don't have the
infrastructure required to positively identify the device and adequately
determine risks or threats it may present.

Unless the mobile app is upgraded and equipped with the necessary
infrastructure and intelligence, trust cannot be properly established, and the
user may experience rejection or stepped-up authentication, ThreatMetrix
says. Unfortunately, adding the necessary technology and controls requires
a great deal of work and very specific knowledge, both of which are generally
outside the experience of most mobile app developers.

To address those problems, ThreatMetrix (see Chapter 6, ThreatMetrix,
page 34) offers a lightweight software development kit (SDK) that developers
can integrate easily within their mobile apps. This SDK, known as
TrustDefender Mobile, provides mobile apps with the infrastructure and
intelligence needed to verify the trustworthiness of the mobile device,
ThreatMetrix says. Legitimate users of such apps are immediately recognized
as such, and can conduct their transactions without having to respond to
additional authentication procedures in order to verify their identity. In this
manner, TrustDefender Mobile provides benefits for both business owners
and their customers or end users.

Mobile payments fraud

LexisNexis Risk Solutions and Javelin Strategy Solutions & Research's
LexisNexis 2014 True Cost of Fraud Mobile Study says that, as merchants
flock to the mobile channel, so too are fraudsters.

Revenue that U.S. mobile commerce merchants lost to fraud rose 70 percent
in 2014 to 1.36 percent compared to 0.80 percent in 2013, the study says. By
comparison, all U.S. merchants lost 0.68 percent of revenue to fraud in 2014
in comparison to 0.51 percent in 2013.

For their study, LexisNexis and Javelin surveyed 1,142 risk and fraud
decision-makers and influencers at U.S. retailers and conducted interviews
with five U.S. financial institutions.

The complexity of additional payment channels such as digital wallets
coupled with additional access channels such as mobile websites and apps
produces more avenues for fraud. The study found that m-commerce
merchants accept an average of 4.5 payment channels, significantly more
than the 2.6 channels accepted by all merchants.

M-commerce companies have more fraud exposure than other types of
retailers do. "More than a fifth (21 percent) of all fraudulent transactions are
attributed to the mobile channel, which is disturbing because of the fact that
the number of transactions occurring through m-commerce channels is still
low for the average m-commerce merchant," LexisNexis says. In 2014, 14
percent of all U.S. transactions were accepted via m-commerce channels.

Bloomberg quoted Aaron Press, LexisNexis Risk Solutions director of
e-commerce and payments, as saying that many merchants aren't equipped
to track mobile devices' unique identifiers such as Internet Protocol (IP)
addresses. Stores often don't catch when a card issued in Los Angeles is
used for a mobile order from Mexico, he told Bloomberg.

"Mobile commerce is going to be more widely adopted by merchants
because customers are clamoring for the convenience," said Dennis Becker,
LexisNexis Risk Solutions vice president of corporate markets. "To reduce
customer friction and sell more through the mobile channel, now is the time
for m-commerce retailers to put in place fraud-prevention tools to counter the
disproportionate amount of fraud that is currently occurring."

Merchants are struggling to manage fraud costs for merchandise sold
through the mobile channel. The LexisNexis Fraud Multiplier(SM) cost for
the mobile channel rose to $3.34 in 2014 from $2.83 in 2013, a result of the
mobile channel's expansion into physical goods markets.

Based on the study's findings, customer identity verification is the top fraud-
prevention challenge for m-commerce merchants, followed by friendly fraud.

"At $3.34 per dollar of fraud losses, the LexisNexis Fraud Multiplier(SM) cost
for fraudulent mobile transactions is the highest of any channel."
LexisNexis 2014 True Cost of Fraud Mobile Study

The inability to confidently verify the identity of a customer and his or her
device leads to friendly fraud, which is defined as fraud perpetrated by family
members or close associates. The study found that 24 percent of fraudulent
mobile transactions are due to friendly fraud. "We expect this percentage to
drop, as more m-commerce merchants adopt mobile-channel specific fraud-
prevention tools," Becker said.
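The two gaps named in this section, merchants not tracking device identifiers such as IP addresses and not catching a card issued in one country being used from another, lend themselves to straightforward batch detection. The following Python is an added example, not from the study or the report: it runs three merchant-side checks over a constructed batch of m-commerce transactions. The `Txn` record, the IP-prefix and BIN tables (hard-coded stand-ins for a geolocation service and an issuer BIN list) and the thresholds are all constructed for illustration.

```python
"""Merchant-side fraud checks for an m-commerce channel (constructed illustration).

Checks implemented over a batch of transactions:
  geo_mismatch    card's issuing country differs from the country of the device's IP
  card_velocity   one device has used more distinct cards than the allowed maximum
  device_hopping  one card has been used from more than one device
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for an IP geolocation lookup (documentation prefixes -> ISO country).
IP_PREFIX_COUNTRY = {
    "203.0.113.": "US",
    "198.51.100.": "MX",
    "192.0.2.": "BR",
}

# Constructed stand-in for an issuer BIN table (first six digits -> issuing country).
BIN_COUNTRY = {
    "411111": "US",
    "550000": "US",
    "400000": "GB",
}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    card: str          # PAN or token; only the first six digits are used here
    device_id: str     # app-side device identifier (e.g. supplied by a device SDK)
    ip: str
    amount_cents: int


def ip_country(ip: str) -> str:
    """Longest-prefix-free lookup against the constructed table; '??' if unknown."""
    for prefix, country in IP_PREFIX_COUNTRY.items():
        if ip.startswith(prefix):
            return country
    return "??"


def bin_country(card: str) -> str:
    return BIN_COUNTRY.get(card[:6], "??")


def score_batch(txns: list[Txn], max_cards_per_device: int = 3) -> dict[str, list[str]]:
    """Return, per transaction id, the list of flags raised (empty list = clean)."""
    cards_by_device: dict[str, set[str]] = defaultdict(set)
    devices_by_card: dict[str, set[str]] = defaultdict(set)
    for t in txns:                       # first pass: aggregate relationships
        cards_by_device[t.device_id].add(t.card)
        devices_by_card[t.card].add(t.device_id)

    flags: dict[str, list[str]] = {}
    for t in txns:                       # second pass: evaluate each transaction
        f = []
        if bin_country(t.card) != ip_country(t.ip):
            f.append("geo_mismatch")
        if len(cards_by_device[t.device_id]) > max_cards_per_device:
            f.append("card_velocity")
        if len(devices_by_card[t.card]) > 1:
            f.append("device_hopping")
        flags[t.txn_id] = f
    return flags


# Constructed sample batch: a clean U.S. order (t1), a U.S.-issued card ordered
# from a Mexican address (t2, the pattern quoted in the study), one device
# cycling four cards (t3-t6), and a card that then appears on a second device (t7).
SAMPLE = [
    Txn("t1", "4111110000000001", "dev-A", "203.0.113.10", 4500),
    Txn("t2", "4111110000000002", "dev-B", "198.51.100.7", 12000),
    Txn("t3", "5500000000000003", "dev-C", "203.0.113.22", 2000),
    Txn("t4", "5500000000000004", "dev-C", "203.0.113.22", 2100),
    Txn("t5", "4000000000000005", "dev-C", "203.0.113.22", 2200),
    Txn("t6", "4111110000000006", "dev-C", "203.0.113.22", 2300),
    Txn("t7", "4111110000000006", "dev-D", "203.0.113.31", 900),
]

if __name__ == "__main__":
    for txn_id, raised in score_batch(SAMPLE).items():
        print(txn_id, ", ".join(raised) or "clean")
```

None of these checks needs the customer's identity; they work on relationships between device, network and card, which is why a stable device identifier from the app is the prerequisite the text keeps returning to. Flags feed a review or step-up decision rather than an automatic decline, since a traveller with a U.K. card will trip `geo_mismatch` legitimately.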

Association for Financial Professionals

The Association for Financial Professionals' 2015 AFP Payments Fraud and
Control Survey found that in 2014 only 1 percent of organizations reported an
attempted or actual fraud involving compromised mobile devices.

The survey, underwritten by J.P. Morgan and conducted in January 2015, is
based on 741 responses from corporate treasury and finance professionals
with the following job titles: cash manager, analyst and director.

"For B2B transactions, the mobile payment option has yet to break any
particular ground," said Magnus Carlsson, manager of treasury and payments
at the AFP.

More than three-quarters (78 percent) of survey participants said they believe
concerns about security are keeping consumers from embracing mobile
payments, the AFP said.

Survey respondents suggest that specific security issues are preventing
greater consumer use of mobile payments, such as concerns about
transmitting financial data over cellphone networks (54 percent of respondents),
potential exposure of personal financial information resulting from the loss of
smartphones (53 percent) and authentication (26 percent).

Finance professionals themselves have numerous questions about the
measures being used to secure mobile payments, the AFP said. "There are
concerns about whether information is being transferred securely and if there
is a risk of sensitive information being exposed," it said. "As mobile payments
become equipped with security features such as tokenization and biometric
authentication, which don't impact their usability, they will be more widely
accepted as a payment solution."

Apple Pay fraud

According to news reports, criminals have been creating Apple Pay accounts
using stolen card credentials. CNBC quoted Cherian Abraham, m-payments
adviser at Experian Global Consulting, as estimating Apple Pay's fraud rate
at 6 percent, compared with a traditional credit card fraud rate of 10 cents for
every $100 spent.

Bloomberg reported that some U.S. banks have begun to make changes in
how they activate customers' card accounts to use Apple Pay.

Richard Crone, Crone Consulting's chief executive officer, told Bloomberg
some banks require users to call them to activate Apple Pay, to ensure their
identities haven't been stolen.

"While Apple Pay has been hailed as one of the most secure mobile
payment options because of its use of tokenization and biometric
authentication, there is a weak link in the chain that has caused a surge in
fraudulent transactions," David Divitt, product marketing manager for Alaric,
said in a blog published on ATM Marketplace. "As ever in payments, criminals
adore a weak link, especially in a system that is otherwise very secure; this
makes it all the more likely their fraud will go unnoticed."

Avivah Litan, vice president and distinguished analyst for Gartner, explained
in a blog how fraudsters are exploiting a vulnerability in banks' Apple Pay
verification processes to bridge the gap between card-present transactions
and the card-not-present world.

"The bad guys are loading iPhones with stolen card-not-present card
information (which is much easier to steal than card-present mag-stripe data)
and essentially turning that data into a physical card à la Apple Pay," Litan said.

According to Litan, the responsibility for the fraud lies not with Apple Pay but
with the card issuers who must be able to prove Apple Pay cardholders are
legitimate customers with valid cards.

"Apple does provide the issuer with information to help inform that decision,"
Litan wrote in her blog. "This data includes information on a customer's
device and iTunes account such as: device name; its current location; and
whether or not the customer has a long history of transactions within iTunes."

"For years, we have been briefed by vendors offering a plethora of
innovative and strong user authentication solutions for mobile payments.
And, for years, we have been asking the vendors touting them how they
know their mobile app is being provisioned to a legitimate user rather
than a fraudster. That always appeared to me to be the weakest link in
mobile commerce: making sure you provide the app to the right person
instead of a crook."

Litan said the key to identity proofing in a non-face-to-face environment is
reducing reliance on static data, much of which is personally identifiable
information (PII) that has been compromised by the crooks, and increasing
reliance on dynamic data such as reputation, behavior and relationships
between non-PII data elements.

Litan warned that the problem of stolen card number fraud experienced by
Apple Pay is only going to get worse as Samsung/LoopPay and MCX/CurrentC
release their mobile payment systems, without the customer data advantages
Apple has in its relatively closed environment.

CHAPTER 4
PCI Compliance
Like all merchants accepting payment cards, merchants using mPOS card
readers must adhere to the Payment Card Industry Security Standards
Council's (PCI SSC) data security standards, the most important of which is
the PCI Data Security Standard (PCI DSS).

The PCI SSC is an open forum that develops and manages the PCI DSS and
related payment card data security standards. Merchants, processors, card
issuers and technology vendors are required to comply with those standards.

The PCI standards' purpose is to safeguard cardholder data and sensitive
authentication data by eliminating security vulnerabilities at any point in
the payment card infrastructure. The standards cover POS, e-commerce and
ATM transactions.

Entities that are non-compliant with PCI DSS or that suffer breaches face
substantial fines from the card schemes as well as potential liability for the
cost of fraud.

mPOS devices
When a mobile device is transformed into a POS terminal for a merchant to
accept card account data, there is a responsibility to protect that
information, the PCI SSC says. Thus PCI standards begin to apply when a
mobile device is used for payment card acceptance.

In July 2014, the PCI SSC updated two guidance documents it originally
issued in February 2013: "The PCI Mobile Payment Acceptance Security
Guidelines for Merchants as End-Users" and "Accepting Mobile Payments
with a Smartphone or Tablet."

The guidance documents cover mPOS acceptance applications that operate
on consumer handheld devices such as smartphones or tablets that aren't
dedicated solely to payment-acceptance transaction processing.

The PCI SSC warns that, as merchants' mobile devices aren't used only as
POS tools but also to carry out other functions, they introduce new security
risks. By design, almost any mobile application could access account data
stored in or passing through the mobile device, it says.

In addition to security risks such as malicious apps, keyloggers, viruses and
intrusions, mPOS card readers face a threat from fraud specifically because
of their mobility, the PCI SSC says.

mPOS card readers can be used not just inside stores but at remote
locations such as customers' homes or farmers' markets. A key risk to
merchants is the ease with which criminals can steal an mPOS device, modify
it so they can intercept cardholder data and return it without anyone
realizing it was gone, the PCI SSC says.

The PCI SSC guidelines have three objectives covering the main risks
associated with m-payment transactions:
- prevent account data from being intercepted when entered into a mobile
  device;
- prevent account data from compromise while being processed or stored
  within the mobile device; and
- prevent account data from interception while being transmitted from the
  mobile device.

The PCI SSC says that merchants deploying mPOS payments should use a
PIN-entry device (PED), encrypting PIN pad (EPP) or secure card reader that
complies with its Payment Card Industry PIN Transaction Security Point of
Interaction (PCI PTS POI) standard.

Merchants should not implement solutions that permit PIN entry directly into
the mobile device. If the system incorporates PIN-entry capability, it should
occur only through a PCI-approved PED or EPP, the PCI SSC says.

Merchants should look for an indication of a secure state in their mPOS app,
for example, through a displayed secure state icon provided by their app
vendor. If no indication is present, the payment app shouldn't be used, the
PCI SSC recommends.

According to the Mobile Payments Today report "Mobile Banking and
Payments Security," merchants should check regularly that their mPOS
devices haven't been physically tampered with, for example, by the insertion
of a card skimmer.

Best practices and responsibilities

The table below outlines each best practice described within the PCI Mobile
Payment Acceptance Security Guidelines for Merchants as End-Users document
along with who should be responsible for its implementation. The definitions of
those entities that are responsible for the best practices are:
Merchant as an End-User (M): Any entity that uses the mobile payment-
acceptance solution to accept payments.
Mobile Payment-Acceptance Solution Provider (SP): The entity that integrates
all pieces in the mobile payment-acceptance solution and is responsible for
the back-end administration of the solution. This includes the merchant as
a solution provider.

Best practice                                                          M   SP
 1. Prevent account data from being intercepted when entered
    into a mobile device.                                              X   X
 2. Prevent account data from compromise while processed
    or stored within the mobile device.                                X   X
 3. Prevent account data from interception upon transmission
    out of the mobile device.                                              X
 4. Prevent unauthorized physical device access.                       X
 5. Protect mobile device from malware.                                X   X
 6. Ensure the device is in a secure state.                                X
 7. Disable unnecessary device functions.                              X   X
 8. Detect loss or theft.                                              X   X
 9. Ensure the secure disposal of the device.                          X
10. Implement secure solutions.                                        X   X
11. Ensure the secure use of the payment-acceptance solution.          X
12. Prefer online transactions.                                            X
13. Prevent unauthorized use.                                          X
14. Inspect system logs and reports.                                   X   X
15. Ensure that customers can validate the merchant/transaction.           X
16. Issue secure receipts.                                                 X

Source: PCI Security Standards Council, PCI Mobile Payment Acceptance Security Guidelines
for Merchants as End-Users.

CHAPTER 5
Security Technologies
This chapter reviews key security technologies and best practices for
mobile payments.

Point-to-point encryption (P2PE)


When selecting mPOS card readers, merchants should avoid any reader
that only converts the magnetic-stripe data on the customer's card into an
audio signal that is transmitted in unencrypted form via the merchant's
smartphone. That is a bad security practice, as there could be malware on
the smartphone that will intercept the card data.

The PCI SSC mPOS guidelines (see Chapter 4, mPOS devices, page 18)
state that the best option for merchants using mPOS is to use a
PCI-validated and approved point-to-point encryption (PCI P2PE) solution.

The PCI SSC's PCI P2PE standard provides a specification for the use
of strong encryption to achieve point-to-point encryption, where clear-text
card data is removed from the payments environment. This is achieved by
encrypting data from the point of interaction (where cards are swiped or
dipped) until the data reaches the P2PE solution provider's secure
decryption environment.

With P2PE, the card number is encrypted in the card reader with a key that
isn't known to the merchant, and the card number can be decrypted only by
the processor or the issuer. By using a PCI-compliant P2PE solution,
merchants potentially can reduce their PCI compliance obligations.

Benoit Boudier, vice president of international sales at Ingenico Mobile
Solutions, says the apps on Ingenico's mPOS devices cannot access sensitive
customer card data.

"We encrypt the card data at the point of acceptance both for
Bluetooth-connected PIN pads and for card readers connecting via a
smartphone's audio jack," he said. "The encrypted data is then sent to the
acquirer."

Visa Europe requires that mPOS solutions deployed by its acquirers are
implemented in a manner consistent with PCI P2PE principles, a Visa Europe
spokesperson says.

This includes a requirement for mPOS devices such as card readers attached
to smartphones/wireless tablets to be certified to PCI PTS POI V2, V3 or V4
with SRED (secure reading and exchange of data) included and for the full
solution to support P2PE. This ensures that the mobile device doesn't see
any card data and that the mPOS system offers a similar level of security
to traditional card acceptance devices.

Cryptography is an important information security tool that can protect the
confidentiality of data. It uses a secret code called a key. Using the key,
data is changed into what appears to be random data (a process called
encryption). You need the key again to change the random data back into
the original data (a process called decryption). The key must be protected
from unauthorized access or disclosure.
Source: "Accepting Mobile Payments with a Smartphone or Tablet," PCI
Security Standards Council

Wi-Fi
Using Wi-Fi for mPOS or standard POS payments has security risks, says
Ingenico's Boudier. "Retailers really need to use P2PE on their in-store
Wi-Fi networks. Although you can try to provide perimeter security to stop
anyone from breaking into your Wi-Fi network, the reality is that, with a
distributed payment-acceptance environment like in-store mobile payments,
it's possible for hackers to break in. While you should definitely secure
your Wi-Fi network, you must also encrypt data traveling on your network so
that, if it is intercepted, it is meaningless."

Small merchants such as coffee shops that use mPOS technology should
ensure the Wi-Fi connection they use for their mPOS device is separate from
the Wi-Fi network they provide for customers to use in their store. The mPOS
Wi-Fi connection should be on a secure network that is segmented from a
public Wi-Fi network.

Tokenization
Tokenization is a security technology that involves a one-time number
being used to represent an actual credit- or debit-card number in a payment
transaction. That token has zero value to criminals, as it can be detokenized
only by the tokenization service provider. The cardholder's primary account
number (PAN) is stored only on the tokenization service provider's system.

There are three types of tokenization.

First, website tokenization occurs when a customer enters his or her full
PAN on a merchant's website, but the merchant never sees the PAN as it is
tokenized immediately by the processor in a software vault.

Second, POS terminal tokenization occurs when the cardholder's PAN is
tokenized as soon as the card is swiped or tapped against a POS terminal.

Third, network tokenization involves a card network, such as Visa or
MasterCard, tokenizing a cardholder's PAN and the token being stored
securely on the user's mobile device or in an HCE cloud-based software
vault. Mobile payment services such as Apple Pay and Samsung Pay use this
type of network tokenization, said Hitesh Anand, Verifone's vice president
of commerce enablement and mobile.

According to a Mobile Payments Today blog by Experian's Abraham, both
Visa and MasterCard's HCE platforms involve tokenization.

"Tokenization helps simplify consumers' purchasing experience, as it
eliminates the need to enter and re-enter their account numbers when
shopping on mobile devices, tablets or PC," Visa's Meirelles says. "In
addition, tokens eliminate the need for merchants to store payment card
account numbers. This increases transaction security, reduces the risk of
fraud in digital channels such as e-commerce and further enhances issuers'
ability to manage risk and provide customer support."

Tokenization works well in combination with P2PE, Boudier says. "You
encrypt the transaction message including the cardholder's token and then
send it to the acquirer and the card network in encrypted form."

"In the mobile environment, tokenization involves replacing the
cardholder's PAN with a token that is linked to a specific device such as
their smartphone and stored in the smartphone's SIM card secure element or
in an HCE cloud-based software vault."
Benoit Boudier, vice president of international sales at Ingenico Mobile
Solutions

In March 2014, EMVCo (the EMV chip card standards body jointly owned
by American Express, Discover, JCB, MasterCard, UnionPay and Visa)
published "The EMV Payment Tokenisation Specification Technical
Framework v1.0." The document is designed to help merchants, acquirers,
issuers and mobile and digital payments providers develop globally
interoperable tokenization solutions in online or mobile environments.

Visa said in February 2015 that it plans to tokenize all online transactions
initiated using Visa Checkout through its Visa Token Service.

Visa Token Service was launched in October 2014, enabling secure
mobile payments for Visa cardholders on Apple devices through the
Apple Pay service.

In 2015, other leading device manufacturers and technology companies
will begin deploying Visa Token Service to deliver secure mobile payments
through their phones, tablets and other connected devices, Visa said. For
example, Visa will provide its Visa Token Service for Samsung Pay (see
Chapter 2, Samsung Pay, page 10) transactions involving Visa cards.

NFC World quoted MasterCard CEO Ajay Banga as telling analysts during
the card network's 2014 year-end earnings call that it plans to incorporate
tokenization technology into its MasterPass digital wallet in the near
future. "We are very focused on tokenization; it's a very important aspect
of where we're going for safety and security," Banga said.
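As an added illustration (not code from this guide, EMVCo or any vendor named here), the following Python sketch shows the property the section describes: a token service provider holds the only PAN-to-token mapping, the merchant keeps just the token, and detokenization is granted only to an enrolled party that presents the device the token was bound to. The Luhn-valid token format, the "9" token prefix, the HMAC-authenticated request and the test PAN are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed placeholder: real token BIN ranges are allocated by the card networks.
TOKEN_PREFIX = "9"


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check."""
    total = 0
    for pos, ch in enumerate(reversed(number)):
        digit = int(ch)
        if pos % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def luhn_complete(body: str) -> str:
    """Append the check digit that makes `body` pass the Luhn check."""
    for check in "0123456789":
        if luhn_valid(body + check):
            return body + check
    raise ValueError("input must be all digits")


class TokenServiceProvider:
    """Holds the only PAN-to-token mapping; every other party handles tokens."""

    def __init__(self):
        self._vault = {}    # token -> (PAN, device the token is bound to)
        self._callers = {}  # enrolled caller name -> shared secret

    def register_caller(self, name: str) -> bytes:
        """Enrol a processor or acquirer allowed to request detokenization."""
        key = secrets.token_bytes(32)
        self._callers[name] = key
        return key

    def tokenize(self, pan: str, device_id: str) -> str:
        """Issue a random, Luhn-valid token of the PAN's length, bound to one device."""
        if not (pan.isdigit() and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        while True:
            digits = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 2))
            token = luhn_complete(TOKEN_PREFIX + digits)
            if token != pan and token not in self._vault:  # avoid collisions
                break
        self._vault[token] = (pan, device_id)
        return token

    @staticmethod
    def request_mac(key: bytes, token: str, device_id: str) -> bytes:
        """MAC over a detokenization request, proving possession of the shared secret."""
        return hmac.new(key, f"{token}|{device_id}".encode(), hashlib.sha256).digest()

    def detokenize(self, caller: str, token: str, device_id: str, mac: bytes) -> str:
        """Return the PAN only to an enrolled caller presenting the bound device."""
        key = self._callers.get(caller)
        if key is None or not hmac.compare_digest(self.request_mac(key, token, device_id), mac):
            raise PermissionError("caller not authorized")
        entry = self._vault.get(token)
        if entry is None:
            raise LookupError("unknown token")
        pan, bound_device = entry
        if bound_device != device_id:
            raise PermissionError("token is not bound to this device")
        return pan


def merchant_record(token: str, last4: str, amount_cents: int) -> dict:
    """What the merchant keeps for the sale: the token and a display hint, never the PAN."""
    return {"token": token, "last4": last4, "amount_cents": amount_cents}


def run_demo() -> dict:
    """Walk one purchase through the token service and report what happened."""
    tsp = TokenServiceProvider()
    acquirer_key = tsp.register_caller("acquirer")
    pan, device = "4111111111111111", "device-A"  # constructed test PAN (Luhn-valid)
    token = tsp.tokenize(pan, device)
    record = merchant_record(token, pan[-4:], 1999)
    # The enrolled acquirer, presenting the bound device, recovers the PAN.
    recovered = tsp.detokenize("acquirer", token, device, tsp.request_mac(acquirer_key, token, device))
    # The same token replayed from a different device is refused.
    try:
        tsp.detokenize("acquirer", token, "device-B", tsp.request_mac(acquirer_key, token, "device-B"))
        replay_blocked = False
    except PermissionError:
        replay_blocked = True
    # A party without the shared secret (for example, malware on the merchant's phone) is refused.
    try:
        tsp.detokenize("acquirer", token, device, bytes(32))
        forged_blocked = False
    except PermissionError:
        forged_blocked = True
    return {"pan": pan, "token": token, "record": record, "recovered": recovered,
            "replay_blocked": replay_blocked, "forged_blocked": forged_blocked}
```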

EMV
From October 1, 2015, U.S. merchants who haven't upgraded their POS
terminals to accept EMV chip card payments will become liable for
fraudulent misuse of EMV cards occurring on their terminals, under a
liability shift imposed by MasterCard, Visa and the other card networks.

The EMV standard is designed to prevent card skimming and counterfeiting,
as EMV-compliant cards contain an embedded chip as well as a magnetic
stripe. An EMV card's chip stores the cardholder's account data more
securely than a magnetic-stripe-only card does.

EMV cards are ubiquitous across Europe and will become widely adopted in
the U.S. because of the October 1 liability shift.

U.S. mPOS vendors need to be able to demonstrate a clear roadmap for
supporting EMV, said William Nichols, president and CEO of Montreal,
Canada-based m-payments firm AnywhereCommerce.

Any U.S. mPOS provider which doesn't already offer EMV capability or
doesn't plan to offer EMV in the next six months should be of concern to
merchants, said Thad Peterson, a senior analyst for U.S.-based consultancy
Aite Group. The big mPOS providers such as Verifone and Ingenico already
support EMV, and Square will launch an EMV card reader in spring 2015.

EMV and NFC


According to industry experts interviewed by Mobile Payments Today, NFC
payments stand to benefit from the U.S. migration to EMV, as new EMV-
enabled POS terminals contain the necessary technology for consumers
to make contactless payments with their smartphones. Vendors such as
Ingenico and Verifone already have deployed thousands of EMV-enabled
POS terminals in the U.S., and the majority of those readers are equipped
with contactless technology.

A lack of contactless-enabled POS terminals and NFC-enabled smartphones
has hindered U.S. adoption of NFC payments. Both are no longer the big
obstacles they once were, Mobile Payments Today says, because of the U.S.
migration to EMV and the fact that a variety of Android-powered smartphones
now contain NFC chips as a standard feature. HCE also has helped
mobile-wallet providers sidestep access to the secure element on Android
smartphones to enable contactless transactions. Apple will include NFC
chips as a standard in some of its most popular devices.

Authentication technologies
A number of authentication technologies can be deployed to enhance mobile
payments security.

Device authentication ensures that a mobile device interacting with a mobile
banking or payment system is genuinely the registered user's device, isn't
being spoofed by a fraudster's device and hasn't been jailbroken.

Mobile device authentication involves a security provider taking a digital
fingerprint of a mobile device, noting facts such as the type of device, the
apps and cookies it contains, and the sites it visits, Verifone's Anand says.
It also may involve using information from the mobile network operator to
triangulate the physical location of the device and its IP address.

For example, Payfone (see Chapter 6, Payfone, page 32) provides the
Identity Certainty solution, which assigns each mobile user in its database
a unique tokenized ID based on the mobile subscriber's phone number, SIM
card and account number. Fraud detection and monitoring systems from
vendors such as ThreatMetrix (see Chapter 6, ThreatMetrix, page 34) look at
customer history and behavior to determine whether a transaction is genuine
or fraudulent.

Biometric technologies such as voice prints, facial recognition or
fingerprint scans provide an additional layer of authentication over and
above login methods such as passwords, PINs and security challenges
requesting users to supply previously registered personal data.

A report by Juniper Research, "Human Interface & Biometric Devices:
Emerging Ecosystems, Opportunities & Forecasts 2014-2019," predicts that
more than 770 million biometric authentication applications will be
downloaded per year by 2019, up from 6 million in 2015, dramatically
reducing dependence on alphanumeric passwords in the mobile phone market.

Juniper says several high-profile deployments of biometric authentication
techniques, such as Apple Pay's combination of Touch ID authentication
and tokenization, will drive biometric authentication adoption.

"Device fingerprinting is among the best-suited solutions for mobile device
authentication. It has the benefit of being invisible to the consumer,
adding no friction to the checkout process."
LexisNexis 2014 True Cost of Fraud Mobile Study

CHAPTER 6
Overview of Solutions Providers
Alaric
A subsidiary of NCR, London-based Alaric offers the Fractals intelligent fraud-
detection solution for online, ATM, POS and mobile channels. Fractals is
used by issuers, acquirers, processors, networks, payment service providers,
ISOs and merchants.

The latest version of Fractals, released in December 2014, includes a Fraud
Integration Hub, which brings together data from specialized sources such
as mobile geolocation, IP intelligence and device reputation to analyze
transactions. Alaric says Fractals uses a combination of self-learning
models and user-defined rules to tackle any type of transactional fraud
problem.

Bell ID
Bell ID develops software that enables banks and enterprises to issue
and manage credentials on NFC-enabled mobile devices and EMV-based
smart cards.

The Rotterdam, Netherlands-based firm offers solutions for:
- HCE
- secure element management
- tokenization management
- m-payments service provider enablement

Bell ID's Tokenization Manager provides Token Service Provider
functionality in line with EMVCo's EMV Payment Tokenisation Specification
Technical Framework v1.0.

Bell ID said in March 2015 that it is enabling the launch of ANZ New
Zealand's upgraded goMoney mobile app, which is set to feature a
cloud-based HCE NFC wallet. The project, for ANZ Bank's New Zealand
division, will bring contactless mobile payments to 120,000 ANZ customers'
smartphones.

The ANZ goMoney wallet uses Bell ID's Secure Element in the Cloud
platform, which removes the need for a separate app or SIM card upgrade
for customers.

Carta Worldwide
Toronto, Canada-based processor Carta Worldwide launched itsCloud Suite
1.0 for mobile payments, a full-service cloud-based payments and EMVCo-
compliant tokenization productfor banks and wallet service providers, in
February 2015.

Cloud Suite 1.0 offers tailored delivery of Carta's cloud-based payments
and tokenization technology, including:
- Pilot and Test Platform: for development of m-payment applications and
  cloud payment functionality;
- Platform-as-a-Service: cloud-hosted software for scalable deployment of
  HCE m-payment products with flexible roadmap options; and
- Software License: for custom in-house implementation.

Carta says a highlight of Cloud Suite 1.0 is its Platform-as-a-Service
offering, which provides a complete technology solution, including
tokenization, digital credential management and a developer environment,
all as a hosted service. The solution supports HCE, NFC proximity payments
and remote payments.

Cybera
Franklin, Tennessee-based Cybera offers the Cybera ONE for Mobility ap-
plications solution,which enables retailers to secure cloud-based mobile
wallet point-of-sale purchases in their stores. The solution ensures that,
when a customer visits a store and buys a product on the Web by using a
smartphone, the specific store receives the revenues to cover the cost of
the product.

Cybera says its managed software cloud and virtual application network
securely connect the retailer's mobile payment application to the local
store POS system where inventory is being redeemed. This allows the local
store site to settle the transaction and account for the inventory being
sold.

Using Cybera's solution, retailers can accept mobile payments without the
cost of upgrading their POS system. Additionally, utilizing a secure cloud
ensures that payment information will be delivered safely from the mobile
cloud application to the POS system at the specific store site without
jeopardizing the integrity of the card data environment, Greg Tennant,
Cybera's senior vice president of marketing and strategy, wrote in a Mobile
Payments Today blog.

DeviceAuthority
Fremont, California-based DeviceAuthority offers the D-FACTOR authenti-
cation engine, which issues a digital fingerprint authentication challenge to
mobile devices connecting to payment systems to check whether
they are genuine, whether they contain malware and whether they have
been jailbroken.

According to a white paper by DeviceAuthority's marketing partner, Simi
Valley, California-based XYPRO Technology Corp., D-FACTOR prevents
security breaches from unauthorized devices due to:
- keyloggers;
- stolen cookies and user credentials;
- phishing attacks;
- circumvented knowledge-based authentication;
- circumvented fraud detection;
- man-in-the-middle attacks;
- man-in-the-browser attacks.

FIS
In March 2015, U.S.-based banking software vendor FIS addedbiometric
access to its mobile banking application via Apples Touch ID. According
to a news release, FIS was to become the first provider to offer fingerprint
access to its Cardless Cash ATM application when it enabledfingerprint
authentication in April 2015.

Using Touch ID, customers of banks that have deployed FIS's Cardless
Cash ATM software will be able to withdraw cash from ATMs and check
their balances from their smartphones, without using plastic cards.
Authentication, account selection and amount selection all occur through
the FIS Mobile Wallet with Cardless Cash app, and a QR code is scanned to
complete the transaction.

The FIS Mobile Wallet with Cardless Cash is a cloud-based platform that
gives financial institutions control of the branding and user experience
within the application. Customers can add debit, credit, stored value and
loyalty cards, as well as redeem mobile coupons and offers. All credentials
are stored securely in the cloud, not on the smartphone, FIS says.

InAuth
Venice, California-based mobile fraud prevention and app security provider
InAuth raised $20 million in a Series A funding round led by Bain Capital
Ventures in March 2015.

InAuth said the investment came after a year of record growth in which the
company added four of the five largest U.S. banks as customers. Founded
in 2011, InAuth serves customers including large global banks, payment
processors, e-commerce merchants and health insurance companies.

To protect their users, application developers embed InAuth's technology
into their apps. InAuth then secures both application data and financial
transactions from malicious actors, preventing fraud and data loss.

InAuth says its Mobile Identity Platform measures not just the network risk
of a mobile device, but also the confidence that a mobile device user is the
user expected to be using the device. The platform also checks for fraud and
detects anomalies such as jailbroken or rooted devices, the company says.

Ingenico Mobile Solutions
All Ingenico's mPOS devices are PCI-certified and encrypt cardholder data
at the point of capture, Ingenico's Boudier said.

Ingenico offers the On-Guard P2PE solution, which consists of three PCI-
certified components: an encryption module, a decryption module and an
encryption key-management solution.

The encryption module is available across the complete range of Ingenico
POS terminals, including mobile acceptance devices such as the iCMP
chip-and-PIN mobile card reader. The decryption module is hosted in the
infrastructure of any service provider, processor or retailer.

On-Guard can be complemented by a tokenization add-on that allows
merchants to identify their customers without storing sensitive data such as
account numbers.

Ingenico announced a partnership in April 2015 with Intel to jointly develop
a mobile tablet that supports EMV and NFC payments.

The partnership will result in Intel Data Protection Technology for
Transactions being combined with Ingenico payment acceptance capabilities
in mobile and future products in the U.S. and Canada, beginning with the
jointly developed mobile tablets based on the Intel Atom processor.

Jumio
In February 2015, Jumio, a Palo Alto, California-based online/mobile cre-
dentials management company, launched a new version of its ID card scan-
ning service, Netverify. The service provides businesses usingmobile and
online channels with an accurate way to authenticate their customers and
prospects identity credentials.

The new release features a new ID image-capturing technology, which
allows users to position their ID any way within their camera view. This
enhanced template-matching capability automatically detects the ID edges,
rotates the ID and accurately crops it in the frame, regardless of the angle
at which the user holds the ID. This results in a higher scan-acquisition
rate.

To ensure the person presenting the ID to the device camera is the
individual featured in the ID, Jumio's Face Match technology compares the
customer's face with the photo on the ID and produces a likelihood-of-match
score.

The latest Netverify release includes enhanced liveness-detection
technology, which is designed to detect even the slightest facial movements
when a customer presents his or her face to the device's camera. This
guards against use of IDs that are bona fide but have been stolen.

Liveness detection ensures that the person is actually present and
precludes a criminal's attempt to beat Face Match by presenting a static
photo image of the fraud victim, Jumio says.

Jumio also offers BAM Checkout, which enables consumers to scan their
payment cards and driver's licenses when using a mobile shopping app.

Kaspersky Lab
In February 2015, anti-virus firm Kaspersky Lab launched a free mobile
app, Kaspersky QR Scanner. Theprogram not only reads information in QR
codes, but also warns users about potentially dangerous links such as
phishing links embedded by cybercriminals within them. The app is avail-
able for both Google Android and Apple iOS apps.

Kaspersky says cybercriminals can insert malicious code into a QR code
online in place of a legitimate image or by covering over a genuine code on
a poster.

When reading QR codes, it's important to check that the QR code isn't
spoofed, says Ingenico's Boudier.

Kaspersky QR Scanner scans the QR code and checks it against a current
extensive database of known malicious links. If the code is valid, the
scanner will open the page. If not, the app will send the user a warning
notification.

In addition to website addresses, the scanner detects text messages
encoded in QR codes as well as contact information.

MagTek
Seal Beach, California-based transaction security company MagTek
launched the Qwick Codes Mobile Wallet in 2012. Qwick Codes are dy-
namic, one-time-use tokens that replace payment card information for ATM,
POS and online transactions.

The Qwick Codes Mobile Wallet is a subscription-based application that
resides in the cloud at Magensa, MagTek's PCI-certified subsidiary.

To use the Qwick Codes Mobile Wallet, consumers open the Qwick Codes
app, swipe their card through a complimentary MagneSafe reader they
receive with a paid subscription and enter the transaction details such as
maximum dollar amount and an expiration date. A Qwick Code, which con-
sumers can scan from their smartphone or type into a POS terminal or ATM
instead of swiping their card, then is created.

MagTek also manufactures devices and systems for the reliable issuance,
reading, transmission and security of cards, checks, PINs and other identi-
fication documents. Its products include secure card reader authenticators,
check scanners, PIN pads and distributed credential-issuing systems.

MagTek's devices and services are secured using its MagneSafe Security
Architecture technology. By leveraging strong encryption, secure
tokenization, real-time authentication and dynamic transaction data,
MagneSafe-based products enable users to assess and validate the
trustworthiness of credentials used for online identification, payment
processing and other electronic transactions.

MagTek's QwickPAY solution is a secure mPOS offering for card-present mobile payment transactions. QwickPAY works on iOS-based devices, including iPhone 4, iPhone 3G, iPad and iPod touch, and on the Android and Windows PC platforms.

Based on MagneSafe, QwickPAY encrypts card data within the card reader's head, reducing the scope of PCI compliance by eliminating sensitive card data from the application. Decrypted data is delivered only to a PCI DSS-certified payment processor or gateway. QwickPAY also tokenizes sensitive transaction data.


Omlis
Newcastle upon Tyne, U.K.-based Omlis has developed encryption technology to protect mobile banking and payments transactions. It says that standard encryption techniques rely on the repeated use of master encryption keys, which can be intercepted by malicious third parties. Omlis' solution uses randomly generated one-time encryption keys instead of master keys to prevent hackers from intercepting transactions. It also uses payment tokens and authentication tokens.

In January 2015, Omlis announced that it had secured $31 million in contracts to implement its services with various partners over the next five years.

OneVisage
OneVisage, a Swiss digital identity products developer, has launched what it calls the world's first 3D facial-authentication product to operate on standard smartphones.

OneVisage says its SelfiLogin product is meant to eliminate the two-step authentication process that it believes is the cause of transaction cancellations and resulting lost revenue for merchants.

"A sizeable amount of these abandonments represent security concerns emphasized by Generation Z, spanning the ages of 16 to 24," said Christophe Remillet, OneVisage's chief technology officer. "Studies prove that 75 percent of Generation Z is willing to use biometric security solutions like SelfiLogin instead of passwords or PINs for authentication."

Payfone
In December 2014, New York-based Payfone introduced Identity Certainty, an authentication product that relies on the same security standards mobile network operators use to identify their subscribers, Mobile Payments Today reported.

Payfone launched a pilot of Identity Certainty with three major banks in early 2015 through a partnership with fraud-protection and risk-management company Early Warning, Mobile Payments Today said.

Payfone didn't reveal which banks are using the service, but Early Warning is owned by Bank of America, BB&T, Capital One, Chase and Wells Fargo. Early Warning also is a Payfone investor.

Identity Certainty provides an extra layer of protection that banks can use to confirm mobile banking customers' identity when they log into the service.


Mobile identity authentication has become more important for banks as consumers migrate from online banking to smartphones or tablets.

"Banks have learned that a lot of things that can be done on PCs (for authentication) don't translate well to mobile phones," Roger Desai, Payfone's CEO, told Mobile Payments Today. "What the banks wanted us to do was create a consistent way to identify a phone."

Payfone has 300 million mobile identities in its database, thanks to partnerships with all four major U.S. telcos. The company assigns each identity a unique tokenized ID, known as the Payfone Signature, based on a mobile subscriber's phone number, SIM card and account number. Banks use the tokenized ID to make sure everything lines up with their systems.

Identity Certainty tracks 400 different lifecycle events to help banks confirm a customer's mobile identity. Some events occur more often than others, such as an address change, a new phone number or a replacement for a lost device. Other events are less frequent, such as a consumer switching mobile operating systems or using a company-provided device.

"All of these things are critical for the bank to know," Desai said. "We eliminate human interaction when it comes to this authentication method. It's done behind the scenes through the telcos' network. This kind of authentication works because lots of things change with customers that the banks have a hard time tracking."

According to Payfone, if a customer reports that a mobile phone has been lost, replaced or stolen, the Payfone Signature is revoked automatically, terminating access to apps and services in real time on the individual device.

Authentify acquisition
In April 2015, Early Warning signed a definitive agreement to acquire Authentify. Founded in 1999, Authentify provides phone-based, multifactor authentication products and serves 1,200 financial institutions and e-commerce companies.

Early Warning said the acquisition will enable it to offer organizations digital multifactor authentication and the ability to integrate and manage multiple digital channel authentication methods via one platform.

With its acquisition of Authentify and its exclusive partnership and equity investment in Payfone, Early Warning says it can provide a suite of services that:
• improves mobile security and reduces consumer friction by leveraging innovation in biometric and behavioral authentication;
• strengthens authentication events, unlike usernames and passwords;
• supports the integration, delivery, prioritization and management of current and future digital authentication technologies enabled by an SDK; and
• offers a true, persistent identifier that is authenticated in real time, via mobile network operators.

ThreatMetrix
ThreatMetrix offers fraud-prevention solutions that leverage its ThreatMetrix Global Trust Intelligence Network, a shared digital identity network and real-time analytics platform, to protect customers against account takeover, payment fraud and fraudulent account registrations resulting from malware and data breaches.

The ThreatMetrix Global Trust Intelligence Network analyzes 1 billion monthly transactions, including 250 million mobile transactions from 200 countries.

"We're seeing over 20 million new mobile deployments each month, representing more than 25 percent of the total new devices being added to our network," said Andreas Baumhof, ThreatMetrix's chief technology officer.

By creating an anonymized digital identity for consumers based on their device, persona and behavior from every interaction (account origination, login and access, and purchase) and comparing it in real time to previous activity, ThreatMetrix clients can accurately distinguish their customers from cybercriminals, regardless of channel, ThreatMetrix says.

ThreatMetrix TrustDefender Mobile is a mobile SDK that developers can include in their mobile apps. The firm says TrustDefender Mobile helps its customers identify fraudulent behavior and reduce friction for transactions originating from mobile applications.

The newest version, launched in March 2015, extends ThreatMetrix's mobile app reputation and integrity capabilities to iOS devices in addition to Android and widens the breadth of attributes analyzed from mobile devices.

"One challenge our customers face in the mobile channel comes with the explosion of apps from a multitude of different vendors, many of which are used as vehicles to deliver malware," said Dean Weinert, ThreatMetrix's director of mobile products. "It's important for businesses to distinguish between real, trusted apps and apps that have been altered, but that requires a significant amount of data, especially for mobile devices. ThreatMetrix provides a solution that is lightweight on users' devices, putting those device attributes and threat risks into our digital identity network. The network is constantly learning about the growing mobile attack surface so our customers don't have to."


TrustDefender profiles devices for the following information:

• Persistent device identification: This feature identifies individual mobile devices for both iOS and Android platforms, even if the device has been reset or the application has been reinstalled.

• Location services: This feature gathers latitude and longitude information from the GPS hardware and compares IP addresses with physical locations to detect the use of proxies and virtual private networks (VPNs).

• Jailbroken and rooted device detection: Dynamic jailbreak and root detection technologies determine when device security controls have been thwarted. New jailbreak and root methods are pulled from the TrustDefender server each time a device is profiled, to keep the system up-to-date without requiring new application releases.

• Malware detection: For Android-based systems, TrustDefender Mobile verifies the integrity of the app in which it is embedded to ensure it hasn't been compromised or infected. It also analyzes all other apps installed on the device and reports their reputation and the presence of malicious code.

• Anomaly detection: This feature detects device tampering as well as attempts to masquerade as a different device, along with a number of other anomalies that may indicate fraud.

• Packet fingerprinting: This feature automatically detects device and data spoofing via analysis of the network traffic packet signatures originating from the device.
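An added example, not ThreatMetrix's code, of how three of the checks above can be scored from an SDK device profile: GPS-versus-IP distance for proxy or VPN use, root and jailbreak indicator paths, and attribute drift behind a persistent device ID. The IP table, indicator paths, profile field names and threshold are constructed.

```python
"""Device-profile risk flags of the kind the TrustDefender list describes.

Constructed example. The IP-to-location table stands in for a real geolocation
database, and the indicator paths are a small sample of common root/jailbreak
artifacts rather than a maintained list.
"""
import math

# Constructed IP geolocation table: ip -> (lat, lon)
IP_GEO = {
    "203.0.113.10": (40.7128, -74.0060),   # New York
    "198.51.100.7": (51.5074, -0.1278),    # London
}

# Constructed sample of paths whose presence commonly indicates a rooted/jailbroken device
ROOT_INDICATORS = {"/system/xbin/su", "/system/app/Superuser.apk", "/Applications/Cydia.app"}


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def profile_device(profile, known_devices, max_gps_ip_km=500.0):
    """Return risk flags for one SDK profile.

    profile: {"device_id", "ip", "gps": (lat, lon) or None, "paths": [...],
              "os", "model"}   (constructed field names)
    known_devices: {device_id: {"os", "model"}} recorded on earlier visits
    """
    flags = []
    # Location services: GPS fix far from the IP's location suggests a proxy or VPN
    ip_loc = IP_GEO.get(profile.get("ip"))
    if ip_loc and profile.get("gps"):
        d = haversine_km(*profile["gps"], *ip_loc)
        if d > max_gps_ip_km:
            flags.append(f"gps_ip_mismatch:{int(d)}km")
    # Jailbreak / root detection: any known indicator path present on the device
    if ROOT_INDICATORS & set(profile.get("paths", [])):
        flags.append("rooted_or_jailbroken")
    # Anomaly detection: same persistent ID, but OS or model no longer match
    prev = known_devices.get(profile.get("device_id"))
    if prev and (prev["os"] != profile.get("os") or prev["model"] != profile.get("model")):
        flags.append("device_attributes_changed")
    return flags
```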

ValidSoft
ValidSoft offers a multifactor user authentication platform including a Voice Biometric engine and Device Trust technology.

The U.K.-based company's platform authenticates mobile transactions using four elements:
• Something you are: voice biometrics;
• Something you know: a challenge such as a request for a password, personal data or PIN;
• Something you have: a personal device such as a smartphone or tablet;
• Somewhere you are/are not: correlation of the registered device to a location.

The ValidSoft Device Trust solution, which is available on a stand-alone basis, is designed to counteract the growing threat created by fraudsters who maliciously redirect mobile phone calls and text messages to defeat out-of-band authentication systems and other anti-fraud measures involving customer contact via mobile phones.

Out-of-band authentication involves a one-time PIN or passcode being sent to a mobile device when a customer logs in to another channel such as a PC.

Device Trust helps banks protect their customers' data and transactions by securing their communication channels against account takeover, SIM swap, call divert and international roaming-related fraud.
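An added example, not Payfone's or ValidSoft's code, that ties the Payfone Signature description (a tokenized ID over phone number, SIM and account, revoked on lifecycle events) to the Device Trust point above: an out-of-band passcode is only sent to a SIM whose stored signature still matches. The HMAC derivation, event names and sample identifiers are assumptions.

```python
"""Mobile identity signature with lifecycle-driven revocation.

Constructed example. The signature is an HMAC over the three attributes the
Payfone description names; the event names are illustrative.
"""
import hashlib
import hmac
from dataclasses import dataclass, field


def mobile_signature(key: bytes, phone: str, iccid: str, account: str) -> str:
    """Tokenized identity: the bank stores this value, never the raw SIM/account data."""
    msg = "|".join((phone, iccid, account)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


@dataclass
class IdentityRegistry:
    key: bytes
    enrolled: dict = field(default_factory=dict)   # customer -> signature at enrollment
    revoked: set = field(default_factory=set)

    def enroll(self, customer, phone, iccid, account):
        """Record the signature after the customer has been verified out of band."""
        self.enrolled[customer] = mobile_signature(self.key, phone, iccid, account)
        self.revoked.discard(customer)   # re-enrollment after re-verification clears a revocation

    def lifecycle_event(self, customer, event):
        """Operator-reported events that invalidate the stored signature."""
        if event in ("device_lost", "device_stolen", "sim_replaced", "number_ported"):
            self.revoked.add(customer)

    def otp_channel_trusted(self, customer, phone, iccid, account):
        """Decide whether a one-time passcode may be sent to this SIM.

        Returns (trusted, reason). A mismatch means the phone number now maps to
        a different SIM or account than at enrollment, which is what a SIM swap
        looks like, so the passcode must not be sent on that channel.
        """
        if customer not in self.enrolled:
            return False, "not_enrolled"
        if customer in self.revoked:
            return False, "revoked"
        current = mobile_signature(self.key, phone, iccid, account)
        if not hmac.compare_digest(current, self.enrolled[customer]):
            return False, "signature_mismatch"
        return True, "ok"
```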

Veridu
Veridu, a London-based ID verification company, provides an API-based service that enables banks and retailers to base risk-assessment decisions on a potential user's social media profiles.

Rasmus Groth, Veridu's CEO, told Mobile Payments Today that banks and retailers can use the company's ID verification system in the customer onboarding process or as a risk-management tool to flag potentially fraudulent transactions. Groth argues that social media profiles can be a better verification method than asking people to scan documents or ID cards, which he believes can be faked easily.

Once a bank or retailer integrates Veridu's API into its online or mobile channel, it can ask potential users to sign into a combination of social media networks such as Facebook, Twitter and LinkedIn.

Veridu rates the profiles collectively using a number between 0 and 100. Theoretically, a higher score means that the potential user is who they claim to be.

"The way we gear the service is that 57 percent is what we consider a normal, trustworthy person," Groth said. "Anything below 50, we think something might be off. There's always a balance. It depends on what kind of service you have. If your primary concern is making enrollment or onboarding really easy, you set thresholds quite low in the beginning, but later you can have the person reverify their identity."

Verifone
"All Verifone's payment acceptance products, whether mPOS or standard payment terminal solutions, across all payment types including mag-stripe, EMV and NFC/contactless, comply with all the PCI standards and support our P2PE and tokenization solution VeriShield Protect and our Secure Commerce Architecture (SCA)," said Joe Majka, Verifone's chief security officer.

In a data breach, malware steals cardholder information from an integrated POS system, a vulnerability that SCA and VeriShield Protect are designed to counteract.

"Using SCA and VeriShield Protect, we prevent cardholder data from entering the POS system, and we deliver this data in encrypted form from the payment terminal directly to the merchant's processor," Majka said. "Using a P2PE solution such as VeriShield Protect with SCA also reduces a merchant's PCI and EMV certification burden."

WiseSec
Tel Aviv, Israel-based WiseSec has developed a security technology to protect Bluetooth-based mobile payments on any type of smartphone, including Android- and iOS-based smartphones. Its solution uses low-cost Bluetooth-based beacons to locate and authenticate customers in a store, enabling them to pay by tapping their smartphone against a touchpad.

WiseSec claims its solution has a lower cost than NFC, as retailers don't need to install NFC card readers. "We provide a plug-and-play solution, which doesn't require special infrastructure changes to install," said Vadim Maor, WiseSec's CEO. "With our technology, the only players are the customer, their card issuer and the merchant."

"Our protocol works on BLE (Bluetooth low energy) and on other types of Bluetooth links, and offers an alternative to NFC," Maor said. "It creates a tokenized communications channel between the server and the touchpad to simulate full NFC, and can be used for POS payments or cardless transactions at ATMs."

WiseSec creates two types of tokens. "First, we tokenize the customer's payment card, and secondly we secure the transaction between the touchpad, which can be a POS device or an ATM, and the server using tokens," Maor said. "All data is encrypted during transit from the touchpad to the server."

WiseSec's technology verifies a customer's identity, device and location and passes that information to the card issuer to check that the customer's card hasn't been stolen or counterfeited.

"To make a cardless cash withdrawal, a consumer needs to tap their smartphone against an ATM which is enabled with our technology," Maor said. "Because of our military-grade security protocol, we are the only technology approved by the Bank of Israel for cardless ATM withdrawals in Israel."

The Bank of Israel, the country's central bank, acts as a regulatory and approval body for the Israeli Ministry of Finance.

REFERENCES
Mobile Payments Today
www.mobilepaymentstoday.com

Mobile Banking and Payments Security: What banks and payment service providers need to know to keep their customers safe, by Robin Arnfield
Networld Media Group
http://www.networldmediagroup.com/inc/sdetail/12036/18751

Mobile Payments State of the Industry 2015 Omnibus Edition
Networld Media Group
http://www.networldmediagroup.com/inc/sdetail/12036/19754

mPOS 101: What merchants need to know about mobile point-of-sale technology, by Robin Arnfield
Mobile Payments Today
http://www.mobilepaymentstoday.com/whitepapers/mpos-101/

Mobile Payments Today white papers
http://www.mobilepaymentstoday.com/whitepapers/

A look at the PCI guidelines for mobile POS
Mobile Payments Today white paper sponsored by Moki
http://www.mobilepaymentstoday.com/whitepapers/a-look-at-the-pci-guidelines-for-mobile-pos/

Mobile Payments Today directory of suppliers
http://www.mobilepaymentstoday.com/companies/directory/companies-by-category/

Mobile Wallet Comparison Guide, 2015 edition
Networld Media Group
http://www.networldmediagroup.com/inc/sdetail/12036/20723

Accepting Mobile Payments with a Smartphone or Tablet
Mobile Payment Acceptance Security Guidelines for Merchants as End-Users v1.1
Mobile Payment Acceptance Security Guidelines for Developers v1.1
Payment Card Industry Security Standards Council
https://www.pcisecuritystandards.org/security_standards/documents.php?document=pciscc_mobile_payments_0512

End-to-End Security in an Open and Mobile World
Ingenico white paper
http://ingenico.us/wp-content/uploads/2012/07/Ingenico-End-to-End-Security-in-an-Open-and-Mobile-World-EN.pdf

Payment Card Industry Security Standards Council (PCI SSC) documents page
https://www.pcisecuritystandards.org/security_standards/documents.php

The LexisNexis 2014 True Cost of Fraud(SM) Mobile Study
LexisNexis Risk Solutions and Javelin Strategy Solutions & Research
http://www.lexisnexis.com/risk/insights/true-cost-fraud-mobile.aspx

Square's EMV information site
https://squareup.com/emv#

PCI SSC Tokenization Product Security Guidelines
https://www.pcisecuritystandards.org/security_standards/documents.php

The iBeacon/BLE vs NFC Debate: Now the Truth
Mobile Payments Today white paper sponsored by Pyrim Technologies
http://www.mobilepaymentstoday.com/whitepapers/the-ibeaconble-vs-nfc-debate-now-the-truth/

Visa Digital Solutions
http://usa.visa.com/clients-partners/technology-and-innovation/visa-digital-solutions/index.jsp?ep=v_sym_digitalsolutions
