Securing iPhone payment processing
The iPhone is the latest mobile payment processing trend. Merchants and consumers need to understand the risks associated with this emerging technology.
Quite a bit of hype surrounds Square, the mobile payment processing service founded by Twitter co-founder Jack Dorsey. But mobile payment processing is hardly a new concept, as companies like Symbol (now owned by Motorola) have long offering a wide array of devices.
The big deal is not the concept, but the fact that you can turn your iPhone or other mobile device into an on-demand payment processing service.
I spoke to Tom Patterson, chief security officer of MagTek, a provider of electronic devices for the secure transfer of payment data, to understand the implications of this new wave of mobile payment processing from a security perspective. Patterson thinks that 2010 will see an emergence of micropayments and nanomerchants, people who sell occasionally or sell small numbers of items who are not well-served by the credit card industry.
MagTek provides the MagneSafe head, which provides the data encryption capabilities for a number of services including Swipe It, a new offering of software and hardware for the iPhone and iPod Touch that turns the devices into mobile payment services.
Patterson said merchants will want to have more choices for merchant services accounts, and customers will want to ensure that all their data is encrypted, preferably via a technology approach that removes the merchant from actually handling the card numbers.
Patterson highlighted two major security concerns for merchants:
- Liability--when you take someones' credit card info, you are liable and responsible for keeping it safe when it's in your hands.
- Fraud--distinguishing between a genuine card and a counterfeit card.
Patterson asserted that consumers should be very concerned whenever they provide their credit card information--and mobile is just the latest risk, potentially riskier if data is not encrypted because devices can be easily lost or stolen. Just because someone can do a card swipe doesn't mean the transaction is any safer than just keying it in. The encryption needs to be instantaneous in order to assure the highest level of security ensuring that data not be corrupted inadvertently or on purpose.
Mobile payments through consumer smartphones are a very logical extension and should portend a new wave of iPhone (and other devices such as the Droid) dongleware with a multitude of possibilities.
I would have expected to see a lot more of these types of hardware solutions already but mobile software has outpaced the hardware by a wide margin, most likely because hardware requires manufacturing in addition to engineering.