Recommendations for the security of mobile payments
Original Publication Date: 2013-Nov-01
Included in the Prior Art Database: 2015-Dec-30
This document provides a harmonized framework for the security of mobile payments
Page 01 of 26
RECOMMENDATIONS FOR THE SECURITY OF MOBILE PAYMENTS
DRAFT DOCUMENT FOR PUBLIC CONSULTATION
This report presents a set of recommendations to improve the security of mobile payments. These recommendations were developed by the European Forum on the Security of Retail Payments, SecuRe Pay (the "Forum"). The Forum was set up in 2011 as a voluntary cooperative initiative between authorities. It aims to facilitate common knowledge and understanding, in particular between supervisors of payment service providers (PSPs) and overseers, of issues related to the security of electronic retail payment services and instruments provided within the European Union (EU)/European Economic Area (EEA) Member States. The Forum's work focuses on the whole processing chain of electronic retail payment services (excluding cheques and cash), irrespective of the payment channel. The Forum aims to address areas where major weaknesses and vulnerabilities are detected and, where appropriate, makes recommendations. The ultimate aim is to foster the establishment of a harmonised EU/EEA-wide minimum level of security. The authorities participating in the work of the Forum are listed in the annex.
Having started by making recommendations for internet payments, followed by recommendations for payment account access services, the Forum has now turned its attention to mobile payments. Although recently introduced types of mobile payments are still at an early stage of development and deployment, the use of mobile technology for payments may result in additional security exposures attributable to:
− the fact that the current generation of mobile devices and their operating systems were generally not designed with the security of payments in mind;
− the reliance on radio technology (i.e. wireless short-range technologies such as Bluetooth and Near Field Communication (NFC) or the over-the-air (OTA) data channels provided by the mobile network operator) for transmission of sensitive payment data and personal data;
− the involvement of additional actors, such as mobile network operators (MNOs) and trusted service managers (TSMs), compared with traditional payments; and
− the general reduced security awareness of mobile device users or unsafe customer behaviour.
The Forum realises that mobile payments, as a new payment technology, face the particular challenge that customers' perception of security is a basic condition for the use of mobile payment services, and that security incidents could (temporarily) damage the image of mobile payment services.
Moreover, as mobile payment solutions can potentially be deployed more easily than traditional payment instruments, including across borders, a harmonised European approach is warranted.
For the above reasons, the Forum decided to develop recommendations for the security of mobile payments. These reflect the experi...