A Q&A with David Herron, Chief Legal Officer of Hyperwallet
In a 2015 ISACA survey of cybersecurity experts, almost 50 percent of respondents stated that they believed mobile payments are not secure, citing issues like wi-fi, stolen devices and weak passwords as the most prominent worries. I spoke with David Herron, chief legal officer of Hyperwallet, about the reality of mobile payment security and what risk managers should be doing to protect their organizations.
What is driving the general pessimism conveyed by this study? Are the concerns valid?
We know that people have many different interactions with phones and that adds up to quite a bit of data. There is, as a result, much uneasiness with the fact that we are literally carrying around a file cabinet of all the most sensitive data we have—passwords, log-ins, phone numbers. Unlike a real, lockable file cabinet, however, the data is not all stored in one easily located place. In fact, the data may not be resident on the phone. It may be in apps or stored in the cloud. Add to that the fact that most people don’t know what the cloud is, let alone how it’s secured. And add to that the use of public wi-fi, and the pessimism is quite understandable. The use of biometrics for unlocking the phone alleviates some fear, but if the phone is open or logged onto wi-fi or its apps are sitting on servers that are not secure, there is still much reason for concern.
All of that sensitivity increases when that platform is being used for payments. Now you have credit card data, birth dates and other credentials for ecommerce transactions in the mix. If this data is compromised, it can be used for a lot of bad things.
That being said, given that mobile is newer technology, you can more easily update it and tokenize payment credentials through software updates. Compare that to point-of-sale terminals that need to be upgraded, often physically, and then need to be recertified.
What is the leading cyber liability risk issue for corporate risk managers whose organizations accept mobile payments?
If you’re talking about an existing retailer that wants to offer in-app purchases, then the risk manager should look at it much the same way they would if they were accepting a credit card online. They are still dealing with payment credentials, and the need to secure those credentials is paramount. If I’m a corporate risk manager, I first want to make sure that using a mobile device to conduct payments doesn’t bring my environment into the scope of PCI and, by extension, expose me to PCI compliance issues. In an optimal world, the retailer should never see any card data or credentials. Tokenization and encryption together are great solutions for this. The retailer should not only work with and utilize a payment provider which is itself PCI compliant but which also offers solutions that tokenize and encrypt the data to make it unusable if intercepted. In this way, retailers can help de-scope themselves from PCI compliance issues. Proper vetting of the payment provider by the retailer should be conducted to validate PCI compliance, the security controls utilized by that provider in securing their environment and data, and the existence of appropriate cyber liability insurance. However, the retailer shouldn’t just rely on the insurance of its payment provider but should ensure it has appropriate levels and provisions of coverage based on its payment acceptance. This is particularly true for retailers making their first foray into ecommerce with mobile payments. In that circumstance, I would definitely check with the insurer to make sure their current coverage needs are in line with the risk profile originally established.
What are the best mitigation measures or safeguards to make mobile payments more secure?
Secure the actual device and have strong passwords and/or biometrics, though some people are now starting to express concern that biometrics can be stolen and exploited. Make sure you have tokenization and encrypt the data end to end. Where possible, the company should avoid receiving sensitive payment data. If it does, ensure there’s a compelling reason why it needs to. There’s often an internal conflict between the need to secure data and the desire to access and perform analytics on such data in order to drive more sales. A well-formed and internally aligned data management plan is critical for a company to reach the right balance. Do your due diligence on payment providers and other vendors—confirm that they’re PCI compliant and have insurance. Finally, understand your own insurance coverages, particularly the coverage exclusions, and review your coverages as your business changes to ensure they meet your business needs.
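The de-scoping pattern Mr. Herron describes in the two answers above (the merchant never holds card data; the provider's vault does, and the merchant keeps only an opaque token) is sketched below as an added Python example. This is illustration written for this article, not Hyperwallet's or any payment provider's code: the class and function names, the stand-in for a hosted payment form, the DLP-style scan and the test card number 4111 1111 1111 1111 are all constructed. Encryption of the vault's contents at rest and of the form submission in transit is assumed to happen inside the provider's PCI-scoped environment and is not shown.

```python
"""Tokenization sketch (constructed example, not a provider's real code).

The provider keeps card numbers (PANs) in a vault and hands the merchant a
random token plus non-sensitive display data. The merchant's own records
therefore never contain a PAN, which is what takes them out of PCI scope.
"""
import json
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit validation for a 13-19 digit card number."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Provider side. Tokens are random, not derived from the PAN: a hash of
    the PAN would be brute-forceable because the keyspace of valid card
    numbers is small, so the only way from token back to PAN is this lookup
    (in a real provider: encrypted at rest, inside the PCI-scoped environment)."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "")
        if not luhn_ok(pan):
            raise ValueError("not a valid card number")
        token = "tok_" + secrets.token_urlsafe(24)   # 192 bits of randomness
        self._pan_by_token[token] = pan
        # Only what the merchant needs for receipts/analytics leaves the vault.
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Used by the provider when it actually runs the charge."""
        return self._pan_by_token[token]


def customer_device_submits_card(vault: TokenVault, pan: str) -> dict:
    """Stand-in for a hosted payment field / provider SDK: the card number
    travels from the customer's device straight to the provider, and the
    merchant only ever receives what this returns."""
    return vault.tokenize(pan)


class Merchant:
    """Merchant side: stores the token reference, never the PAN."""

    def __init__(self, vault: TokenVault):
        self.vault = vault
        self.customers = {}

    def save_payment_method(self, customer_id: str, card_ref: dict) -> None:
        self.customers[customer_id] = card_ref

    def export_records(self) -> str:
        return json.dumps(self.customers)


# DLP-style check a risk manager can run over exports, logs or backups:
# any 13-19 digit run that passes Luhn is treated as a possible PAN.
_PAN_CANDIDATE = re.compile(r"\d{13,19}")


def find_pans(blob: str) -> list:
    return [m for m in _PAN_CANDIDATE.findall(blob) if luhn_ok(m)]


if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant(vault)
    ref = customer_device_submits_card(vault, "4111 1111 1111 1111")  # test PAN
    shop.save_payment_method("cust-1", ref)
    print("merchant holds:", shop.export_records())
    print("PANs found in merchant data:", find_pans(shop.export_records()))
    print("provider can still charge:", vault.detokenize(ref["token"]))
```

The scan at the end is the check worth keeping: if `find_pans` ever returns a hit on a merchant-side export, card data has leaked past the token boundary and that system is back in PCI scope regardless of what the contract with the provider says.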
We want to thank Mr. Herron for his insights into mobile payment cyber risk. He raised important issues that some risk managers are grappling with as their organizations evolve to use mobile technology—issues we all need to be thinking about as both professionals and consumers.
Mr. Herron is a frequent speaker on payment technology risk issues. See him speak inside eRiskHub at Examining the PCI Adjudication Process – NetDiligence Cyber Forum 2015 West Coast.
He also mentioned tokenization as a security safeguard. See more on that important topic from other security experts we have interviewed in past Junto articles:
Safeguarding Data: Encryption, Tokenization and Hashing