Canadian Banking Industry Releases Payments Security White Paper
The Canadian banking industry recently released the Payments Security White Paper, prepared by the six largest Canadian banks (BMO, CIBC, National Bank, RBC, Scotiabank, TD). The white paper outlines the evolution of mobile payments in Canada, reviews risks associated with various types of mobile payments, and explores potential considerations for the future.
The paper was guided by three overarching principles: the need for security, the need for openness (the mobile payment environment should be open to any mobile wallet on any mobile device) and the desire to support innovation in mobile payments.
Mobile Payment Evolution in Canada
The paper discusses the evolution of mobile payments in Canada, and notes that it is currently still estimated that “fewer than 25% of Canadian consumers have all the required elements to participate in mobile payments”. Challenges to mobile payment adoption include the limited penetration of contactless or NFC (near field communication) point of sale devices, and the lack of interoperability between issuers, mobile devices and mobile network operators.
In considering the evolution of mobile payments, the paper describes as "a fundamental paradigm shift for security" the evolution from traditional SIM-based payments (where the secure element is stored on the mobile device) to Host Card Emulation (HCE) solutions (where the secure element is stored in the cloud). According to the paper, risks associated with SIM-based payments can be rated as either low risk (in the case of technology risk), low to medium risk (reputational risk) or medium risk (operational risk). In contrast, risks associated with HCE mobile payment solutions are rated either as either medium to high (technology risk) or medium (operational risk, reputational risk). Therefore, as HCE-based mobile payment solutions become more prevalent, security risks will likely increase and will need to be managed accordingly.
Open Mobile Wallets: Potential Additional Risks
Open mobile wallets, which would include Apple Pay, Google Wallet, Samsung Pay and, in Canada, UGO Wallet, are mobile wallets that are open to multiple participant issuers (in contrast to proprietary single issuer solutions, such as the Starbucks payment app, or traditional bank apps).
Open mobile wallets involve interactions between many unrelated third parties and could be subject to additional risks as a result, such as the possibility of a higher potential of fraud (due to risks relating to customer identification and verification), risks arising as a result of reliance on third parties (including any token service provider where tokenization is being used) and data privacy and data ownership issues (given the additional data being generated and potentially shared, such as transactional data, location data, etc.). This is particularly the case given the lack of existing standards and certification processes in the industry.
By way of example, Apple Pay earlier this year suffered incidents of fraud, not because of a breach to its security but because the Apple Pay customer verification process allowed fraudsters to register and use stolen cards through Apple Pay. Customer verification will be an ongoing challenge as issuers develop ways to better integrate third party providers into their existing verification processes. With respect to the emergence of new customer identification and validation techniques, such as biometrics, the white paper argues that, at least until the reliability of new techniques is proven, something the “customer knows”, such as a traditional PIN or password, is preferable to something the "customer is", such as a biometric read.
Proposed Path Forward
The paper indicates that, in order to achieve the guiding principles described above (security, openness, innovation):
- Mobile payments should provide at least the same level of security as traditional chip-and-PIN payments.
- Robust customer identification and verification processes (both at the time of enrollment and at the time of a transaction) are required to protect against payment fraud.
- There needs to be a compelling value proposition to customers. The experience of using mobile payments needs to be as good as, or better, than using traditional plastic cards, for customers to migrate to mobile payments.
The mobile payment landscape has evolved significantly in the past few years in Canada, with banks and non-financial institutions launching both proprietary and open mobile wallets and payment applications, and is expected to continue to evolve quickly, with the anticipated arrival of new payment solutions in Canada (including Apple Pay), continuing developments relating to cloud-based payment solutions, advances in tokenization, and the development of novel customer verification and identification methods (biometrically-based or otherwise). As outlined in the white paper, there remain many risks and challenges in this area which will continue to need to be carefully addressed going forward in connection with such developments.
Cybersecurity mobile payments;