The governing council of the European Central Bank has launched a new initiative aimed at improving the security of mobile payments, underscoring the increasing use of m-payment services by individuals and businesses in Europe and beyond – and the crucial importance of making such services as safe and secure as possible.
The ECB – which oversees the European single currency as well as certain financial regulations in the 17-nation “eurozone” – released 14 draft recommendations last week, which will now undergo a period of public consultation until late January. All are aimed at enhancing m-payment security as well as trust in m-payments.
The proposals cover a range of issues relating to m-payment security, including customer authentication and data protection in transactions initiated using contactless technology or via mobile operators’ channels or “in-app” purchases. Not covered in the initiative are payments made using a web browser on a mobile device, which are considered “Internet payments,” and fall under a different set of recommendations.
The ECB’s recommendations are based on five “guiding principles” for companies and other institutions in the m-payment area:
- To “identify, assess and mitigate” risks associated with providing such services and consider mobile devices to be “inherently vulnerable” to security issues.
- To ensure robust customer authentication and secure data handling, including a multi-step authentication process involving a mix of knowledge (e.g. a password), ownership (possession of a device) and inherence (a fingerprint or some other biometric data).
- To implement a robust mechanism to protect sensitive data during transmission, processing and storage.
- To implement secure processes for monitoring abnormal transaction patterns to detect and prevent attempted fraud.
- To engage in “enhancing customer understanding” related to m-security.
The ECB also recommended that banks and other firms in the m-payment area make a practice of informing regulators if they suffer any “major payment security incidents.”
While the new guidelines will mean additional work for some companies in the m-payment area, pioneers in the area of m-payment security like Cellum are welcoming them as a necessary step towards making mobile financial transactions as common as cash or card-based payments.
“We started our work more than a decade ago with a very straightforward policy on m-payment security – that the only acceptable level of fraud is zero percent,” said Cellum Founder and Chief Visionary Balázs Inotay. “And we are happy to see the ECB encouraging others in the industry to adopt some of the many safeguards we have been deploying for our customers.”
As for how the ECB’s 14 recommendations and five guiding principles match up with Cellum’s more compact “three golden rules of secure mobile payment,” one might argue that more is less, as Cellum has to date compiled a record of over 30 million m-payment transactions without a single chargeback or fraudulent transaction.