Monday, October 5, 2015


American consumers are falling hard for mobile payment apps. They’re undoubtedly fast and convenient, and seem to point the way towards the future of sales transactions - but are they safe? 

The recent alleged hack of Starbucks’ mobile payment app (an allegation the company has strenuously denied) highlighted the potential risks of using apps that permanently store credit card information. As mobile technology grows more sophisticated, so too do cyber hackers. The challenge of defending mobile devices from attack lies in securing multiple kinds of technology at each stage of the transaction. Firstly, the phone itself can be accessed by anyone who picks it up, which is where password protection comes in. Secondly, the apps on the phone are different types of software, each with its own vulnerabilities. Most crucially, the wireless networks we all take for granted are convenient, but they offer another way for hackers to access private data.

Because mobile payment apps are in their infancy, they haven’t had long enough to build the type of loyalty that’s important to every brand, but absolutely essential for financial services. Without consumer trust, apps like Google Wallet, Apple Pay and Kash won’t have much of a future, no matter how convenient and attractive they are.

A recent report from The Clearing House - a commercial banking advocacy group - argues that although mobile wallet providers are subject to certain data-security requirements, these fall short of the stringent regulations applicable to banks. As a result, security flaws are harder to detect until a breach actually takes place. The report identifies several ways in which alternative payment providers could bring their cybersecurity in line with banks:

  • Data Security Act of 2015. This proposed law would establish security standards for handling financial data in order to minimize the chances of a breach. It would give the Federal Trade Commission (FTC) the power to enforce it.
  • More resources. The FTC would need further resources in order to staff investigations.
  • Better security. Additional legislation would make it clear that alternative-payment providers are subject to the same scrutiny as banks. Again, the FTC could be granted authority to govern this.

Although mobile payment providers aren’t currently subject to the same level of regulation as banks, that doesn’t mean they aren’t already doing everything they can to maximize security. Failing to get out in front of potentially brand-destroying data breaches is risky, and, given Starbucks’ flat denial of any breach, there’s no evidence to suggest mobile payment providers aren’t being security-conscious. 

For app developers, there are tools available to heighten security. AppShield SDK, for instance, offers cloaking and firewall technology that promises to shield mobile wallet apps from other apps on a device. For users, it’s a case of remaining vigilant about your transactions, especially the small transactions that hackers make in large numbers in order to escape detection. Until our smartphones offer the same level of security reassurance we expect from banks, customer awareness of the limitations - legal and technical - of mobile payment apps is our best protection.