There are many different options available to companies, services and apps when initiating a mobile transaction. These include:
Web-based transactions (through the browser)
SMS (via text messages)
NFC (near-field communication, a short-range radio link between the phone and the reader; at the time of writing it is usually added to a phone as a sticker, and it is newly popular because Apple and Google are rumored to be building NFC into their next-generation phones)
Tokenization (replacing the card number with a substitute token that is only meaningful to the system that issued it; the theme-park model, where you first buy tickets and then spend them inside the park, is the everyday analogy)
And many more options.
Each of these technologies can complete a transaction, but every one of them relies on some form of encryption to protect the card data along the way.
In practical terms, encryption is a process that transforms information so that it is unreadable to anyone who does not hold the key; the algorithm itself is usually public, and the secrecy rests in the key. A wide variety of encryption schemes have been developed and deployed to safeguard payment data.
To allay your fears, companies offer assurances of the “best” encryption technology, the best-guarded servers, or the familiar McAfee and Symantec site-security seals.
The truth is that today’s dominant approaches to mobile security date back to 1995 or earlier and try to conduct mobile transactions the same way as traditional online transactions: they treat the phone as just another computer and add some extra encryption for good measure.
But, mobile has very different vulnerabilities, and although encryption is an important piece of the puzzle, it isn’t the whole solution.
Ask About Intermediaries
Look for a direct connection between your phone and the venue’s point-of-sale (POS) system (e.g. a cash register or payment console). Every intermediary that handles the transaction is another place the data can be captured, so companies that connect directly mitigate threats from middlemen, and the fewer intermediaries, the better.
You should also care about whether your information is processed locally at the venue or pushed to a larger, third-party server farm somewhere else. The bottom line is that fewer steps and fewer companies touching the data is better. You will not always be able to tell whether this is the case, but you should get in the habit of asking.
Better Understand Where Your Data Lives
Above and beyond everything else, common sense dictates: If there’s enough money in the bank, someone will try to steal it. 7-Eleven only carries $20 cash at night for a reason.
Your payment data should be stored solely on your phone, not in someone else’s database alongside tens of thousands of other credit card numbers. It is hard to steal from someone when there is no money in the safe, and nothing deters an attacker from attempting a big score like the absence of one.
Keeping your payment data solely in your phone is equivalent to keeping your credit card in your wallet.
For consumers, you can usually find out where data is being stored by perusing a website carefully or reading well-researched articles and reviews. Journalists are doing a better and better job of ferreting out where your data lives, and how it is being passed around.
For app developers and payment services, keeping the data off their own servers involves more work and clever engineering. It is hard to avoid third parties entirely (whether for processing or hardware), because they can make things a lot easier on a startup. It is still worth starting down this path if you have not already, since consumers will increasingly demand it.
Be Confident the Data’s Encrypted
The very best approaches to mobile security never send your payment information in a form that an attacker within radio range, or anywhere on the network path, could read or alter.
Industry-standard, authenticated encryption between the customer’s smartphone and the POS should be a priority. Ideally the vendor never needs the raw card data in the first place.
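To make the phone-to-POS requirement concrete, here is an added example in Python that is not part of the original article. It protects a constructed card-data message with encrypt-then-MAC: a keystream derived from HMAC-SHA256 in counter mode, plus an HMAC tag over the terminal identifier, nonce and ciphertext. The shared secret, the terminal identifier and the test card number are all constructed for the example, and the cipher is built from the standard library only so the file runs offline; a production app would use a vetted AEAD (AES-GCM or ChaCha20-Poly1305) from a maintained crypto library rather than this construction.

```python
"""Phone-to-POS message protection: encrypt-then-MAC with an HMAC-SHA256 keystream.

Constructed example. Keys, card data and the terminal identifier are made up.
Standard library only so it runs offline; real deployments should use AES-GCM
or ChaCha20-Poly1305 from a maintained crypto library instead of this keystream.
"""
import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret: bytes) -> tuple:
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"phone-pos-enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"phone-pos-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with successive HMAC-SHA256(enc_key, nonce || counter) blocks."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = struct.pack(">Q", offset // 32)
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(shared_secret: bytes, plaintext: bytes, associated_data: bytes) -> bytes:
    """Phone side: returns nonce || ciphertext || tag.

    associated_data (here the terminal id) is authenticated but sent in the clear,
    so a message sealed for one terminal cannot be accepted by another."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per message; never reuse with a key
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, associated_data + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_message(shared_secret: bytes, message: bytes, associated_data: bytes) -> bytes:
    """POS side: verify the tag in constant time first, then decrypt. Raises on failure."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, associated_data + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message altered or wrong terminal")
    return _keystream_xor(enc_key, nonce, ciphertext)


def demo() -> dict:
    """One transaction, an eavesdropper check, a tampering attempt and a wrong-terminal replay."""
    shared_secret = secrets.token_bytes(32)  # provisioned out of band in a real system
    terminal_id = b"POS-STORE-0042"          # constructed identifier
    card_data = b"PAN=4111111111111111;EXP=12/29;AMT=4.99"  # constructed test card number

    wire = seal(shared_secret, card_data, terminal_id)

    # An attacker in radio range sees only the wire bytes: the PAN is not in them.
    pan_visible = b"4111111111111111" in wire

    # The POS verifies and decrypts.
    received = open_message(shared_secret, wire, terminal_id)

    # Flip one bit in the ciphertext of the amount field; the POS must reject it.
    tampered = bytearray(wire)
    tampered[NONCE_LEN + len(card_data) - 1] ^= 0x01
    try:
        open_message(shared_secret, bytes(tampered), terminal_id)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    # Replaying the same message to a different terminal fails because the id is authenticated.
    try:
        open_message(shared_secret, wire, b"POS-OTHER-0001")
        wrong_terminal_rejected = False
    except ValueError:
        wrong_terminal_rejected = True

    return {
        "pan_visible_on_wire": pan_visible,
        "pos_got_plaintext": received == card_data,
        "tamper_rejected": tamper_rejected,
        "wrong_terminal_rejected": wrong_terminal_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The order of operations in open_message is the point to copy: check the tag before touching the ciphertext, compare it in constant time, and bind the receiving terminal into the tag so a captured message is worthless anywhere else.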
Your Cheat Sheet
In sum, the stakes are high when the smartphone replaces the wallet. We have to rethink where the data lives and who has access to it, convenience notwithstanding. We’re all responsible for asking the hard questions to be informed consumers when we support a carrier, manufacturer, vendor network and technology.
Here’s your cheat sheet for protecting your finances when the phone becomes the wallet. I urge you to ensure that your credit card information is:
Only sent to the venue’s POS system, rather than passing through third-party services.
Only stored on your phone, where it’s safest, and not in the cloud.
Always encrypted when it is sent to the POS system, where the transaction is taking place.
More Mobile Resources from Mashable:
- Why Your Smartphone Will Replace Your Wallet
- NFC Technology: 6 Ways It Could Change Our Daily Lives
- HOW TO: Accept Credit Card Payments on Mobile Devices
- Why Small Businesses Should Care About Mobile Payments
- Linking the Real World to the Web: 3 Emerging Technologies Compared