I was at one of many Christmas parties and conversation topics, of course, covered “where will you be for Christmas” and “are you done with your shopping.” Almost everyone was done with their shopping, but the big follow-up question was “Well, did you end up shopping at Target?” There were a handful of people at this gathering who did shop at Target over the ill-fated shopping period.
The conversation very quickly involved everyone around the buffet table and included comments like, “I can’t believe hackers actually were able to break into a huge chain like Target” and “your credit card information is not safe anywhere!” Clearly EVERYONE at this party will be checking their credit card statements very closely in January!
However, one comment made really grabbed me. “If my credit card can be swiped by hackers at Target, I’m sure as hell not going to want to use my phone to pay for stuff.” Obviously this exclamation sparked another round of fervent debate and discourse. A few well-known coffee and pastry shops in the area were called out in conversation as using new mobile payments technologies and were “flagged” as potential places to monitor for card fraud.
The implications of the Target data breach on the mobile payments vertical are HUGE. There are serious challenges that must be addressed both on the consumer and business side of the equation for the many emerging mobile payments technology providers.
First of all, consumers have the perception that it’s no longer safe to use even debit or credit cards at physical retail stores. According to one account of the Target breach, a security analyst at a major bank was made aware that cybercriminals were planning to sell online a new stock of stolen credit/debit cards. The analyst bought the stolen card numbers of his/her bank customers using Bitcoin. Presumably, these transactions led to the discovery that these card numbers were stolen from Target.
One could easily make the assumption that Target was not even aware of the breach until the bank analyst made these card number purchases from the cybercriminals. Yikes! This lack of awareness of the problem scares me deeply at the consumer level. Would Square be able to quickly inform a merchant that a consumer’s payment data has been swiped and is being sold by cybercriminals? Could Square inform users that their data was stolen?
Secondly, business and IT executives at Target and all major retailers are wondering how and why the Target payments system was hacked. Obviously, there are fast and furious internal investigations within Target as their legal and technical teams prepare for a barrage of lawsuits coming their way from banks and consumers. These Target executives will be pounding on the doors of their payment system providers and their third-party vendors as well.
The discovery phase of these lawsuits will get UGLY FAST. Moving forward post-breach, all physical and online retail payment platform providers will be evaluated with much greater scrutiny, with a focus on platform security, the ability to detect a data breach and processes to quickly inform users that data has been compromised.
Emerging payment providers such as Square, Dwolla and PayPal need to tackle these implications head-on to meet consumer and business needs in a post-Target data breach world.
Platform security is now a big focus. Yes, each provider does have website messaging that speaks to how secure their platform is. However, security requirements and technology must be increased, especially as the payments platforms are being sold to individual SMBs and to enterprises that use multiple mobile devices to process transactions.
Mobile payment providers can quickly equip themselves with cutting-edge mobile platform security technology through strategic partnerships. Industry leaders include MobileIron, Good Technology, and AirWatch. For example, by partnering with MobileIron, Square can provide a layer of mobile platform security to their SMB customers who use the payment platform across multiple mobile devices (payment terminals).
Addressing mobile platform security needs will also help reassure consumers that their payment data and money are safe at the payment platform level. Square, Dwolla and PayPal must educate consumers on WHY their payment data and money are safe. Providers must clearly explain what happens if a Square account is hacked and the PIN number and cash balance are stolen. Can these providers stand behind a guarantee that transactions are safe? Can they back up consumers’ cash balances if the money is stolen? These are all key concerns that must be addressed for consumers to feel safe in using mobile payments technology to pay for items at physical retail.
Personally, I keep a very low balance in my mobile PayPal account that is connected to a low balance bank account. Why? I still don’t trust that the receiving terminal is that secure and nefarious code could somehow steal my account numbers and distribute them across the world… all through an unsecured wireless connection at the SMB’s business location. Maybe I’m just paranoid and uneducated.