August 19, 2016
Guest Perspective: Unlocking the Riddle of Cardholder Authentication—Mobile Payments Opens the Way
By Bill Clark, President and CEO, Spindle
It used to be that the consumer signature was the primary authentication tool used at point-of-sale. You transacted a purchase by card, you signed a slip of paper, and the clerk matched your signature, on the spot, with the one on the back of your card, thus authenticating your identity. Have you—or has anyone you know—made such a purchase lately? Most clerks don’t even look at your signature, let alone match it to the scribble on the back of the card. Instead, they sometimes ask consumers to present a driver’s license for identification during the transaction; and, in some cases, CVV numbers are even being asked for at point-of-sale. It’s all in an effort to ensure a cardholder’s identity, which is a process more easily and flexibly handled on a secure mobile payments platform.
Authenticate the Cardholder, Not Just the Card
Today, there is a growing concern among merchants that the need to improve authentication is paramount, but the extra steps they seem to be taking are hardly airtight measures for reliably verifying consumer identity. In reality, such market-wide inconsistency and basic lack of procedural discipline in authentication has rendered credit-card purchases nearly as non-restrictive and unprotected as regular cash purchases, with no one effectively verifying that the true cardholder is the person who is actually present and holding the card.
If fraud crimes like the recent Target breach teach us anything, it is that cyber criminals are becoming much more brazen and sophisticated in exploiting the vulnerabilities of the payments system. These threats are apparent on a systemic level at the data center as well as on an individual basis at checkout. The industry must effect genuine steps toward providing a creative and effective authentication solution, one that will serve as the basic foundation for all non-cash purchase transactions moving forward, no matter what form those transactions may take.
From many perspectives, the currently accepted security premise has been flawed from the outset. Since the early days, when card-based transactions took a firm foothold in the payments industry, the process has always focused on card authentication—verifying the validity of the card. What we should really be authenticating is the card holder, meaning the verification of whether the individual present is actually authorized to use the card. The original idea behind signature verification was to authenticate the cardholder, but that practice has gone by the wayside. Today, cardholders are not being verified; and in practice neither are the cards. We need a better system that allows us to return to reliable cardholder authentication, and payments via mobile device offer the best combination of technology, form factor, and behavioral familiarity to make that security goal a daily operational reality.
Mobile Is the New Normal
The mobile device, whether smartphone or tablet, has emerged as the ubiquitous technology companion for persons of virtually any age in the 21st century. You’ve heard it before: People would leave their wallets at home before leaving their mobile phones. That’s a fact. What better platform then from which to conduct secure, cardholder-authenticated, non-cash payments than through the very object that is with us all the time: our mobile device? It has already established itself as the single and central command center for all our essential technologies, serving as our primary communication device, our mobile Internet, our on-the-go multimedia center, our camera, our video recorder, our stereo and mobile radio, our GPS unit and more. The list goes on and surprisingly expands with each groundbreaking innovation.
Not only is it the next logical step that smartphones and tablets become the fundamental centers of mobile commerce in our lives, but the inevitability of the prospect continues to be proven with each successful step we take in that direction. Mobile wallet, NFC, QR scanning, digital coupons—each component of the payments industry that manifests itself onto a mobile platform represents another step toward where our digital society is surely and inexorably headed: to the establishment of a mobile payments ecosystem where payment cards are obsolete, and with them, their inherent security vulnerabilities.
A Higher Level of Payments Security
Let’s run through a few basic but compelling security measures which a mobile device delivers that a plastic credit- or debit-card-based payments system—even with EMV chip embedded—simply cannot. Mobile devices can be made to require passcode entry to turn them on or to reactivate them from sleep. Additional multi-digit password requirements can be introduced during a mobile payments transaction. Mobile devices can be geo-pinged to verify authorized physical locations and their connected cellular towers can validate the GPS. Voice authentication based on dollar amounts can be integrated into payment transactions that are conducted on a mobile device—and now with the new iPhones, fingerprint authentications can be implemented as well.
Additional biometric measures such as retina scanning, iris reading and facial recognition are also being introduced onto emerging mobile devices, all of which can easily be deployed to authenticate the identity of mobile shoppers. When security measures such as these are applied to a mobile payments transaction—or, better still, when several of these measures are stacked—the odds are much greater that the person transacting on that mobile device has been accurately authenticated as the true authorized party.
Also, with mobile payments, the common access to and sharing of bank information and financial records that is required to conduct a standard purchase transaction is all handled behind the scenes—securely hidden in the cloud—unlike card-based systems, where such information is readily vulnerable, either at point-of-sale or at the merchants’ data centers. Payments conducted in the cloud and account holders authenticated via mobile devices eliminate this easily exploitable middle step, making mobile payment transactions inherently more secure. In short, mobile payment has the potential to eliminate payments fraud.
Embracing the Inevitable Move to Mobile Payments
For this all to take effect, will legacy equipment at the merchant need to change? Yes. Of course. Will capital investments need to be made as this future unfolds and takes hold? Absolutely, as with all new technologies. However, in this case, there are two major points to remember:
- Authentication will continue to prove itself the fundamental anchor point for all payment transaction security
- No other platform is as intrinsically capable of delivering more effective cardholder authentication than today’s mobile devices—let alone tomorrow’s.
Just as mobile computing and communication devices have become the cultural center of our lives, so will mobile payments become the center of retail commerce. It’s time to accept that inevitable fact, and for the industry to stop settling for stopgaps, and to start moving—both with creativity and conviction—in that sure direction.
Bill Clark, president and CEO of Spindle, has more than 20 years of experience in business operations, sales, marketing and product development in the payments industry. Spindle provides white-label mobile payment solutions for banks, financial institutions, and telecommunication innovators.