Web payments have been available since the mid 1990s, while mobile payments have been available for less than a decade. Both payment methods can be valuable tools for small-business owners to enhance customer convenience, payment flexibility and operational efficiency — but is one more secure than the other? Here’s a look behind both payment technologies, and the security they stand to offer.
Mobile payment security is contingent on the user. As Vanessa Pegueros of The SANS Institutes writes in the white paper, Security of Mobile Banking and Payments, “… the aspects of mobile that make it particularly appealing to marketing are the very personal nature of mobile devices.”
Ironically, that very benefit presents security vulnerabilities into mobile payment transactions. Despite the safeguards mobile payment processors incorporate into their transaction and data-storage processes, mobile devices have evolved into minicomputers of sorts that travel in the pockets or purses of the more than 80 percent of the adult population, according to recent figures reported by TechCrunch.
However, mobile technology is complex, and ever changing. To ensure security, all parties involved in mobile device use, including hardware manufacturers, wireless carriers, developers and end users, must be proactive and adaptive to new security demands. As Pegueros points out, “the basic mobile software framework consists of the kernel, libraries, the application framework and the applications themselves.”
Though one of the appealing aspects mobile payments offer small-business owners is the fact that a personal mobile device can transform into a merchant’s mobile payment processing equipment when needed, that flexibility of use creates a security vulnerability that the customer is not able to control.
Despite the security features the mobile payment processor might offer, including compliance with payment card industry (PCI) standards, merchants ultimately facilitate mobile payment transactions. They provide the equipment and bear the responsibility for ensuring that it’s secure. Mobile devices must be kept current with the latest iteration of the appropriate operating system software. The mobile device owner is also tasked with ensuring that malware and similarly fraudulent apps haven’t been downloaded onto the device.
Particularly in the case of mobile payment transactions that take place outside of a merchant’s place of business, like at conferences, festivals and trade shows, transactions should be processed via a secure and password protected Wi-Fi connection. Though most mobile payment providers are equipped to allow the merchant to accept payment in an “offline” mode if the only available connection is an unsecured public Wi-Fi hot spot, the merchant must be aware of this standard and proceed accordingly. Customers are essentially left vulnerable to trust that the merchant understands the risk associated with mobile payment security, has kept the device up to that standard, and follows proper processing protocol.
Web-based payments. By contrast, Web-based payments typically take place without the direct involvement of a merchant. In e-commerce transactions, for example, the customer directs the payment experience throughout. Despite that the payment transaction may ultimately involve a third-party payment processor and subsequent redirect to a payment gateway, the customer maintains control over the security aspects of the transaction.
Likewise, the consumer, not the merchant, is in control of the equipment used to facilitate Web-based payments, whether it takes place via a mobile device or a private desktop computer. The consumer is empowered to visually confirm that the proper security measures are in place throughout the transaction, including confirming an https:// prefix in the browser exists before entering sensitive payment data, and ensuring that firewalls and anti-virus software are current. Unlike a mobile payment transaction, the customer is also aware of who has interacted with the device, and where it has traveled.
When it comes to whether Web or mobile payments offer superior security, human error may have more impact than the differences in the technology itself. Merchants who accept mobile payments should be aware of the security vulnerabilities that exist, to appropriately manage risk, and ensure a secure payment transaction.
When it comes to making online payments, do you have a preference for using web-based or mobile payments?