MOBILE PAYMENTS: RISK, SECURITY AND ASSURANCE ISSUES
MARC VAEL, BRUSSELS, JUNE 2014
AGENDA
• Definition of mobile payment
• Mobile payment types
• Mobile payment category & ecosystem
• Mobile payment benefits & challenges
• Mobile payment risks
• Mobile payment governance & change
• Mobile payment assurance
• Conclusions
DEFINITION OF MOBILE PAYMENT
Payment for products or services between two parties for which a mobile device plays a key role in the realization of the payment.
MOBILE PAYMENT TYPES
1/ Proximity payment
Contactless payments in which payment credential is stored in mobile device and is
exchanged over the air, based on NFC technology, with dedicated & compatible
payment terminal. 

Mobile device acts as contactless payment card (new payment form factor).
Contactless payment could be used remotely; for example, to make online purchase
by swiping mobile device over contactless NFC reader plugged into computer.
2/ Remote payment
Payments take place either via mobile web browser or resident smartphone
application, in which mobile phone is used as device to authenticate personal
information stored remotely. Remote payments can be used for transactions such as
face-to-face and vending machine transactions.
MOBILE PAYMENT CATEGORY
Financial institutions & mobile network operators (MNOs) are competing to be the entity that
holds the customer account and receives the biggest portion of fees. This environment has
created another categorization:
• Bank-centric model: customer account is held by bank. 

Issues involving matters such as liability, anti-money laundering, transaction
monitoring for fraud detection and compliance fall under appropriate local, national
and international banking laws & regulations. 

When payment is initiated, consumer’s bank must authorize transaction. Payment
networks are traditional ones (like Visa, MasterCard) and differences are at
transaction endpoints.
• Non-bank-centric model: customer account is held at nonfinancial organizations
such as MNO or third-party payment service (like PayPal, Google Wallet, Ripple). 

Important regulatory, security and even profit sharing questions arise: which entity
will be responsible for regulation of these services—respective national
telecommunication authority or respective national bank?
MOBILE PAYMENT ECOSYSTEM
• Consumers
• Financial service providers (FSPs)
• Payment service providers (PSPs)
• In-service providers (merchants), including content providers
• Network service providers (NSPs)
• Device manufacturers
• Regulators
• Standardization & Industry bodies
• Trusted service managers (TSMs)
• Application developers
Life cycle of a bank-centric NFC mobile payment
MOBILE PAYMENTS BENEFITS
1 Speed & convenience for customers (no need to carry cash or credit cards).
2 Cost-effective coverage available in rural areas where no financial institutions
exist.
3 Capability to send money abroad via person-to-person (P2P) mobile payment
services.

With 191 million migrant workers worldwide and a potential for international remittances of $257
billion in 2005 (according to UN & World Bank), international fund transfers via mobile
phone represent a significant opportunity for mobile operators.
4 Mobile wallet can consolidate many cards (no physical cards and providing one
type of device for all NFC applications).
5 Improved authentication via PIN-based service (enhanced layer of security).
6 Opportunity to reach large proportion of earth’s population without need for large
investment in technology. Mobile phones are more widespread than bank
accounts, particularly in rural areas.
7 No need for cash for merchants & clients (reduces risk of carrying and
transferring cash, particularly in high-risk or volatile environments).
8 Amount of required stored data to meet compliance requirements is reduced.
9 Smartphone capabilities (such as geo-location) and Internet connection can be
used to improve transaction security & improve fraud-detection capabilities
(combination creates “geomarketing” where merchant can use geo-location & mobile
payment data to build a customer profile and provide a personalized experience).
10 Theft of mobile phone is realized sooner by its owner than theft of credit card.
11 Mobile payments open market for professionals and low-segment merchants
without point-of-sale (POS) terminals.
12 Use of smartphones counters skimming methods that account for significant
portion of card fraud. They also provide protection against so-called pickpocketing of
information from cards equipped with radio frequency identification (RFID) tags.
13 Remote wipe functionality is widely available on smartphones & tablet devices,
either by default or as application (protects user personal & financial information
should mobile device be lost or stolen).
MOBILE PAYMENTS CHALLENGES
1. agreement on business model to be used for revenue sharing &
customer ownership
2. retooling costs to support mobile payments (such as deploying NFC
capability)
3. current regulatory uncertainty.
MOBILE PAYMENTS RISKS
Fraudsters have always targeted payment vehicles of every kind, and mobile
payments are no exception: upfront analysis & countermeasures are needed to
mitigate mobile payment risks.
Risk from mobile payments can be categorized:
• Traditional risk: denial/theft of services and loss of revenue, brand
reputation and customer base
• Emerging risk: money laundering & terrorist funding.
Risk for participants in mobile payments ecosystem depends on the entity's
role: user, network or communication provider, or payment service
provider.
http://siteresources.worldbank.org/INTAML/Resources/WP146_Web.pdf
STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS
Mobile payment transaction can be more exposed to risk because
several parties are involved in performing the payment service jointly.
This may worsen if important services are outsourced to potentially
unregulated third parties without clear lines of accountability & oversight,
or which are located abroad. 

This multiparty transaction environment is conducive to exploitation by
fraudsters using technological & sociological attacks IF appropriate
protection mechanisms & accountability controls are not established
throughout mobile payment ecosystem.

With careful planning that includes all stakeholders, processes and
technologies involved, opportunity exists to make security an
intrinsic element of all mobile payment systems.
http://www.isaca.org/bookstore/extras/Pages/Securing-Mobile-Devices-Using-COBIT-5-for-Information-Security.aspx
Layers of Existing Security Controls
4 initial comments:
• Financial, Payment and Network Service Providers (FSPs, PSPs,
NSPs) should implement appropriate safeguards, privacy and security
governance programs.
• Lack of clear regulation should not be used by organizations as
excuse for not being proactive.
• Risks from misuse by authorized users exist, such as money laundering
and illegal use (the latter area may require support from new laws
that will evolve to ensure adequate protection).
• Each organization involved in transaction data chain should put in
place strong positive controls to protect data while in its custody.
A. Identity Protection: ensuring transaction being undertaken is most
likely being carried out by the person authorized or registered to carry it
out.
B. Data classification during data transmission & storage at the various
nodes. Organizations should identify data which are considered personal
& sensitive and should ensure appropriate mechanisms are in place.
C. Data integrity: Organizations should take this into account.
D. Privacy: In case mobile payment data will be used for marketing
services, organizations could be found liable for unfair business practices
if they use customer data for purposes not included in customer notices.
E. POS system security for proximity payments. Organizations should
ensure that third parties with which they interact have robust security
governance projects in place.
F. TSM security: the TSM acts as the entity that “personalizes” the TSM-compatible
chip on the vendor-supplied mobile device. In such a collaborative cross-platform
environment, an organization’s risk control program should
strongly focus on third-party services management.
G. User security awareness: users should be educated to understand
corresponding risks.
H. Secure mobile interoperability: Mobile device manufacturers should
collaborate with payment industry for development of platforms ensuring
secure environment for conducting mobile transactions and interoperability
between different smartphone models, as users tend to frequently
change/update their mobile phones. Seamless provision of secure
interoperable services is of critical importance for mobile payment
success.
I. Leverage control mechanisms developed by banks: those controls,
when used in conjunction with technological countermeasures &
information that can be derived from mobile transactions (such as
geo-location) can raise confidence that a transaction is not fraudulent.
J. Transactions security: transactions should be segmented by purchase
amount, location and merchant category, and risk should be managed
accordingly.
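As an added example that is not part of the presentation, the segmentation of item J (purchase amount, location, merchant category) combined with the geo-location signal of item I and the PIN step-up of benefit 5, written as a small rule engine in Python. The category limits, the distance tolerance and the sample transactions are constructed assumptions, not figures from the deck.

```python
"""Transaction risk segmentation for a mobile payment service.

Added example, not from the presentation. Implements slide item J
(segment transactions by purchase amount, location and merchant category)
and item I (use device geo-location derived from the mobile transaction to
raise confidence that a transaction is not fraudulent). All thresholds,
merchant categories and sample transactions are constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Optional

# Constructed policy: per-category amount ceiling (EUR) above which a wallet
# PIN step-up is required, and the ceiling above which we decline outright.
STEP_UP_LIMIT = {"grocery": 50.0, "transit": 20.0, "electronics": 150.0, "default": 30.0}
HARD_LIMIT = {"grocery": 500.0, "transit": 100.0, "electronics": 2000.0, "default": 300.0}
MAX_DISTANCE_KM = 5.0  # device vs. terminal distance tolerated for a proximity payment


@dataclass
class Transaction:
    tx_id: str
    amount: float
    merchant_category: str
    merchant_lat: float
    merchant_lon: float
    device_lat: Optional[float]  # None when the handset reports no location fix
    device_lon: Optional[float]
    pin_verified: bool = False   # consumer entered the wallet PIN for this tx


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def risk_decision(tx: Transaction):
    """Return (decision, reasons); decision is APPROVE, STEP_UP or DECLINE.

    Rules in the order a fraud engine would apply them:
      1. amount above the hard limit for the merchant category -> DECLINE
      2. device far from the terminal, or no location at all  -> STEP_UP unless PIN given
      3. amount above the category step-up limit               -> STEP_UP unless PIN given
      4. otherwise (low value, local, known category)           -> APPROVE
    """
    reasons = []
    cat = tx.merchant_category if tx.merchant_category in STEP_UP_LIMIT else "default"
    if cat == "default":
        reasons.append(f"unknown merchant category {tx.merchant_category!r}")

    if tx.amount > HARD_LIMIT[cat]:
        reasons.append(f"amount {tx.amount:.2f} exceeds hard limit {HARD_LIMIT[cat]:.2f} for {cat}")
        return "DECLINE", reasons

    needs_step_up = False
    if tx.device_lat is None or tx.device_lon is None:
        reasons.append("no device geo-location available")
        needs_step_up = True
    else:
        dist = haversine_km(tx.device_lat, tx.device_lon, tx.merchant_lat, tx.merchant_lon)
        if dist > MAX_DISTANCE_KM:
            reasons.append(f"device is {dist:.1f} km from terminal (> {MAX_DISTANCE_KM} km)")
            needs_step_up = True

    if tx.amount > STEP_UP_LIMIT[cat]:
        reasons.append(f"amount {tx.amount:.2f} above step-up limit {STEP_UP_LIMIT[cat]:.2f} for {cat}")
        needs_step_up = True

    if needs_step_up and not tx.pin_verified:
        return "STEP_UP", reasons
    if needs_step_up:
        reasons.append("PIN verified; step-up satisfied")
    return "APPROVE", reasons


# Constructed sample transactions; terminal is in Brussels, t4's device is in Antwerp.
SAMPLE = [
    Transaction("t1", 12.40, "grocery", 50.8467, 4.3525, 50.8470, 4.3530),
    Transaction("t2", 89.00, "grocery", 50.8467, 4.3525, 50.8470, 4.3530),
    Transaction("t3", 89.00, "grocery", 50.8467, 4.3525, 50.8470, 4.3530, True),
    Transaction("t4", 15.00, "transit", 50.8467, 4.3525, 51.2194, 4.4025),
    Transaction("t5", 2500.00, "electronics", 50.8467, 4.3525, 50.8470, 4.3530, True),
    Transaction("t6", 10.00, "casino", 50.8467, 4.3525, None, None),
]


def run_samples():
    """Decision per sample transaction, keyed by tx_id."""
    return {tx.tx_id: risk_decision(tx)[0] for tx in SAMPLE}


if __name__ == "__main__":
    for tx in SAMPLE:
        decision, why = risk_decision(tx)
        print(f"{tx.tx_id}: {decision:8s} {'; '.join(why)}")
```

The reasons list is what an auditor would want logged alongside each decision, so that the segmentation policy itself can be reviewed (item J) rather than only its outcome.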
ISACA Mobile Payments Forum presentation
MOBILE PAYMENTS GOVERNANCE & CHANGE
Training & new internal controls should be designed & monitored. 

Major driver in mobile payment services adoption = business model that
delivers value to all players in the ecosystem. Business models can be
bank-centric, mobile operator-centric, independent service provider-centric
or hybrid-collaborative.

Today we focus on bank-centric aspects of the mobile ecosystem.
From business model perspective for B2B and B2C activities, there will
need to be provision for fair access to consumer segments among
mobile payment stakeholders & adequate customer protection and
privacy. Sound CRM will require adequate & timely disclosure of risk,
responsibilities and liabilities associated with mobile transactions to
customers; and identification of recourse for customers and
establishment of grievance handling procedures for both internal and
cross-platform and cross-organizational transactions.
There will be a need to modify existing networks or develop new network
structures to provide seamless interoperability needed among
participants in mobile payments ecosystem.
Due to the nature of mobile payments, individual organization countermeasures
will not be sufficient, so specific attention should be given to inter-organization
relationships within mobile payments ecosystem. For
example, until now payment cards had been controlled by financial
organization or institution. Now, card information is stored on chips, e.g.,
SIM cards, that can be moved from device to device. And customers
change mobile phones, lose phones and buy from various vendors that
are not controlled by banks.

This situation requires that new entity be put in place to govern
uncontrolled chip & ensure trusted distribution of payment card
information.
Possible solution = deploy TSM architecture that is collaborative
across technical and business boundaries to provide core of secure
mobile payment ecosystem. 

TSM would be neutral intermediary to oversee business & operational
requirements for large-scale deployment of mobile payments. Its
functions would include things as management of business rules and
authentication, providing connectivity between MNOs and service
providers, ensuring end-to-end security, providing application life cycle
management for MNOs, handsets and customers, and end-to-end
customer support. 

Caveats = TSM would not participate in actual NFC contactless
transaction processes, i.e., transactions would be processed over
existing payment channels and TSM would facilitate secure
authentication to network edge prior to transmission over existing
channels.
MOBILE PAYMENTS ASSURANCE
Optimal way to determine what assurance criteria should be applied (and
in what context) = consider 2 assurance levels:
• Applying banking-level compliance scrutiny to service providers
handling distribution of money as well as payment services
(e.g., PayPal, Western Union, Google Checkout, lottery systems)
• Applying standard audit models & standards for payment systems
associated with purchase of goods & services
(e.g., MNOs, transit system authorities, retail merchants)
When reviewing mobile payment services providers, auditors should
consider following:
• COBIT 5 framework as basis for risk management, compliance and proper
protection and use of mobile payment information
• Ensuring compliance with pertinent regulations governing both payment industry
& telecommunication industry
• Contractual relationship of organization with TSM, particularly mutual assurance
obligations & representations
• Trust transfer points of mobile payment transaction process and how these are
protected to ensure end-to-end trust from consumer initiation of transaction to
purchase fulfillment, payment and settlement
• Privacy protection & integrity of transaction data and customer data account
details
• Awareness training of organization members for new risk & responsibilities for
handling mobile payments
http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/Mobile-Computing-Security-Audit-Assurance-Program.aspx
CONCLUSIONS
Mobile payments market is undergoing transformation and holds a
promising future for both consumers & providers. 

Some key points for mobile payments are:
1 Collaborative & competitive models for mobile payment services
are created.
2 Security & privacy as well as convenience are key drivers from
consumer perspective.
3 Strong assurance from independent trusted third parties &
development of, and adherence to, best business practices within
mobile payments ecosystem will be required to encourage
widespread consumer adoption.
4 Right now the future is promising and seductive, but uncertain.
ISACA Mobile Payments Forum presentation

More Related Content

PPTX
Best Practices in Risk Management for Mobile Payments - MRC 2011
Hill Ferguson
 
PPT
Mobile Payment fraud & risk assessment
Stefano Maria De' Rossi
 
PPTX
Secure mobile payment
Ahmed Kamel Taha
 
PDF
Mobile payment
Software Park Thailand
 
PDF
Mobile Payments: An IBM Point of View
Mark Sherman
 
PPT
Overview of Mobile Payment Systems
Amit Naik
 
PDF
Mobile Payments
Mike Batton
 
PDF
Future of mobile payment and mobile commerce may 2013
Tarang Shah
 
Best Practices in Risk Management for Mobile Payments - MRC 2011
Hill Ferguson
 
Mobile Payment fraud & risk assessment
Stefano Maria De' Rossi
 
Secure mobile payment
Ahmed Kamel Taha
 
Mobile payment
Software Park Thailand
 
Mobile Payments: An IBM Point of View
Mark Sherman
 
Overview of Mobile Payment Systems
Amit Naik
 
Mobile Payments
Mike Batton
 
Future of mobile payment and mobile commerce may 2013
Tarang Shah
 

What's hot (20)

PDF
Mobile Payments Framework
Lakshmana Kattula
 
PPTX
Mobile money, a development tool for benin powerpoint
AJAVON Samuel
 
PPTX
Mobile payments: A history of [in]security
CanadianCIO (IT World Canada)
 
PDF
Report
Massimo Salvato
 
PPTX
Mobile Money: Banks & Telcos, who’s the Boss?
Isabelle Berner
 
PPT
Mobile Money Business Track: understanding the Model and Market
Arief Gunawan
 
PDF
Mobile payment technology 8.11.2014 final
Audrey M Lehr SCPM, CSM, MS Information Systems
 
PDF
Mobile Financial Services
mgopik
 
PPTX
Mobile Payments revolution
Pragati Rai
 
PDF
Security issues in_mobile_payment
Prof. Dr. K. Adisesha
 
PDF
Sample Report: Global Mobile Payment Methods: Full Year 2015
yStats.com
 
PDF
Mobile Money Business Models
NetHopeOrg
 
PDF
Mobile Money Overview
Gabriele Farei
 
PPTX
Payment revolution by Yoav Elgrichi
Siti Aishah Zahari
 
PPTX
Mobile Commerce: A Security Perspective
Pragati Rai
 
PDF
contactless mobile payments
Boni
 
PDF
Gemalto NFC
MobileMonday Beijing
 
PPTX
MasterCard and Penrillian Partnership in NFC
NFC Forum
 
PDF
Mobile Financial Services
Softweb Solutions
 
PDF
Mobile Banking – A Transformation of Traditional Banking
Infosys Finacle
 
Mobile Payments Framework
Lakshmana Kattula
 
Mobile money, a development tool for benin powerpoint
AJAVON Samuel
 
Mobile payments: A history of [in]security
CanadianCIO (IT World Canada)
 
Mobile Money: Banks & Telcos, who’s the Boss?
Isabelle Berner
 
Mobile Money Business Track: understanding the Model and Market
Arief Gunawan
 
Mobile payment technology 8.11.2014 final
Audrey M Lehr SCPM, CSM, MS Information Systems
 
Mobile Financial Services
mgopik
 
Mobile Payments revolution
Pragati Rai
 
Security issues in_mobile_payment
Prof. Dr. K. Adisesha
 
Sample Report: Global Mobile Payment Methods: Full Year 2015
yStats.com
 
Mobile Money Business Models
NetHopeOrg
 
Mobile Money Overview
Gabriele Farei
 
Payment revolution by Yoav Elgrichi
Siti Aishah Zahari
 
Mobile Commerce: A Security Perspective
Pragati Rai
 
contactless mobile payments
Boni
 
MasterCard and Penrillian Partnership in NFC
NFC Forum
 
Mobile Financial Services
Softweb Solutions
 
Mobile Banking – A Transformation of Traditional Banking
Infosys Finacle
 
Ad

Similar to ISACA Mobile Payments Forum presentation (20)

PDF
A need for peer to-peer strong local authentication protocol (p2 pslap) in mo...
IJNSA Journal
 
PDF
A NEED FOR PEER-TO-PEER STRONG LOCAL AUTHENTICATION PROTOCOL (P2PSLAP) IN MOB...
IJNSA Journal
 
PDF
26 legal issues in mobile money transactions
Ojijo P
 
PDF
5 Powerful Applications of Mobile Payments in Everyday Life
civil hospital parasia
 
PDF
Future of Payment Systems_ Fintech and Mobile Wallets.pdf
CIOWomenMagazine
 
PDF
Mobile Payments Market.pdf
pavanjanawade1
 
PDF
Paul Mcnea - paythru
James Cameron
 
PDF
Digital Wallets & Mobile Payments Shaping the Future of Transactions.pdf
SeasiaInfotech2
 
PPTX
H imanshu final mcs ppt 20147
Himanshu Phatnani
 
PPTX
H imanshu final mcs ppt 20147
Himanshu Phatnani
 
PDF
Mobile payment systems and services
Saketh guggilla
 
PPTX
MIS 11 M-Commerce
Tushar B Kute
 
PDF
The Fact-Finding Security Examination in NFC-enabled Mobile Payment System
IJECEIAES
 
PDF
Mobile Practices European Release Final 27 04 11
Neira Jones
 
PDF
What to Expect from a Mobile Banking Solution? (Whitepaper)
Thinksoft Global
 
PPTX
Overview of Digital Financial Services Landscape
John Owens
 
PPTX
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
Smart Payment Association
 
PDF
Mob banking product
2great
 
PPTX
Mobile banking issues in banking and insurance
Kumarrebal
 
PDF
Tap to Pay- The Future of Technological Payments
itio Innovex Pvt Ltv
 
A need for peer to-peer strong local authentication protocol (p2 pslap) in mo...
IJNSA Journal
 
A NEED FOR PEER-TO-PEER STRONG LOCAL AUTHENTICATION PROTOCOL (P2PSLAP) IN MOB...
IJNSA Journal
 
26 legal issues in mobile money transactions
Ojijo P
 
5 Powerful Applications of Mobile Payments in Everyday Life
civil hospital parasia
 
Future of Payment Systems_ Fintech and Mobile Wallets.pdf
CIOWomenMagazine
 
Mobile Payments Market.pdf
pavanjanawade1
 
Paul Mcnea - paythru
James Cameron
 
Digital Wallets & Mobile Payments Shaping the Future of Transactions.pdf
SeasiaInfotech2
 
H imanshu final mcs ppt 20147
Himanshu Phatnani
 
H imanshu final mcs ppt 20147
Himanshu Phatnani
 
Mobile payment systems and services
Saketh guggilla
 
MIS 11 M-Commerce
Tushar B Kute
 
The Fact-Finding Security Examination in NFC-enabled Mobile Payment System
IJECEIAES
 
Mobile Practices European Release Final 27 04 11
Neira Jones
 
What to Expect from a Mobile Banking Solution? (Whitepaper)
Thinksoft Global
 
Overview of Digital Financial Services Landscape
John Owens
 
How we will be paying in 2020 - SPA Technical Director, Lorenzo Gaston at EPC...
Smart Payment Association
 
Mob banking product
2great
 
Mobile banking issues in banking and insurance
Kumarrebal
 
Tap to Pay- The Future of Technological Payments
itio Innovex Pvt Ltv
 
Ad

More from Marc Vael (20)

PDF
How secure are chat and webconf tools
Marc Vael
 
PDF
my experience as ciso
Marc Vael
 
PDF
Advantages of privacy by design in IoE
Marc Vael
 
PDF
Cybersecurity governance existing frameworks (nov 2015)
Marc Vael
 
PDF
Cybersecurity nexus vision
Marc Vael
 
PDF
ISACA Reporting relevant IT risks to stakeholders
Marc Vael
 
PDF
Cloud security lessons learned and audit
Marc Vael
 
PDF
Value-added it auditing
Marc Vael
 
PDF
ISACA Internet of Things open forum presentation
Marc Vael
 
PDF
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
Marc Vael
 
PDF
The value of big data analytics
Marc Vael
 
PDF
Social media risks and controls
Marc Vael
 
PDF
The view of auditor on cybercrime
Marc Vael
 
PDF
Belgian Data Protection Commission's new audit programme
Marc Vael
 
PDF
ISACA Cloud Computing Risks
Marc Vael
 
PDF
Information security awareness (sept 2012) bis handout
Marc Vael
 
PPTX
ISACA smart security for smart devices
Marc Vael
 
PPTX
Securing big data (july 2012)
Marc Vael
 
PDF
Valuendo cyberwar and security (jan 2012) handout
Marc Vael
 
PDF
How to handle multilayered IT security today
Marc Vael
 
How secure are chat and webconf tools
Marc Vael
 
my experience as ciso
Marc Vael
 
Advantages of privacy by design in IoE
Marc Vael
 
Cybersecurity governance existing frameworks (nov 2015)
Marc Vael
 
Cybersecurity nexus vision
Marc Vael
 
ISACA Reporting relevant IT risks to stakeholders
Marc Vael
 
Cloud security lessons learned and audit
Marc Vael
 
Value-added it auditing
Marc Vael
 
ISACA Internet of Things open forum presentation
Marc Vael
 
hoe kan u vandaag informatie veiligheid realiseren op een praktische manier?
Marc Vael
 
The value of big data analytics
Marc Vael
 
Social media risks and controls
Marc Vael
 
The view of auditor on cybercrime
Marc Vael
 
Belgian Data Protection Commission's new audit programme
Marc Vael
 
ISACA Cloud Computing Risks
Marc Vael
 
Information security awareness (sept 2012) bis handout
Marc Vael
 
ISACA smart security for smart devices
Marc Vael
 
Securing big data (july 2012)
Marc Vael
 
Valuendo cyberwar and security (jan 2012) handout
Marc Vael
 
How to handle multilayered IT security today
Marc Vael
 

ISACA Mobile Payments Forum presentation

  • 1. MOBILE PAYMENTS: 
 RISK, SECURITY AND ASSURANCE ISSUES MARC VAEL, BRUSSELS, JUNE 2014
  • 2. AGENDA ! Definition of mobile payment ! Mobile payment types ! Mobile payment category & ecosystem ! Mobile payment benefits & challenges ! Mobile payment risks ! Mobile payment governance & change ! Mobile payment assurance ! Conclusions
  • 3. 3
  • 4. DEFINITION OF MOBILE PAYMENT Payment for products or services between two parties 
 for which a mobile device
 plays a key role 
 in the realization of the payment.
  • 5. 5
  • 6. MOBILE PAYMENT TYPES 1/ Proximity payment Contactless payments in which payment credential is stored in mobile device and is exchanged over the air, based on NFC technology, with dedicated & compatible payment terminal. 
 Mobile device acts as contactless payment card (new payment form factor). Contactless payment could be used remotely; for example, to make online purchase by swiping mobile device over contactless NFC reader plugged into computer. 2/ Remote payment Payments take place either via mobile web browser or resident smartphone application, in which mobile phone is used as device to authenticate personal information stored remotely. Remote payments can be used for transactions such as face-to-face and vending machine transactions.
  • 7. MOBILE PAYMENT CATEGORY Financial institutions & mobile network operators (MNOs) are competing for entity that will hold customer account and receive biggest portion of fees. This environment has created another categorization: • Bank-centric model: customer account is held by bank. 
 Issues involving matters such as liability, anti-money laundering, transaction monitoring for fraud detection and compliance fall under appropriate local, national and international banking laws & regulations. 
 When payment is initiated, consumer’s bank must authorize transaction. Payment networks are traditional ones (like Visa, MasterCard) and differences are at transaction endpoints. • Non-bank-centric model: customer account is held at nonfinancial organizations such as MNO or third-party payment service (like PayPal, Google Wallet, Ripple). 
 Important regulatory, security and even profit sharing questions arise: which entity will be responsible for regulation of these services—respective national telecommunication authority or respective national bank?
  • 8. MOBILE PAYMENT ECOSYSTEM • Consumers • Financial service providers (FSPs) • Payment service providers (PSPs) • In-service providers (merchants), including content providers • Network service providers (NSPs) • Device manufacturers • Regulators • Standardization & Industry bodies • Trusted service managers (TSMs) • Application developers
  • 9. Life cycle of a bank-centric NFC mobile payment
  • 10. MOBILE PAYMENTS BENEFITS 1 Speed & convenience for customers (no need to carry cash or credit cards). 2 Cost-effective coverage available in rural areas where no financial institutions exist. 3 Capability to send money abroad via person-to-person (P2P) mobile payment services. 
 191 million migrant workers worldwide & potential for international remittance of $257 billion in 2005 (according to UN & World Bank), international fund transfers via mobile phone represent significant opportunity for mobile operators. 4 Mobile wallet can consolidate many cards (no physical cards and providing one type of device for all NFC applications). 5 Improved authentication via PIN-based service (enhanced layer of security). 6 Opportunity to reach large proportion of earth’s population without need for large investment in technology. Mobile phones are more widespread than bank accounts, particularly in rural areas. 7 No need for cash for merchants & clients (reduces risk of carrying and transferring cash, particularly in high-risk or volatile environments).
  • 11. MOBILE PAYMENTS BENEFITS 8 Amount of required stored data to meet compliance requirements is reduced. 9 Smartphone capabilities (such as geo-location) and Internet connection can be used to improve transaction security & improve fraud-detection capabilities (combination creates “geomarketing” where merchant can use geo-location & mobile payment data to build a customer profile and provide a personalized experience). 10 Better realization in case of theft of mobile phone vs. theft of credit card. 11 Mobile payments open market for professionals and low-segment merchants without point-of-sale (POS) terminals. 12 Use of smartphones counters skimming methods that account for significant portion of card fraud. They also provide protection against so-called pickpocketing of information from cards equipped with radio frequency identification (RFID) tags. 13 Remote wipe functionality is widely available on smartphones & tablet devices either by default or as application. (protection of user personal & financial information should mobile device be lost or stolen)
  • 12. MOBILE PAYMENTS CHALLENGES 1. agreement on business model to be used for revenue sharing & customer ownership 2. retooling costs to support mobile payments (such as deploying NFC capability) 3. current regulatory uncertainty.
  • 13. MOBILE PAYMENTS RISKS Fraudsters have always targeted various payment vehicles and so are mobile payments: upfront analysis & counter measures are needed to mitigate mobile payment risks. Risk from mobile payments can be categorized: • Traditional risk: denial/theft of services and loss of revenue, brand reputation and customer base • Emerging risk: money laundering & terrorist funding. Risk for participants in mobile payments ecosystem depends on role of the entity user, network or communication provider or payment service provider.
  • 17. STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS
  • 18. STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS Mobile payment transaction can be more exposed to risk because several parties are involved in performing the payment service jointly. This may worsen if important services are outsourced to potentially unregulated third parties without clear lines of accountability & oversight, or which are located abroad. 
 This multiparty transaction environment is conducive to exploitation by fraudsters using technological & sociological attacks IF appropriate protection mechanisms & accountability controls are not established throughout mobile payment ecosystem. 
 
 With careful planning that includes all stakeholders, processes and technologies involved, opportunity exists to make security an intrinsic element of all mobile payment systems.
  • 20. Layers of Existing Security Controls
  • 21. STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS 4 initial comments: • Financial, Payment and Network Service Providers (FSPs, PSPs, NSPs) should implement appropriate safeguards, privacy and security governance programs. • Lack of clear regulation should not be used by organizations as excuse for not being proactive. • Risk from misuse by authorized users exist such as money laundering and risk of illegal use (latter area may require support from new laws that will evolve to ensure adequate protection). • Each organization involved in transaction data chain should put in place strong positive controls to protect data while in its custody.
  • 22. STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS A. Identity Protection: ensuring transaction being undertaken is most likely being carried out by the person authorized or registered to carry it out. 
 
 B. Data classification during data transmission & storage at the various nodes. Organizations should identify data which are considered personal & sensitive and should ensure appropriate mechanisms are in place. C. Data integrity: Organizations should take this into account. D. Privacy: In case mobile payment data will be used for marketing services, organizations could be found liable for unfair business practices if they use customer data for purposes not included in customer notices.
  • 23. STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS E. POS system security for proximity payments. Organizations should ensure that third parties with which they interact have robust security governance projects in place. F. TSM security: which acts as entity that “personalizes” TSM-compatible chip on vendor supplied mobile device. In such a collaborative cross- platform environment, an organization’s risk control program should strongly focus on third-party services management. G. User security awareness: users should be educated to understand corresponding risks.
  • 24. STRATEGIES FOR ADDRESSING MOBILE PAYMENT RISKS H. Secure mobile interoperability: Mobile device manufactures should collaborate with payment industry for development of platforms ensuring secure environment for conducting mobile transactions + interoperability between different smartphone models as users tend to frequently change/update their mobile phones. Seamless provision of secure interoperable services is of critical importance for mobile payment success. I. Leverage control mechanisms developed by banks: those controls, when used in conjunction with technological countermeasures & information that can be derived from mobile transactions—such as geo- location—can raise confidence that a transaction is not fraudulent. J. Transactions security: transactions should be segmented by purchase amount, location and merchant category, and risk should be managed accordingly.
  • 26. MOBILE PAYMENTS GOVERNANCE & CHANGE Training & new internal controls should be designed & monitored. 
 Major driver in mobile payment services adoption = business model that delivers value to all players in the ecosystem. Business models can be bank-centric, mobile operator-centric, independent service provider- centric or hybrid-collaborative. 
 Today we focus on the bank-centric aspects of the mobile ecosystem. From a business model perspective, for both B2B and B2C activities, there will need to be provision for fair access to consumer segments among mobile payment stakeholders & adequate customer protection and privacy. Sound CRM (customer relationship management) will require adequate & timely disclosure to customers of the risks, responsibilities and liabilities associated with mobile transactions; identification of recourse for customers; and establishment of grievance handling procedures for internal as well as cross-platform and cross-organizational transactions.
  • 27. MOBILE PAYMENTS GOVERNANCE & CHANGE There will be a need to modify existing networks or develop new network structures to provide the seamless interoperability needed among participants in the mobile payments ecosystem. Due to the nature of mobile payments, individual organizations' countermeasures will not be sufficient, so specific attention should be given to inter-organization relationships within the mobile payments ecosystem. For example, until now payment cards had been controlled by a financial organization or institution. Now card information is stored on chips, e.g., SIM cards, that can be moved from device to device. And customers change mobile phones, lose phones and buy from various vendors that are not controlled by banks. 
 This situation requires that a new entity be put in place to govern the otherwise uncontrolled chip & ensure trusted distribution of payment card information.
  • 28. MOBILE PAYMENTS GOVERNANCE & CHANGE Possible solution = deploy a TSM architecture that is collaborative across technical and business boundaries to provide the core of a secure mobile payment ecosystem. 
 The TSM would be a neutral intermediary overseeing the business & operational requirements for large-scale deployment of mobile payments. Its functions would include management of business rules and authentication, connectivity between MNOs and service providers, end-to-end security, application life cycle management for MNOs, handsets and customers, and end-to-end customer support. 
 Caveat = the TSM would not participate in the actual NFC contactless transaction process, i.e., transactions would be processed over existing payment channels and the TSM would facilitate secure authentication to the network edge prior to transmission over those existing channels.
  • 30. MOBILE PAYMENTS ASSURANCE Optimal way to determine what assurance criteria should be applied (and in what context) = consider 2 assurance levels:
 • Applying banking-level compliance scrutiny to service providers handling distribution of money as well as payment services (e.g., PayPal, Western Union, Google Checkout, lottery systems)
 • Applying standard audit models & standards for payment systems associated with purchase of goods & services (e.g., MNOs, transit system authorities, retail merchants)
  • 31. MOBILE PAYMENTS ASSURANCE When reviewing mobile payment service providers, auditors should consider the following:
 • COBIT 5 framework as the basis for risk management, compliance and proper protection and use of mobile payment information
 • Compliance with pertinent regulations governing both the payment industry & the telecommunication industry
 • Contractual relationship of the organization with the TSM, particularly mutual assurance obligations & representations
 • Trust transfer points of the mobile payment transaction process and how these are protected to ensure end-to-end trust from consumer initiation of the transaction to purchase fulfillment, payment and settlement
 • Privacy protection & integrity of transaction data and customer account details
 • Awareness training of organization members on the new risks & responsibilities of handling mobile payments
  • 35. CONCLUSIONS The mobile payments market is undergoing transformation and holds a promising future for both consumers & providers. 
 Some key points for mobile payments are:
 1 Collaborative & competitive models for mobile payment services are being created.
 2 Security & privacy, as well as convenience, are key drivers from the consumer perspective.
 3 Strong assurance from independent trusted third parties & development of, and adherence to, best business practices within the mobile payments ecosystem will be required to encourage widespread consumer adoption.
 4 Right now the future is promising and seductive, but uncertain.