RBTE 2015: Mobile payments security still a work in progress

If ever there was any doubt that next generation and mobile payment technologies are hot, then the exposition floor at this year's RBTE event in London has settled the issue.

The event brochure listed over 200 solutions providers that have something to do with electronic payments, and approximately 75 that specifically offer mobile payment capabilities. With all that focus, it's no surprise that the conference track for 'Payments in a Mobile World' was standing-room-only. Attendees wanted to know if mobile payments are ready for prime time.

I had the opportunity to participate in a panel discussion on the subject 'Improving The Customer Experience And Security Of Mobile Payments', hosted by payments expert Mark McMurtrie, and including Tesco's manager of digital payment strategies Paul Haberer, Stephane Jacquis, VP of solution & product marketing for Ingenico Group, and the PCI Security Standards Council's international director, Jeremy King.

McMurtrie started the conversation off with a seemingly non-controversial question to the panellists: "What can retailers do to create an excellent customer mobile payment experience?" Each participant offered variations on a theme, mentioning desirable attributes such as "frictionless" and "invisible" (Haberer); "one-click", "mobile-specific" and "adaptive to the device" (Jacquis); "easy", "effortless", and "secure" (King). I added a truism from my own CIO days that "technology must be easier to use than to ignore".

In an earlier session, Starbucks EMEA IT director Robert Teagle had pointed out that while a recent Worldpay survey found that 75% of shoppers like the idea of loyalty points being linked to mobile payments, mobile adoption has been very slow and is likely to take "decades, not years". In fact, 16% of all Starbucks payment transactions are from mobile devices – but that's after the company built in loyalty incentives to create a win-win for both the customer and Starbucks.

While the panellists didn't disagree with that concept, they clearly were of the opinion that mobile payments would take off when and only when they were nearly invisible to the consumer. The group discussed "one-click" vs. "no clicks", mentioned emerging technologies like the "Internet of Things" and smart trolleys that could essentially build the transaction as shoppers go through the aisles, wearable technologies (an inferential nod to this week's Apple Watch announcement), tokenisation and the revitalisation of NFC (another nod to the power of Apple).

In other words, the future of mobile payments from a customer experience perspective is still very much a work in progress, according to the panellists, and likely will take time to get resolved. The PCI Council's King even suggested that a basic problem facing mobile adoption is that "older consumers – those with money – prefer cards", the inference being that retailers are going to have to wait for a generation of shoppers to pass on before critical mass is achieved. 

The elephant in the room was security. King asserted that retailers are collecting far too much about consumers, and they have only considered data security and privacy as an afterthought. He pointed out that as card-present transaction security has improved, card-not-present fraud is on the rise. King then went further to say that the industry shouldn't have needed a PCI mandate to get going – that full consideration of the customer's right to privacy and security should be top-of-mind.

Host McMurtrie followed up on that by asking the panel to comment on the level of involvement that retailers' boards of directors should have. According to Tesco's Haberer, the company's board is already fully engaged. Jacquis suggested that the board would pay attention when it better understood the risks associated with payment fraud. I added my own two cents' worth that managing fiduciary risk is the board's responsibility and that payment fraud represents the potential for real and long-lasting harm to the brand (thus creating fiduciary risk).

As to what's next for PCI-DSS and data security standards, King said that the focus of the council is shifting to mobile, and he specifically mentioned that a PCI taskforce is being created (with Barclays and the US-based National Retail Federation participating) to help address challenges that smaller retailers specifically face. In that context, he said retailers needed to understand that not all third-party payment providers are necessarily secure, and that even if a retailer chooses to use a third party, it still must ensure the security of the transactions.

In other words, just like the mobile payments customer experience, mobile payments security is also a work in progress.

Netting the panel discussion out, there is undeniably a lot for the industry still to accomplish. From a customer experience perspective, the jury is still out on what the most favoured technologies will be. From a security standpoint, there's still much work to be done by retailers and their payment processing partners. And so I for one expect that we'll hear much more on the subject at RBTE 2016.