What’s the magic number for knowledge based authentication (KBA) in the mobile payments industry? According to a report by Aite Group, a Boston-based research and consulting firm, it’s 40…40% of payments executives are using KBA already and another 40% plan to use it in the next 2 years.
I saw this information in the June edition of Digital Transactions. The cover story, Cybercrime Eyes Mobile, is, as the title implies, about securing the mobile channel and it’s an interesting read for anyone involved with mobile payments.
Basically the article discusses how security for this emerging channel is still all over the place because of the different devices (smartphones, tablets), operating systems (e.g. Apple, Android), and, perhaps most importantly, the human factor (people not securing their phone with a passcode.) While the PCI Council is moving toward having common standards for mobile payments, there is still work to be done before it will begin to approve software under the Payment Application data-security standard (PA-DSS).
The council released guidelines back in May for merchants on how they can accept mobile payments, as well as issued a roadmap for purpose built software for mobile payments hardware, but applications for devices that serve as both a personal tool and mobile card acceptance tool are yet to be approved. One of the reasons for this is the threat of malware and viruses being planted on smartphones through bar scans, emails and text links.
This summer it’s expected that the Council will release a set of best practices for both vendors and merchants that will move such approvals along. But the Council isn’t the only one with regulatory authority over the mobile channel. Bank regulators, the FTC, and Federal Communications Commission are sure to all weigh-in in some fashion.