MasterCard, Apple Reveal Mobile Payment Services
A recently unveiled MasterCard biometrics pilot, an Apple P2P patent and a new Payment Card Industry Security Standards Council (PCI SSC) encryption standard are continuing to evolve payment technology and security on mobile and POS devices.
In an effort to manage digital fraud, the Purchase, N.Y.-based MasterCard will enable 500 pilot users to utilize a smartphone app this fall to confirm their identity and authenticate online transactions via fingerprints or facial scans.
During fingerprint authentication, the user simply touches the device. For facial recognition, the user takes a selfie, but must also blink to become authenticated. MasterCard's security researchers determined blinking prevents crooks from just holding up a picture and tricking the system.
"The new generation, which is into selfies, I think they'll find it cool. They'll embrace it," Ajay Bhalla, president, enterprise safety and security, told CNN Money.
Bhalla said MasterCard doesn't actually retain individual fingerprints or face images. Instead, the process converts fingerprint scans to codes retained on the device. The facial recognition instrument maps out faces, converts them to a series of 1s and 0s and transmits it over the Internet to MasterCard.
MasterCard said it has partnered with smartphone makers, including Apple, BlackBerry, Google, Microsoft and Samsung. The credit card company is finalizing deals with two major financial institutions, so it isn’t quite ready to say who gets to test the system.
Meanwhile, the Cupertino, Calif.-based Apple filed for a new patent, which details a P2P money transmission method that could potentially snatch market share from PayPal, Venmo and Square, and also impact financial institutions.
“Apple’s invention generally relates to wireless communications, wireless electronic devices, and more specifically to techniques for conducting financial transactions by communicating encrypted financial credentials between the wireless electronic devices,” Apple stated in regard to the patent.
The new patent allows iPhone users to activate their Wallet app, select a stored card to make the money transfer and type in the amount. The payment authentication takes place using Touch ID or the iPhone’s passcode. The wallet system would also let the individual select the funds recipient from nearby iPhone users.
Then, an encrypted "packet" is sent to the person receiving the payment, including the amount, verification and a payment "credential," which could embody the sender's credit card details. A third party, the user's financial institution or credit-card provider, would complete the transaction, and the payee would receive a notification that the payment had gone through successfully.
“We have been proponents of stronger authentication for online interaction of all types since 2001,” John Zurawski, vice president of Authentify, an arm of the fraud prevention and risk management firm Early Warning, said. “Clearly, the credit card networks and issuing banks have finally come around to that way of thinking, and it’s likely because consumers are tired of the persistent threat of online fraud. The power of mobile devices has improved to make biometrics easier and more accurate, so why wouldn’t they take advantage of the authentication strength to restore consumer faith?”
In addition, the Wakefield, Mass.-based PCI SSC published a significant update to one of its eight security standards, simplifying the development and use of point-to-point encryption (P2PE) that makes payment card data unreadable and less valuable to criminals if stolen in a breach.
The updated standard, documented as PCI P2PE Solution Requirements and Testing Procedures Version 2.0, provides more flexibility to solution providers that supply P2PE components and services. One of the major features of the council’s new P2PE Version 2.0 is a stipulation that allows covered entities to employ and manage their own encryption tools at their POS systems provided the tools are compliant with PCI requirements.
“Malware that captures and steals data at the point-of-sale continues to threaten businesses and their ability to protect consumers’ payment information,” PCI Security Standards Council Chief Technology Officer Troy Leach said. “As these attacks become more sophisticated, it’s critical to find ways to devalue payment card data.”
Use of a PCI-approved P2PE solution can also allow merchants to reduce where and how the PCI Data Security Standard (PCI DSS) applies within their retail environment, increasing the security of customer data while simplifying compliance with the PCI DSS.