PayPal casts doubt on Near Field mobile payments systems
Juliette Garside at the Mobile World Congress in Barcelona, 28 Feb 2012.

Epic fail for confusing banks with payment providers in the first paragraph, but otherwise interesting despite being a press release. NFC has been struggling to get off the ground for a long time now, and mobile operators really need to look at other interfaces. Scanning a barcode looks really promising - two ways to implement both getting really good user feedback:

1. Starbucks app - scan barcode on smartphone screen to pay for coffee; money taken from pre-loaded credit

2. Apple Store app - use app to scan barcode of thing you want to buy; payment taken through your iTunes account (stored credit card).

Wonder which one will win out? But perhaps they both have strengths for low vs high value transactions.

Plus useful comment from modelportfolio2003:

it is an oversimplification to assume PayPal approach would be so much simpler for most merchants to incorporate. While a software update to an existing POS terminal sounds (ie front end) simpler than a complete replacement to the terminal (required for NFC payments), getting the back-end to successfully accept and settle a PayPal transaction requires additional resources by the merchant. This could deter smaller merchants (the huge numbers are smaller merchants) from implementing despite lower acceptance costs.

I was directed to this Ars Technica article by Aden Davies (banking innovation chap at HSBC), who pointed out the comments thread as rather more insightful than the article itself.

Indeed it was, and I’m just starting a new mobile payment project, so I wanted to aggregate the key points into one post for reference. What might actually be the solution to secure card payment?

First, the idea in the article: dynamic credit card numbers.

How much do you worry about your credit card information falling into the wrong hands, either due to online security breaches or a lost or stolen card? Dynamics Inc. is a company that claims to have the solution: a credit card that generates a one-time use code every time it is used, both for online and physical transactions. The company showed off a number of credit card options here at CES, including the ability to keep a single card for multiple accounts. The secret lies in the company’s innovative magnetic strip, which can be programmed in real time, and—more importantly—wiped clean just as quickly.

Some useful clarification from Syon (in comments): for this to be secure, what you want is both a hidden credit card number and also a dynamic one that changes for each use.

The advantage of this technology over other security measures is that it doesn’t require any change to merchant terminals or systems - dramatically decreasing cost of uptake. [It is of course this issue that’s holding back NFC.]

Looking at other security solutions, there’s a key thing I have to remember: The US (still) doesn’t have chip & PIN - they’re mag-stripe only. However a few years ago Amex Blue “*did* put a chip on the cards, and you could order a chip reader, plug the card into the reader, and then do chip & pin on your own PC.” [ZPrime]. What a faff - at least as bad as those little caclulator/dongle things UK banking customers have as an additional security layer for setting up new online transfers.

For one commenter, the “checkout” option is the obvious security fix:

IMO the solution to fraud online is to stop allowing sites to have any access to card details, and make all processing have to go thru third parties like paypal etc, IMO its time that anyone accepting online payments has to foward you offsite to an accredited processor, and get handed back to the merchant as paypal does.
[RichMS]

It’s interesting to see it advocated, because I’m pretty skeptical. I don’t feel this is an especially compelling offer, because most people are making online purchases relatively infrequently and mostly from the same set of big-name providers (Amazon, ASOS, etc). These brands are trusted as much as any check-out provider (Google, Amazon), and rather more than Paypal. So how much of a need is there? If I were regularly more under-the-counter Ritalin or fake designer handbags from China - I’d want this layer. Mostly though it seems an additional hassle to set up a new Google Checkout account rather than using my existing ASOS or Topshop one to pay…

A much more interesting idea: stop merchants being able to “pull” money off the customer’s card at all:

Why [are we] even bothering with this? [More secure credit cards] The basic enabler of fraud is the idea that random parties can at any time order a withdrawal from someone’s account. Why are we even doing “pull” transactions where the merchant orders the withdrawal from your account? Why aren’t we doing “push” transactions where the merchant tells *you* their receiving account number and a transaction code and you order your bank to send the payment to the merchant? For on-line purchases it should be easy enough. If you’ve got a cell phone you can do it via the Web or a text message or if all else fails a voice call to your bank
[Todd Knarr]

Now this is a really interesting idea, potentially a real game-changer. As stands setting up new payment recipients is quite a hassle in the UK at least (the joys of dongle verification), but for offline purchases there have to be ways to streamline it by using proximity in the verification mechanism - e.g. bump to confim? Enter a code on the other phone’s screen?

A more detailed walk-through of the security requirements for push transactions - anything connected to the internet is potentially hackable. So how to structure a system around that?

The ultimate thing is just a card that has private key in it and a keyboard so that you can type in a code and see how much you are being charged before pressing ok. If customer and bank have 100% control over the keys and the card there is no possible fraud as all the stuff in between is just there to allow the card to communicate with the bank servers.

Breaking public crypto is not going to be easy any time soon so danger of criminals doing anything is low or non existent. Sure the cards are a bit more expensive but it might be cheaper to go for a truly secure system as compared to snake oil stuff they are doing now.

[AxMi-24]

It’s even potentially a business-model disrupter:

“Interesting ideas. The thing about ‘push’ transactions like that is that they require both parties to be online. This is not really an issue - just build it into phones. However, once you’ve required everyone to be online there is a LOT you could do. e.g. You could then standardise the protocol so that money goes between the two banks directly - mastercard and visa can be dis-intermediated. I’d be very happy to remove those monopoly players.”
[Lliwynd]

But is this possible? “I’m afraid your plan won’t really work. In Europe alone, there are over 4000 issuers. Suggesting that each and every one of them makes a connection to 3999 others in order to have a workable payment service doesn’t make any sense. That’s why you have payment processors.” [mrsilver]

Still need to stop & note the consumer objection: “Sounds like a lot of work on the part of the consumer. I’d rather take the risk that my card be stolen then go to my bank’s website every time I want to make a purchase online.” [Eupfhoria]