Mobile Payments: Is the Convenience Worth the Risk?

You may not have noticed, but there’s a war raging over what’s in your pocket. And we don’t mean Android versus iPhone. This battle is about who will convince consumers to use their smartphone instead of cash or credit cards to make retail purchases. A long list of corporate heavyweights is vying for a position in mobile payments, including all four national cellular carriers, software giants such as Google, and credit card companies Citibank, Mastercard, and Visa. Mega retailers want in as well, with Gap, Starbucks, and Target already testing these uncharted waters.

Why the sudden gold rush? Because the necessary technology is finally falling into place—and the potential payoff is huge. In fact, smartphone-aided purchases represent perhaps the biggest sea change in product sales since online shopping disrupted the market back in the mid-1990s.

In a recent report, Generator Research stated that the global market for mobile payments will grow from $68 billion in 2009 to an astounding $630 billion by 2014. Generator also predicted that the number of users of mobile-payment systems will reach 490 million in 2014, up from just 81.3 million two years ago. With projections like this, it’s no wonder that corporations are salivating.

Since much of what makes this technology so valuable is the ability to link your identity to your location and shopping history, mobile payments may cause privacy-conscious consumers to think twice about signing up. Security is another big issue. In today’s world of hacktivists and electronic warfare, waving your mobile device to check out isn’t as risk-free as it seems.

The Mobile Wallet Vision

So how does using your phone as a wallet work? A customer’s handset, likely running Google’s Android operating system, will contain an NFC (Near Field Communication) chip. The chip stores data for multiple bank or credit card accounts (the same info written on standard plastic cards). What’s different is that the NFC circuitry can wirelessly transmit this data on command when in range of specially equipped retail registers. The NFC electronics are in turn controlled by software—namely, an app.

Many of the major banks already issue cards that use contactless payment technology, but they haven’t been heavily marketed. NFC will harness this already-installed base of contactless infrastructure.

According to Richard K. Crone of Crone Consulting, who has more than 30 years of experience in the financial and retail payment business, acceptance and use of contactless cards by merchants has been low due to the expense of equipment and the higher fees charged by banks. “Sure, you may have seen contactless readers at CVS drugstores in New York or in a taxi, and even tried to use them. And a lot of times it doesn’t work,” Crone explained. “The reason for that is the merchant actually turns them off because those payments go for a higher rate.”

Google’s Mobile Payment Move

Google is undeterred by the hurdles to deploying retail NFC technology. The company started rolling out its own mobile payment service, called Google Wallet, this summer. First, Google Wallet will be field-tested in two urban markets, New York and San Francisco, with plans to bring the service nationwide as quickly as possible.

Google’s partners include large financial institutions Citigroup and Mastercard along with such retail merchants as American Eagle Outfitters, Bloomingdales, and Macy’s. Duane Reade and Walgreens are also participating, as are Peet’s Coffee & Tea and Subway restaurants. Another key partner is Sprint, which sells the Samsung Nexus S 4G smartphone with NFC capabilities.

Here’s how Google expects its Wallet app and service to work: A customer who owns an NFC-equipped handset, such as the Nexus S 4G, will download the Google Wallet app. Clicking the app’s W-shaped logo opens the software and starts the setup process. Users have the option to add two payment methods to the wallet: either a Citi Mastercard that is PayPass-enabled (PayPass is Mastercard’s marketing term for its implementation of contactless technology) or what Google calls a Google Prepaid card.

The Prepaid card is essentially a virtual way to store funds within Google Wallet without needing to own a PayPass Citi MasterCard. At launch, the Prepaid card will come with an initial balance of $10, which users can top off with the credit card of their choice.

In an effort to lure potential customers to Google Wallet, the service will also offer some key features to enhance the shopping experience. The first enticement is support for loyalty cards, so if you use your phone to shop at a participating store, purchases are automatically tracked against that merchant’s program. In a nutshell, the app will remember how many cups away you are from a free latte.

Offers and coupon features are also built in, aggregated into a My Offers area. These offers or special discounts come in three forms, the first being tied to Google’s Place Pages, listings for businesses such as restaurants or retail stores that show up in Google searches. The second type of offer consists of ads that appear when users conduct Google searches, which can be saved for redemption later.

The most high-profile initiative is the Google Offers service, currently in beta. Tied to a person’s location, Google Offers will highlight nearby deals of the day. According to Nate Tyler, primary spokesperson for Google Wallet, these abilities add up to a real benefit for the consumer. “We’ve outlined a scenario where a person can easily spend, but also redeem, loyalty points and coupons or offers all at the same time,” Tyler said. “This keeps them from having to store all that information in their wallet and goes beyond what a traditional card can do.”

Visa’s PayWave

In addition to Citigroup and Mastercard, who have signed on with Google, Visa has also been aggressively pursuing wireless payments. To supplement its contactless solution called PayWave, the firm plans on pitching its own digital wallet app to potential partners and customers. This app, which will also use NFC technology, is currently under development and is expected to hit the U.S. and Canadian market by the fall.

According to Bill Gajda, head of global mobile products at Visa, the company “is actively involved with getting the PayWave app onto as many devices as possible.” He told us that Visa’s app will allow customers to virtualize their Visa card to make contactless payments via smartphones at the point of sale. Gajda also sees a bright future for NFC, stating that “most of the elements are now coming together in developed markets. With a lot of smartphones being switched on every year, we’re really going to see NFC take off.” 

It’s understandable why Visa is pushing its own app. Providing a new way for customers to use its products on mobile devices is imperative for the company to stay relevant in the post-credit card world and to open up new and more lucrative revenue streams. That said, Gajda is certainly willing to have customers use Visa’s payment products within other apps. “Just like today in the physical world, people have multiple payment methods loaded into their phone [wallets], whether that’s Visa, Mastercard, loyalty cards, etc.—just like they do with their leather wallets,” he said.

Visa recognizes the value of location-based data as well, having recently partnered with the Gap clothing store chain to offer a program called Gap Mobile4U. After signing up and registering a Visa card on the program website, customers receive Gap offers based on their location and purchase history sent via e-mail or SMS. “Based on our experience with the Gap, we’ve got data that indicates these kinds of relevant and real-time [locational] programs drive a tremendous amount of traffic to those stores,” Gajda said.         

Here Comes ISIS

Thus far, the Google Wallet service has only one wireless carrier signed up as a partner: Sprint. That leaves the three remaining major U.S. mobile operators. But AT&T, T-Mobile, and Verizon Wireless aren’t sitting still. They’re members of another industry group, called ISIS, that’s looking to roll out a different mobile payment network based on NFC technology.

Having the backing of three out of the four major carriers certainly carries a lot of weight. Recently, American Express, MasterCard, and Visa all announced that they were partnering with ISIS. “If you are a bank and you want to get your debit or credit cards into the phones of your customers with the one-stop shop integration of ISIS, you can reach 220 million consumers,” said Jaymee Johnson, head of marketing for ISIS.

For now at least, it sounds as though ISIS has no interest in integrating with Google Wallet. In fact, Johnson hinted at the possibility of ISIS acting as a gatekeeper to all players wishing to enter the mobile payment business, saying, “Hardware is controlled by the people who buy it, and in the case of the U.S. [wireless] market that is the carriers.” No doubt ISIS feels confident that it can offer a digital wallet app that its carrier partners can customize.        

Are Mobile Payments Secure?

When dealing with bank and credit card information, security is always a concern, and some experts say that storing sensitive data on a phone’s NFC chip is a recipe for disaster. “Software-only approaches that don’t store payment credentials in the phone, that don’t give them to a merchant, are likely to gain much faster traction than hardware-based NFC approaches,” Crone said. “There are lots of videos on YouTube showing people [who] have devised readers that can scan payment credentials right from back pockets.”

The NFC proponents we spoke to adamantly defended the technology. The technology uses a one-time encryption method, essentially scrambling the sensitive info at the point of sale, what Visa referred to as “dynamic authentication.” Visa’s Gajda also explained, “We’ve devised PayWave in such a way that you can’t skim or [illegally] intercept an NFC payment. The read range is about two or three inches, so you have to physically tap or bump the phone to the merchant’s terminal.” Gajda also told us that you can never have two receivers trying to complete a transaction at the point of sale. And because users must activate the application and press a button to make a payment, it’s not always on.
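The idea behind the “dynamic authentication” described above, sketched as an added example (it is not from the article and is not Visa’s or Google’s actual algorithm): the secure element never hands over a reusable secret, only a one-time code bound to a counter and the terminal’s challenge, so captured payment data is declined when presented again. The `SecureElement` and `Issuer` names, the HMAC construction, and the card number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def cryptogram(key, pan, counter, nonce, amount_cents):
    # MAC over every field that must not be replayed or altered.
    msg = f"{pan}|{counter}|{nonce.hex()}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

class SecureElement:
    # Holds the card key; releases only per-transaction cryptograms.
    def __init__(self, pan, key):
        self.pan, self._key, self._counter = pan, key, 0
    def pay(self, terminal_nonce, amount_cents):
        self._counter += 1  # never reused, so no two payments look alike
        tag = cryptogram(self._key, self.pan, self._counter, terminal_nonce, amount_cents)
        return {"pan": self.pan, "counter": self._counter, "nonce": terminal_nonce,
                "amount": amount_cents, "cryptogram": tag}

class Issuer:
    def __init__(self):
        self._keys, self._last_counter = {}, {}

    def enroll(self, pan):
        self._keys[pan], self._last_counter[pan] = secrets.token_bytes(32), 0
        return SecureElement(pan, self._keys[pan])

    def authorize(self, tx, terminal_nonce):
        key = self._keys.get(tx["pan"])
        if key is None:
            return "declined: unknown card"
        if tx["nonce"] != terminal_nonce:
            return "declined: not this terminal's challenge"
        expected = cryptogram(key, tx["pan"], tx["counter"], tx["nonce"], tx["amount"])
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return "declined: bad cryptogram"
        if tx["counter"] <= self._last_counter[tx["pan"]]:
            return "declined: counter already used"
        self._last_counter[tx["pan"]] = tx["counter"]
        return "approved"

def demo():
    issuer = Issuer()
    phone = issuer.enroll("4000000000000002")  # constructed card number
    nonce = secrets.token_bytes(4)             # terminal's unpredictable challenge
    tx = phone.pay(nonce, 450)                 # what an eavesdropper could capture
    other = bytes(b ^ 0xFF for b in nonce)     # a different terminal's challenge
    return (issuer.authorize(tx, nonce), issuer.authorize(tx, nonce),
            issuer.authorize(tx, other), issuer.authorize({**tx, "amount": 45000}, nonce))
```

`demo()` returns the issuer’s decision for the genuine payment, the same data replayed at the same terminal, the same data replayed at a different terminal, and the captured data with the amount changed.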

Google offered a similar defense, telling us that its Wallet app will first require a PIN. And since card data is locked on the phone, it’s considered a card-present solution. This means that banks regard Google Wallet as identical to, if not safer than, using a physical card and encrypted magnetic strip. Google confirmed that card information is not stored in the Wallet app or the Android OS at all, but rather in an NXP chip. This chip, part of the NFC circuitry, is also referred to as the “secure element” and only communicates payment data with the bank and the merchant.

We asked security expert John Herring, CEO and co-founder of software firm Lookout Mobile Security, just how secure Google’s Wallet app is. He agreed that it looks like a tight solution. “The secure element cannot be tampered with. If a user tries to remove it, it will self-destruct,” Herring said. Even so, Herring admitted that, “Until we see the product and witness a significant amount of people using it, we won’t fully understand how secure it is.” He warned that smartphone users will need to regard and protect their phone as they do their physical wallet.

Shoppers for Sale     

For companies looking to kick your leather wallet to the curb, the wealth of data your smartphone wallet can share is one of the biggest incentives for jumping on the mobile payments bandwagon. In fact, it’s a marketer’s dream, with intensely valuable, detailed information about individual shoppers served up with each purchase. Crone summed up what’s at stake: “The one who enrolls is the one who controls. Merchants want to reach you, know your preferences, and influence sales before, during, and after payment.” And that’s exactly where a mobile wallet comes into play.     

The more specific information is known about a customer—especially in real time and when compared against past purchases—the better a marketer can predict future behavior.

As you might imagine, a digital wallet app contains intensely valuable data about you. “A known, registered user with [declared] preferences in a known geography could command ad rates that have never been seen before, with CPMs of $500, unheard of in the market today,” said Crone.

The access to this treasure trove of personal data raises red flags with consumer privacy advocates, even if mobile phone users offer this information willingly. “Applications may be sharing more data than the user comprehends,” said Craig D. Spiezle, executive director of the Online Trust Alliance. “On mobile devices particularly, an IP [address] is tied to an identity, which creates a new paradigm.”

Spiezle also pointed out that while all of our private information lives in separate apps or separate web services, all of it could be cobbled together to form a very detailed picture of a person’s day-to-day personal activities. “At what point does the data no longer become anonymous?”

Checking Out

Certainly, the convenience of having all your credit and debit cards, loyalty cards, and special offers tailor-made to your individual tastes in one place is appealing. However, the companies putting their money behind mobile wallets clearly aren’t doing it just to make shoppers’ lives easier. It’s also about getting a cut of the next big thing, whether that’s taking a piece of each transaction or profiting from marketing of our personal information.

The question mobile shoppers must ask themselves is whether getting a killer discount on their favorite brand of jeans or next cup of coffee will be worth it.

LAPTOP Senior Writer