Why has mobile payment not become popular after so many years?

January 8 news, why has mobile payment technology not been popularized for many years? Wired magazine recently published an article by an industry insider, explaining the reasons from a security perspective, introducing the industry's efforts to this end, and proposing new ideas. The following is an excerpt from the article:

Why are consumers still reluctant to accept mobile payments? Concerns about security are the number one obstacle. Scandals involving the theft of user information by big-name retailers have left consumers feeling terrified, so it is impossible for people to truly trust mobile payment technology.

What needs to happen in order for this technology to be widely accepted is to build trust. EMV credit cards (Eurocard, MasterCard, Visa) use a secure microchip to transmit data, but this is a physical device. The key is to create a similarly secure environment in the virtual world.

The field of protecting user payment credentials has changed with the advent of Host Card Emulation (HCE). Before HCE, people only had two options. One was to store the credentials in a special secure chip in the phone, the Secure Element (SE). This created a mobile wallet with a Secure Element that could protect sensitive data transmission like an EMV credit card. The other option was to use a "Card On File" credential in the cloud - essentially storing basic payment information online.

Host card emulation is the best example of using software to ensure credit card security. All data related to credit card payment no longer needs to rely on a physical chip, which ends the role of secure elements. The previous debate on the ownership of secure elements has also been resolved, and the market has opened the door to new entrants.

From the current practice, the operation steps involved in transferring the credit card data stored on the chip to a secure cloud environment are problematic. To complete a transaction, your mobile phone needs to be connected to the Internet and wait for the response sent after the data is encrypted. Even in an ideal situation, this is difficult to complete within the time required by the issuing organization. And if there is no signal, all of this is out of the question. To solve this problem, people have designed a concept called "Tokenization". When you spend, you don't need to connect to the Internet every time, but store a virtual credit card with limited use in your mobile phone.

Tokenization has its own problems. To steal your money, an online thief doesn’t necessarily have to take your wallet or even your phone. A hacker can clone a phone and get credit card information, or simply install malware on the phone that sends a virtual card directly to the thief.

In the long run, mobile payments can only be secure if a strong authentication mechanism is in place. We must be able to bind the user's identity information to the transaction authorization. Although banks are familiar with data protection requirements, new market entrants with less experience still need to be very careful about authentication and risk assessment.

It turns out that smartphones themselves can play a role in ensuring mobile payments are secure.

WiFi positioning, 3G positioning, GPS data, and the number and type of applications on the device can form a unique user profile. Although this is not a panacea, it can be used to determine whether a fraudulent transaction has occurred. At the same time, since the threshold for authentication is lowered, as long as the consumer can be determined to be trustworthy, he or she can have a better shopping experience. In addition, the threshold for transactions can be set up when it feels suspicious.

In an age of increasingly intelligent cybercrime, all Internet activities are subject to security risks. The risk-based authentication method created in the above way is no exception. This method requires a large amount of personal information, which will undoubtedly attract the attention of hackers. This data must be protected, but in terms of quantity and sensitivity, it is much more difficult to properly protect this data than a general password database.

Authentication is becoming a big data problem. To reduce hackers’ interest in personal sensitive information, encryption should be enabled. If data is encrypted, even if it is stolen or lost, the damage will be less.

As the mobile payment industry develops, host card emulation has proven to be a welcome and worthwhile new approach. If industry players want to see mobile payments become popular, they need to create a secure transaction environment and foster user trust. Ironically, a device that can pose security issues, such as smartphones, can also serve security by helping users authenticate. Data encryption is another aspect of security, which can add another lock to data protection and further encourage the public to accept mobile payments.

Author Richard Moulds is vice president of product management and strategy at Thales e-Security.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.