MasterCard talks up security in NFC payments

MasterCard talks up security in NFC payments

MasterCard has been talking about the security involved in NFC mobile wallets, initially with the Google Wallet and then on the grander scale of the PayPass system itself. Poll after poll has shown that consumers are worried about security when it comes to NFC payments, whether that comes in the form of an NFC mobile wallet or an EMV card. Consumers are right to be concerned about the security of a nascent payment method and they are right to seek education on safety systems that are applied to any payment forms. Peace of mind is a wonderful thing.

We have discussed before on NFC Rumors that NFC payments are probably more secure than any form of currency or payment that has come before. Does that mean NFC payments are infallible? No, but the point of security is to make it sufficiently difficult that no one would bother attempting to steal a few bucks from an account. Does it mean that consumers should be more protective of their NFC phones if they have them set up for payments? Absolutely, just as you wouldn’t leave cash laying out around strangers, the same would apply to you phone if it is the way in which you pay for goods and services. That is true if you use your phone for mobile banking also.

The fact is security with NFC payments doesn’t just fall to the card issuer or the NFC mobile wallet provider. We the consumers also have our responsibility to ensure security is kept tight. But let’s assume that you are security minded about your NFC phone and payment device. What is MasterCard doing to keep you secure, your transactions and your accounts secure on their end of things?

MasterCard PayPass security in NFC payments

MasterCard listed out five ways in which security is deployed in its NFC payments. Below you will find the five points, we have just substituted the word “we” for MasterCard in the listed items below, other than that it is exactly what MasterCard stated on its blog:

• MasterCard chose NFC technology as the basis for secure mobile contactless payments because of its very short range (less than 4cm). MasterCard wanted to make sure that consumers still made conscious decisions to pay — we don’t want payment happening accidentally.
• MasterCard requires that the PayPass application on the phone be housed within a tamper-resistant chip known as a Secure Element. The Secure Element has various physical and logical security components that controls access to sensitive data regardless of the phone’s own operating environment.
• MasterCard built into the PayPass protocol, technology that generates dynamic data every time a transaction is made. This dynamic data means that in the event transaction data is captured by a bad actor, the data has no value and cannot be used in replay attacks.
• Developers of wallet software on the phones often provide an option for consumers to enter a code prior to accessing the wallet. Therefore, the wallet itself could be locked preventing any payments.
• Once a transaction is made it traverses the MasterCard Worldwide Network, the same network that supports billions of card transactions today, and the consumer is afforded the same protections (e.g., zero liability guarantee) as card-based transactions.

So, in theory the security sounds pretty tight from the perspective of the NFC payments transaction. Can it be hacked? Probably. Anything that people can make, other people may be able to hack in time. Although that said, to be able to duplicate the perishable transaction identifier that accompanies each payment would probably require a breach of security in the MasterCard system itself. Whereas that is possible, it is unlikely. MasterCard is pretty confident about the security layers involved in NFC payments. If it ever did get hacked successfully their business could fall apart and consumers would likely flee MasterCard’s service. So MasterCard has as much to gain or lose as consumers when it comes to security, and even if you weren’t confident that they would look after your money (which we think they do care about that) you would probably find solace in the realization they care a lot about their money and reputation.

Sadiq Mohammed said in a post on the MasterCard blog, “If we were not confident that the system is secure we would not be associating the MasterCard brand to it.”

That is great to hear that the company would go on record to state its confidence in security of its NFC payments. What is invariably better is that they have a zero liability guarantee which means they would take the hit if anything happened and consumers would not. There is something to be said about putting your money where your mouth is and it appears MasterCard is confident enough to do so. What MasterCard didn’t go into was the ability to use a virtual card that consumers can credit with a balance which also mitigates risk. Another form of security is also gaining traction which is biometric security so only you could access your phone via a fingerprint, retina scan or facial or voice recognition security.

We have an upcoming meeting with a non-affiliated credit card or mobile wallet NFC security pro and will be sharing all we learn later next week. If you have questions about NFC payment security, jot them down in the comments below and we will be happy to pose them in our interview. If you would like to read Sadiq Mohammed’s MasterCard NFC payment security post on the MasterCard blog, hit this link.