Article Lead Image

IT pros don’t think they can keep your mobile payments safe

‘It’s not as secure as they’d like it to be.’


Aaron Sankin


Over the next few years, mobile payments will explode.

While a report by Accenture found that only 18 percent of Americans use their smartphones to directly pay for goods and services through platforms like Apple Pay or Google‘s Android Pay, it’s important to remember the technology is still in its infancy. According to a recent study by eMarketer, the total volume of mobile payments in the United States is expected to more than triple over the course of 2016 with the average user of the technology expected spend more than $700 throughout the year.

However, as smartphones are poised to move us into the post-credit card age, there are some discontents—namely the people tasked with keeping all that personal information secure. According to a study released last week by the Ponemon Institute, only about one-quarter of IT and IT security professionals around the world are particularly confident in their ability ensure the security of those mobile payments.

The Ponemon Institute, which has been measuring perceptions of online security for more than a dozen years, surveyed 3,773 IT professions in countries stretching from the United States to South Africa about the state of payment security. The survey asked respondents to rate the effectiveness of the companies they work for in securing mobile payment data. Only 26 percent rated their firms at a seven or above. This number is two points lower than the percentage that rated their organization at a four or below.

Even so, most of the companies with employees who responded to the survey indicated they currently or eventually plan on accepting mobile payments, even though they “do not believe existing security protocols are capable of supporting these platforms.”

“It seems like payments have been an issue for many companies because, you would assume, generally speaking, if you look at where security needs to play a significant role, it’s in the payment ecosystem,” said Ponemon Institute founder Larry Ponemon. “A lot of companies recognize the fact that it’s not as secure as they’d like it to be.”

Ponemon laid out a number of reasons why the survey, which was sponsored by the cybersecurity firm Gemalto, found confidence in mobile payment security was so low. Primarily, he explained, is the relative paucity of talented people with a background in mobile payments security. “Payment security is a very specialized area. Even without the umbrella of security, people who do payment security have a different skill set and there unfortunately are not a lot of people with that skill set who are on the market looking for jobs,” Ponemon explained.

He added that many IT security professionals often feel a disconnect between developing new products, especially in a hot new area like mobile payments, and ensuring the data collected and transmitted by those products is secure. “This is all very new for companies; it requires quite a bit of innovation in order to get it right,” Ponemon said. “There’s this pressure to release our of a fear of losing market share if they wait. The people who are developing these applications feel a sense of panic in some case because they’re put in a pressure cooker to get this done.”

Since mobile payments are still a relatively new phenomenon, most companies still aren’t using them, which is why the study used screening questions to ensure only people whose firms are in some way involved in mobile payments answer this particular question.

The results of similar questions about the security of other payment methods are also troubling. A mere 36 percent rated their companies’ effectiveness for any kind of Internet payments at a seven for above. For traditional point-of-sale, credit card, and check payments, that number was 53 percent.

Stop and think about that for a second. You may have never used a mobile payment in your life, but you’ve probably bought something online and you’ve definitively made a transaction using either a credit card or a check. At best, only about half of the people surveyed have a lot of confidence in their ability to keep customer data safe.

Confidence around mobile payments is low, but confidence across the board isn’t particularly high, which is an indication that doing any type of IT security right now is like fighting a simultaneous uphill battle against hackers.

Nevertheless, any statements about cybersecurity coming from this industry should be viewed with a certain skepticism. Making the public believe that the sky is falling is how security folks get bigger budgets; yet Ponemon argues that, in the wake of large-scale, high-profile data breaches at organizations like SonyHome Depot, and the Office of Personnel Management, that level of attention is happening on its own. Instead, the environment for anyone doing cybersecurity right now is one where the people trying to keep data safe are consistently playing at a disadvantage.

Illustration via Max Fleishman

The Daily Dot