The slow but steady rollout of mobile point-of-sale systems in retail stores, the growth of mobile wallets, and the ongoing need for stronger data security are among the major trends today in mobile payments.
This is clearly a still-emerging market overall, based on industry research. The total global user base for mobile payments will rise from an estimated 690 million users in 2014 to 4.77 billion users by 2019, according to research firm Ovum.
“Mobile payment technology and deployment is still in its infancy,” but is poised for rapid growth, says John Pironti, president of IP Architects and risk adviser with ISACA, an association serving IT governance professionals.
Helping to drive the growth of m-commerce is the widespread adoption of increasingly powerful smartphones with larger screens, the research firm says. Also, a growing number of retailers are optimizing their sites for mobile shopping.
Mobile proximity payments are the smallest but fastest-growing segment of the mobile payments market, Ovum says. The global user base for mobile proximity payments — both near-field communications (NFC) and non-NFC — is expected to rise from 44.6 million in 2014 to 1.09 billion in 2019, with most of the base using NFC technology.
Still, despite growing awareness of mobile payments, less than 20% of consumers in North America are actually using them regularly, according to a 2015 Accenture survey of 4,000 smartphone users in the United States and Canada. Fewer than one in five (18%) use their mobile phones to make at least one payment a week, the report says, with mobile-payment usage growing just 1% from 2014.
The survey identified two groups that are driving mobile-payments usage: high-income consumers, and millennials — people between the ages of 18 and 34.
Efforts to make point-of-sale transactions more secure in general are contributing to the adoption of mobile POS technology. U.S. retailers are slowly but surely migrating to new systems to align with chip-and-PIN requirements for card transactions. The technology, also known as EMV (for Europay, Mastercard, and Visa, which created the EMV technical standard), involves the use of embedded chips in cards, which encrypt account information and personal identification numbers.
While much of the world has had chip-and-PIN in place for years, the United States has lagged in deploying the necessary infrastructure. Starting on October 1, 2015, retailers that have not deployed new POS terminals to accept EMV cards assume liability for card fraud. Despite this liability shift, the rollout of EMV-compliant terminals has a way to go. According to a January survey by The Strawhecker Group, only 37% of retailers were EMV ready, with 72% expected to be compliant by the end of 2016.
For mobile payments, the good news is that “retailers are using this opportunity to purchase or upgrade systems that will allow them to not only take chip-and-PIN cards but also near-field communications capabilities,” Pironti says. “One of the key challenges to adoption of this technology has been the lack of infrastructure to support it. With this new adoption this challenge [can] be overcome.”
EMV “is accelerating adoption of mobile payments [by] helping with distribution of NFC-capable terminals,” agrees Thad Peterson, senior analyst at Aite Group, a research and consulting firm specializing in financial services. Nearly all EMV terminals also include NFC capability, he notes. “Also, EMV transactions can take longer than traditional card transactions at the POS, and this increased latency adds to the value of mobile payments, which are very fast.”
Still, others see the proximity payments market as remaining sluggish.
“There’s some limited use, but consumers generally don’t see the advantage and the use case isn’t compelling,” says Gilles Ubaghs, senior analyst, financial services technology, at Ovum. “The U.S. in particular still has a pretty poor contactless infrastructure.”
Most consumers “are fundamentally pretty conservative when it comes to payments, and will need a fairly big push to change what they do,” Ubaghs says. “If it’s a slower or clunkier process, including on the initial signup, then it has no chance. On the flip side, it really needs a lot of merchant buy-in to control that other end of the experience, and help push it in store, amongst staff, and so on.”
The rollout of mobile POS is a generational consideration, Pironti adds. “Consumers do not necessary like change, especially when they are not sure it is necessary,” he says. “The use of mobile POS represents significant change to the traditional consumer.”
As younger generations are becoming valuable consumers, they will expect the option of mobile POS to be available and might be dismissive if it is not available for their transactions.
“If providers and retailers want to speed up the rollout and adoption of mobile POS, they are going to have to provide incentives that will be beneficial not only to the merchant but also to the consumer,” Pironti says. “It will take both to drive faster adoption.”
Indeed, a key to adoption of mobile payments is to provide a user experience that is simpler, easier, and more convenient then using a traditional payment card, Pironti says. Smartphone payment systems are getting easier to use, but the ease of use and lack of complexity needed to swipe or insert a card is still easier.
“The consumer will go to the path of least resistance,” Pironti says. “Mobile payments based on phones still require the phone to be charged, available [for example, the user can’t be on a call when making a payment], and properly configured.”
Securing mobile payments against hacker attacks and other intrusions — and assuring consumers that these types of transactions are indeed secure — remain among the biggest challenges facing the market.
“Electronic security measures, like those included in Apple Pay, provide commercially reasonable security capabilities given the current state of technology available for consumer use,” Pironti says. “The challenge is more in user perception and user activities. If the user does not believe it is secure, then perception will often outweigh reality.”
Also, if the user is not willing to be an active partner and participant in providing security in the transaction, then the payment process will be only as strong as the user’s behavior, Pironti says.
“For instance, if the user does not use strong passwords or properly shield their payment information from their screen, they make it easier for an adversary to observe them from afar, steal their device, and use it for illegal transactions,” Pironti says. “There will never be a perfect security solution. The trick is to make the security capabilities good enough to make it too hard for an adversary to take interest in a particular payment method or user.”
A survey of more than 900 cybersecurity experts published by ISACA in September 2015 showed that a large majority (87%) expected to see an increase in mobile payment data breaches over the next 12 months. The study showed that only 23% of the security professionals think mobile payments are secure in keeping personal information safe. Nearly half (47%) say mobile payments are not secure, and 30% are unsure.
Among the major vulnerabilities associated with mobile payments are the use of public Wi-Fi, lost or stolen devices, phishing or “shmishing” (phishing attacks via text messages), weak passwords, and user error.
In the emerging mobile payment landscape, ISACA states that there is no generally accepted understanding of which entity is responsible for keeping mobile payments secure —consumers, payment providers, or retailers.
Experts say good mobile payments security requires layers of data protection for both the hardware and software components, and must be adaptable to address the fact that adversaries evolve their methods, practices, and technologies. It’s not something that can be stagnant, but requires constant attention and evolution to adapt to changing threat scenarios.
A critical technology that is transforming mobile payments is tokenization, Ubaghs says. Tokenization makes it possible to put payment credentials securely anywhere, from wearables to smart goods of any kind, he says. “In terms of mobile payments, that really opens up the capacity to add payments into all sorts of apps and services securely,” Ubaghs says.
Some are optimistic about the progress being made in securing mobile payment transactions.
“While consumers’ security concerns are well documented, two important trends should be allaying those fears,” says Peter Olynick, retail banking practice lead at Carlisle & Gallagher Consulting Group, a management-technology consulting firm. One is that improved authentication technologies such as biometrics and tokenization are more widespread. The other is that payment card issuers and consumers are becoming more comfortable with transaction-level security.
The concept of the mobile wallet — a way to carry credit card or debit card information in digital form on a smartphone, tablet, or other mobile device in order to make purchases — is expected to gain steam, although usage has so far been slow, primarily because of the limited distribution of NFC-capable devices.
The iPhone 6 was the first device to offer Apple Pay and it’s only been out for about 16 months, Peterson notes, while both Android Pay and Samsung Pay are less than eight months old. “Growth will continue to be fairly slow for the next two years, but then expect to see rapid growth once critical mass has been achieved for devices and terminals,” says Peterson.
Among the leading mobile wallets available today are Android Pay, Apple Pay, Chase Pay, MCX, PayPal, Samsung Pay, and Wal-Mart Pay.
A new development in this area is the emergence of bank wallets. For example, Capital One and RBC have launched their own mobile wallets linked to their mobile banking apps. “This trend will continue for the next several years and we expect that most major banks and many smaller banks will offer their own branded wallets,” Peterson says. “Most banks will offer their proprietary wallet in addition to enabling access to Apple, Samsung, and Android pay, so the customer can choose the alternative that best meets their needs.”
There is no clear winner on the mobile wallet front at this point, Pironti says. “I think that the mobile platform providers [for example, Apple and Google] have the distinct advantage in this race compared to independent software developers,” he says.
Consumers are looking for a seamless user experience with wallets, Pironti says. If they have to navigate multiple applications or be concerned about an application’s ability to interact with their smartphone, they are less likely to be interested in using a wallet. It comes down to ease of use.
The consensus among those who follow the market is that mobile payments are destined to become far more commonplace in coming years, as the number of mobile POS terminals and providers of payment solutions, such as mobile wallets, continues to increase.
Not to mention the number of smartphones. The Mobility Report released by Ericsson in June 2015 predicted that advanced mobile technology will be globally ubiquitous by 2020, with 70% of people using smartphones and 90% covered by mobile broadband networks. Smartphone subscriptions will more than double by 2020, reaching 6.1 billion, the report says, and by 2020 80% of all mobile data traffic will come from smartphones.
In addition, says Olynick, wallet providers are implementing three types of reuse incentives: rewards, better shopping and ordering experiences, and intelligent payment account selection. Wallets will be able to help customers determine the best account to pay for each transaction, he says.
“We believe we are close to the inflection point for mobile payment volume and will see large increases over the next five years,” Olynick says.
Bob Violino is a freelance writer based in Massapequa Park, N.Y.