 "Interoperability, Security: Challenges To Mobile Payments")
As the mobile subscriber base in India grows to reach new heights (it stood at 261 million at the end of March 2008 and is growing at about 8 million a month as per RBI figures), mobile payment is becoming a compelling customer service option for companies in general and banks in particular. The RBI, realising the growing significance of this medium, issued mobile payment norms for banks in July this year. The RBI has included mobile payment service providers and mobile network operators (MNOs) in the draft. It has detailed how these players can co-operate with banks and play an effective role in offering secure mobile payment services to customers.
The mobile payment movement is quickly gaining momentum and with increased competition, the service provider model offers a faster go-to-market approach than banks trying to develop mobile payment technologies independently. However, the service is still in its infancy in the Indian market and thus, it is natural that any bank or organisation wishing to offer this service could face certain fundamental challenges on the security front.
Mobile Payment Architecture
Basically, there are two mobile payment architectures – the first being the bank directly providing the service to its customers and the second being the offering of the service through a third party (the mobile payment service provider). Banks can choose either of these two architectures after weighing the pros and cons of each.
“It depends upon the customer base of the bank. Banks having a large customer base (more than 100 branches) should go for the application service provider or ASP model and those with a smaller base should develop the solution in house,” says Yateen Chodnekar, head-IT, Deutsche bank. The bank has developed an in-house solution for its mobile payment services offering. Deutsche Bank currently operates in the country through 10 branches.
“The problem with banks opting to develop the mobile payment solution in house is that it would be a costly affair in addition to being a time consuming one. Time to market for service is extremely important and this can get affected by the in-house effort,” says Aditya Gautam, executive director, Obopay. “In contrast, the mobile payment service provider can deploy the solution in a couple of weeks and for the user it will be a plug and play from there on.”
“The ASP model is more sensible; companies also have the necessary leverage in that case to formulate customisations jointly with the ASPs. Going further, the customisations provided by the ASPs will facilitate standardisation in the mobile payment industry as the service providers can offer similar customisation features to other clients,” says Abhijeet Upponi, IT head – Fullerton. “This also makes things simpler for the RBI as it would have to track lesser number of companies for adhering to regulations.”
Interoperability
Regarding interoperability, the key is letting a customer of any bank or credit card company make a payment to a customer of any other bank or credit card company. “The top mPayment service providers need to have open access / relationships with all banks and credit cards to provide true interoperability,” says Abhijit Bose, VP, ngpay, an m-commerce company.
Generally, people have more than one bank account. The customer has to download the application from all the banks. This adds to the inconvenience of the user.
Security Concern
“The security of a typical mobile payment transaction depends on the type of the handset used. As mobile devices often contain confidential user data and are prone to theft and destruction, they need to be protected accordingly,” says Ravishankar Subramanian, vice president – IT, ING Vysya Life. Prevention of unauthorised access can be achieved by user authentication mechanisms {i.e. Personal Identification Number (PIN), Personal Unblocking Key (PUK) or passwords} and secure storage of data and security of the operating system.
Another technique used for protection is SIM cloning, which consists of duplicating the GSM SIM card, which allows calls or other services to use the identification of the cloned SIM and to be charged to that account.
A large part of Indian mobile subscribers use the GSM standard. This highlights the importance of the security level provided in GSM handsets across the country. According to the set standards, the calls made via a GSM handset are encrypted with 8a3 or 8a5 level encryption; however, it depends upon the telecom service provider whether the encryption is limited to the call set up level or it goes on till the end of the call.
“On the security front, the advantage of having an independent mobile payment application is that even if one application is compromised, the security of the other applications remains intact,” says John Kattakayam, co-founder, head - Operations and CISO, mchek. “In case of the service provider model, the security compromise of one application may jeopardise the other applications as well.”
Mobile Payment Delivery Formats and Channels
SMS and mobile applications (installed in the user’s phone and provided by banks) are the more prominent options that are currently used for mobile payments. “The mobile application planted on the mobile is a safer option as the information packet is encrypted with a hash from both sides and cannot be decrypted by either the vendor or the bank,” says Japjit Singh Sandhu, CISO, Yes Bank.
The NEFT is the universal payment channel in India that is offered by the RBI free of charge for funds transfer with a turnaround time of one business day. Visa processes the payment in 48 to 72 hours while MasterCard takes about one business day. Obopay offers mobile payment with bi-lateral settlement in real time. As soon as the user sends an SMS to Obopay, he will receive an IVR call asking for PIN, which helps the call authentication process to avoid fraud.
Paymate is a PCI DSS 1.1 compliant company and offers a hybrid SMS – IVR mobile payment service to assure customer security. “We offer three layers of security using SMS as a medium. The first layer uses the mobile number as an authentication tool, the second layer uses a PIN for registration and the third layer uses a dynamic PIN that changes with every mobile payment transaction before validation,” concludes Ajay Adiseshann, MD and CEO, PayMate.
 "Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty")
 "Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched")
 "Who is CP Radhakrishnan, India's next vice-president?")
 "Israel informed US ahead of strikes on Hamas leaders in Doha, says White House")
 "Israel targets top Hamas leaders in Doha; Qatar, Iran condemn strike as violation of sovereignty")
 "Nepal: Oli to continue until new PM is sworn in, nation on edge as all branches of govt torched")
 "Who is CP Radhakrishnan, India's next vice-president?")
 "Israel informed US ahead of strikes on Hamas leaders in Doha, says White House")
