When it comes to accepting payments, retail stores, companies are faced with Payment Card Industry (PCI) and Personally Identifiable Information (PII) concerns. CNET recently published an article on Google’s newest product, Wallet. The product allows consumers to use their Android device to send contact-less payments to retailers via Near Field Communication (NFC) technology. In the article, Elinor Mills illustrates potential security concerns regarding Wallet using data provided by ViaForensics.
After analysis of on the unencrypted data stored in a rooted device — Wallet passed for securely storing passwords, however, there were concerns as the following data was recoverable after transactions were deleted and the Wallet application data was cleared and reset:
- Name on the card
- Expiration date
- Last four card digits
- E-mail account
So should retailers be concerned about the security of mobile payments? Mobile payment services are becoming increasingly popular with PayPal, Wallet, Square Up, Intuit GoPayment, MasterCard Mobile Payment and others jumping on the bandwagon.
It’s likely a safe assumption that if Wallet has application vulnerabilities in their platform, that other competitors do as well.
Do retail stores need to worry that a malicious cyber security expert could sniff mobile payment traffic in a retail store? Is a man-in-the-middle attack possible? Even if credit cards and passwords are secured – is personally identifiable information for customers secured? Could a competitor bleed sales data?
History is on my side when I predict that – there will be business impacting breaches before these issues are fully resolved.