
Social Security: Can You Marry Social Media and Payment Security?



In this Transaction World Magazine article, Dr. Heather Mark, PhD examines the matter of security in relation to marrying social media with payments technology. Can the openness associated with social networking somehow be connected to the security of a payment instrument? Help us examine these questions and more at Social : Mobile : Payments | Conference & Exhibition, April 11-12, 2012 at the Orlando World Center Marriott Resort & Convention Center in Orlando, Florida. For information and registration please visit

Published in: Technology, Economy & Finance
1 Comment
  • Yes, if the proper steps are taken to educate the consumer. If you're going to profit from collecting the information, spend some to educate the consumer - ROI: Return On Initiative!


Social Security: Can You Marry Social Media and Payment Security?

REPRINTED WITH PERMISSION OF TRANSACTION WORLD MAGAZINE

By Heather Mark

The pace of innovation in payments today is almost staggering. Companies striving to keep up with the changing consumer behaviors have found themselves changing the way they market and the way they sell and even the way that they accept payments. One of the most discussed, yet probably least understood topics, today is the notion of social payments. The concept has been variously dubbed “social media payments,” “social payments,” or “social mobile payments.” The important concepts for the sake of security are “social” and “payments.” These are not, at first blush, “two great things that go great together.” However, they could be.

In looking at the two concepts independently, they would appear to be inherently at odds. Social platforms are supposed to be open and encourage sharing. People tend to treat social platforms as a “trusted” network, assuming a level of security and privacy simply because they may know the people to whom they are “connected.” Certainly, there are downsides to this apparent naïveté, not the least of which is a laissez-faire attitude with information that most would usually be hesitant to share. When we are going on vacation, for example, and for how long are things that most people typically wouldn’t broadcast. Suddenly people know more about their high school classmates than they ever imagined or ever wanted to know. Additionally, privacy settings on social network sites are still evolving, as the boundaries of this new technology are still being tested. Many consumers find the management of privacy settings on social networks to be confusing. The result is that sometimes, people are more open than they really intend. Further, while payment industry stakeholders (merchants and service providers, for example) are explicitly regulated in terms of data security and consumer privacy, social networks are still relatively unregulated.

On the other hand, the payment environment is one in which robust protections and confidentiality are expected, from both a regulatory and a reputational standpoint. Industry regulation demands that specific, stringent protections be in place to protect consumers against any accidental, or intentional, disclosure of their personal information. It is a necessity, in fact, for the smooth functioning of the payment system itself. Consumers must trust that their data will not be stolen, at least not on a regular basis. In the event that a compromise does occur, consumers must be able to rely on the protections in place that limit consumer liability for any fraudulent actions.

Despite the apparent contradictions, however, there is a growing trend towards combining the two. Social Mobile payments are gaining such traction that there is a conference scheduled for next spring that is dedicated solely to the discussion of the issue. This is an interesting development in that, much like early discussions around mobile payment, different companies seem to have different notions around exactly what Social Mobile payments are. Is it a virtual currency type of application that allows people to buy credits or virtual goods? Is it a payment platform that allows for integration into social network platforms? On the other hand, it could be something entirely different, in which multiple parties are involved in the payment transaction and no social platforms are involved at all.

The issue is ripe for debate, but what is not in question is that regardless of the form of the payment, the payment data must still be protected according to state, federal and industry regulations. Therefore, the new question becomes, “how does one enable social payments (whatever that might be) with the same level of security that is required by more traditional payment methods?”

Just as there are differing opinions on the form that Social Mobile payments will take, there are a myriad of opinions on how to secure those payments. Will the Social Mobile payments be facilitated through NFC in the handset or through web-based applications on the phone? This question alone has major implications for the manner in which the data will be secured. Most frequently when NFC is discussed, security is centered on the notion of the “Secure Element.”

The secure element is defined by EuroSmart as “a tamper-proof Smart Card chip capable to embed smart card-grade applications (e.g., payment, transport …) with the required level of security and features. In the NFC architecture, the Secure Element will embed contactless and NFC-related applications and is connected to the NFC chip acting as the contactless front end.” In the Secure Element scenario, the sensitive data is stored on the NFC chip embedded in the handset, though it can also be SIM based or even placed on a removable Secure Element Card. The question, from a practical security standpoint, is “who owns the Secure Element?” The answer to that question can vary considerably, but has very real implications with respect to who is responsible for ensuring the security of the data stored on that element.

The other prominent implementation of social mobile payments is the use of a web-based application. Some providers will store the data in the application on the user’s Smartphone. The rationale behind this storage scheme is that one person’s data is far less of a target than a bank of servers might be. Therefore, they reason, the service provider that actually does not store the data on the phone, but rather stores them on a hardened server, in a secure location, poses a greater risk to the consumer, because they present a greater target to data thieves. This reasoning does not consider the possibility of a targeted, mass attack on application users, though. Nor does it consider the necessity of transmitting the payment data between the merchant and the consumer, leaving the merchant vulnerable to an attack on the data in its environment.

Conversely, the use of an application also lends itself to the possibility of allowing the user to store the data securely at a PCI DSS compliant, validated service provider. In this scenario, the user sets up a profile, including payment information, but that information is stored securely at the service provider’s location. When a payment is initiated, the application sends a message to the service provider, who facilitates the transactions by passing the merchant a “token.” No data is stored on the consumer’s phone, nor is it stored in the merchant environment. The onus for protecting the data rests with the service provider, and both the merchant and the consumer can significantly mitigate, if not remove, any liability associated with a potential

The idea of social payments also opens the door to the idea of exchanging virtual currencies. A previous article detailed some of the issues associated with virtual currencies, irrespective of security. It should be said, however, that if the virtual currency does have value then it is likely deserving of the same level of data security as “real” currency. Companies seeking to circumvent the regulations facing these “real-world” payment methods by using virtual currencies face a variety of legal issues regarding gift cards and money laundering. In addition, they will not be able to escape the duty to protect this data. Precedent is being set to create an obligation to protect sensitive data in general. Clever plaintiffs’ attorneys will surely be able to make the argument that, because virtual currency can be exchanged for goods, it should be considered a “financial account” and therefore subject to the same data protection and breach notification requirements of actual currency.

Social Mobile payments present significant opportunity to companies in the payments space. The crux of the matter, though, is whether companies will be able to successfully marry the seemingly different objectives of social networks and payment platforms. Providing the ability to connect to friends and merchants, to make payments while also providing adequate security sufficient to meet government and industry regulation, will be the determining factor for success among social mobile payment providers.

Dr. Heather Mark, PhD is the Senior Vice President for Market Strategy at ProPay, Inc. ProPay is a leading provider of complete, end-to-end payment security solutions. Dr. Mark can be reached at
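
The service-provider token flow the article describes (payment profile stored only at the provider, merchant handed a token), sketched as an added example that is not part of the original article or any vendor's code. All class and method names are hypothetical, the card number is a constructed test value, and binding each token to one merchant, one amount and a single use is an assumption beyond what the article specifies.

```python
import secrets

class ServiceProvider:
    """Hypothetical vault: the only party that ever holds card data."""
    def __init__(self):
        self._profiles = {}   # consumer_id -> card number (PAN), stored only here
        self._tokens = {}     # token -> (consumer_id, merchant_id, amount_cents)

    def enroll(self, consumer_id, pan):
        self._profiles[consumer_id] = pan

    def initiate_payment(self, consumer_id, merchant_id, amount_cents):
        """Called by the consumer's app; returns an opaque token for the merchant."""
        if consumer_id not in self._profiles:
            raise KeyError("unknown consumer")
        token = secrets.token_urlsafe(16)          # random, not derived from the PAN
        self._tokens[token] = (consumer_id, merchant_id, amount_cents)
        return token

    def redeem(self, token, merchant_id, amount_cents):
        """Called by the merchant; succeeds once, only for the bound merchant/amount."""
        pending = self._tokens.get(token)
        if pending is None or pending[1:] != (merchant_id, amount_cents):
            return None                            # unknown, replayed, or mismatched
        del self._tokens[token]                    # single use
        pan = self._profiles[pending[0]]
        # The charge against `pan` would happen here, inside the provider.
        return {"status": "approved", "last4": pan[-4:]}

class Merchant:
    """Holds tokens and receipts only, so a breach here exposes no card numbers."""
    def __init__(self, merchant_id, provider):
        self.merchant_id, self.provider = merchant_id, provider
        self.records = []                          # everything the merchant stores

    def accept(self, token, amount_cents):
        receipt = self.provider.redeem(token, self.merchant_id, amount_cents)
        self.records.append((token, receipt))
        return receipt

def demo():
    pan = "4111111111111111"                       # constructed test card number
    provider = ServiceProvider()
    provider.enroll("alice", pan)
    shop = Merchant("shop-1", provider)
    token = provider.initiate_payment("alice", "shop-1", 1250)
    first, replay = shop.accept(token, 1250), shop.accept(token, 1250)
    return pan, shop.records, first, replay
```

Everything the merchant retains sits in `records`; the full card number never appears there, which is the liability shift the article attributes to this model.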