If your business relies on selling anything online, payment is central to your company’s success. A web security strategy is no longer enough – the following are seven factors to consider when securing mobile payment apps.
1. Invest in Native Mobile Not Just for Better UX, but Also for the Best Security
Businesses have spent countless dollars and hours building security into their web-based ecommerce solutions. Many are tempted to skip retraining and retooling and just create a mobile-optimized version of their website. But there is a world of difference between native mobile payment applications and mobile-optimized websites.
For starters, native mobile applications are inherently more secure than web applications. When you install an app on your phone, it has been screened by Google or Apple and runs within a more secure container than a typical browser or PC installation provides. The app stores require developers to follow security best practices, which lets the platforms from Apple and Google carry much of the security load.
2. Rely on the Platform for Your Payments
You can also rely on the platform for payments. You do pay for that privilege when relying on the payment schemes from Apple and Google: these big players will charge between 15% and 30% of the purchase, while Amex might charge 4%. But users love the experience - they simply tap the “buy now” button, provide their thumb or face for verification, and payment is processed through Apple’s iTunes or Google Play. It can be worth trading a lower margin for a superior customer experience and significantly better security. The usability investment could pay off over time. The cost of integrating and maintaining these payment solutions is also lower up front, which makes them a good fit for early minimum viable product (MVP) test launches.
3. Explore Mobile Encryption Methods
Every time you require a user to type in their credit card, Social Security, or driver’s license number, you may be adding data to their device or browser storage that you must then protect. On mobile platforms, you can rely more on biometric fingerprint scans or encrypted photos of credit cards rather than ever capturing users’ personally identifiable data yourself.
4. Secretly Store Sensitive Information
There are many specific security practices that should be followed on mobile devices. Examples to review include:
If you must store sensitive information, add security protocols around it. When using temporary memory, clean it up as soon as the data has been processed. For an even higher standard, apply an extra layer of encryption, such as the AES algorithm for symmetric encryption/decryption and RSA public-key algorithms. For one-way verification, use a one-way hashing algorithm like SHA-1.
5. Safely Transfer Data
Completed transaction data must be passed to your payment gateway. Add extra levels of security on top of the communication protocol, and use a technique such as certificate pinning to help verify that the app is talking to the genuine gateway and not an impostor. On the mobile side, to prevent attacks in which captured data is resent (so-called replay attacks), include a unique, single-use value with each request, such as a fingerprint that expires once the response has been received.
6. Invest in Penetration Testing
Once your mobile application is ready, hire someone other than your developer to test it. Make sure it is a team or company well versed in mobile security – deep expertise in web-based banking apps doesn’t count. To test a native mobile app, you need a mobile expert. Eliminate security concerns and discover security issues before they creep into production. Consider dedicating a part of your budget for a bug bounty program to discover bugs in the production environment and help prevent any types of exploits.
7. Balance Risks Against Regulations
While everything in this article is designed to urge you to implement tight security protocols, when you create your own checklist be sure to think pragmatically through the security risks of your specific app; don’t just check off boxes for regulatory compliance reasons.
Match the level of security to the business function you are protecting, and don’t get distracted by deep theoretical security flaws that do not apply to your case. For your app, should you be concerned if the OS itself is compromised by users rooting it, or by some vulnerability in Apple’s or Google’s platform discovered in the future? Much of the “mobile security” content at tech conferences covers these extra-high security concerns for the platform builders, but it might not be applicable to your app.
With planning and focus, you can combine UX improvements and security improvements on a native mobile app. Spending the time up front will help you avoid costly and reputation-busting security breaches while making users more excited to use your app. After all, security is not a side feature of your application, it is a core function. Invest in the people, planning, and testing that will make it pay off over time.
At FM we have extensive experience designing and building secure mobile apps. Check out the video of FMCify, our bill splitting banking reference app that gained the attention of CitiBank’s PSD2 challenge.
By Andrew Gauvin, Freeport Metrics
Andrew Gauvin is Founder and CEO of Freeport Metrics. Based in Portland, Maine and Warsaw, Poland. Freeport Metrics develops custom applications and software that helps clients solve challenges and bring ideas to life. The article was featured on Finextra on 19th June 2019, link: https://www.finextra.com/blogposting/17391/mobile-payments-security-seven-things-to-make-users-happy-and-let-you-sleep-at-night.