High-risk merchants, such as those specializing in nutra or weight loss products, e-cigarettes, firearms, or another vertical of which banks are wary, already carry a black mark against them when it comes to looking for merchant services. Since such businesses cannot influence the risk that their industry carries at large, their number two strategy for convincing banks to extend the credit they need is to make their individual approach to the industry as safe as possible.
One prong of such an approach has always been to mitigate chargebacks, especially those resulting from fraud. And with recent headline-grabbing news about customers of large chains becoming victims of cybertheft, as in the Starbucks app hack, many high-risk merchants are wondering – does offering a mobile payment option open them up to similar attacks and heighten their real or perceived risk as a business?
Fraud? There’s an App for That
To answer this question, merchants first need to understand the difference between paying with an app and paying through an app.
Customers who pay with an app store all the data they need to make payments within the app’s software and/or its cloud. The Starbucks app, for instance, links directly to the customer’s bank account, PayPal account, or credit card, and this information is stored within the app itself. Hackers who are looking for a quick payday need only infiltrate the program through a backdoor or a stolen username and password to begin remotely draining funds from the customer’s account.
Most traditional mobile wallets, such as PayPal, Lemon Wallet, and Square Wallet, operate under similar principles.
Paying through an app, however, requires the use of both software and physical components on your device. Apple Pay, for example, is not only an application, but part of the iPhone and iPad’s infrastructure. A software hack is not enough to gain access to a customer’s credit card. A thief needs to have all or part of the physical device.
In the case of Apple Pay, one of the newest forms of widespread mobile payment, the credit card number on file is never even transferred to the vendor. Instead, a method called “tokenization” creates a nonsense string of alphanumeric characters and assigns it to your credit card. Only this string is transferred during a transaction, which means that even if the encryption were broken during the transaction, or the data were accessed on the receiving end, the hacker would receive no credit card number.
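The tokenization idea described above can be modeled in a few lines. This is an added example, not code from the article and not Apple Pay's actual implementation; `TokenVault`, `Merchant`, and `card_numbers_exposed` are hypothetical names, and the card number is a constructed test value. It goes slightly beyond the text by also showing that a leaked token can be revoked without replacing the card.

```python
import secrets

TEST_PAN = "4111111111111111"  # constructed sample: a common test card number, not a real account


class TokenVault:
    """Hypothetical token service; the only place the real card number lives."""

    def __init__(self):
        self._pan_by_token = {}
        self._revoked = set()

    def tokenize(self, pan):
        # Random value, so the token carries nothing derived from the card number.
        token = secrets.token_hex(8).upper()
        self._pan_by_token[token] = pan
        return token

    def authorize(self, token, amount_cents):
        # The token is resolved internally; the card number is never returned.
        if token in self._revoked or token not in self._pan_by_token:
            return False
        return amount_cents > 0

    def revoke(self, token):
        # A leaked token can be killed without reissuing the underlying card.
        self._revoked.add(token)


class Merchant:
    """Receiving end of the transaction: sees and stores tokens only."""

    def __init__(self, vault):
        self.vault = vault
        self.records = []

    def charge(self, token, amount_cents):
        approved = self.vault.authorize(token, amount_cents)
        self.records.append({"token": token, "amount_cents": amount_cents, "approved": approved})
        return approved


def card_numbers_exposed(records, pan):
    """Simulate a breach of the merchant's records: does any stored field hold the card number?"""
    return any(pan in str(value) for record in records for value in record.values())
```

Everything the merchant stores can be dumped without revealing the card number, which is why a breach on the receiving end is far less damaging than a breach of a database of raw card numbers.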
What Are the Risks?
Neither mobile wallets nor tokenized methods of mobile payment are considered high-risk payment methods, and, if offered alongside widely accepted payment options such as credit and debit card processing, they are unlikely to increase a bank’s perception of risk.
Apps that directly store your credit card information, however, are not foolproof. Just as credit card numbers can be stolen, so can usernames and passwords. The same people who can hack into a credit card database can also hack into an app – and in most cases, accessing an app is by far the easier task.
Tokenized payment methods that require both software and hardware access are far more secure. Although new technology often brings with it unknown challenges, by design and by virtue of available data these payment methods are far less prone to fraudulent attacks than even traditional credit cards.
The moral of the story for high-risk vendors? While horror stories about very real cases of fraud do circulate, offering a form of mobile payment is unlikely to lose you points with potential banking partners. For day-to-day transactions, tokenized, hardware- and software-dependent payment methods are a way to satisfy both your customers’ demands and your need for fraud protection, especially when coupled with conventional fraud-detection methods.