ISACA guide offers advice on secure mobile payments

The paper – entitled ‘Mobile Payments: Risk, Security and Assurance Issues’ – notes that a study by Juniper Research found that the value of mobile payments for digital and physical goods, money transfers and other transactions will reach almost $630 billion by 2014.

MasterCard’s Ipsos MORI survey, meanwhile, took in responses from more than 8,000 people in France, Germany, Italy, Netherlands, Spain, Russia, Turkey and the UK.

To date, 31% of Russians had completed a transaction using a mobile phone, a figure standing at 13% for Turkey, in second place on this measure, ahead of Spain with a score of 11%. The Netherlands and Italy were further back on 8%, beating Germany's 7% uptake level, the UK's 6% penetration rate and France's even more modest 4%.

ISACA’s mobile payments white paper is available as a free download from the not-for-profit IT security association and identifies consumer benefits, including the speed and convenience of not carrying cash and credit cards, the consolidation of many cards and an enhanced layer of security.

Enterprises, says the association, benefit by reaching more consumers, reducing the amount of stored data needed to meet compliance requirements, improving transaction security and fraud detection, and engaging in location-based marketing (aka geo-marketing).

Nikolaos Zacharopoulos, CISA, CISSP, chair of ISACA’s project development team for the white paper, said that mobile payments offer many benefits, but that the industry also needs proactive planning and measures to manage risk, which can include anything from theft of identities and services, through loss of revenue, brand reputation and customer information, to money laundering and terrorist funding.

“This guidance identifies the risk types and the countermeasures that should be in place to mitigate them”, he said.

The mobile payments white paper is billed as providing practical advice for enterprises that includes building robust controls into the planning process and ensuring that transactions are carried out only by the authorized person.

IT security professionals should also, says the paper, identify the data that are considered personal and sensitive and ensure they are protected, as well as ensuring that third parties involved have robust security governance in place.

Finally, says the paper, IT security professionals need to pay specific attention to the originating point of a mobile transaction—the customer device and the user.
