Mobile Payments

Published on December 2016



FACULTY OF CYBERNETICS, STATISTICS AND
ECONOMIC INFORMATICS – IT&C SECURITY
MASTER







E-Payment &
E-Commerce Security

Mobile Payments






Student:
Mihalache
Alexandru-Costin


Mobile payment, also referred to as mobile money, mobile money transfer, and
mobile wallet, generally refers to payment services operated under financial
regulation and performed from or via a mobile device. Instead of paying with cash,
cheque, or credit cards, a consumer can use a mobile phone to pay for a wide range
of services and digital or hard goods.
Recent developments in communication technologies and business models have raised
concerns about mobile payment systems in terms of usability and security.
The rise of smart mobile devices, with their variety of usage and privacy and easy
access to communication protocols, has created the potential for growing
development of mobile commerce. Furthermore, new business models in daily
activities have increased the need for a comprehensive mobile e-commerce system.
The main goal of mobile payments is to provide a convenient way of paying, so
that a customer can pay anytime, anywhere, for any available service.
Depending on the interaction model, m-commerce applications can be classified into
three types: client to server, client to proxy server, and peer-to-peer. M-commerce
applications also inevitably require essential underlying connectivity features,
mobile access adaptation, a mobile user profile and mobile security. On the
other hand, new technologies usually bring new risks and challenges along with new
capabilities and services. To design a desirable payment method, the inherent risks
of new technologies must be overcome, so that their capabilities can be used to
handle the existing obstacles of payment transactions in the corresponding markets.
Mobile payment methods have always been critical, since they deal with credit or
money. Providing adequate security is therefore a mandatory and inevitable aspect
of mobile payments. At the same time, there is a trade-off between the usability
and the security of mobile payments: providing maximum security can affect or even
violate the usability of mobile payments in practice. The challenge is to combine
security and usability to provide a smooth, fast and comprehensive mobile
e-payment for end-users. Such a system would be able to evolve into a financial
system supporting transaction environments that eliminate or minimize physical
cash handling, with the potential to eliminate criminal activities.


Basically, the m-payment process may be implemented in different scenarios, but it
includes some fundamental steps: registration, payment submission, authentication
and authorization of the parties by the system service provider, and the final
confirmation. To provide a secure and comprehensive m-payment, the payment scenario
should be designed so that it is fast and simple for the end-user, but secure
and comprehensive for the provider.
Different mobile payment systems have been considered and evaluated in relation to
our proposed system design. There are two groups of criteria that ought to be
considered relevant: functional and architectural. The functional criteria should
enforce the system policy and state what the system must be able to do to satisfy
the system requirements. The architectural criteria (Interoperability, Usability,
Simplicity, Security, Privacy, Trust, Cost and Availability) define how the system
should be constructed. The system design and architecture also support various
financial mobile applications and transactions. Since all the functions and
transactions are basically financial operations, the main concern must be their
security. Therefore, one of the most distinguishing features of the whole system
architecture is its comprehensive security. In fact, the system architecture is
designed in such a way that existing components can be enhanced with security
countermeasures, so that the integrity and availability of the whole system are
preserved.
As mobile devices have been transforming into personal trust devices, mobile
payment is recognized as an interaction between parties in an e-payment system with
a specific context (e.g. business models, player relationships) and capabilities
(mobile device capabilities), in which at least one party is a mobile user.
Basically, the context of m-payments includes any payment in which a mobile
device is used in order to “initiate, activate, and confirm” the payment.
There are three initiatives that could be considered to best suit mobile payments.
First, a mobile device is the most convenient and feasible payment technology for
mobile context and service purchases. Second, the diminishing use of cash
provides the potential to develop new substitute payment approaches for low
value transactions using financial service stations. Third, there is a need for a
cost-effective means to charge macro-payments in the m-commerce environment.

Fig. 1

As Figure 1 shows, the m-payment system merely registers and forwards the
authorized and validated payment transactions. The payment system life-cycle
includes payment request creation, payment request authorization, and payment
request committal.
Principally, m-payments occur between four stakeholders: mobile consumers, who
subscribe to a service; merchants, who provide a product or service to consumers;
the payment service provider, which controls the payment process; and the trusted
third party, which administers the authentication of the other players and the
authorization of payment settlement. Note that different roles can be merged into
one party and act as one player. For example, the payment service provider, which
controls the payment process, and the trusted third party can be the same
stakeholder.
Mobile Payment Models
Mobile payment models can be characterized based on some important features,
such as: payment amount, payment settlement mechanism, and the technologies
which support the complete m-payment system.
There are four primary models for mobile payments:
1. Premium SMS based transactional payments
2. Direct Mobile Billing
3. Mobile web payments (WAP)
4. Contactless NFC (Near Field Communication)

1. Premium SMS / Premium MMS
In the predominant model for SMS payments, the consumer sends a payment
request via an SMS text message or a USSD message to a short code, and a premium
charge is applied to their phone bill or their online wallet. The merchant involved
is informed of the payment success and can then release the paid-for goods.

Here is the typical end-user payment process:
- User sends SMS with keyword and unique number to a premium short code.
- User receives a PIN (user is billed via the short code on receipt of the PIN).
- User uses PIN to access content or services.
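
The three steps above, sketched from the merchant side as an added example (it is not part of the original paper): the gateway bills once per unique number, stores only a keyed digest of the PIN, and accepts the PIN a single time within a validity window. The keyword GAME, the 10-minute window, the 3-guess limit and all class and method names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

PIN_TTL_SECONDS = 600        # assumed validity window, not from the paper
MAX_ATTEMPTS = 3             # assumed guessing budget per PIN
KNOWN_KEYWORDS = {"GAME"}    # constructed sample keyword


class PremiumSmsGateway:
    """Merchant-side model of the flow: SMS in, PIN out, PIN redeemed."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._key = secrets.token_bytes(32)   # keys the stored PIN digests
        self._orders = {}                     # unique number -> order state
        self.charges = []                     # (msisdn, unique number) billed

    def _digest(self, order_no, pin):
        msg = f"{order_no}:{pin}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def handle_sms(self, msisdn, text):
        """Steps 1-2: parse 'KEYWORD NUMBER', bill once, return a fresh PIN."""
        parts = text.strip().split()
        if len(parts) != 2 or parts[0].upper() not in KNOWN_KEYWORDS:
            return None
        order_no = parts[1]
        if order_no in self._orders:
            return None                       # retransmitted SMS: no second charge
        pin = f"{secrets.randbelow(10**6):06d}"
        self._orders[order_no] = {
            "digest": self._digest(order_no, pin), "used": False,
            "expires": self._clock() + PIN_TTL_SECONDS, "attempts": 0,
        }
        self.charges.append((msisdn, order_no))
        return pin

    def redeem(self, order_no, pin):
        """Step 3: accept the PIN once, before expiry, within the guess limit."""
        order = self._orders.get(order_no)
        if order is None or order["used"] or self._clock() > order["expires"]:
            return False
        order["attempts"] += 1
        ok = order["attempts"] <= MAX_ATTEMPTS and hmac.compare_digest(
            order["digest"], self._digest(order_no, pin))
        order["used"] = ok
        return ok
```

The injectable clock lets the expiry path be exercised without waiting; a production gateway would also persist order state so that a restart does not reopen redeemed PINs.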


Inhibiting factors of Premium SMS include:
- Poor reliability - transactional premium SMS payments can easily fail as
messages get lost.
- Slow speed - sending messages can be slow and it can take hours for a
merchant to get receipt of payment. Consumers do not want to be kept
waiting more than a few seconds.
- Security - SMS/USSD encryption ends at the radio interface; beyond that
point the message is plaintext.
- High cost - There are many high costs associated with this method of
payment: the cost of setting up short codes, the cost of delivering media
via a Multimedia Messaging Service, and the resulting customer support
costs to account for the number of messages that get lost or are delayed.
- Low payout rates - operators also see high costs in running and supporting
transactional payments, which results in payout rates to the merchant being
as low as 30%. Usually around 50%.
- Low follow-on sales - once the payment message has been sent and the
goods received there is little else the consumer can do. It is difficult for
them to remember where something was purchased or how to buy it again.
This also makes it difficult to tell a friend.
2. Direct mobile billing
The consumer uses the mobile billing option during checkout at an e-commerce
site, such as an online gaming site, to make a payment.
After two-factor authentication involving a PIN and a One-Time-Password, the
consumer's mobile account is charged for the purchase. It is a true alternative
payment method that does not require the use of credit/debit cards or
pre-registration at an online payment solution such as PayPal, thus bypassing banks
and credit card companies altogether. This type of mobile payment method
provides the following benefits:
- Security - Two-factor authentication and a risk management engine prevent
fraud
- Convenience - No pre-registration and no new mobile software is required.
- Easy - It's just another option during the checkout process
- Fast - Most transactions are completed in less than 10 seconds
- Proven - 70% of all digital content purchased online in some parts of Asia uses
the Direct Mobile Billing method


3. Mobile web payments
The consumer uses web pages displayed on the mobile phone, or additional
applications downloaded and installed on it, to make a payment. It uses WAP
(Wireless Application Protocol) as the underlying technology.
Benefits include:
- Follow-on sales where the mobile web payment can lead back to a store or to
other goods the consumer may like. These pages have a URL and can be
bookmarked, making it easy to re-visit or share.
- High customer satisfaction from quick and predictable payments
- Ease of use from a familiar set of online payment pages
Unless the mobile account is directly charged through a mobile network operator,
the use of a credit/debit card or pre-registration at an online payment solution
such as PayPal is still required, just as in a desktop environment.
Direct operator billing
Direct operator billing, also known as mobile content billing, WAP billing, and
carrier billing, requires integration with the operator.
It provides certain benefits:
- The operators already have a billing relationship with the consumers; the
payment will be added to their bill.
- Provides instantaneous payment
- Protects payment details and consumer identity
- Better conversion rates
- Reduced customer support costs for merchants

4. Contactless Near Field Communication
Near Field Communication (NFC) is used mostly in paying for purchases made in
physical stores or transportation services. A consumer using a special mobile
phone equipped with a smartcard waves his/her phone near a reader module. Most
transactions do not require authentication, but some require authentication using
a PIN before the transaction is completed. The payment could be deducted from a
pre-paid account or charged to a mobile or bank account directly.
The NFC mobile payment method faces significant challenges for wide and fast
adoption, due to the lack of supporting infrastructure, a complex ecosystem of
stakeholders, and standards.


There are four potential mobile payment models:
1. Operator-Centric Model: The mobile operator acts independently to
deploy the mobile payment service. The operator could provide a mobile wallet
independent from the user's mobile account (airtime). A large deployment of
the Operator-Centric Model is severely challenged by the lack of connection
to existing payment networks. The mobile network operator should handle the
interfacing with the banking network to provide advanced mobile payment
service in banked and underbanked environments. Pilots using this model
have been launched in emerging countries, but they did not cover most of the
mobile payment service use cases. Payments were limited to remittance and
airtime top-up.
2. Bank-Centric Model: A bank deploys mobile payment applications or
devices to customers and ensures merchants have the required point-of-sale
(POS) acceptance capability. Mobile network operators are used as a simple
carrier; they bring their experience to provide Quality of Service (QoS)
assurance.
3. Collaboration Model: This model involves collaboration among banks,
mobile operators and a trusted third party.
4. Peer-to-Peer Model: The mobile payment service provider acts
independently from financial institutions and mobile network operators to
provide mobile payment. For example, the MHITS SMS payment service
uses a peer-to-peer model.

Conclusion

Mobile Payments represent an opportunity for operators that they can ill
afford to ignore. However, when assessing whether to enter this segment,
MNOs need to very carefully consider which mode of payment they would
like to implement, be it NFC/RFID-based, SMS-based or WAP-based. At the
same time they need to look at the markets for the various relationship
models and then decide whether they would like to enter the B2B, B2C, C2C
or P2P segment.

While reviewing the kinds of payment to target – micro or macro – operators
need to keep in mind that while customers might be willing to embrace
micro mobile payments much faster than they would in the case of macro
payments, it might result in a “low value-large volume” scenario. Such a
situation might place a strain on network resources but not bring in the
anticipated revenues. However, in the case of macro payments, while the
potential revenue might be high, users might not be as willing to switch to
mobile payments, hence resulting in slow uptake of the technology.

In addition to the above, while deciding on whether to implement remote or
in-store mobile payment methods, the investment involved needs to be
weighed against the potential gains that a particular implementation method
can bring in.

Also, while deciding on the implementation models, operators need to keep
in mind the relative position of the telecom operators and financial
institutions in the particular market before opting for a particular
implementation model.

Finally, to ensure that mobile payments live up to expectations worldwide,
operators need to make mobile payments widely accepted by merchants so
as to speed up user uptake of these services.




