Remember when you had no clue what separated BPAY from eBay from eWAY? When you’d rather stand in bank queues than bank online? When punching in your credit card details online seemed equivalent to gifting your VISA to a fraudster?
They were confronting times. Confronting, that is, until Australians got used to the whole thing and happily transferred $145 billion worth of funds via BPAY in 2010.
Now, as electronic payments fade more and more into the enveloping world of the familiar, there’s a new payment option raising some people’s security fears. It’s mobile commerce, or m-commerce for short, and it’s already been embraced by fashion retailers including Sportsgirl, Marks and Spencer and Asos. Additional retailers including Cotton On are planning to join the ranks of those offering mobile optimised online stores by the close of 2011.
What is it about the mobile shopping sites of these retailers that has some so nervous? It is the security of the transactions made on those sites. In a study commissioned by online payment system PayPal and published in March 2011, The Nielson Company found 51 per cent of Australians are not convinced the current security measures for mobile transactions are adequate. In the ‘Mobile Commerce Guide 2011’, published by software provider Sybase, Tom Wills describes the apparently common fear people have that, “someone will hack the mobile communications channel and steal bank account numbers or sensitive personal information”.
Andrew Fisher, general manager of technology at digital development firm Citrus, is having none of it.
“I think [security concerns] are largely perception driven rather than anything else,” Fisher begins. “I think on the retailer side of things it’s a convenient excuse, largely. That’s how it’s being used: ‘Ooh, mobile commerce, it’s really insecure’. It’s the same argument they used 10 years ago with e-commerce: ‘No-one will use their credit card online’. It’s a fear of fraud and all that sort of stuff.
“I did a panel a couple of months ago with one of the guys from eBay, and they were saying that something like 10 or 15 per cent of the sales coming through eBay now in Australia are via mobile. When you’re starting to talk about literally tens – if not hundreds – of millions of dollars of transactions, clearly the consumer is not worried about it.”
Jeff Bullas, sales and marketing manager for web development firm Infinity Technologies, agrees.
“You’ve got two sides of the coin. You’ve got the consumers who are buying – their idea of risk I think is fairly minimal unless they’re an older generation. A lot of people understand that their credit card is quite often protected from fraud by the credit card provider. Then on top of that you’ve got people like PayPal who offer an additional level of security as well. I don’t think on the consumer side we’re striking that as a big issue.
“On the retailer or online store owner’s position, a lot of them work very hard on getting VeriSign and others security features added to their site to make sure they actually offer all those types of security that makes it safe for consumers to buy. They’re trying to make sure the customers feel comfortable when they turn up to the site that it’s secure, that it’s not just a fake landing page or that it takes them somewhere else. Retailers can lose a lot of money if they’re not careful with fraud but a lot of them are quite aware of risks and have put in place measures to [avoid it].”
In Sybase’s Mobile Commerce Guide, Andrew Mikesell is more acknowledging of the many elements that have to combine to secure a mobile commerce site.
“Security is complex because every member of the mobile ecosystem – financial institutions, application developers, enterprise/brands/retailers and customers – must make comprehensive efforts to protect financial and personal data at every level, including the physical premise, the network, the transaction and the user activity,” Mikesell writes.
While retailers may worry about the security of network connections they don’t understand or encryption methods that make as much sense as reading Russian, Mikesell says it’s actually the consumer that is the most unpredictable and hard to manage security risk.
“When considering how to secure the physical premises, network and transaction, the industry can rely on the tried-and-true technology and security best practices known and widely used in IT departments,” Mikesell explains.
“User activity is an entirely different challenge. End users commonly engage in unsafe practices for the sake of convenience.”
Fisher points out that m-commerce allows consumers to shop in a much more public way than ever before, and that poses its own risks.
“It’s very convenient to be sitting on the tram and buying something, but you’re sitting there with your phone in one hand and your credit card in the other. That’s a bit dodgy.”
The biggest security risks, then, appear to be applicable to the consumer rather than the retailer. Yet as Fisher points out, many of those risks already exist in other tried-and-true mediums. We’ve all just become a little numb to them.
“I had an incident on a tram a few weeks ago where I was listening to someone buy something over the phone and they were reading out their credit card number whilst they were on the tram! I thought, ‘Wow, there are 20 people on this tram that could be writing that number down, and they just haven’t clocked that fact, they’re obviously so used to [buying over the phone].”
For both retailers and consumers keen to see the security measures they’ve become used to via e-commerce replicated in m-commerce, they need not fear: big names like PayPal are already making the transition. PayPal Australia’s head of mobile strategy, Paul Buchanan, explains how the company is moving with the times.
“What we’ve done is we’ve optimised the PayPal [payment] option so the buttons are bigger, the process is very easy. As soon as you click a PayPal button and you’re using a phone, you’ll be given a mobile friendly version. You’ll log in using your password code and basically in as little as two clicks you can pay for an item,” Buchanan says.
“The other key thing to mention here is whether it is mobile or PC, it sticks to the core principle of PayPal’s business and that’s security. No financial data is stored on the mobile phone at any point, the same case using your computer as well... . If you’re using a credit card to pay for an item and PayPal is your payment mechanism, none of your financial information goes to the merchant. You agree to pay using PayPal, PayPal manages the transaction on your behalf, never shares your financial data with the merchant who might be overseas or it might be local, irrespective, none of that data is shared with them.”
The same protections exist for retailers:
“It’s secure for the merchant as well,” Buchanan affirms. For fashion brands or retailers wanting to talk to a developer about getting a mobile enabled online store up and running, Andrew Fisher – who helped build transactional stores for Sportsgirl, Ripe Maternity and Cotton On, among many others – says it is the developer’s previous work experience that will most likely ensure a smooth, secure passage into the mobile channel.
“I think any retailer would be well advised that if a company hasn’t got any experience working with e-commerce at all, then they’re going to struggle to build a mobile site as well,” Fisher says. “The skills are largely the same but also it’s knowing all the other stuff that goes on around it. When I go and talk to clients that want to do e-commerce, the first thing I say is, ‘The website build component of this is actually the easiest part because it’s been done so many times before. What hasn’t been done before is you changing your business to support e-commerce’. That’s actually where a lot of the issues crop up because e-commerce touches every single part of the business, from legal to supply chain to HR to marketing to IT to finance – you name it, they get touched by it. If you’ve gone through that change, mobile will be very easy. But if you haven’t, I’d say start with e-commerce and then move to mobile.”
For retailers wanting to go the freelance developer route rather than use a big and possibly expensive digital agency, Fisher believes the risks are much the same.
“Having been a developer who’s worked on Freelancer.com, I’ve been on both sides... [it’s] no more or less risky than it is any type of development, whether you’re doing commerce or any type of application build.”
From Infinity Technologies, Bullas says the key to a secure mobile commerce build is reference checks.
“Make sure you speak to current customers of theirs. We are finding a lot of one-man-bands or freelancers out there doing a lot of Magneto sites and we get a lot of calls from people who have a site that doesn’t work very well. The challenge with any buying decision is people sometimes buy for price over quality and at the end of the day, they do get what they pay for.”