In light of the recent external audit of Padgett-Beale’s financial operations
and the discovery of unapproved Shadow IT within the company being used
to conduct mobile payments, we have taken the liberty to review and address
any suspected compliance, privacy, and security issues. The Payment Card
Industry Data Security Standard (PCI DSS) was established by several payment
card brands, namely American Express, Discover Financial Services, JCB
International, MasterCard, and Visa, Inc. It comprises technical and
operational requirements for safeguarding cardholder data and applies to every
organization or system that stores, processes, or transmits that data (Wills,
2019). If a company suffers a security breach while not compliant with PCI
DSS, the payment card brands can impose penalties on the company's bank.
Penalties can range from $5,000 to $500,000 per month, and if the violations
continue and are not adequately addressed, the card brands can revoke the
company's right to process transactions with their cards (Wills, 2019).
The company facilitates eCommerce technologies and provides cashless
payment options, including mobile payment, to guests to pay for services
such as spa treatments, childcare, and tours in an effort to enhance the total
guest experience. Electronic commerce, otherwise known as eCommerce,
refers to the buying and selling of products and services over the Internet,
conducted through a variety of channels such as tablets, smartphones, and
other mobile devices (Ecommerce Guide, n.d.).
Mobile pay, otherwise known as mobile payment systems, is a common term
used to describe payment made for a product or service via a portable
electronic device, for example, a smartphone or tablet, or other mobile
devices, and is an alternate payment method to cash. The following are the
most common types of mobile payments:
1. Near Field Communication (NFC) mobile wallet payment enables users to tap
or wave their mobile device near a reader on a vending machine, cash register,
or similar terminal. The payment information is sent by a radio signal with a
short range of about four inches and is stored in a chip in the mobile device
or on a secure server linked to the mobile wallet app, such as Google Pay or
Apple Pay (Mobile Payments, n.d.).
2. Mobile web payments (WAP) refer to the user making a purchase on the
Internet using the web browser or an app on their mobile device and having it
charged to their debit card, credit card, or bank account (Mobile Payments,
n.d.).
3. QR code (quick response) payments typically require downloading the
merchant's mobile app, such as Target's, or a mobile wallet app. The mobile
device displays a QR code on its screen to be scanned at the register, and the
QR code carries the link to the payment information (Mobile Payments, n.d.).
Mobile payments usually involve disclosing some amount of personal
information, and some mobile payment apps will only collect and share the
information required to make the payment (CardConnect, n.d). The type of
information may include, but is not limited to, name, mailing address, email
address, mobile phone number, contacts, calls, texts, websites visited, and
account information, and may be shared with other companies (Mobile
Payments, n.d.). Information could also be collected by the mobile device
manufacturer, the payment provider, advertising network, wireless carrier, or
the business being paid (Mobile Payments, n.d.). Mobile payments can be
safeguarded by using various methods such as tokenization, device-specific
cryptograms, and two-factor authentication. Tokenization is a technology that
protects sensitive consumer information by encrypting it and transmitting a
token to the POS instead of the actual account information. Device-specific
cryptograms ensure the authenticity of a payment generated from a user’s
mobile device and are unique to that device and cannot be used with any
other. Two-factor authentication, or ‘2FA’, is a form of security that requires
two forms of identification for authentication and can be in any combination,
for instance, voice or facial recognition and a password (CardConnect, n.d).
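The paragraph above names three safeguards without showing how they fit together. The following is an added example, not code from the original memo or from any of the cited payment providers: a small Python model in which a constructed token vault hands the point of sale an opaque token instead of the card number, and each enrolled device signs every payment with a device-specific HMAC cryptogram over the token, amount, merchant, and a per-device counter. The issuer verifies the cryptogram with the key it holds for that device and rejects replays, tampered amounts, and cryptograms produced by a device it does not know. The vault, key sizes, message layout, and the sample card number are assumptions made for illustration (the PAN is a standard test number, not a real account).

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def luhn_valid(pan: str) -> bool:
    """Structural sanity check on a PAN; says nothing about whether the account exists."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 2 + 5 - 5 and d * 2 > 9 else d * 2 if i % 2 == 1 else d
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed stand-in for the payment provider's vault.
    The PAN is stored here only; the POS and the device see a random token."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


@dataclass
class DeviceWallet:
    """Wallet app on one phone; holds a token and a key unique to this device."""
    device_id: str
    token: str
    device_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    counter: int = 0

    def build_payment(self, amount_cents: int, merchant: str) -> dict:
        self.counter += 1   # monotonically increasing so the issuer can spot replays
        msg = f"{self.token}|{amount_cents}|{merchant}|{self.counter}".encode()
        cryptogram = hmac.new(self.device_key, msg, hashlib.sha256).hexdigest()
        return {"device_id": self.device_id, "token": self.token, "amount": amount_cents,
                "merchant": merchant, "counter": self.counter, "cryptogram": cryptogram}


class Issuer:
    """Verifies each payment's cryptogram with the key enrolled for that device."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.keys: dict[str, bytes] = {}
        self.last_counter: dict[str, int] = {}

    def enroll(self, wallet: DeviceWallet) -> None:
        self.keys[wallet.device_id] = wallet.device_key
        self.last_counter[wallet.device_id] = 0

    def authorize(self, p: dict) -> str:
        key = self.keys.get(p["device_id"])
        if key is None:
            return "DECLINED: unknown device"
        msg = f"{p['token']}|{p['amount']}|{p['merchant']}|{p['counter']}".encode()
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, p["cryptogram"]):
            return "DECLINED: bad cryptogram"       # wrong device key or tampered fields
        if p["counter"] <= self.last_counter[p["device_id"]]:
            return "DECLINED: replay"
        self.last_counter[p["device_id"]] = p["counter"]
        pan = self.vault.detokenize(p["token"])      # only the issuer ever sees the PAN
        return f"APPROVED ****{pan[-4:]}"


def run_demo() -> dict:
    """Walk through a normal payment, a replay, a cloned device, and a tampered amount."""
    vault = TokenVault()
    token = vault.tokenize("4111111111111111")      # constructed test PAN
    phone = DeviceWallet("phone-A", token)
    issuer = Issuer(vault)
    issuer.enroll(phone)
    first = phone.build_payment(4500, "spa")
    results = {"token_opaque": not token.endswith("1111"),
               "normal": issuer.authorize(first),
               "replay": issuer.authorize(first)}
    clone = DeviceWallet("phone-A", token)          # same token, different (unenrolled) key
    results["cloned_device"] = issuer.authorize(clone.build_payment(4500, "spa"))
    tampered = phone.build_payment(1000, "tours")
    tampered["amount"] = 100000                      # altered in transit after signing
    results["tampered"] = issuer.authorize(tampered)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:14} {outcome}")
```

The point of the model is the separation of concerns the memo describes: the merchant's register never holds the PAN, and a token lifted from one device is useless without that device's key, while the counter stops a captured payment message from being submitted twice.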
Various privacy and security issues could occur from the use of mobile
payment technologies. Highlighted below are five of these issues:
1. Cyber threat actors can 'spoof' mobile wallets. If cards are added to a
mobile wallet and the transaction is conducted over an unsecured public Wi-Fi
network, hackers can recreate the wallet's registration screen, prompting the
user to re-enter their information (CreditCards.com, 2017).
2. Malware is increasingly common and is used by cybercriminals to steal
users' information by sending them a fake link or advertisement
(CreditCards.com, 2017).
3. Eavesdropping or man-in-the-middle (MitM) attacks occur when an attacker
acquires personally identifiable information (PII), passwords, and other
sensitive information by intercepting data in transit between sender and
recipient.
4. Using multiple software options to complete mobile payments, especially
if the software is outdated, increases the device's exposure to cyber-attacks,
as there is no end-to-end protection of the payments and accounts (Shastri,
2019).
5. Phishing scams occur when a cyber threat actor contacts a user by email or
phone, asking them to verify their account credentials to rectify an issue with
their account in an attempt to steal their information.
To conclude, the security of all financial operations of Padgett-Beale Inc.
(PBI) is essential to the CFO and the Finance Department, and any
unauthorized attempts to interfere with these transactions and processes are
not taken lightly. It is, therefore, our primary intention to ensure that the
independent providers and all other parties involved uphold and follow
financial safety guidelines when conducting these transactions. Mobile
payments have transformed the way payments are made, and with the
increasing use of these devices, it is in the company's interest to handle
sensitive data appropriately while still providing frictionless and seamless
payments.
References
CardConnect. (n.d.). How to solve mobile payment security concerns.
CardConnect. Retrieved from https://cardconnect.com/launchpointe/payment-
security/mobile-payment-security
CreditCards.com. (2017). 3 major mobile payment security risks, and how to
avoid them. Nasdaq. Retrieved from https://www.nasdaq.com/articles/3-major-
mobile-payment-security-risks-and-how-avoid-them-2017-12-14
Ecommerce Guide. (n.d.). What is ecommerce? Benefits, stats and history of
electronic commerce. Ecommerce Guide. Retrieved from
https://ecommerceguide.com/guides/what-is-ecommerce/
Grant, M. (2021). Mobile payments: What you should know. Investopedia.
Retrieved from https://www.investopedia.com/terms/m/mobile-payment.asp
Mobile Payments. (n.d.). Consumer Federation of America. Retrieved from
https://consumerfed.org/mobilepayments/
Shastri, N. (2019). 5 mobile payment security concerns to consider.
PaymentsJournal. Retrieved from https://www.paymentsjournal.com/5-mobile-
payment-security-concerns-to-consider/
Wills, L. (2019). Americanbar.org. Retrieved from
https://www.americanbar.org/groups/litigation/committees/minority-trial-
lawyer/practice/2019/the-payment-card-industry-data-security-standard/