Instead of reaching for your wallet in the next few years, you'll be able to pull out your cellphone and wave it over a scanner to make a payment.
Convenient? You bet. Secure? Companies working on this new system say it is rock solid. Encrypted payment information travels through the air from the phone to the scanner. The system is based on "contactless" technology already in some smart cards — credit cards and key fobs embedded with chips so they can be used instead of swiping a magnetic credit card. Chips are finding their way into driver's licenses, passports and other forms of identification, and contactless cards are used in many transit systems.
"It's relatively easy to make cellphones very secure devices," said Allen Weinberg, managing partner at Glenbrook Partners, a Menlo Park, Calif., financial services and electronic payments consulting firm. He said the encryption is "as good as or better than what you do with an ATM or at-home banking. No one is going to pick up your phone and start moving money around the world. It's just not going to happen."
MasterCard ma introduced contactless cards in 2002 under its PayPass program, which allows for transactions of $25 or less without a signature, said Simon Pugh, head of MasterCard's mobile group. With more than 19 million PayPass cards in use, MasterCard has simply taken the PayPass card proposition, in Pugh's words, and moved it to the phone. PayPass is now available in cellphones in South Korea, Taiwan and Japan, as well as in trials in the USA in Dallas, New York, Chicago, Wilmington, Del., and other cities. "We built security and encryption into the protocol," Pugh said. A cellphone transaction is "equally secure," he said.
The convenience of whipping out your phone as a payment mechanism is driving the transition. You wouldn't need to fumble for change at a parking meter, in a taxicab or at the ballpark.
"This is how consumers want to pay," Pugh said. "As we look at how behavior is evolving, what are the three things people take as they leave their house? Their car keys, their phone and their wallet. If they only had to take two — if their phone becomes their wallet — and it's MasterCard and it's secure, we think that's something consumers will want."
Weinberg, the Glenbrook consultant, said Apple's iPhone woke the mobile industry up to consumers' desire for an easy way to access the Internet. Once they're online, they're using their connection to buy things on Amazon, eBay and other sites. "It really lit a fire under Apple's competitors to bring out better, more useful mobile devices," he said.
"I would say the big hurdle is not security," Weinberg said. "The big hurdle is continuing to improve ease of use and consumer awareness."
With all that convenience, however, consumers want to know that their data are secure. The solution is in the chip. Because the chip in the card is communicating directly with a chip in the scanner, it's easier to encrypt and harder to crack.
It's already working in contactless cards, says Randy Vanderhoof, executive director of the Smart Card Alliance, an organization in Princeton Junction, N.J., with more than 180 members, including major card associations, banks and security technology companies.
"We're taking the same core functionality that's in the cards and embedding that in a mobile handset," Vanderhoof said. "The chip in the mobile handset acts like the chip in the card."
The cards use a dynamic key generated for each transaction, he said, meaning a random set of numbers are communicated from chip to chip, and then disappear. So even if someone was able to hack the transaction, it could not be duplicated.
In addition, said Vanderhoof, the same theft protections extended to people who use credit or debit cards will be extended to people who pay by phone. "One assumes that if someone took my phone and made a payment, I could make a claim to the bank that that wasn't me, and I would not be charged," he said.
The new system is much more secure than the traditional method, according to Jack Jania, vice president and general manager of secure transactions for Gemalto, a technology company based in France that specializes in making security for passports and personal devices such as smart cards and cellphones.
Think of the printed receipts that you get in credit card transactions today. Jania got one not long ago that highlighted the risk. "The merchant printed my name and credit card number on the receipt," Jania said, somewhat astonished. "They're not supposed to do that. That's how identity theft happens. That's where you see security issues coming. It's not a technology-based problem."