Another device, another application ported to it for processing payments.  This is the natural evolution of any technology, and like any new deployment there are advocates on either side yelling ‘tastes great’ or ‘less filling’.  So I decided to weigh in on the conversation, tell you who stands where, and lay out what the real risks are.  I actually wrote about this back in January 2009, which you can read here (and check out other posts while you’re at it).

On one side we have Forrester researchers yelling, “Stop the Madness! Payment Apps Are On The iPad Too Soon”.

On the other hand, you have the payment processors rolling out payment apps for the iPhone/iPad as fast as their customers demand them.  Although there are a plethora of payment apps for your iPhone/iPad, there are only two that I know of that accept a swiped credit card, i.e. the magnetic stripe (track) data.

I’m happy to see VeriFone having their application undergo PA-DSS validation, and I’m sure Square will do the same, if not for security then for marketing power.  It is these situations that I feel the naysayers are most concerned about: applications that accept sensitive authentication data (i.e. track data, CVV2, or PIN block data).  The reasoning is that theft or compromise of this data is what leads to the highest incidence of credit card fraud in the industry, because it is hard to perpetrate high-dollar credit card fraud with only the PAN and expiration date.  This is directly reflected in the resale value of PAN information, which is sometimes 10-100 times less than that of the lucrative sensitive authentication data.

But let’s get real here.  The vast majority of payment applications for the iPhone/iPad only accept the PAN and expiration date.  What is the real risk here?  I’m not as worried about one of these applications being compromised as I am about the potential for iSkimming.  That’s right, did I just coin a term?

iSkimming: The sale of an altered or fraudulent mobile phone payment application that sends credit card details to an attacker before routing them to an authorized payment vendor.  The attacker is able to collect or harvest the payment card details, and potentially collect a fee for the payment application itself.

Much like credit card skimming in the physical world, we could see iSkimming in the virtual world.  The best way to protect against this is to NOT download an off-brand payment application.  I mean, would you use your credit card at a white-label ATM?  I try not to.

If I wanted to accept mobile payments and reduce the risk of fraud, I would research the available market space and only use payment applications from vendors with a current good standing in the industry.

Let’s not slow innovation, just be smart about it.