Last updated: 16 February 2015
Payment via mobile platforms is becoming a trend in Brazil, as more users experience the practicality and convenience of this method.
Payment via mobile platforms is becoming a trend in Brazil, as more users experience the practicality and convenience of this method. In this article we will look at the market and highlight the vulnerabilities for mobile payments in Brazil.
Current Status of Mobile Payment in Brazil
The Brazilian public are getting more acquainted with transactions operated from mobile devices, according to recent reports. The e-commerce sector, for example, has grown by over 85% between 2013 to 2014, holding 7% of the total e-commerce market and expected to reach 10% by 2015.
While these numbers might seem small compared to other established markets, where mobile payments have wider adoption, the potential for rapid expansion in this sector in the near future is undeniable. Market specialists and consulting firms report that the user base for mobile payments in Brazil could reach 80 million by 2018.
Much of this potential is directly linked with the ubiquity smartphone usage has found with the Brazilian population in recent years. The Lei do Bem, a Brazilian tax reduction law specific to smartphones assembled in Brazil and loaded with national apps, led to a surge in sales for these devices. In 2013, sales for smartphones in Brazil grew by 122%, a trend that emcompasses all Brazilian social segments.
The current Brazilian user base for smartphones sits at around 40 million and is expected to steadily increase in the near future along with the number of mobile payment users. Brazilian commerce establishments, payment gateways, credit card operators and acquirers, all of which are aware of the potential in this market, have implemented new solutions and systems to facilitate these types of transactions.
PCI Compliance to Mobile Payment
The implementation of mobile payment support for credit cards is in fact quite similar to what is found on other platforms, like desktop PC’s.
Companies must first be compliant with the regulation of PCI DSS, or the Payment Card Industry Data Security Standard to be granted the rights to receive clients information and credit card numbers used for payment processing. This requires the following specifications:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
With all these requirements fulfilled, companies must contact a PCI Approved Scanning Vendor, that will be responsible for monitoring and checking compliance requisites and also granting the rights to operate credit card transactions online. None of these vendors are based in Brazil, however companies can contract a foreign ASV.
This works in the regular chain of online transactions, where clients credit card information is sent to the merchant's servers and later to payment gateways, where the transaction is approved and the merchant is notified.
Vulnerabilities for Mobile Payments in Brazil
Many researches point to serious vulnerabilities commonly found in Brazilian networks and caused by imprudent user behavior. Brazilian smartphone users, for example are known for not securing their devices with passwords or screen locks.
Stolen credit card information is one of the main concerns of internet payment users in general and the driving cause for the implementation of requirements for companies to take part in these transactions.
Man-in-the Middle attacks, or in this case the interception of credit card information during the process in which it is sent to the merchant’s servers, is perhaps the biggest threat during online transactions, not only for its frequency but for the general simplicity of this method, depending on the network type and configuration.
Wireless networks in Brazil, for example, tend to remain unsecured, or don’t require a password or encryption for users to gain access. This opens up major vulnerabilities for the interception of sensitive data by attackers who can easily enter these networks and monitor all the information passing through them. As Brazilian commercial and public establishments follow the worldwide trend of offering free network access to their customers, the dangers of these types of attacks increases significantly.
Another vulnerable aspect of mobile transactions refers to cultural behaviors of the country’s internet users. Brazilians tend to seek publicly available networks and disregard security standards, preferring unsecured networks even when not in public spaces. Some reports also point out that users tend to ignore security warnings, such as lack of SSL certification, causing profound security compromises in their connections.