This article from a Nigerian media group perfectly captures today’s mobile security zeitgeist. The technology options it discusses, the differing points of view presented, and the uncertainty over which way to proceed exemplifies similar uncertainties in other developed (and developing) markets. The article discusses Subscriber Information Module (SIM) registration at some length. The idea is to connect the mobile phone owner to the Subscriber Information Module through an identity authentication step. This is classic Know Your Customer (KYC) activity. In Nigeria, however, this is made especially difficult because there is no national ID card system (there is in Kenya, M-Pesa’s home ground) and the country has a huge rural –and sometimes illiterate –population. Identity proofing is very difficult. When a security scheme cannot vouch for the identity of the user, then reliable authentication becomes problematic and, sometimes, the entire scheme can fall to the ground.
For Nigeria, an identity proofing scheme can certainly be found. If nothing else, fraud models for new users will keep transaction velocity and sizes down until a history of valid behavior has been established. That’s the approach here, as well. But some hardware-based authentication at the edge of the network is needed and, ironically, Nigeria’s use of the SIM may well provide that country with a solution long before the U.S. settles on NFC and the secure element embedded therein.
A major challenge before the Central Bank of Nigeria (CBN) and the 16 mobile payment licensees is how to prevent the use of mobile payment services for criminal activities. This however requires an acceptable standard of verifying the identity of mobile payment users so as to ensure adherence to the Know Your Customer (KYC) requirement. The ongoing SIM registration by the Nigerian Communication Commission (NCC) is seen as potential solution to this challenge. Electronic payment experts and regulators gathered at the eNNOVATORs Breakfast series agree that while SIM registration has crime prevention benefits for mobile payment, it also has its limitations, Babajide Komolafe writes.
Just a reminder as to the extent of the uncertainty around mobile payments: here’s the copy of the PCI Security Standards Council (SSC) on merchant mobile applications. The PCI SSC is looking into it, and hopefully will have something in 2011. We needed something last year.