Mobile payments have become a mainstream option for shopping online, and it’s easy to see why. They are a fast and convenient way to purchase items online and pay for them directly from your smartphone. While ecommerce websites still rule the game of online sales, mobile apps with integrated payment options are catching up. For the consumer, it’s the best of both worlds – a simplified design, quick login options, customizations which make the app user-friendly, the option to take advantage of special offers, and the ability to complete purchases directly through the mobile app.

The Road Paved with Good Intentions

“The road to hell is paved with good intentions” is a saying that should be printed out and prominently displayed in every office of every manager and app developer who works on adding mobile payments to business apps.

When your mobile app takes on the role of processing payments, the privacy and security rules and regulations you used to comply with need to be upgraded a hundredfold. We are no longer simply protecting people’s names, email addresses and phone numbers, but their bank accounts and credit card details, as well.

This is why, before you consider implementing mobile payments into your existing corporate apps or creating a new app with this functionality, your organization needs to develop, audit and implement a solid code of best practices around two central factors: security and user interface. Both of these elements are critical because one guarantees the safeguarding of financial data and the other helps the user complete a transaction securely, without making errors which may expose their private data to malicious third parties.

Best Practices Concerning Mobile Payment Security

The Payment Card Industry (PCI) has updated its policies and guidelines to cover mobile payments. These guidelines are directed mainly at mobile app developers; however, any company which owns, or is preparing to develop, a corporate app with integrated payment functionality needs to be aware of them.

Among these, the most important recommendations are:

1. Prevention of Unauthorized Access

The swipe gesture has become a standard means of unlocking mobile phones or accessing apps. It is convenient, as it can be performed with one hand, but it can expose users to unauthorized use of their accounts by third parties.

Under no circumstances should the payment (shopping) section of a mobile app be made accessible with a simple swipe. Face or fingerprint recognition and passwords remain the two safest options for creating a gateway inside the app between general use and the initiation of a transaction.

2. Prevention of Escalated Privileges

Many smartphone users root (Android) or jailbreak (iPhone) their device to gain super-user rights over it. These super-user rights include the ability to uninstall or disable critical functions of the operating system, and to run apps which are not authorized by their respective marketplaces (the App Store and Google Play). Initially, these techniques were available to a restricted number of developers and testers, but they can now be found with a simple internet search, and even non-technical people often make use of them.

A rooted or jailbroken device is thus far more vulnerable to hacking or malware infection. As a precaution against any potential issues, you should prevent any mobile app which features a payment system from being installed on such a device.

3. Possibility of Remotely Disabling the Payment Application

If any of your users suspect that their phone has been hacked, or that it was stolen while they were logged in to your app, they should be able to contact you easily and request to have the account disabled. Including this functionality is optional at the time of this writing, but it may well become a regulatory requirement soon.

Best Practices Concerning User Interface

There are two key aspects regarding best practices to implement in designing your mobile app user interface.

1. Enable Auto-Formatting

There are always questions as to the best way to enter card data and mobile numbers. Should you leave blanks between groups of digits? Do you separate them with dashes? Or do you enter them as one continuous string? By programming your app to insert the spaces or dashes automatically, you make the purchasing process simpler for the user and reduce entry errors.
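As an added illustration (not code from the original article), the following formats a card number into its conventional digit groups as it is typed, and masks all but the last four digits for display once entry is complete. It assumes 4-4-4-4 grouping for most brands, the 4-6-5 grouping used by American Express (prefixes 34 and 37), a single space as separator, and a maximum of 19 digits.

```javascript
// Added example: auto-formatting of card number input (not from the original article).
// Assumed conventions: 4-4-4-4(-3) groups for most cards, 4-6-5 for Amex, space separator.
const MAX_PAN_DIGITS = 19;

// Keep only digits and truncate to the longest card number length we accept.
function digitsOnly(input) {
  return String(input).replace(/\D/g, "").slice(0, MAX_PAN_DIGITS);
}

// Group sizes depend on the brand; Amex (15 digits) is the common exception.
function groupPattern(digits) {
  if (/^3[47]/.test(digits)) return [4, 6, 5];
  // 16-digit cards fill the first four groups; 19-digit cards use the fifth as well.
  return [4, 4, 4, 4, 3];
}

// Insert separators between groups; partial input (still being typed) is formatted too.
function formatCardNumber(input, separator = " ") {
  const digits = digitsOnly(input);
  const groups = [];
  let pos = 0;
  for (const size of groupPattern(digits)) {
    if (pos >= digits.length) break;
    groups.push(digits.slice(pos, pos + size));
    pos += size;
  }
  return groups.join(separator);
}

// For display after entry: reveal only the last four digits.
function maskCardNumber(input) {
  const digits = digitsOnly(input);
  const visible = Math.min(4, digits.length);
  return "*".repeat(digits.length - visible) + digits.slice(digits.length - visible);
}
```

The card numbers used in the test below are the widely published test values, not real accounts.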

2. Do Not Make Access Too Simple

As we discussed earlier, it is never a good idea to let users proceed to the checkout without validating their identity. Most professional apps require 2-step validation (fingerprint scan and password, or mobile number), which reduces the risk of unauthorized usage. Even though it may slightly degrade the user experience, the security benefits of a 2-step validation process greatly outweigh that cost.