Canada: Mobile Payments: Is Security The Key To Consumer Uptake? Banking Review: Fall 2012

Last Updated: December 4 2012
Article by Diane Kazarian and John MacKinlay


Smartphones are increasingly becoming an indispensable tool in daily life. A third of Canadians own smartphones and the numbers are growing exponentially. A vast majority may leave their wallets behind but can't think of going anywhere without their phones. As new services emerge, Canadians are starting to research and shop using their smartphones, with 20% of smartphone users having made a purchase on their phone.1 In fact, smartphone market penetration has grown from 5% to 40%, despite the economic downturn.2 The implication is clear: mobile will become pervasive and having a coherent strategy is critical to customer engagement.

Canadian banks have started going down this path and have introduced mobile banking on major smartphone platforms: BlackBerry, Apple and Android. However, adoption of mobile banking has been slow. According to a PwC survey of Canadian consumers3, just 13% of Canadians use mobile banking applications on their smartphones. That said, online traffic has begun shifting from personal computers to mobile devices, and tablets are replacing desktops. A range of players, including PayPal, Google and Starbucks, have begun offering mobile payments and launched mobile payment platforms in 2011.

A mobile payment transaction allows the transfer of value from one entity to another: person to person, person to a merchant or between merchants. The use of the word 'value' is deliberate – besides funds, value transfers can encompass coupons, offers and loyalty points. In the past, payments were the exclusive domain of banks. Bank-owned or bank-participated networks were the primary basis for funds transfers. With smartphone adoption, a range of new players – telephone companies, technology providers and device manufacturers – see an opportunity to provide services and secure their share of transaction rewards. This is important to banks, which have never had to trust someone else's systems to carry out their customers' payment transactions. More importantly, as a channel, mobile awards less exclusivity to banks when interacting with their customers. This is an uncomfortable position for banks to be in, but this is an issue they'll have to address head-on to succeed with mobile payments.

There's potential for Canadian banks to gain a competitive advantage as consumers already hold their banks to high standards of accountability, with 84% holding banks responsible for safeguarding privacy, while a similar percentage say that they don't fully trust their phone company or handset manufacturer with their financial information.4,5 The 2011 PwC financial mobile services survey also shows that 67% of those surveyed from Canada and the US would prefer that their mobile payments be enabled by their banks. And 76% say that regardless of who provides the service, they want the money to come out of their bank account and go into the receiving party's bank account. They appear generally apprehensive of funds sitting in intermediate locations before being settled via the banking system – giving rise to trust and security issues.

Trust then is the key in unlocking the potential of mobile payments. With traditional boundaries being extended, participation and collaboration in an extended ecosystem—banks, mobile networks, device manufacturers, technology companies and other service providers—become critical. There are now many more touch points where a consumer's private and confidential information can be compromised. And consumers are worried.

The challenge

Our survey of Canadian consumers also reveals that security risk and fraud is a top concern for 74% of respondents when it comes to mobile payments, while 67% are worried about the privacy of their data.6 Participants were also asked if they trust smartphone manufacturers and wireless carriers with their financial data – the overwhelming response was "no".

These responses are not surprising and hold the key to how financial institutions, or for that matter service providers, should move forward to secure their place in the mobile payments ecosystem. Canadian banks start from a position of strength: they've proven they can safeguard their customers' financial data and in turn have secured their trust.

But can this trust be maintained? Until recently, payments have been managed within tight boundaries, where banks could exercise influence. With mobile payments, the ecosystem is extended. No single organization will be able to control all forms of value transfers from an end-to-end perspective, single handedly guarantee the security of the transaction, and in turn seek the associated rewards.

For banks to secure and even extend their revenue potential from mobile payments, they'll have to play an active role in the enforcement of standards across the ecosystem. End-to-end security hinges on all the participants collaborating to create these standards that can evolve as technology changes and as risk and potential threats emerge. An excellent illustration of this collaboration is the near field communications (NFC) voluntary guidelines, known as the Mobile Reference Model, supported by the Canadian Bankers Association (CBA). But key questions remain:

  • How will consumers be protected when fraudulent payments occur?
  • Who will indemnify them?
  • Up to what amount will they be indemnified?
  • Will some of these costs be borne by merchants?
  • How will costs be apportioned between participating ecosystem players?

Mobile payments in Canada

The CBA has been asked by the Canadian financial institutions to help coordinate the development of the mobile guidelines because of the CBA's broad membership which includes 54 domestic banks, foreign bank subsidiaries and foreign bank branches operating in Canada.

Excerpt from a CBA announcement:7

Canadians continue to adopt mobile technology and demand for mobile payments capability continues to grow. As a result, in May 2012 the banking industry and credit union system announced a set of voluntary, secure, open guidelines for the development of mobile payments at the point-of-sale in Canada.

The voluntary guidelines, technically known as the Mobile Reference Model, will serve as a blueprint for how mobile payment capabilities can be offered in the Canadian market.

The 133-page model begins with a set of guiding principles for mobile payments in Canada, explaining that they must be8:


  • Allow for different business models
  • Foster innovation
  • Ensure competition among market participants

Safe and secure

  • Protect confidential personal, financial and transactional information within the mobile payments ecosystem
  • Facilitate secure interactions between financial institutions and the mobile payments ecosystem

Responsive to end user and merchant needs

  • Provide for ease of use, speed, availability, security, transparency, choice and consistency for users


  • Establish clearly defined standards essential for interactions between financial institutions and the mobile payments ecosystem
  • Align with the Canadian regulatory environment and avoid overlap with existing standards
  • Consider and respect international standards as a means of facilitating interoperability


  • Create a path forward for standards to support the long-term viability of mobile payments in Canada
  • Encompass activities between financial institutions and the mobile payments ecosystem
  • Adapt over time as technology and the ecosystem evolve
  • Allow for economically viable business models that accelerate mobile payments adoption for the mobile payments ecosystem

What about the US?

On March 22, 2012, the Congressional subcommittee on Financial Institutions and Consumer Credit hosted a hearing titled 'The Future of Money: How Mobile Payments Could Change Financial Services.' This was one of the first meetings hosted by Congress on the topic, and expert panelists ranging from the Federal Reserve to industry participants (MasterCard, PCI Security Standards Council (PCI SSC), Smart Card Alliance) were brought in to explain the basics of mobile payments and address concerns.9

Chief among the concerns of many Members of Congress were questions surrounding security.

Today, according to PCI SSC, mobile payment security can be divided into two categories:10

  • Merchant acceptance applications where phones, tablets, and other mobile devices are used by merchants as POS terminals in place of traditional hardware terminals
  • Consumer facing applications where the phone is used in place of a traditional payment card by a consumer to initiate payments

Notably, the PCI SSC has only concentrated on providing requirements and guidance to the first category: securing the use of mobile devices as a point of sale acceptance tool. As for the second category of applications, there are no regulators, forums, roadmaps or industry standards that wallet providers can refer to or adhere to.11,12 This is likely to change in the coming years and represents a potential area of growth for trusted mobile security players.

This is an excerpt from Opportunity calls: An update on the evolution of mobile payments.


Within many banks, risk and finance are still worlds apart, making it very difficult to generate integrated information and insights. Why is this?

Banks need fundamentally new approaches to manage security and privacy, given the growing reliance on partners and third-party service providers to deliver the same degree of assurance to customers as provided by Canadian banks. This is by no means a small task and banks will be increasingly under pressure to play the role of the gate keeper in keeping their customers' data secure – even when customers use third-party services.

What can banks do? The first step is to help establish and propagate a set of standards that is both robust and widely accepted by the expanded ecosystem (banks, cell phone makers, mobile networks, technology companies) and to constantly evolve those standards. Security threats do not stay idle and all participants will need to embrace a coordinated approach when dealing with new fraud and security threats.

The next step is to ensure standards are enforced and demonstrate this enforcement. This will go a long way in building trust with consumers. Some banks are considering third-party assurance to critique standards and review how banks and their partners will jointly deliver these standards. This third-party assurance seal can serve two purposes:

  1. Provide executive management consolation that the bank's risk assessment and control procedures align with those of the service providers
  2. Together, the bank and its partners will provide business processes that deliver the required degree of security and trust

Such assurance may also be critical from a regulatory perspective and may provide a competitive differentiation for banks in the short term.

Maintaining trust: The key in making mobile payments mainstream

The message from consumers is clear: concerns over the security and privacy of their personal data pose a significant barrier to the adoption of mobile payments technology. One vehicle for building consumers' trust already exists in the form of a well-recognized North American framework, the Trust Services Principles. This framework can be leveraged through assurance reporting on existing governance structures, processes and controls to provide an independent assessment of banks' mobile payment operations. As the use of technology and the number of players delivering ecommerce increases, trust reporting and independent assurance around non-financial risk is becoming increasingly important to all stakeholders and will likely become standard operating procedure in the near future.

To use the Trust Services Principles, you should first identify the five criteria on which to report to your stakeholders:

  1. privacy
  2. confidentiality
  3. processing integrity
  4. availability
  5. security

Different stakeholders will have different concerns. For example, a merchant would be most concerned that the system is available for operation and use, while an individual will want to be reassured that their privacy and data are protected. Banks can then tailor their reports to satisfy the needs of each category of client and build the confidence necessary to encourage adoption.

The mobile payments ecosystem has grown to include new players including mobile networks, and banks should ensure that new entrants are equally trustworthy and as controlled as the banks to maintain the level of trust. The mobile payments process will only be as strong as each individual player. Banks must have confidence in each of those players as they can impact the trust that banks have created with their customers. That means obtaining assurance from those entities regarding their processes and controls. The Trust Services Principles can be utilized for this purpose as well.

The Trust Services framework also provides the opportunity for the banks and their business partners to obtain third-party Trust Services seals (WebTrust™ and SysTrust℠) to demonstrate to end users that their systems and processes are reliable and comply with ecommerce standards. The seals can be placed on their websites to give a visual representation that there's been an independent evaluation. By clicking on the seal, stakeholders will have access to the report and the measures put in place to protect their data.

Implementing a Trust Services framework will give early adopters a competitive advantage by providing a means to enhance trust and transparency, a critical success factor in allaying the concerns of consumers around mobile payments.


Payment transactions constitute an important source of revenue for banks worldwide. For Canadian banks, this opportunity is even more pronounced given the degree of trust established with their customers.

While standards continue to evolve and expand beyond NFC, two-dimensional (2D) code and cloud processing technologies, banks can adopt several key practices to ensure they secure their fair share of revenues generated within the mobile ecosystem:

  • Know your risks: Focus on new points in the transaction life cycle where customer data can be compromised. Some of these break points will be outside the domain of the banks.
  • Develop a collaboration model to interact with ecosystem participants, both known and emerging: Clarify how trust will be managed, what controls will be deployed, what assurance can be obtained that such controls are functioning and effective and how risks will be shared. Embrace a formal due diligence model to certify third-party service providers.
  • Educate consumers: The risks associated with the use of wallets and other services, such as couponing, offers, loyalty points and in general sharing of personal information, need to be clarified together with liability disclosures. Mobile payments allow for the collection of a significant volume of information, and not all customers may want this information divulged.
  • Be technology agnostic: Mobile technologies are still in their infancy and will mature over time. With new tools come new risks of inadvertent disclosures and opportunities for deliberate intrusions. Validate new technologies critically with a focus on customer information protection.

What about merchants?

Merchants will exert significant influence on the pace of adoption of mobile payments. While significantly encouraged by the potential to improve customer interaction with targeted offers, location aware services, coupons and loyalty rewards, merchants continue to be concerned about the costs associated with payment transactions.

Merchants are important banking customers and in growing their mobile portfolio, banks will have to balance the needs of the merchants and the needs of their customers. A universally beneficial approach is for banks to combine the silos of information, with the explicit permission of their customers, to deliver focused services. Banks will need to deploy sophisticated analytics capabilities to make the vision of mobile payment a reality.


1. Google. Our Mobile Planet: Canada, Understanding the Mobile Consumer. May 2012.

2. MIT Technology Review. Are Smart Phones Spreading Faster than Any Technology in Human History? May 9, 2012.

3. PwC. Canadian consumer survey 2012.

4. PwC. Citizen Compass: Next generation of eservices. 2012.

5. PwC. Canadian consumer survey 2012.

6. PwC. Canadian consumer survey 2012.

7. Canadian Bankers Association. Mobile Payments in Canada. July 19, 2012.

8. NFC World. Canadian banks issue landmark NFC payments guideline. May 14, 2012.

9. United States Congress Committee on Financial Services. Hearing entitled "The Future of Money: How Mobile Payments Could Change Financial Services." March 22, 2012.

10. Troy Leach, PCI Security Standards Council. Prepared Remarks for "The Future of Money: How Mobile Payments Could Change Financial Services." March 22, 2012.

11. Darin Contini, Marianne Crowe, Cynthia Merritt, and Richard Oliver, Federal Reserve. Mobile Payments in the United States: Mapping Out the Road Ahead. March 25, 2011.

12. Richard Oliver. Prepared Remarks for "The Future of Money: How Mobile Payments Could Change Financial Services." March 22, 2012.
