CurrentC—a mobile payment system developed by a consortium of major retail chains—has made headlines lately for brazenly blocking Apple Pay transactions. The heat CurrentC faced from that poor strategic move is nothing, though, compared to the trouble the embryonic payment system is in now, thanks to news of a data breach.
CurrentC isn’t even officially launched yet. It's currently pilot testing with a handful of early adopters, and it's projected to be available to the masses sometime in 2015. Merchants Customer Exchange (MCX)—the organization behind CurrentC—confirmed Wednesday that it was the victim of a hack, though, compromising the email addresses of the early adopters.
No financial information was exposed, and attackers did not intercept transaction data, so it could definitely have been worse. Tim Erlin, director of IT risk and security strategy for Tripwire, says, “As long as this incident is constrained to the loss of email addresses, I wouldn’t expect it to be material to their business plans. There are enough big name retailers involved to weather that kind of an incident.”
Some CurrentC retailers have a rep for breaches
That is true to an extent, but a data breach of the nascent mobile payment system before it has even launched doesn’t exactly instill confidence. This is a payment system that seeks to bypass the major credit card providers and avoid transaction processing fees by linking directly to customers’ bank accounts and debiting transactions directly. If they can’t protect email addresses, do we really want to trust them with our bank account information?
It also doesn’t help that many of the retailers that comprise the membership of MCX have damaged reputations and tarnished trust with customers as a result of past data breaches. Kmart, Michael’s, Lowe’s, Old Navy, Target and other MCX members have already made headlines this year for allowing customer data to be compromised or exposed.
“Over the last year, we've seen a lot of high profile credit card hacks at retailers, and it’s clear that consumer sensitivity in this space is high,” exclaimed Geoff Webb, senior direction of solution strategy for NetIQ. “This kind of hack isn't likely to instill a lot of confidence among skittish customers looking for reassurance that they can safely buy at retailers.”
Tom Gorup, Security Operation Center (SOC) manager at Rook Security, explains, “This dramatically complicates the battle CurrentC has with Apple Pay. They want your bank account information, potentially your Social Security number and driver’s license number just to set up the service. Before they even go live, they are compromised. On the other side of this, Apple Pay hits over 1 million accounts within 72 hours of release and there is barely any place to use it. That's huge! This just shows the type of following Apple has and the battle CurrentC has ahead of them.”
Even if we forgive the previous transgressions of many of the biggest MCX members, and we accept that the CurrentC hack revealed only email addresses rather than actual financial data, it still doesn’t bode well. There are larger issues involved with CurrentC when it comes to privacy, and fraud protection for customers.
“CurrentC’s approach raises questions as to liability if there is a compromise of the system,” suggested Ken Westin, security analyst with Tripwire. “The Apple Pay model has been a bit more focused on privacy and security with their technology to help gain traction and trust in the market place. The CurrentC system is tied to loyalty programs with the retailer and that raises a whole host of privacy and security concerns.”