José Manuel Villa: "We make sizeable investments in securing both customer data and their interactions with the bank"
Using a mobile phone to pay for purchases in any store is possible thanks to apps such as BBVA Wallet. A trend that has been made possible thanks to the NFC technology of smartphones, which does not put security aside. We clarify all possible doubts to pay with your mobile.
BBVA Wallet is an app that allows users to pay using their mobile phones in any physical store equipped with contactless technology. Since it was launched in Spain in 2013, the app has been downloaded more than 3 million times in all the countries in which it is available.
José Manuel Villa, Head of Solutions Engineering, explains BBVA Wallet’s commitment to security and the future of an app that offers other functionalities besides mobile payments.
Q: How is it possible to make a payment through the BBVA Wallet App by bringing a smartphone close to a POS terminal?
A: The technology is the same that contactless cards use. Smartphone manufacturers and software developers have enabled the use of a NFC antenna which transfers the payment method-related information to the POS terminal. The transferred user data includes the numbering, expiration date, holder… along with much more non-visible information that secures the transaction. The exchange that takes place is the same as with any credit card we may carry in our pockets.
It is even safer, because the world of Internet makes it possible for the card used to be alive. It can be activated or deactivated, it is possible to set or remove limits in real time, and thanks to apps such as BBVA Wallet which leverages the internet connection of the mobile device. This is a significant improvement with respect to the physical card, where the profile is stored in the card itself and cannot be updated in real time.
Q: There is a certain level of concern surrounding contactless technology, what measures do BBVA apps incorporate to secure customer data?
A: When BBVA Wallet launched for the first time to be used as a means of payment through the smartphone, Visa and Mastercard, the two leading card issuers, increased even more their security levels. Thanks to them, users can make contactless payments under €20 without the need to type in their PINs. However BBVA Wallet requires users to enter their PIN number for all transactions, regardless of the amount. A security measure that enhances the groundbreaking service that BBVA
Security is a key element in our business model or approach to customers
Wallet offers. It is true that, over time, and as customer confidence has grown, this limitation has been set at the same level as the one applied to cards, and today customers can choose the transaction threshold as of which the POS terminal will request them to enter the PIN
Beyond mobile payments, being the bank we are, security is a key element in our business model or approach to customers. We make sizeable investments in securing both customer data and their interactions with the bank through digital means.
Q: Over the last year, a series of new functions have been enabled in BBVA Wallet such as switching cards on and off, changing the daily limit… is the purpose to allow customers to manage more functionalities through the app?
A: Indeed. BBVA Wallet is what I would call a living product. As time goes by, it is enriched with more and more functionalities devised to meet our customers’ needs.
We have a double expansion. The first one with respect to the number of functionalities, allowing customers to do more and more things through their device. The other one is international, as BBVA Wallet is BBVA’s first global product. Besides Spain, Mexico, U.S. and Chile, it will be launched in Colombia and in other countries in which the Group operates in short.
Some of the new features that we are considering from a functional standpoint are P2P payments or the implementation and improvement of the loyalty-building functionality, through promotions and discounts. We have a defined a comprehensive roadmap.
Security is a key element for BBVA Wallet, and, as payment method, it is safer than traditional contactless cards. Carlos Rosa, Innovation and Development Technician, emphasizes some of the security mechanisms of the app, and how the data exchange between the bank and the smartphone takes place.
Q: Can any trace of these transactions be stored in the smartphone?
A: The information stored in the device is an information that is never clear, i.e., the data of a card can never be obtained. Not even by modifying the phone would it be possible to obtained, because they are packaged in a security library. Almost all this information is stored in the cloud. The mobile only stores other user data which are not that confidential.
Q: A few days ago, the media started reporting about a Trojan in Android devices that collects online banking data from banking apps, could a type of virus such as this affect BBVA Wallet? Any recommendations?
A: Even if a Trojan was capable of retrieving Wallet data, most of the data in the phone are not only non-sensitive, but are stored in the memory that is deleted once the user’s session is closed. When making a payment, if the Trojan modifies or uses these data, we have two mechanisms to prevent the fraud:
1.- They expire after a specific number of hours
2.- If the data do not coincide with the data stored in the Bank’s servers, the payment will not go through.
Q: And what if a user’s phone gets stolen? Could it be used to make payments?
A: Just as it would with a stolen contactless card. They would be able to make payments under €20 without PIN, but with a 10-payment limit. If somebody drops his/her phone and someone else gets it, they would be able to spend up to €200 in stores, and that amount would be, apparently, lost (10x 20€ payments). And I say apparently because banks have closed a deal with VISA and have assumed that fraud. If the bank is notified about the loss of the phone and there have been operations under that €20 limit, these transactions are stored in a record, and therefore the money would be refunded to the user.
In such case, the first thing the user would have to do is cancel the mobile payment. And this can be done through BBVA’s call center. However, users don’t need to be concerned about losing their phones. In fact, in average, users notice they’ve lost their phones faster than they notice that they lost their physical wallets.
Q: An image that’s been shared in the social media has raised many concerns regarding security in contactless payments. Could something similar happen with BBVA Wallet?
A: A POS terminal could process a payment with a card or mobile without entering the PIN, but a person would have to be so close to it that he/she would be touching the terminal, and therefore the person would notice. However, this POS is registered with the name of the store in the bank requested, and it would be quite easy to detect the person making all these transactions.
It is important to point out that the smartphone and a contactless card work the same. In other words, a mobile may generate more insecurity, but people are not aware that the new cards work just the same. Therefore, the process is the same. Not because we carry a phone in our hand makes the payment method more insecure compared to a card we carry in our pocket.
Other interesting stories