The m-commerce ecosystem is challenged by diversity in mobile devices, computing systems, applications, communication channels, banks and service providers.
As a result, banks need to focus on building a more secure, inclusive financial framework that brings uniformity, synergy and an enriched customer experience.
Some of the critical issues that banks need to keep in mind while choosing their framework include:
System Integration of Mobile Clients with Core Banking Processes
A bank’s core banking system, the system that houses the consumer’s account and the related transaction management and history, requires a means to translate banking instructions received from consumers through one of the bank’s channels, such as ATMs or the internet, into a format that the core banking system can process.
This translation is normally performed by an EFT channel switch. An Electronic Funds Transfer (EFT) switch, or Financial Switch, accepts, translates and forwards transactions from multiple channels to the bank’s core systems, switching each transaction from its channel to the appropriate area within the core banking system. The switch can sit within the bank or with the bank’s third-party processor.
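The accept, translate and forward role of the EFT channel switch described above, shown as an added example (not code from the article or from any bank). The SMS and USSD message grammars, the operation codes and the core-area names are all constructed for illustration; the point is that every channel reaches the core system as the same strictly validated record.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CoreTxn:
    channel: str
    op: str            # canonical operation: "TRANSFER" or "BALANCE"
    account: str       # beneficiary account number, ASCII digits only
    amount_paise: int  # integer minor units, so no float rounding

# Constructed per-channel grammars (assumptions, not real bank formats).
# re.ASCII keeps \d to 0-9 so look-alike Unicode digits are rejected.
PATTERNS = {
    "SMS": re.compile(
        r"(?P<op>TRF|BAL)(?: (?P<amount>\d{1,7}) (?P<account>\d{10}))?", re.ASCII),
    "USSD": re.compile(
        r"\*99\*(?P<op>1|2)(?:\*(?P<account>\d{10})\*(?P<amount>\d{1,7}))?#", re.ASCII),
}
OPS = {"TRF": "TRANSFER", "BAL": "BALANCE", "1": "TRANSFER", "2": "BALANCE"}
# Core banking area each operation is forwarded to (hypothetical names).
ROUTES = {"TRANSFER": "payments", "BALANCE": "accounts"}

def translate(channel: str, raw: str) -> CoreTxn:
    """Turn one channel message into the canonical record, or raise ValueError."""
    pattern = PATTERNS.get(channel)
    if pattern is None:
        raise ValueError(f"unknown channel {channel!r}")
    m = pattern.fullmatch(raw.strip())  # fullmatch: no trailing extras allowed
    if m is None:
        raise ValueError(f"malformed {channel} message")
    op = OPS[m["op"]]
    if op == "TRANSFER":
        if m["amount"] is None or int(m["amount"]) == 0:
            raise ValueError("transfer needs an account and a non-zero amount")
        return CoreTxn(channel, op, m["account"], int(m["amount"]) * 100)
    if m["amount"] is not None:
        raise ValueError("balance enquiry takes no arguments")
    return CoreTxn(channel, op, "", 0)

def switch(channel: str, raw: str):
    txn = translate(channel, raw)   # validate and normalise first
    return ROUTES[txn.op], txn      # then forward to the matching core area

if __name__ == "__main__":
    for ch, raw in [("SMS", "TRF 500 9876543210"), ("USSD", "*99*1*9876543210*500#"),
                    ("USSD", "*99*2#"), ("SMS", "TRF 500 9876543210 BAL")]:
        try:
            print(ch, raw, "->", switch(ch, raw))
        except ValueError as err:
            print(ch, raw, "-> rejected:", err)
```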
Choice of mobile gateway
Mobile banking technologies can be either server-side or client-side. Client-side applications are applications that reside on the consumer’s SIM card or on their actual mobile phone device. Client-side technologies include J2ME and S@T.
Server-side applications are developed on a server away from the consumer mobile phone or SIM card. Server-side technologies include USSD2, IVR, SSMS and WAP.
Different operators worldwide have used these technologies, e.g., G-Cash (Philippines), Wizzit (South Africa), and FNB (South Africa) use SMS, IVR and USSD. Obopay (US) and FNB (South Africa) use J2ME, WAP and HTTP. STK is used by G-Cash (Philippines), M-Pesa (Kenya), Smart (Philippines) and MTN (South Africa).
Every technology mentioned above, on the client side as well as on the server side, has its advantages and disadvantages. For the rural markets it is very important to consider the characteristics of the market and select a technology that caters to its needs effectively, so that basic financial services are delivered up to the last mile.
When we look at the provisioning requirements for SMS, IVR, USSD and STK, there are none for the service providers, as the existing handsets have these technologies built in and people are familiar with them. USSD may not be available on all standard handsets, and in the case of STK the service provider has to install the application on a SIM card and the customer needs to change his/her SIM card in order to benefit from mobile banking in a completely secured manner.
The other three technologies, namely WAP, HTTPS and J2ME, require skill sets on the customer’s side, such as knowing how to set up a download and operate a WAP browser or GPRS. These technologies require an advanced mobile handset and hence cannot be targeted at the entire population. 65% of the population has mobile phones; of these, 30% have bank accounts. Of these financially included, only 30% have smartphones which support these technologies.
They have access to banking facilities in one way or another anyway, whether through a branch or an ATM. However, only around 65% of the top 30% are using modern banking technologies such as internet banking, ATMs, etc. The issue still remains: how to target the unbanked rural population, large numbers of whom may not be able to afford high-end handsets.
This population mostly carries standard handsets which only support the SMS, IVR, USSD (in most cases) and STK applications. These are easier and more convenient for customers to use. The standard handsets do not provide facilities to secure or encrypt data before sending it to server-based applications at the MSP and do not have the ability to run programs on the handset. This is a compromise on security, but if proper security levels are built in at the various stages, it would be difficult for a mobile hacker to get into the channel of communication and access the customer’s confidential information.
The flow of information through the SMS channel is not encrypted when the information flows from the customer’s handset to the bank. At the MNO level, too, data is stored in an unencrypted manner. But the transactions occur over an encrypted line of communication which is protected by standard GSM security protocols.
The subscriber identity is also protected, so some security is present at that level. This would make it difficult for anyone to get into the channel of communication; however, the unencrypted data is at risk. At the bank the data remains secured.
IVR is more secure than SMS because it is a voice call and is protected by the communication layer. It goes directly to the bank’s IVR and is same.
In USSD, too, there is a single session in which data is exchanged between the customer and the MNO. The only way in which it differs from SMS is that in SMS the data gets stored, and here the data is stored and the communication is not broken into different pieces.
Therefore the only risk is in the data that is carried, which is unencrypted, because the communication layer is secured.
The data carried across these channels is stored on a bank server and not on the handset. This data is encrypted. The threat remains when the handset and SIM, along with the authentication PINs, are stolen.
With J2ME the data is encrypted the moment it leaves the handset, because it has security around the handset, and is sent across the GPRS channel. The data travels encrypted and can be decrypted only at the bank. Customers have to be careful while downloading the application and make sure that it is downloaded from a genuine source.
WAP is similar to an internet browser, the difference being that it is used for mobile internet, and hence it faces the same threats as internet banking. However, it is more secure than the internet because WAP allows a GPRS session to be opened between the handset web browser and the web application at the bank. The data travels through an encrypted communication layer.
STK is the most secure method of mobile banking. It allows the bank to load its own encryption keys onto the SIM card along with the bank’s own developed application. Thus the consumer’s data can be stored on the SIM card and the consumer can be authenticated on the handset prior to having to carry any data across the mobile network. The data is also encrypted prior to leaving the handset and only decrypted using the bank’s encryption keys within the bank.
We are still waiting to see how mobile banking picks up in India, as it is the most cost-effective channel amongst all the banking channels, namely branch, ATM, internet, POS, etc. As the traditional ‘brick and mortar’ branches can penetrate into remote areas of our vast country only to a limited extent, this model presents banks with a workable option to provide banking services in hitherto inaccessible areas in a cost-effective manner. The increasing penetration of mobile phones and the increasing incomes of Indian customers will prove to be complementary in achieving financial inclusion.
About The Author
Nikita Khubchandani is a Subject Matter Expert for m-commerce at InCights Mobile Solution. Her past and current associations also include HDFC Bank and IIMA Idea Telecom Centre of Excellence. InCights has recently been acknowledged as best start-up for the year 2011 by IIM Calcutta.