Mobile donations are not new. But the unprecedented success of recent mobile fundraising efforts, such as the Red Cross Haiti earthquake mobile fundraising campaign that raised over $32 million, has increased activity and interest in all aspects of mobile donations – including security.

This article describes the mobile donation ecosystem and security considerations for security professionals to keep in mind as they evaluate increasingly popular mobile charity and campaign donation programs.

Mobile Donations Fall Within Established, Yet Evolving, Mobile Marketing Ecosystem

Mobile donations involve unique charity and donation issues, such as compliance with commercial co-venture laws that require state registrations and consumer disclosures when raising money for a charity. However, at a basic level, mobile donations are just another type of mobile commerce facilitated through mobile shortcodes and short message service ("SMS") as part of the established mobile marketing ecosystem that sells mobile content and subscription services to millions of wireless subscribers every year. In the United States, mobile commerce sales hit $1.2 billion in 2009 and are project to grow to over $2.4 billion in 2010 and almost $24 billion in 2015. That established mobile marketing ecosystem, though not without challenges, imposes detailed privacy, security and consumer protection requirements on participants in the ecosystem - including those promoting and administering mobile donation programs. For example, see the Mobile Marketing Association's U.S. Consumer Best Practice Guidelines for Cross-Carrier Mobile Content Programs, and CTIA – The Wireless Association's Best Practices and Guidelines for Mobile Financial Services.

The mobile marketing ecosystem is rapidly evolving in ways that likely will impact mobile donations. The explosion of smart phones, third party app stores, and sales of virtual goods has increased consumer confidence and appetite for all types of mobile commerce and is driving new mobile commerce business models. As mobile commerce shifts from virtual goods with no marginal cost of goods to tangible goods, fraud detection systems and chargeback policies will become further refined.

Wireless Security

Wireless security applicable to mobile donations presents many of the same considerations encountered in the online environment. CDMA, GSM, WAP and SMS are simply standards and protocols analogous to those used online. As the wireless ecosystem develops similar commercial functionality as the Internet, it is attracting similar concerns as Internet commerce, including identity theft, viruses, and data breaches.

Like Internet donations, mobile donations should focus on either minimizing the transmission and storage of financial and sensitive information, or providing end-to-end security of the wireless communication from its inception at the subscriber's handset to its end destination, including handset security, network security and software security.

No Financial Account or Sensitive Information

Most mobile donation programs do not require a wireless subscriber to transmit any payment card information, financial account information, or other sensitive personal information. Instead, bill-to-mobile solutions enable subscribers to make donations using their mobile phone numbers, and have the charges billed directly to their monthly wireless service bills. Subscribers remit payment to their wireless service providers as part of their monthly charges. Mobile operators then remit payment to the bill-to-mobile provider, who in-turn remits payment to the charity or campaign.

Any mobile donation program that requires a wireless subscriber to transmit any payment card information, financial account information, or other sensitive information should be closely scrutinized. SMS protocol should not be used to transmit financial or sensitive information because it does not support encryption. Secure SMS protocol or unique mobile client applications that support encryption may be used in certain circumstances, although payment associations take varying positions on this security issue in their rules - including the Payment Card Industry Data Security Standard and the recently adopted mobile ACH rules of NACHA – The Electronic Payments Association.

Conclusion

Fundraisers and consumers have embraced mobile donations as an accepted form of mobile commerce, guided by the privacy, security and consumer protection requirements of the established mobile marketing ecosystem. The mobile marketing ecosystem and wireless security are undergoing evolutions that will impact all forms of mobile commerce, including donations. Although current mobile donation programs usually involve little or no financial account or sensitive personal information, security professionals should evaluate each particular program structure for security compliance, including the wireless protocols used and relevant payment association rules and industry guidelines.