Are Your Organization's Donations Secure?
This article describes the mobile donation ecosystem and security considerations for security professionals to keep in mind as they evaluate increasingly popular mobile charity and campaign donation programs.
Mobile Donations Fall Within an Established, Yet Evolving, Mobile Marketing Ecosystem
Mobile donations involve unique charity and donation issues, such as compliance with commercial co-venture laws that require state registrations and consumer disclosures when raising money for a charity. However, at a basic level, mobile donations are just another type of mobile commerce facilitated through mobile short codes and short message service ("SMS") as part of the established mobile marketing ecosystem that sells mobile content and subscription services to millions of wireless subscribers every year. In the United States, mobile commerce sales hit $1.2 billion in 2009 and are projected to grow to over $2.4 billion in 2010 and almost $24 billion in 2015. That established mobile marketing ecosystem, though not without challenges, imposes detailed privacy, security and consumer protection requirements on participants in the ecosystem, including those promoting and administering mobile donation programs. For example, see the Mobile Marketing Association's U.S. Consumer Best Practice Guidelines for Cross-Carrier Mobile Content Programs, and CTIA – The Wireless Association's Best Practices and Guidelines for Mobile Financial Services.
The mobile marketing ecosystem is rapidly evolving in ways that likely will impact mobile donations. The explosion of smart phones, third party app stores, and sales of virtual goods has increased consumer confidence and appetite for all types of mobile commerce and is driving new mobile commerce business models. As mobile commerce shifts from virtual goods with no marginal cost of goods to tangible goods, fraud detection systems and chargeback policies will become further refined.
Wireless Security
Wireless security applicable to mobile donations presents many of the same considerations encountered in the online environment. CDMA, GSM, WAP and SMS are simply standards and protocols analogous to those used online. As the wireless ecosystem develops commercial functionality similar to the Internet's, it is attracting the same concerns as Internet commerce, including identity theft, viruses, and data breaches.
Like Internet donations, mobile donations should focus on either minimizing the transmission and storage of financial and sensitive information, or providing end-to-end security of the wireless communication from its inception at the subscriber's handset to its end destination, including handset security, network security and software security.
No Financial Account or Sensitive Information
Most mobile donation programs do not require a wireless subscriber to transmit any payment card information, financial account information, or other sensitive personal information. Instead, bill-to-mobile solutions enable subscribers to make donations using their mobile phone numbers and have the charges billed directly to their monthly wireless service bills. Subscribers remit payment to their wireless service providers as part of their monthly charges. Mobile operators then remit payment to the bill-to-mobile provider, who in turn remits payment to the charity or campaign.
Any mobile donation program that requires a wireless subscriber to transmit any payment card information, financial account information, or other sensitive information should be closely scrutinized. The SMS protocol should not be used to transmit financial or sensitive information because it does not support encryption. Secure SMS protocols or dedicated mobile client applications that support encryption may be used in certain circumstances, although payment associations take varying positions on this security issue in their rules, including the Payment Card Industry Data Security Standard and the recently adopted mobile ACH rules of NACHA – The Electronic Payments Association.