Based on the mobile Fintech payment service trend analysis, this chapter organizes the requirements and challenges for mobile Fintech payment services, as shown in Fig. 3.
Requirements for mobile payments in Fintech
As Fintech develops, various forms of mobile payment services are being provided based on IT. These services are delivered in various forms (hardware-maker based, OS-maker based, payment-platform-provider based, and financial-institution based), but they must all satisfy the following requirements.
Convenience
Mobile Fintech payment services must be more convenient than traditional payment services [32,33,34]. For example, an existing payment service tries to provide convenience to the user, but because the payment platform, User Interface (UI), and additional benefits depend on the financial institution, there is a limit to how well it meets users' needs. If the user must go through various procedures to use the payment service, it is not appropriate as a Fintech mobile payment service. Unlike traditional payment services, Fintech mobile payment services must provide customized payment services based on the user's needs and convenience, minimizing conscious billing procedures through convenient payment steps such as a simple password or biometric authentication.
Mobile payment infrastructure
Mobile Fintech payment services must have a mobile Fintech payment infrastructure in which desired services can be paid for via mobile anywhere and anytime [35, 36]. Even if a Fintech mobile payment service has superior convenience or functionality compared to a traditional payment service, it cannot be used if the infrastructure to use it does not exist. For example, if a certain communication protocol such as NFC must be used, or if the service can only be used with certain services, the versatility of the mobile Fintech payment service becomes very limited. In particular, current mobile Fintech payment services have incomplete infrastructure compared to the traditional payment infrastructure and sometimes lack availability compared to traditional, human-operated systems.
Compatibility
Mobile Fintech payment services must be compatible with traditional payment services and the financial environment, such as banks and card companies [37,38,39]. The introduction of a mobile Fintech payment service is not a simple replacement but a convergence with existing payment services, and it must be compatible so that existing payment services and infrastructure can be utilized. Through this compatibility, both can be used without changing the systems and infrastructure based on the existing payment service, and the new service can be widely adopted without resistance from users. Also, by minimizing changes to existing payment services, the cost of implementing the new environment must be minimized.
Mobility
Mobile Fintech payment services must support the mobility of mobile devices [3, 40, 41]. By their nature, mobile devices continuously move with the user and communicate externally over wireless networks. Existing payment services were made through a designated reader or external device at a designated place of payment. Mobile Fintech payment services should not require additional devices beyond the external devices already used for existing payment services, regardless of where the mobile device is and where the payment is made. Thus, by maximizing utilization of the infrastructure provided by the existing payment system to ensure the mobility of the payment service, the convenience of the user can be maximized.
Security
Because payment services directly concern users' assets, security is a requirement for mobile Fintech payment services [42,43,44]. So that sensitive security information of the user is not exposed to malicious attackers, mobile payment services must be constructed securely in terms of both hardware and software, and even if multiple payments have been made with the same payment service, information about the payment method must not be exposed to unauthorized third parties. Also, the user and user information must not be exposed through the information used during the use of the mobile Fintech payment service. If a secure payment service is not provided, it can not only cause monetary damage to users but also invade user privacy based on the payment information the user used.
Simplicity
Mobile devices are becoming lighter and smaller with the development of IoT technology [45, 46]. This trend will lead to the development of various wearable devices, and many users will wear 3–4 wearable devices in the future. The current mobile payment service is optimized for smartphones, but it should also be able to make payments on wearable devices that have only a small screen or no screen at all. In addition, since wearable devices are small, most have poor computing performance, so it is necessary to develop a lightweight payment system to provide a simple payment service.
For a mobile payment service to succeed, the mobile payment infrastructure, compatibility, mobility, security, and simplicity mentioned above should be in place. A mobile payment service can still be launched even if it does not meet all of these requirements, but in the end it will not be adopted by users, because competitors will meet them. In particular, security is a background area that users cannot see or experience directly, but once a security incident occurs, users lose trust and will no longer use the service even if it meets the other conditions.
Security challenges for mobile Fintech payment services
In this chapter, the security challenges that must be solved for mobile Fintech payment services to develop in the future are classified into mutual authentication, authorization, integrity, privacy, atomicity, and availability.
Mutual authentication
In a mobile Fintech payment service, mutual authentication between mobile Fintech payment service providers and existing financial infrastructures must be conducted before the payment is made. The absence of mutual authentication can cause critical financial damage not only to the user and the service subject but also to the financial institution handling the payment. If a malicious attacker assumes the identity of a mobile user, it can deliver false payment information to the service subject to avoid paying, and if it assumes the identity of the service subject, it can receive payment from the user and not provide the service. Because mobile Fintech payment services allow not only face-to-face but also remote Internet payments, the mobile device as well as the user must be authenticated. However, if mutual authentication procedures become complex for the sake of security, mobile Fintech payment services can become more complex than traditional payment services, which greatly reduces convenience. Due to recent developments in IT, biometric authentication such as fingerprint or iris recognition is being widely used to conveniently authenticate remote users.
Authorization
Mobile Fintech payment must be accessible only to authorized users, and the information exchanged for the payment must be accessible only to authorized subjects. Payment subjects must also not be able to see information beyond what has been approved, even if they participate in the payment process. For example, users must provide passwords for payment method information to the service provider to proceed with a mobile Fintech payment, but sensitive payment information should be accessed and seen only by the financial institution that actually handles the money. If authorization on information is not appropriately given to payment subjects, hackers can easily intercept users' payment information without mutual authentication and, furthermore, control the information. In addition, even service subjects can claim excessive fees without the users' knowledge, and financial institutions can figure out users' consumption patterns without their agreement.
Integrity
Mobile Fintech payment services must have integrity. If the payment information, or the information exchanged by mobile devices to make payments, is modified by malicious attackers or external factors, it can directly damage the financial assets of users. Also, unlike actual cash or checks, mobile Fintech payment services exchange digital currency, which means users cannot immediately be alerted to damage, and if integrity is not maintained, users can be exposed to repeated damage. Also, to show both the user and the payment service that a normal payment has been made, it must be possible to prove the integrity of the payment.
Privacy
If malicious attackers can figure out users' payment information or patterns, on top of the financial damage to users and payment subjects, it can greatly invade users' privacy. Also, because a mobile Fintech payment goes through the payment service of an IT company rather than directly through a financial institution, payment information can be delivered to all subjects participating in the payment regardless of the will of the user, which can harm user privacy. Information used in payment must be delivered encrypted and divided by purpose and sensitivity, and payment subjects must not be able to learn anything beyond the minimum information necessary to proceed with the payment. For example, when a user pays for a service using card information through a mobile Fintech payment service, the merchant must not know the card information and the card company must not know the user's purchase history. One-time card information or tokens are widely used to protect user privacy.
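The one-time token mechanism described in the Privacy and Authorization passages above, as an added example (not from the paper or any real payment platform): a hypothetical token vault held only by the payment platform issues a token bound to one merchant and one amount, the merchant sees the token and the item but never the card number, and the card issuer receives the card number and amount but not the purchase detail. All names and values are constructed.

```python
"""Added example of one-time payment tokens (simplified, hypothetical vault)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class TokenVault:
    """Held by the payment platform: the only party that maps tokens to PANs."""
    _tokens: dict = field(default_factory=dict)  # token -> (pan, merchant_id, amount)

    def issue(self, pan: str, merchant_id: str, amount: int) -> str:
        # 128-bit random token, bound to exactly one merchant and one amount.
        token = secrets.token_hex(16)
        self._tokens[token] = (pan, merchant_id, amount)
        return token

    def redeem(self, token: str, merchant_id: str, amount: int):
        """Resolve a token exactly once; rejects replay, wrong merchant or amount.

        The token is consumed even when the check fails (fail closed), so a
        token presented with the wrong binding cannot be retried.
        """
        entry = self._tokens.pop(token, None)  # pop -> one-time use
        if entry is None:
            return None
        pan, bound_merchant, bound_amount = entry
        if bound_merchant != merchant_id or bound_amount != amount:
            return None
        return pan


def pay(vault: TokenVault, pan: str, merchant_id: str, amount: int, item: str):
    """Run one payment and return what the merchant and the issuer get to see."""
    token = vault.issue(pan, merchant_id, amount)
    # Merchant view: token and order detail only, no card number.
    merchant_view = {"token": token, "amount": amount, "item": item}
    # Issuer view: card number and amount only, no order detail.
    pan_for_issuer = vault.redeem(token, merchant_id, amount)
    issuer_view = {"pan": pan_for_issuer, "merchant": merchant_id, "amount": amount}
    return merchant_view, issuer_view, token


if __name__ == "__main__":
    v = TokenVault()
    m, i, t = pay(v, "4111111111111111", "shop-1", 1999, "coffee")  # constructed values
    print("merchant sees:", m)
    print("issuer sees:", i)
    print("replay resolves to:", v.redeem(t, "shop-1", 1999))
```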
Atomicity
A mobile Fintech payment service must conduct a payment completely or not at all. Due to the development of IT, payment methods have been simplified, but the increase in the number of subjects participating in the payment process has made the process more complex. If a payment is halted during the process due to external factors or an internal error, then even though the user attempted payment, the payment subject might not properly receive the payment request, the user might not receive the service even after paying, or the service provider might not receive payment even after providing the service. To prevent these types of damage, mobile Fintech payment service providers must ensure that payment is made only when the payment process is completely conducted from start to finish, and must indicate to the participating subjects that the payment has been successfully made.
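An all-or-nothing payment of the kind the Atomicity passage calls for, as an added example (not the paper's design): a hypothetical in-memory ledger debits the payer, waits for the service provider's delivery confirmation, and credits the payee only then; a halt or failure in between compensates the debit, and a retried request with the same payment id returns the recorded outcome instead of charging twice. Party names and balances are constructed.

```python
"""Added example: atomic payment with compensation and an idempotency record."""
from enum import Enum


class State(Enum):
    PENDING = "pending"
    COMMITTED = "committed"
    ROLLED_BACK = "rolled_back"


class PaymentLedger:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.payments = {}  # payment_id -> State (idempotency record)

    def pay(self, payment_id, payer, payee, amount, deliver):
        # Replayed request (e.g. a retry after a halt): return the recorded
        # outcome and never debit a second time.
        if payment_id in self.payments:
            return self.payments[payment_id]
        self.payments[payment_id] = State.PENDING
        if self.balances.get(payer, 0) < amount:
            self.payments[payment_id] = State.ROLLED_BACK
            return State.ROLLED_BACK
        # Step 1: debit the payer.
        self.balances[payer] -= amount
        try:
            # Step 2: the service provider confirms delivery; may fail or raise.
            if not deliver(payment_id):
                raise RuntimeError("delivery not confirmed")
        except Exception:
            # Compensate: undo the debit so nobody is left half-paid.
            self.balances[payer] += amount
            self.payments[payment_id] = State.ROLLED_BACK
            return State.ROLLED_BACK
        # Step 3: credit the payee only after delivery is confirmed.
        self.balances[payee] = self.balances.get(payee, 0) + amount
        self.payments[payment_id] = State.COMMITTED
        return State.COMMITTED


def halted_delivery(payment_id):
    """Constructed stand-in for a delivery step interrupted by an external error."""
    raise RuntimeError("network halt during delivery")


if __name__ == "__main__":
    ledger = PaymentLedger({"alice": 100, "shop": 0})  # constructed balances
    print(ledger.pay("p1", "alice", "shop", 10, lambda pid: True), ledger.balances)
    print(ledger.pay("p2", "alice", "shop", 10, halted_delivery), ledger.balances)
    print(ledger.pay("p1", "alice", "shop", 10, lambda pid: True), ledger.balances)
```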
Availability
While a mobile Fintech payment service simplifies payment and expands the domain of availability compared to traditional payment services, it must not provide lower security than traditional payment services. Also, while maintaining the same level of security as traditional payment services, it must have the availability where payment can be made simply whenever and wherever the user wants. However, because payment does not go directly through financial institutions, it is not easy to maintain the same level of security as traditional payment services. Also, if various security procedures are demanded of the user in order to achieve high security, convenience can be reduced compared to traditional payment services. A mobile Fintech payment service must have availability that satisfies both the security requirements of the subjects participating in the payment and user convenience.
For a mobile payment service to be securely provided, it must have mutual authentication, authorization, integrity, privacy, atomicity, and availability as mentioned above. Financial services should be more rigorous than other services because a single vulnerability in the service directly affects property. If those requirements are not met, the result is not a simple service error but catastrophic property damage to the user. While the security requirements of existing payment services and mobile payment services are similar in many respects, mobile payment services run on a variety of devices and operating systems and lack the resources to run security programs. In addition, since they are mobile, they are not fixed in one location, so it is more difficult to build a security system than for an existing payment system. Many companies are constantly releasing mobile payment services, so to survive the competition, it is necessary to develop services with all these aspects in mind.