Basically there are four types of mobile payment models, the Operator-Centric Model, the Bank-Centric Model, the Collaboration Model (collaboration among banks, mobile operators and a third party) and the Peer-to-Peer Model, where the mobile payment service provider acts independently from financial institutions and mobile network operators.
In the following we've summarized the mPayment methods available today, along with potential risks:
Premium SMS/USSD Based Transactional Payments
The consumer sends a payment request via an SMS text message or an “Unstructured Supplementary Service Data” (USSD) message to a short code, and a premium charge is applied to their phone bill or their online wallet. The merchant involved is informed of the payment success and can then release the paid-for goods. However, reliability is poor, speed is slow, costs are high, pay-out rates are low, and follow-on sales are low.
Security is not very good, because SMS/USSD encryption ends at the radio interface; beyond it the message is plaintext.
Direct Mobile Billing
The consumer uses the mobile billing option during checkout at an e-commerce site—such as an online gaming site—to make a payment. After two-factor authentication involving a PIN and One-Time-Password (often abbreviated as OTP), the consumer's mobile account is charged for the purchase. This type of mobile payment method is extremely prevalent and popular in Asia. It is convenient and easy to use, fast and proven - 70% of all digital content purchased online in some parts of Asia uses the Direct Mobile Billing method.
Security is good, with two-factor authentication and a risk management engine which prevents fraud.
Mobile Web Payments
The consumer uses web pages displayed or additional applications downloaded and installed on the mobile phone to make a payment. It uses WAP (Wireless Application Protocol) as the underlying technology and thus inherits all the advantages and disadvantages of WAP. However, unless the mobile account is directly charged through a mobile network operator, the use of a credit/debit card or pre-registration with an online payment solution such as PayPal is still required, just as in a desktop environment.
Security issue: "The WAP Gap", i.e. encrypted messages may temporarily become clear text during processing. WAP connectivity is another security issue.
Direct Operator Billing / Mobile Content Billing / Carrier Billing
A direct connection to the operator billing platform requires integration with the operator and is simple; payment transactions are completed instantly. More recently, direct operator billing is being deployed in an in-app environment, where mobile application developers are taking advantage of the one-click payment option that direct operator billing provides for monetising mobile applications. This is a logical alternative to credit card and Premium SMS billing.
Security is good in protecting payment details and consumer identity.
A simple mobile web payment system can also include a credit card payment flow allowing a consumer to enter their card details to make purchases. This process is familiar, but any entry of details on a mobile phone is known to reduce the success rate (conversion) of payments. In addition, if the payment vendor can automatically and securely identify customers, then card details can be recalled for future purchases, turning credit card payments into simple single click-to-buy and giving higher conversion rates for additional purchases.
The possible risk here lies in the security of the data connection, when credit card data is transferred.
Online companies like PayPal, Amazon Payments and Google Wallet also have mobile options. The process usually is registration, entering the phone number, receiving the PIN via SMS, entering the PIN, and entering credit card information or another payment type to validate the payment. For subsequent payments only the PIN number is needed. Requesting a PIN is known to lower the success rate (conversion) for payments. These systems can be integrated with directly or can be combined with operator and credit card payments through a unified mobile web payment platform.
The security issue here is vulnerability to PIN hacking.
QR Code for Mobile Payment
QR codes are an easy way to inject information into mobile phones, and to access information on mobile phones.
The security issue here lies in giving uncontrolled access to the company that provided the QR code. It is really an issue of whether the QR code itself is trustworthy.
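One way a wallet app can decide whether a scanned code is trustworthy before acting on it, shown as an added example that is not part of the original article. It assumes the QR payload is a payment URL; the host allowlist and the function name are placeholders.

```python
from urllib.parse import urlsplit

# Assumed allowlist of payment hosts the wallet app trusts (placeholder names).
TRUSTED_PAYMENT_HOSTS = {"pay.example.com", "checkout.example.net"}


def check_qr_payload(payload):
    """Return (accepted, reason) for the text decoded from a payment QR code."""
    # Reject control characters and non-ASCII text (covers look-alike IDN hosts).
    if len(payload) > 512 or any(ord(c) < 0x20 or ord(c) > 0x7E for c in payload):
        return False, "oversized or non-printable/non-ASCII payload"
    try:
        parts = urlsplit(payload)
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "https://trusted@other-host/" displays the trusted name but goes elsewhere.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in authority"
    if port not in (None, 443):
        return False, "non-default port"
    # Exact match only: a suffix or substring test would accept look-alike hosts.
    host = (parts.hostname or "").rstrip(".")
    if host not in TRUSTED_PAYMENT_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"


# Constructed sample payloads, as a QR decoder would return them.
if __name__ == "__main__":
    for sample in ("https://pay.example.com/invoice/1234?amount=9.99",
                   "http://pay.example.com/invoice/1234",
                   "https://pay.example.com@other.example/invoice/1234",
                   "https://pay.example.com.other.example/invoice/1234"):
        print(check_qr_payload(sample), sample)
```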
Contactless Near Field Communication (NFC)
NFC is used mostly in paying for purchases made in physical stores or transportation services. A consumer using a special mobile phone equipped with a smartcard waves his/her phone near a reader module. Most transactions do not require authentication, but some require authentication using a PIN before the transaction is completed. The payment could be deducted from a pre-paid account or charged to a mobile or bank account directly. The mobile payment method via NFC faces significant challenges for wide and fast adoption, due to a lack of supporting infrastructure, a complex ecosystem of stakeholders, and standards.
This method seems quite secure, as data is transmitted across a short distance using low frequency radio signals.
Cloud Based Mobile Payment
Google, PayPal and GoPago have developed a cloud-based approach to in-store mobile payment. The cloud-based approach places the mobile payment provider in the middle of the transaction, which involves two separate steps. First, a cloud-linked payment method is selected and payment is authorized via NFC or an alternative method. During this step, the payment provider automatically covers the cost of the purchase with issuer-linked funds. Second, in a separate transaction, the payment provider charges the purchaser's selected, cloud-linked account in a card-not-present environment to recoup its losses on the first transaction.
The security issue here is vulnerability to PIN hacking.
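Both the SMS-PIN wallet flow and the cloud-based approach above are flagged for PIN hacking; the usual server-side mitigation is to make guessing unprofitable. The sketch below is an added example, not code from any of the named providers, and the attempt limit, lifetime and class name are assumed policy choices.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 3        # assumed policy: failures allowed before the PIN is burned
PIN_TTL_SECONDS = 300   # assumed policy: lifetime of an SMS-delivered PIN


class PinVerifier:
    """Server-side state for PINs sent by SMS (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # phone -> [salt, digest, expires_at, failures]

    @staticmethod
    def _digest(salt, pin):
        # Store a salted, stretched hash so a database leak does not expose PINs.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue(self, phone):
        """Create a fresh 6-digit PIN; the caller hands it to the SMS gateway."""
        pin = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not random.randint
        salt = secrets.token_bytes(16)
        self._pending[phone] = [salt, self._digest(salt, pin),
                                self._clock() + PIN_TTL_SECONDS, 0]
        return pin

    def verify(self, phone, candidate):
        """Return 'ok', 'wrong', 'expired', 'locked' or 'unknown'."""
        entry = self._pending.get(phone)
        if entry is None:
            return "unknown"
        salt, digest, expires_at, failures = entry
        if self._clock() >= expires_at:
            del self._pending[phone]
            return "expired"
        if failures >= MAX_ATTEMPTS:
            return "locked"               # even the right PIN is refused now
        if hmac.compare_digest(digest, self._digest(salt, candidate)):
            del self._pending[phone]      # single use
            return "ok"
        entry[3] = failures + 1
        return "locked" if entry[3] >= MAX_ATTEMPTS else "wrong"
```

With three attempts against a 6-digit PIN, a guesser succeeds with probability 3 in 1,000,000 per issued PIN, so issuance itself should also be rate-limited per phone number.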
Audio Signal Mobile Payments (NSDT)
The audio channel of the cell phone is another wireless interface that is used to make mobile payments. Several companies have created technology to use the acoustic features of cell phones to support mobile payments and other applications that are not chip-based. The technologies Near sound data transfer (NSDT), Data Over Voice and NFC 2.0 produce audio signatures that the microphone of the cell phone can pick up to enable electronic transactions.
This approach gives the server complete control over security and transaction management, and is protected by several patents.
Direct Carrier / Bank Co-operation
In the T-Cash model the mobile phone and the phone carrier are the front-end interface to the consumers. The consumer can purchase goods, transfer money to a peer, cash out, and cash in. A 'mini wallet' account can be opened as simply as entering *700# on the mobile phone, presumably by depositing money at a participating local merchant and the mobile phone number. Presumably other transactions are similarly accomplished by entering special codes and the phone number of the other party on the consumer's mobile phone.
This model is quite secure, as the only information used is a mobile phone number. The actual phone is needed to complete the purchase, making the risk of unauthorized purchases very low compared to data breaches involving credit cards.
All operators and countries have different rules and regulations for mobile payments. Content classified as "U" (universal) rated in Europe may be classified as "R" (Restricted) in the USA. These rules affect which payment methods can be used for any given transaction. (Source: Wikipedia)