(NBC) – Millions of Americans use peer-to-peer payment services such as Venmo or Apple Pay for on-the-spot money transfers — but is your data safe and are your transactions private?
Consumer Reports decided to find out. The editors tested five popular services and found significant differences in data privacy and security practices.
Apple Pay blew away the competition with an overall score of 76 out of 100, based on its data privacy and payment authentication practices.
“We think Apple Pay does a better job in that area because they appear to collect less information about you when you’re using their service and Apple is adamant that they’re not selling that data to others,” said Christina Tetreault, Consumer Reports financial services expert.
Venmo (69), Square’s Cash App (64), Facebook P2P Payments in Messenger (63) lost points for data privacy. Zelle (50) was downgraded for both data privacy and data security.
“While all the services we evaluated are safe to use, we would like to see the providers do better and take additional steps to make sure every way to pay is safe,” Tetreault told NBC News. For those who don’t use Apple products, Venmo, Cash App and Facebook P2P payments were rated “very good performers,” but all three of these services (whether iOS or Android versions) received “fair” scores for data privacy.
This was CR’s first test-based ratings of P2P services. Disconnect, a data privacy firm in San Francisco, did the back-end work — analyzing the code, checking the connections and looking for anything shady. Disconnect did not find anything to suggest these products would threaten the security of your financial or personal data.
Consumer Reports tested the stand-alone Zelle app, not the version used by about 150 U.S. financial institutions. And even with its low score, the app was rated “good” overall, getting high marks for customer support. CR said Zelle has good error-resolution policies.
Early Warning Services, the network operator behind Zelle, said Consumer Reports analysis was flawed. Because CR’s methodology was based on publicly available operations detail and data policies, elements of Zelle’s data security and data privacy practices were excluded from consideration which lead to a lower score, the company said.
“Millions of consumers are using Zelle app successfully every day to send and receive money,” the company said in a statement to NBC News. “As a steward of banking data for more than 25 years, Early Warning takes its role in securing data and maintaining privacy very seriously, and we operate in full accordance with governing laws and regulations.”
Recent news stories have raised serious questions about the lack of buyer protection for Zelle users who get tricked by scammers. As the New York Times recently noted, “the same features that make Zelle so useful for customers, its speed and ubiquity, have made it irresistible to thieves.”
CR criticized the Zelle app for not having a way to keep users from accidentally sending money to the wrong person, if they mistype a phone number. Zelle told NBC News that by the end of October, that confirmation step would be added to the app and used by all financial institutions that offer the service.
Venmo does something different from the other P2P services — it has a social aspect. Unless you opt out, the service’s public feed shows the comments and emoji that accompany your payments by default. The amounts are not listed, but anyone — even non-Venmo users — can see when you’ve paid the rent or split the tab for lunch or transferred funds to someone.
Eason Goodale, lead engineer at Disconnect, calls this sharing “silly” and totally unnecessary.
“You can actually get quite a bit of information from public transactions,” Goodale told NBC News. “Say you went through a nasty breakup and your ex-boyfriend or girlfriend moves in with a new person and pays some of the rent to them with Venmo. Your ex can see and could start to bother you about it.”
Venmo sees the criticism about sharing information as unjustified. The first thing people see when they open the app is the news feed, the company pointed out in a statement to NBC News. “This is the first step in educating users that Venmo is a social forum, and the news feed allows you to see what others have chosen to share on Venmo and the experiences that are happening on Venmo.”
Venmo stressed that it gives users the “ability to choose” exactly what they want to share publicly, between friends and with those involved in the transaction.
“Sensitive transactions” default to private, the company noted. A user can retroactively limit the visibility of payments — even after they’ve been sent — by updating the privacy settings.
TIPS ON USING P2P SERVICES
Consumer Reports offers these tips to get the most out of any peer-to-peer payment app or service and reduce your risk of problems:
- Opt in to stronger security: Except for Apple Pay, which requires users to confirm every payment, most other services require users to take extra steps to take advantage of the highest level of security offered. It takes only a few seconds to set up protections, such as a PIN, and it’s worth it.
- Send money only to people you know: Many peer-to-peer transactions are instantaneous and irreversible — a fact scammers know and exploit. The Federal Trade Commission has a tip sheet on how to use these services and apps safely.
- Slow down and make sure all of your recipient’s details are correct: Before you press “send” or “pay,” make sure you have the right username, phone number, photo or other identifier. These services treat these like cash transactions — once the money is transferred it’s gone.
- Some services, such as Venmo, offer the opportunity to receive a special code to confirm that the person you’re sending money to is your intended recipient. CR suggests choosing services that offer these features — and use them.
- Keep your app up to date: Hackers are always exploiting vulnerabilities. If you have old software, you’re missing the latest security protection. Make sure you have auto-updates turned on.
- Don’t use P2P services for business purposes: Most apps prohibit commercial use; look instead for a payment app specifically meant for business users, such as Square Cash for Business or PayPal.