A person using a smartphone making a mobile peer-to-peer payment

Update: In mid-September, the Zelle mobile peer-to-peer service was updated by its operator, Early Warning Services, to add measures to help prevent users from inadvertently sending money to the wrong person.

CR tested the Zelle stand-alone app and found that it now includes a pop-up warning for users that send money to someone not in their contacts. When CR first tested the stand-alone Zelle app earlier this year, we found it lacked that security feature. 

An Early Warning spokesperson said the new security pop-ups also are available on Zelle apps that are sponsored by individual banks. The spokesperson said participating banks are required to display a message that says, "Money should only be sent to people you trust." It also says, "Once payments are sent, they cannot be reversed."


Whether you're sharing rent or splitting a dinner tab, paying people you know by app seems a breeze next to checks or cash. Mobile peer-to-peer payment services used on smartphones, tablets—and even smartwatches—have revolutionized on-the-spot money transfers.

But what if that money doesn't go where you intended? And how do you know your P2P data is safe?

In light of the quick rise of P2P—and its potential financial and privacy risks—Consumer Reports tested five mobile P2P services to see how they stacked up for user protections.

In our first-ever test-based ratings of P2P mobile services, CR rated Apple Pay the highest overall, with excellent or very good marks in the key consumer-protection measures of payment authentication and data privacy. Apple's overall rating was significantly higher than for the other services we tested: Venmo, Square's Cash App, Facebook P2P Payments in Messenger, and Zelle.

More on Cashless Payments

We rated each of the five services good enough to use.

Zelle, a service used by about 150 U.S. banks and credit unions, was rated good overall. But it was the only service that ranked below average on data security and data privacy, which were weighted heavily in our ratings. The Zelle app lacks features that keep you from accidentally sending money to the wrong person. That could happen if you mistype a phone number. 

Contacted by CR for this report, Zelle said it would soon adopt the practice of asking senders to confirm recipients before transferring the money, the current practice of some banks and credit unions that offer the Zelle service.

“By the end of October, these enhancements will be consistent across all Zelle participating financial institutions, and in the Zelle app,” said Jeremiah Glodoveza, a spokesman for Early Warning, the company that operates Zelle.

On the plus side, CR rated Zelle well for customer support. Zelle has good error-resolution policies, and users can easily find help in the app, earning Zelle high marks in this area, CR found.

It's important to note that we rated the stand-alone Zelle mobile service, not the version you might enter from your bank’s website or mobile app. 

For those who don’t use Apple products, we found Venmo, Cash App, and Facebook P2P Payments in Messenger to be very good performers. However, all three of these iOS and Android-friendly services received only fair scores for data privacy.

An estimated 79 million adult Americans will use P2P payment services this year, an increase of 24 percent over last year, according to eMarketer, a market research company.

Mobile Peer-to-Peer Payment Services
Service Overall
Score
Payment
Authentication
Data Security Data Privacy Customer Support Broad Access
Apple Pay 76
Venmo 69
Cash App (Square) 64
Facebook P2P Payments
in Messenger
63
Zelle (standalone app) 50
GUIDE TO THE RATINGS Ratings are based on analyses of operations and data policies of mobile versions of peer-to-peer payment services performed by Consumer Reports between December 2017 and July 2018. The Overall Score is based on the criteria shown in the table, and on other factors related to fee disclosure and arbitration. A score of 81 to 100 is excellent, 61 to 80 is very good, and 41 to 60 is good. Payment authentication evaluates controls available to users to prevent fraud and error. Data security evaluates encryption, authentication, security oversight, security over time, and vulnerability disclosure. Data privacy analyzes data control, data retention and deletion, data collection, minimal data collection, privacy by default, and data use. Customer support looks at providers’ error resolution policies, ease of finding in-app help, and whether providers ensure that funds they hold are covered by deposit insurance. Broad access rewards services that do not limit use to those with a bank account or particular mobile device.

Mobile Peer-to-Peer
Payment Services
Service Ratings Overall Score
Apple Pay Payment authentication
76
Data Security
Data Privacy
Customer Support
Broad Access
Venmo Payment authentication
69
Data Security
Data Privacy
Customer Support
Broad Access
Cash App (Square) Payment authentication
64
Data Security
Data Privacy
Customer Support
Broad Access
Facebook
P2P Payments
in Messenger
Payment authentication
63
Data Security
Data Privacy
Customer Support
Broad Access
Zelle (standalone app) Payment authentication
50
Data Security
Data Privacy
Customer Support
Broad Access


GUIDE TO THE RATINGS Ratings are based on analyses of operations and data policies of mobile versions of peer-to-peer payment services performed by Consumer Reports between December 2017 and July 2018. The Overall Score is based on the criteria shown in the table, and on other factors related to fee disclosure and arbitration. A score of 81 to 100 is excellent, 61 to 80 is very good, and 41 to 60 is good. Payment authentication evaluates controls available to users to prevent fraud and error. Data security evaluates encryption, authentication, security oversight, security over time, and vulnerability disclosure. Data privacy analyzes data control, data retention and deletion, data collection, minimal data collection, privacy by default, and data use. Customer support looks at providers’ error resolution policies, ease of finding in-app help, and whether providers ensure that funds they hold are covered by deposit insurance. Broad access rewards services that do not limit use to those with a bank account or particular mobile device.

The Digital Standard

Our ratings focus on how well the services authenticate payments to prevent fraud and error, secure user data, and protect privacy, but we also looked at the quality of customer support, how clearly they disclose fees, and whether users are bound by mandatory arbitration, among other factors.

Our goal in testing the services was to give consumers shopping for a mobile P2P service more to go on than just a friend’s invitation—a frequent way consumers told us they currently choose a P2P service, says Justin Brookman, director of consumer privacy and technology at Consumers Union, the advocacy division of Consumer Reports.

“We’re trying to help people make informed choices and think about safety elements they might not have previously,” says Brookman. “Our test results are also intended to push P2P developers to be more accountable regarding security and privacy matters.”

To judge data privacy and security, Consumer Reports convened a group of national privacy and security experts to help develop a set of criteria we’re calling The Digital Standard. We plan to use the standard in future ratings of internet-connected products. Our partners include Cyber Independent Testing Lab, which is a nonprofit software security testing organization; Disconnect, which makes privacy-enhancing software for consumers; and Ranking Digital Rights, which is a nonprofit that evaluates company privacy policies and their terms of service.  

(Like most websites, ConsumerReports.org collects user data. You can get the details on our privacy policy and our approach to privacy, including our policy positions.)

Apple Pay was the only service that got top marks from CR for data privacy, because its policies state that it limits the information it collects and shares on users and their transactions. It doesn’t store credit card or debit card numbers, and it states in the terms and conditions that it doesn’t sell users’ personal information to third parties, CR found.

But Apple Pay has a major drawback: It requires specific later-generation Apple hardware and software.

An Apple spokesperson told CR that “Apple Pay Cash is unique from an ease of use, privacy, and security standpoint, as Apple Pay Cash functions seamlessly through hardware, software, and the service all combined.”

5 Consumer Tips

A Simple Process

You don’t have to be tech-savvy to get started using a mobile P2P service. Download a free app, create a user profile, and input the account number of a payment source (depending on the service, you can use a checking account, credit or debit card, prepaid card, PayPal, or a combination). Find your recipient—through a smartphone number, email address, or special identifying tag in the service’s user network. Or invite that person to sign up for the same service; both parties must enroll to send and accept funds. Then choose how much money to send. Press “send” or “pay” to complete your transaction.

Behind the scenes the services move your money in different ways. Facebook P2P Payments in Messenger and Zelle transfer funds directly between users’ bank accounts. With Apple Pay, Cash App, and Venmo, you can pay directly from a credit card or other source. When you receive the funds, you can store the funds—then move them in and out—using a dedicated personal account associated with the service. 

Consumers we interviewed raved about how easy it is to settle a debt, give a gift, or pay rent with P2P services. Some also liked the social aspect of Venmo: Unless you opt out, by default the service’s rolling public feed shows the comments and emojis that accompany your payments (though not the cash amount). Anyone—not just Venmo users—can see those comments and know about it when you reimburse a friend for spotting you lunch or when you ante up for your rental share.

“You probably wouldn’t even realize it’s public until, say, an ex-boyfriend sees your payments to a new guy and starts to bother you,” says Eason Goodale, lead engineer at Disconnect, the startup based in San Francisco that helped CR evaluate P2P services.

Privacy and Security Concerns

We contacted Venmo to ask about privacy within the service's social feed.

"Venmo users have always had the ability to control their privacy setting before they make a transaction," says Erin Mackey, a spokeswoman for PayPal, which owns Venmo. Users can set default privacy settings in the app for all future payments and limit who can see what they've paid or received in the past, she adds.

But if you don't already have a Venmo account and accept Venmo funds through a phone number or email address, you have no control over whether that first payment to you is public.

"A user can retroactively limit the visibility of this payment by updating the privacy setting immediately after accepting the payment," Mackey says. "New users are also presented with the privacy tutorial when they open an account."

P2P users can expose their data and money to more than prying eyes. Search Reddit and Twitter feeds, and you'll find complaints from P2Pers who lost funds they sent to the wrong person—either by mistake or due to fraud. The services treat those transfers like cash, so once the money is sent, there’s not much you can do unless the recipient agrees to send back the money.

"Scammers try to get consumers to pay in a variety of ways, including by having consumers send money through these services," says Lisa Rothfarb, an attorney in the Federal Trade Commission’s Division of Financial Practices. "Consumers should make sure they know who they’re sending money to."

Disclosure is Key

We found that the best way to determine the effectiveness of P2P services at protecting customer privacy and security was to examine the apps and their disclosures and documentation.

“Disclosure is the best tool we have to hold these services to account,” says Robert Richter, program manager of electronics privacy testing at Consumer Reports.

We found nothing to suggest that using these products would threaten the security of your financial and personal data. For instance, all the services we tested use an acceptable level of data encryption. But Venmo and Zelle got marked down because they don’t do a good job of explaining how they protect user data.

Concerning data privacy, Apple and Facebook got good marks for offering detailed terms of service and end-user agreements that explain how they use consumers’ data.

In terms of authenticating your payments properly, most of the services we tested let you set up extra layers of security for access, such as PINs and two-factor authentication. But with the exception of Apple Pay, they all require you to opt in to those controls.

While Consumer Reports was researching this story, Google announced that its own peer-to-peer payment app, Google Pay Send, would be merged into its comprehensive wallet service, Google Pay. The service's P2P function seems similar to others we tested: Users can opt to use a PIN or fingerprint for each payment.

Though Google Pay leverages your contact list to protect you from misdirecting a payment, you can still mess up easily by sending money to arbitrary—or wrong—phone numbers. Google Pay's error-resolution policy is easily accessible. Google reserves broad rights to collect and use your data for its own purposes, though its policies state that it typically doesn’t share your information with third parties, CR found. 

What You Can Do

Follow these tips to get the most out of your P2P service with the least risk.

• Opt-in to stronger security. Except for Apple Pay, which requires users to confirm every payment, the services in our ratings require users to take extra steps to take advantage of the highest level of security offered. It takes only a few seconds to set up protections, such as a PIN, and it's worth it.

• Send money only to people you know. Many peer-to-peer transactions are instantaneous and irreversible—a fact scammers know and exploit.

• Get all of your recipient’s details correct from the get-go. Before you press “send” or “pay,” make sure that you have the right username, phone number, photo, or other identifier. Some services, such as Venmo, offer the opportunity to receive a special code to confirm that the person you’re sending money to is your intended recipient. Choose services that offer these features, and use them.

• Don’t use P2P services for business purposes. Most apps’ terms of service prohibit commercial use, such as using them to get paid for selling goods or services. Look instead for a payment app specifically meant for business users, such as Square Cash for Business, or PayPal.

• Confirm that you can find help if things go wrong. Some P2P apps make users resolve their own disputes. Others offer significant help to resolve issues. Before using any P2P service, search through the app for customer service contacts and procedures so that you know where to go and what kind of help to expect.

• Keep your app up to date. Hackers are always exploiting more vulnerabilities, while security pros play nonstop malware whack-a-mole. If you have old software, you’re missing the latest protections. Make sure you have auto-updates turned on across the board. 

Editor’s Note: Our work on privacy, security, and data issues is made possible by the vision and support of Craig Newmark Philanthropies and Ford Foundation. Craig Newmark is a former board member of Consumer Reports.