BCLP Banking Blog


Mobile Payments


Mobile Wallets and Tokenization: Banks are Catching On

On April 20, 2017, the American Banker reported that U.S. Bank’s new high-end credit card features an interesting differentiator from the high-end cards recently introduced by other large credit card issuers.  U.S. Bank’s new card gives cardholders a significantly larger reward for paying with a mobile wallet than for a conventional swipe or chip transaction.  While the other card offerings typically provide triple miles for travel and entertainment purchases, the U.S. Bank “Altitude Reserve Visa Infinite” card puts its money on getting cardholders to enroll their cards in mobile wallets: Apple Pay, Android Pay, Samsung Pay and Microsoft Wallet.

Although millennials are a generation of customers who want to do everything, or as much as possible, on their phones, they have not adopted mobile payments as quickly as expected. Personally, I constantly encourage everyone to enroll their cards in the mobile wallet on their phone ASAP and use it that way at every opportunity.

I do that for two reasons: 1) it is much more secure than swiping the stripe or dipping the chip, and 2) it is much faster than inserting a chip card and waiting for the terminal to complete the transaction.

Plus, it looks really cool to wave your phone at the terminal and “boing” you’re done. I smugly watch the people in line behind me watching this transaction with interest.

The transaction is more secure for two reasons. First, the wallet keeps the card credentials in protected storage on the phone (a hardware secure element or a comparable protected store), which is far harder to extract from than a magnetic stripe. Second, and more importantly, the phone never transmits your real card number to the merchant. When you enroll a card, the card network replaces the real number with a device-specific token (often called a device account number), and each purchase carries a fresh, one-time cryptogram computed on the phone. The merchant sees only the token and that cryptogram. If the merchant’s database is hacked, the token by itself is useless to the thief: it is tied to your device, a captured cryptogram cannot be replayed, and a new purchase cannot be authorized without the key that never leaves the phone.
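To make the tokenization argument above concrete, here is a toy model added for this post. It is not the EMVCo token specification or the real protocol of Apple Pay, Android Pay, Samsung Pay or Microsoft Wallet; the names (TokenServiceProvider, Wallet, make_cryptogram), the HMAC-based cryptogram, the transaction counter and the test card number are all assumptions chosen to show why a merchant-side breach yields nothing usable. It runs a genuine tap, then replays the stolen merchant record, then tries a forged purchase with the stolen token.

```python
"""Toy model of wallet tokenization (illustration written for this post, not any
real wallet's protocol). The device account number, HMAC cryptogram, counter and
all names below are assumptions that show the security property, nothing more."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class TokenRecord:
    pan: str               # real card number; lives only inside the token vault
    device_key: bytes      # secret provisioned to this one phone at enrollment
    last_counter: int = 0  # highest transaction counter accepted so far


def make_cryptogram(device_key: bytes, token: str, amount_cents: int, counter: int) -> bytes:
    """Per-transaction proof that the device holding device_key approved this
    token/amount/counter. A merchant database never contains device_key."""
    msg = f"{token}|{amount_cents}|{counter}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class TokenServiceProvider:
    """Network/issuer side: maps tokens back to PANs and validates cryptograms."""

    def __init__(self) -> None:
        self._vault = {}  # token -> TokenRecord

    def enroll(self, pan: str) -> tuple:
        """Issue a device-specific token and key for a card added to a wallet."""
        token = "4" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._vault[token] = TokenRecord(pan=pan, device_key=key)
        return token, key

    def authorize(self, token: str, amount_cents: int, counter: int, cryptogram: bytes) -> bool:
        """Accept what the merchant forwards only if it is fresh and device-signed."""
        rec = self._vault.get(token)
        if rec is None:
            return False                     # unknown token
        if counter <= rec.last_counter:
            return False                     # replay of a captured transaction
        expected = make_cryptogram(rec.device_key, token, amount_cents, counter)
        if not hmac.compare_digest(expected, cryptogram):
            return False                     # forged: sender lacks the device key
        rec.last_counter = counter
        return True


class Wallet:
    """Phone side: holds the token and key (in a real wallet, inside a secure
    element or comparable protected store) and emits one authorization per tap."""

    def __init__(self, token: str, device_key: bytes) -> None:
        self.token = token
        self._key = device_key
        self._counter = 0

    def tap(self, amount_cents: int) -> dict:
        self._counter += 1
        return {
            "token": self.token,
            "amount_cents": amount_cents,
            "counter": self._counter,
            "cryptogram": make_cryptogram(self._key, self.token, amount_cents, self._counter),
        }


def demo() -> dict:
    """Run a genuine purchase, then two attacks using data stolen from the merchant."""
    tsp = TokenServiceProvider()
    pan = "4111111111111111"                 # constructed test PAN, not a real card
    token, key = tsp.enroll(pan)
    wallet = Wallet(token, key)

    purchase = wallet.tap(2500)              # $25.00 tap at the terminal
    genuine = tsp.authorize(**purchase)

    # Attacker dumps the merchant's database: gets token + cryptogram, not the PAN.
    stolen = dict(purchase)
    replay = tsp.authorize(**stolen)         # same record again -> stale counter

    # Attacker attempts a new purchase with the stolen token but no device key.
    forged = tsp.authorize(token, 99900, stolen["counter"] + 1, secrets.token_bytes(32))

    return {
        "genuine": genuine,
        "replay": replay,
        "forged": forged,
        "pan_in_merchant_record": pan in repr(purchase),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is what the merchant record contains: a token and a cryptogram, never the PAN or the device key, so neither replaying the record nor minting a new transaction from it succeeds. Real deployments add further controls this toy omits, such as restricting a token to a particular merchant or channel, but the core property is the one shown here.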

Under Regulation Z a cardholder’s liability for unauthorized credit card charges is capped, so without tokenization the issuer ordinarily absorbs the loss and credits your account for the charges a thief racked up on a spending spree for fenceable goods. In practice most of those losses are charged back to the merchant that was hacked, but the issuers whose cards are exposed typically do not recover their full costs.


Check It Out: The FTC Zeroes in on Mobile Payments

Bryan Cave attorneys discuss guidance from the Federal Trade Commission and its impact on banks.

Banks have an important role to play in the development of mobile banking and mobile payment technologies. Although nearly 45 percent of all mobile phone users have a smartphone, only 12 percent are using mobile devices to make payments, according to a new report from the Federal Trade Commission (FTC).  The primary reason given for not using mobile payments is security concerns (42 percent).

Currently, the Federal Trade Commission is leading the charge to explore the need for mobile payments regulation. For banks interested in mobile banking, its actions and publications are very instructive.

Over the last two years, the FTC’s actions include: bringing law enforcement actions, obtaining high-profile settlements with Google and Facebook and issuing policy reports for mobile businesses and policymakers. Although financial institutions are not directly regulated by the FTC in this area, the FTC does regulate all other mobile providers including merchants, payment card networks, and payment processors. Further, the FTC will likely influence and coordinate with other regulators, particularly with respect to data security and privacy.

During a teleconference on February 1, 2013, discussing the FTC report “Mobile Privacy Disclosures: Building Trust Through Transparency,” the outgoing FTC Chairman, Jon Leibowitz, called on the industry to adopt strong privacy and data security measures for mobile technologies or face increased regulation.  Most recently, the FTC issued a Staff Report on March 8, 2013, entitled “Payments,” which outlines a number of key concerns and recommendations for businesses implementing mobile payments:

(1)  develop clear policies for disputes for fraudulent or unauthorized mobile payments that address:

  • the confusing landscape for consumers when selecting a payment method since each product has a different means, as well as different levels of protection, for disputing payments;
  • the potential need to incorporate FTC Act and potential Consumer Financial Protection Bureau protections. At this time, unless Regulation E applies to a payment method, Reg E type protections for fraudulent or unauthorized payments are offered on a contractual or voluntary basis only; and
  • mobile “cramming,” where companies place unauthorized charges on mobile phone bills.

(2)  adopt strong security measures throughout the mobile payment process to:

  • receive, transmit and store financial data using “end-to-end” encryption;
  • incorporate security measures such as dynamic data authentication and separate secure element storage of data to prevent hackers from accessing financial information on mobile devices;
  • comply with federal and state data security laws such as the FTC Safeguards Rule, 16 C.F.R. § 314.1 et seq., and the FTC Act’s prohibition (Section 5) against unfair or deceptive acts or practices;
  • require strong data security measures by all companies in the mobile payments chain; and
  • implement additional consumer security protections such as second level passwords and a means to immediately disable apps if a phone is lost or stolen.

(3)  implement “privacy by design” as set forth in the FTC’s report “Protecting Consumer Privacy in an Era of Rapid Change,” including at a minimum:

  • strong privacy practices at every stage of product development covering:
    —reasonable security
    —data collection limited to the context of consumer interaction with your business (e.g., no geolocation data unless needed)
  • simplified consumer choice:
    —allowing consumers to restrict unnecessary information disclosure
    —discouraging “pre-checked” boxes to obtain consumer consent for the use of data for non-processing purposes
  • transparency regarding data collection, storage and use to strengthen consumer trust.

To enable mobile payments to reach their full potential, financial institutions can play a lead role, including by responding to the FTC chairman’s call for industry self-regulation and by following the recommendations noted in the Staff Report. Building on the security and privacy obligations that already exist under the Gramm-Leach-Bliley Act, and drawing on further guidance from sources like the FTC, financial institutions can move the industry forward by developing meaningful mobile disclosures and transparent privacy policies and practices, and by requiring similar compliance of their mobile payment service providers.

Banks should implement, and require their service providers to implement, data security safeguards for sensitive financial information at all segments of the payment chain and allocate responsibilities and liability among them. Banks should develop data breach response plans including notifications and consider purchasing cyber-security insurance.

This article was originally published on BankDirector.com.
