Mobile Payments: Key IT Law Issues Sony Gokhale October 26, 2015 31021146
Presentation Summary What is mobile payment? A high level overview of the mobile payment ecosystem and its participants (as of today) Understanding the key mobile payment activities Key regulatory, privacy and security issues
What is Mobile Payment? Mobile payment is a very broad term and includes many different types of services, such as: Mobile credit card apps CIBC - “Mobile Payment App” (with Bell, Telus and Rogers) TD - “TD Mobile Wallet” (with Bell, Telus and Rogers) RBC - “RBC Wallet” / “Secure Cloud” (with Bell Bell and Virgin Mobile but allows credit and debit) ScotiaBank - “My Mobile Wallet” (with Bell, Telus and Rogers) BMO - “Paypass” / “Tap and Go” (sticker affixed to a mobile device and not tied to a specific Telco)
What is Mobile Payment? (continued) Closed loop mobile payment services Starbucks, Tim Hortons Direct carrier billing Google Play on Telco bill Mobile devices as a point-of-sale device Square Open wallets UGO Apple Pay Google Wallet Android Pay Suretap Each mobile payment offering is implemented through different technologies and may involve a variety of different players The landscape is changing at a rapid pace, both in terms of the expanding service offerings (credit, debit, prepaid, loyalty, etc.) and the technology used to implement them
A Mobile Payment Ecosystem BANKS/CREDENTIAL ISSUERS MNO/TELCO SERVICE PROVIDER TSM SECURE ELEMENT MANAGER WALLET APP SECURE ELEMENT SIM Secure SD Card Proximity Infrastructure Embedded Chip Contactless Services Others
Understanding Key Mobile Payment Activities (and their legal implications) Eligibility Provisioning Transaction processing Life cycle events (e.g. lost phones, suspended accounts, etc.)
Key Privacy and Security Issues Understanding the data flows and who controls the data The importance of understanding how and when data is exchanged and accessed Who is responsible for the consents? Understanding the consent process Allocating responsibility for obtaining
Key Privacy and Security Issues (continued) Managing disclosure and consent in a mobile world Presenting a suitable consent on a mobile device When and how to obtain consent Obtaining consent now and for the future New security risks to consider Lost or stolen devices NFC standards: password protection is optional Privacy compliance for the future Credential storage in the cloud Open wallets Loyalty Programs Geo-location data
Key Regulatory Issues Understanding the fragmented regulation of payments Financial institution regulation (Bank Act, trust companies legislation) Canadian Payments Association (CPA) Payment Card Networks Act (PCNA) Proceeds of Crime (Money Laundering) and Terrorist Financing Act Provincial Consumer Protection legislation (regulates gift cards)
Key Regulatory Issues – continued Informal regulation and Industry Standards Merchant agreements Acquirer agreements Interac Rules Card Brand Networks Rules Payment Card Industry Data Security Standard (PCI DSS) GlobalPlatform
A Glossary of Key Mobile Payment Terms Applet: An Applet allows a Credential to be used in a functional context. An example would be PayWave, which is an applet that allows a subscriber to use his/her Credit Card Credentials to make a payment using VISA. Credential: Personalized subscriber data (e.g. credit card information) issued by the Credential Issuer. Credentials can also include Applets for the purposes of provisioning. An issuer of Credentials. For example, a financial institution, retailer, government, transit authority, etc. Credential Issuer: An issuer of Credentials. For example, a financial institution, retailer, government, transit authority, etc. GUI (Graphical User Interface): The visual layer of an application that a subscriber interacts with. Also referred to as the “Wallet Application” or “Wallet”. HCE (Host Card Emulation): The software architecture that allows mobile applications to offer NFC payment solutions without the need for a Secure Element on the phone (UIC / SIM card). MNO (Mobile Network Operator): Also known as mobile phone operator (or simply mobile operator), carrier service provider (CSP), wireless service provider, wireless carrier, or cellular company, or mobile network carrier.
A Glossary of Key Mobile Payment Terms (cont’d) NFC (Near Field Communication): Short range radio communication technology. POS (Point of Sale): The location where a business transaction occurs. A POS terminal is a device by which sales transactions can be directly debited from the customer's bank account. Provisioning: The process to load the wallet on the mobile device and personalize the wallet for use. SD (Security Domain): The SD is an entity on the Secure Element which provides the support framework for the control, security and communication requirements of the Credential Issuer. SE (Secure Element): A platform that allows the installation, personalization and management of Credentials. It is a combination of hardware, software, interfaces and protocols that enable secure storage and usage of Credentials for payment, authentication and other services. The SE can be a portion of a UIC / SIM card, an embedded chip a SD card, or linked to a cloud solution. SEM (Secure Element Manager): The SEM enables the mobile network operator to provide a secure management framework to allow its Credential Issuer’s customers to manage their multiple Credentials within a Secure Element. The SEM controls access to the SE.
A Glossary of Key Mobile Payment Terms (cont’d) SIM (Subscriber Identity Module): An integrated circuit that securely stores the service-subscriber keys (IMSI) used to identify a subscriber on mobile devices. The SE can be a SIM card. SSD (Supplementary Security Domain): The SSD is a specific area on the SE designated specifically for the Credential Issuer that includes Credentials of such Credential Issuer. Tokenization: The process of substituting a sensitive data element (e.g. card data) with a non-sensitive equivalent (the token) that has no extrinsic or exploitable meaning or value. The token is an identifier that maps back to the sensitive data through a tokenization system. TSM (Trusted Service Manager): The TSM’s role is to establish a technical connection with the SEM or MNOs and to enable Credential Issuers to distribute and manage their Credentials remotely by allowing access to the Secure Element (via authentication by the SEM) in NFC-enabled handsets. The TSM is a hardware module that enables a link between the Credential Issuer and the Secure Element Manager. UICC (Universal Integrated Circuit Card): A smart card used in mobile devices. The UICC is commonly referred to as the SIM Card.
Contact Information: Sony Gokhale 416.862.6813 sgokhale@osler.com Osler, Hoskin & Harcourt LLP Box 50, 1 First Canadian Place Toronto, Ontario, Canada M5X 1B8