Congress investigates security of mobile payments
With testimonies from PayPal, Samsung Pay and the Merchant Customer Exchange, the hearing’s main takeaway was that while most mobile payments options offer stronger user authentication and convenience, they fail to provide the same legal and legislative protections as other methods.
Though the committee did not reveal any plans to take legislative action regarding this issue, it called on stakeholders to provide additional comments and concerns about mobile security over the next 30 days.
“We want to explore the new ways consumers are paying for goods through their mobile devices, and how consumer information is being secured on mobile devices,” said Rep. Frank Pallone Jr., D-N.J. “We want to be sure that information saved on mobile devices is secure, even if data on mobile devices can still be hacked.”
Meanwhile, Sarah Jane Hughes of the Maurer School of Law at Indiana University said that lawmakers will need to determine whether Congress should enforce the same regulations regarding consumer fraud protections and privacy on mobile carriers, payments gateways and mobile service providers as they do with banking institutions.
Hughes mentioned the federal regulatory requirements imposed under the Electronic Fund Transfer Act [Regulation E] and the – EFT and [Dodd-Frank Wall Street Reform and] Consumer Protection Act, which only apply to banking institutions.
“Protections for mobile do not exist, and that is a big issue for the unbanked and underbanked, who don’t have credit or debit cards,” said Hughes. “Consumers who bill to a mobile phone statement, as opposed to a financial institution, do not have the same level of protections.”
In addition to these legal requirements, banking institutions have also expressed their concerns about the security practices of non-bank payments providers and processors, Hughes said.
“The potential for a mobile payment provider and the downstream payments participants necessary for clearing and settlement of the payment back to the merchant involved to collect and use information about the customer’s spending habits and vendors of choice is, and will continue to be, substantial,” Hughes said. “Whenever additional entities handle payment and user information, the risks of capture and improper use of these data grow. Thus, a multiparty, mobile-payments downstream network could create privacy risks in a degree comparable to or greater than privacy risks experienced in credit and debit transactions.”
John Muller, PayPal’s VP of global payments policy, told the committee that the multiparty networks that often process mobile payments have a fair share of security challenges. For this reason, stronger authentication practices, such as biometrics, are becoming a necessary component of mobile payments.
“Biometric authentication features on mobile devices are radically changing this [mobile] model and, subsequently, are minimizing damage done in a breach or hack,” Muller said. “Through PayPal’s leadership and collaboration with Samsung and the FIDO Alliance, PayPal was the first payment company to introduce fingerprint biometric payment authentication on Android mobile devices.”
Sang Ahn, chief commercial officer for Samsung Pay in the U.S., told the committee that Samsung Pay also uses biometric fingerprint authentication for transactions.
Ahn added that Samsung’s “smartphones incorporate the Samsung KNOX security platform, keeping all payment data locked and secure” while “other mobile payment solutions employ tokenized transactions… [but] these solutions only work in the small fraction of stores with NFC-equipped terminals.”
Despite a lack of regulations oversight, mobile payments providers are given enough guidance to put into place a set of best practices that can effectively protect consumer privacy and provide greater security for transactions, Hughes testified.