Claude Goetz, Davis Wright Tremaine LLP · Sep 28, 2015 · Tokenization is a data security technique...
Prepaid Cards, New Technologies, and Emerging Payment Systems, Including Mobile Wallets, Virtual Currencies, and EMV
Cards: New Opportunities and Overcoming Regulatory and Compliance Challenges
ACI Prepaid Card Compliance Conference
September 30th – October 1st, 2015
Chicago, Illinois
Claude Goetz Davis Wright Tremaine LLP
Mobile Devices are Changing Retail Payments
Includes:
• Purchases, Bill payments, Charitable donations, Payments to another person, or Any other payments using a mobile phone
Access points:
• Web page through mobile browser, SMS, or downloadable app on phone
Payment:
• Charged to credit card, deducted from prepaid account, or withdrawn directly from bank account
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
Consumers Using Their Phones to Make Payments
Growth in consumer use of mobile payments (chart; share of users by year):
• Mobile phone users who reported using mobile payments: 2011 – 11%, 2012 – 15%, 2013 – 17%
• Smartphone users who reported using mobile payments: 2011 – 23%, 2012 – 24%, 2013 – 24%
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
How are Consumers Using Mobile Payments?
• Paying bills: 66%
• Online purchases: 59%
• Paying for product or service at store: 39%
• Transferring money from another person using a mobile phone: 39%
• Made payment via text message: 13%
• Paid for parking, a taxi or public transit using mobile phone: 9%
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
How are Consumers Using Mobile Payments?
Growth in use of POS mobile payments services (chart): share of smartphone users who reported making a POS purchase with their smartphone in the past 12 months
• 2011: 1%
• 2012: 6%
• 2013: 17%
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
Mobile Phones: Gateway to the Unbanked?
Cell Phone Usage Among Unbanked & Underbanked (chart): mobile phones, including smartphones, are prevalent among the unbanked and underbanked
• Unbanked: 69% have a mobile phone; 50% have a smartphone
• Underbanked: 88% have a mobile phone; 64% have a smartphone
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
Mobile Phones: Gateway to the Unbanked?
High penetration among younger generations, minorities, and low-income consumers offers potential for expanding financial access
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
Point of Sale Innovations
Catalyst: Growth in Alternative Payment Providers
• Growth of the P2P market, APPs for online transactions, e-wallets, mobile payments, “Buy” buttons
• In January 2014, it was estimated that APPs will account for 59% of online transactions and that e-wallets will equal cards in terms of market share in 2017
• Peer-to-peer payment market expected to reach $17 billion in 2019
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
Applicable laws and regulations (slide word cloud):
• Business of banking / Deposit-taking
• Truth in Lending Act / Reg Z
• Regulation B
• Bank Secrecy Act
• OFAC
• Reg D
• Truth in Savings Act (TISA) / Regulation DD
• Regulation II
• Gramm-Leach-Bliley Act
• Fair Credit Reporting Act
• Data breach/security
• FDIC Deposit Insurance
• E-SIGN Act
• Unfair, Deceptive or Abusive Acts and Practices Laws
• State Money Transmitter Laws
• State Privacy and Security Statutes
• Card brand rules
• Gift card
• Anti-Money Laundering Compliance
• Reg CC
• Escheat
• Durbin Amendment
• Identity-Theft Red Flags
• Check 21
• Truth in Billing
• Electronic Fund Transfer Act / Regulation E
The Clearing House Diagnosis: An Uneven Playing Field in Data Privacy and Security
• “Financial Institutions” are subject to extensive regulatory, supervisory and enforcement scrutiny by their prudential regulators
– GLBA Interagency Guidelines
– More stringent implementing regulations and consequences
– Safety and soundness
– Banks ultimately bear customer service and fraud costs
• Alternative Payment Providers (APPs) provide products and services utilizing the “backbone of existing payment systems” and avoid the reach of prudential regulators
– GLBA FTC Safeguards Rule
– Not subject to regular examinations, enforcement actions or oversight
– Lighter substantive requirements
– Lower odds of facing enforcement actions or sanctions
“Banks and APPs engaging in functionally similar activities should be subject to similar regulatory regimes.” – The Clearing House
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
Impact of Apple Pay on the Mobile Payments Market
Apple Pay adoption – a mixed story
– Recent Pymnts and InfoScout survey data show declines in use:
• Consumers that have tried Apple Pay:
– March 2015 – 15.1% of eligible iPhone 6 & 6 Plus users
– June 2015 – 13.1%
• Consumers using Apple Pay in a store where it is accepted:
– March 2015 – 48% of eligible iPhone 6 & 6 Plus users
– June 2015 – 33%
• Consumers not using Apple Pay because they are not familiar with how it works:
– March 2015 – 31% of eligible iPhone 6 & 6 Plus users
– June 2015 – 34%
Source: Pymnts.com, available at http://www.pymnts.com/in-depth/2015/apple-pay-adoption-the-falling-side-of-the-bell-curve/ (August 5, 2015).
Impact of Other Mobile Payment Technologies
Non-Apple mobile payment solutions
– Samsung Pay / LoopPay
– Android Pay
– Others
Will mobile payment adoption rates significantly increase?
– In-store payment isn’t a consumer pain point – swiping works
Tokenization and Host Card Emulation
How Tokenization Works
Tokenization is a data security technique that replaces sensitive data (e.g., a credit card number) with surrogate data (a token) that has little or no value on its own. Tokenization limits the scope of where the sensitive data needs to be processed or stored.
Token system (diagram): a sensitive value is exchanged for an inert token, and the mapping between the two is kept only in the token vault
• Example vault mapping: 1234 → 0001, 2345 → 0002, 3456 → 0003, 4567 → 0004
• Example card number: the sensitive value 1234 1234 1234 1234 is replaced by the inert token 0000 0000 0000 0001
Benefits of Tokenization
Easier, cheaper and more secure
Easier and Cheaper:
– Tokenization can be managed internally or outsourced
– Token format interoperates with existing systems and applications
– Puts less technical overhead on infrastructure
– Reduces compliance obligations, since fewer systems need to be audited and fewer systems need the strictest security controls
Benefits of Tokenization (cont’d)
Easier, cheaper and more secure
More Secure:
– Reduces exposure by centralizing sensitive data in one location (the token vault)
– Unlike encrypted data, tokens cannot be reversed without access to the token vault; there is no key that can be recovered
– Reduces the burden of encryption key management
– Provides data masking by default
Limitations of Tokenization
– Tokenization cannot be used on all types of data (e.g., emails, Internet transmissions, databases, files)
– Just like encryption, it cannot protect data before it is tokenized (e.g., the RAM scraper problem) or if a party is able to de-tokenize the data
– Similarly formatted tokens may not be distinguishable from the real data type
Limitations of Tokenization (cont’d)
– Tokens are not meaningful to third parties unless they have access to the token vault or are provided a means to associate the token back to the sensitive data
– Tokenization can result in duplicate tokens unless the token system is set up to prevent collisions
– Tokens do not validate the underlying data or its source, and should be coupled with assurance methods that validate identity
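The token-vault model from “How Tokenization Works” and the collision and look-alike limitations listed above, as an added example (this is illustrative code written for this page, not a product or the presenter’s own implementation). The vault hands out random, same-length tokens so they fit existing card-number fields, keeps the last four digits so masked display needs no vault access, draws again on a collision, and rejects any candidate that would pass the Luhn check so a token cannot be mistaken for a live card number. The class and function names (TokenVault, luhn_valid, mask) and the sample card numbers are constructed for the example.

```python
import secrets
from typing import Dict, Optional


def luhn_valid(digits: str) -> bool:
    """Luhn check that real card numbers satisfy (helper written for this example)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Illustrative token vault (assumed design, not a specific product).

    - Tokens are random digit strings of the same length as the PAN, so they
      fit existing fields and applications (format interoperability).
    - The last four digits are preserved so masked display never needs the vault.
    - A candidate is rejected if it already exists (collision guard) or if it
      would pass the Luhn check, so a token cannot look like a real PAN.
    - Reversal is only possible through the vault's mapping; there is no key.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:              # same PAN -> same token
            return self._pan_to_token[pan]
        while True:
            prefix = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token == pan or token in self._token_to_pan:
                continue                           # collision: draw again
            if luhn_valid(token):
                continue                           # would look like a real PAN
            break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only code holding the vault can map back; unknown tokens yield None."""
        return self._token_to_pan.get(token)


def mask(token: str) -> str:
    """Masked display from the token alone: show the last four, hide the rest."""
    return "*" * (len(token) - 4) + token[-4:]
```

Note that a second `TokenVault` instance cannot reverse a token issued by the first, which is the property the slides rely on: the token is inert everywhere except inside the one system that holds the mapping. Mapping the same PAN to the same token is a design choice that keeps tokens usable for repeat-customer analytics; a vault that issues a fresh token per transaction would drop the `_pan_to_token` lookup.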
How Host Card Emulation (HCE) Works
Host Card Emulation (HCE) creates a software-based virtual smart card that does not rely on the device’s Secure Element. It was first introduced in 2011 by SimplyTapp and popularized by Google on Android.
Use of Tokenization in HCE
Tokenization may be used in conjunction with HCE
Tokens can be used on the device in place of the PAN or other sensitive data, adding a further layer of security
Google Wallet uses tokenization and does not store the PAN on the device or pass the PAN to the merchant
HCE Security Supplements
The following can be used to supplement the security of an HCE deployment:
• Encryption or tokenization of sensitive data stored on the device or in the cloud
• Use of tamper-proof software to stop all transactions if external changes are attempted
• Device fingerprinting to uniquely identify the authorized device and disallow any transactions from other devices
The primary criticism of HCE is that it is not as secure as using the Secure Element.
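To show how tokenization and device fingerprinting fit together on the cloud side of an HCE wallet, here is an added illustrative model; it is not Google Wallet’s or any vendor’s implementation, and the names (CloudTokenService, device_fingerprint, transaction_cryptogram) and the sample device attributes are constructed for the example. The PAN never reaches the device: it receives only a token bound to its fingerprint and a per-device key, and every transaction must carry an HMAC cryptogram over a strictly increasing counter, so the service can decline use from another device, replays, and tampered amounts.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


def device_fingerprint(hardware_id: str, app_signature: str) -> str:
    """Stand-in for device fingerprinting (assumed): hash of stable device attributes."""
    return hashlib.sha256(f"{hardware_id}|{app_signature}".encode()).hexdigest()


def transaction_cryptogram(key: bytes, token: str, fingerprint: str,
                           counter: int, amount_cents: int) -> str:
    """Computed on the device (assumed scheme): HMAC over token, device, counter, amount."""
    msg = f"{token}|{fingerprint}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class CloudTokenService:
    """Illustrative issuer/cloud side of an HCE wallet (assumed design).

    The device holds only a token and a per-device key; the PAN reference stays
    here. A transaction is approved only if it comes from the provisioned device,
    advances the counter, and carries a cryptogram that verifies under that key.
    """

    def __init__(self) -> None:
        self._records: Dict[str, dict] = {}

    def provision(self, fingerprint: str, pan_reference: str) -> Tuple[str, bytes]:
        """Issue a token bound to one device fingerprint plus the key the device will use."""
        token = "9" + "".join(secrets.choice("0123456789") for _ in range(15))
        key = secrets.token_bytes(32)
        self._records[token] = {"device": fingerprint, "key": key,
                                "pan_ref": pan_reference, "counter": 0}
        return token, key

    def authorize(self, token: str, fingerprint: str, counter: int,
                  amount_cents: int, cryptogram: str) -> str:
        rec = self._records.get(token)
        if rec is None:
            return "decline: unknown token"
        if not hmac.compare_digest(fingerprint, rec["device"]):
            return "decline: device mismatch"      # token presented from another device
        if counter <= rec["counter"]:
            return "decline: replay"               # counter must strictly increase
        expected = transaction_cryptogram(rec["key"], token, fingerprint, counter, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return "decline: bad cryptogram"       # tampered amount or wrong key
        rec["counter"] = counter                   # accept and advance the replay window
        return "approve"
```

In a real deployment the per-device key would be held by the wallet app and the counter would typically be refreshed as limited-use keys from the cloud; the point the example isolates is that neither the merchant nor a copied token is enough to transact, because authorization also requires the device binding and a fresh, verifiable cryptogram.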
Disclaimer
This presentation is a publication of Davis Wright Tremaine LLP. Our purpose in making this presentation is to inform our clients and friends of recent legal developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Attorney advertising. Prior results do not guarantee a similar outcome. Davis Wright Tremaine, the D logo, and Defining Success Together are registered trademarks of Davis Wright Tremaine LLP. © 2015 Davis Wright Tremaine LLP.