Claude Goetz, Davis Wright Tremaine LLP, Sep 28, 2015 · Tokenization is a data security technique...


Page 1:

Prepaid Cards, New Technologies, and Emerging Payment Systems, Including Mobile Wallets, Virtual Currencies, and EMV Cards: New Opportunities and Overcoming Regulatory and Compliance Challenges

ACI Prepaid Card Compliance Conference

September 30th – October 1st, 2015

Chicago, Illinois

Claude Goetz Davis Wright Tremaine LLP

Page 2:

Mobile Devices are Changing Retail Payments

Includes:

• Purchases, Bill payments, Charitable donations, Payments to another person, or Any other payments using a mobile phone

Access points:

• Web page through mobile browser, SMS, or downloadable app on phone

Payment:

• Charged to credit card, deducted from prepaid account, or withdrawn directly from bank account

Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)

Presentation Notes:
The Fed began conducting annual surveys of consumers’ use of mobile financial services in 2011; this report presents findings from the third survey (the 2013 survey), which examined consumers’ use of mobile technology to access financial services and make financial decisions. The survey focused on consumer access to bank services using mobile phones (mobile banking), consumer payment for goods and services using mobile phones (mobile payments), and consumer shopping decisions facilitated by the use of mobile phones. Mobile phones are in widespread use (87% of the U.S. adult population has a mobile phone; 61% of mobile phones are smartphones). Mobile payments are most commonly funded using debit cards (54%), credit cards (42%), directly from a bank account (40%), from an account at a non-FI such as PayPal (9%), a general purpose prepaid card (5%), or a charge applied directly to the phone bill (4%).
Page 3:

Consumers Using Their Phones to Make Payments

Growth in consumer use of mobile payments (chart):

• Mobile phone users who reported using mobile payments: 2011: 11%, 2012: 15%, 2013: 17%

• Smartphone users who reported using mobile payments: 2011: 23%, 2012: 24%, 2013: 24%

Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)

Presentation Notes:
The higher rate among all mobile phone users but constant rate among smartphone users suggests that smartphone adoption substantially contributed to the increased use of mobile payments
Page 4:

How are Consumers Using Mobile Payments?

• Paying bills, 66%

• Online purchases, 59%

• Paying for product or service at store, 39%

• Transferring money from another person using a mobile phone, 39%

• Made payment via text message, 13%

• Paid for parking, a taxi or public transit using mobile phone, 9%

Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)

Presentation Notes:
Population: consumers who reported having made a mobile payment in the past 12 months
Page 5:

How are Consumers Using Mobile Payments?

Growth in use of POS mobile payments services (chart):

• Share of smartphone users who reported making a POS purchase with their smartphone in the past 12 months: 2011: 1%, 2012: 6%, 2013: 17%

Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)

Page 6:

Mobile Phones: Gateway to the Unbanked?

Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)

Cell Phone Usage Among Unbanked & Underbanked (chart):

• Unbanked: 69% have mobile phones; 50% have smartphones

• Underbanked: 88% have mobile phones; 64% have smartphones

Mobile phones, including smartphones, are prevalent among unbanked and underbanked

Presentation Notes:
Conditional on owning a mobile phone, minorities are disproportionally likely to adopt mobile payments.
Page 7:

Mobile Phones: Gateway to the Unbanked?

Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)

High penetration among younger generations, minorities, and low-income offers potential for expanding financial access


Presentation Notes:
Conditional on owning a mobile phone, minorities are disproportionally likely to adopt mobile payments.
Page 8:


Point of Sale Innovations

Page 9:

Catalyst: Growth in Alternative Payment Providers

Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)

In January 2014, it was estimated that APPs will account for 59% of online transactions and that e-wallets will equal cards in terms of market share in 2017

Peer-to-peer payment market expected to reach $17 billion in 2019

Growth of P2P Market, APPs for online transactions, e-wallets, mobile payments, “Buy” Buttons

Page 10:

Laws and regulations that may apply to prepaid and emerging payment products (slide word cloud):

• Business of banking / Deposit-Taking

• Truth in Lending Act / Reg Z

• Regulation B

• Bank Secrecy Act

• OFAC

• Reg D

• Truth in Savings Act

• Regulation II

• Gramm-Leach-Bliley Act

• Fair Credit Reporting Act

• Data breach/security

• FDIC Deposit Insurance

• E-SIGN Act

• Unfair, Deceptive or Abusive Acts and Practices Laws

• State Money Transmitter Laws

• State Privacy and Security Statutes

• Card brand rules

• Gift card

• Anti-Money Laundering Compliance

• TISA/Reg DD

• Reg CC

• Escheat

• Durbin Amendment

• Identity-Theft Red Flags

• Check 21

• Truth in Billing

• Electronic Fund Transfer Act / Regulation E

• Regulation DD

Page 11:

The Clearing House Diagnosis: An Uneven Playing Field in Data Privacy and Security

“Financial Institutions” are subject to extensive regulatory, supervisory and enforcement scrutiny by their prudential regulators:

GLBA Interagency Guidelines

More stringent implementing regulations and consequences

Safety and soundness

Banks ultimately bear customer service and fraud costs

Alternative Payment Providers (APPs) provide products and services utilizing “backbone of existing payment systems” and avoid the reach of prudential regulators:

GLBA FTC Safeguards Rule

Not subject to regular examinations, enforcement actions or oversight

– Lighter substantive requirements

– Lower odds of facing enforcement actions or sanctions

“Banks and APPs engaging in functionally similar activities should be subject to similar regulatory regimes.” The Clearing House

Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)

Page 12:

Impact of Apple Pay on the Mobile Payments Market

Apple Pay adoption – a mixed story

– Recent Pymnts and InfoScout survey data show declines in use:

• Consumers that have tried Apple Pay:

– March 2015 – 15.1% of eligible iPhone 6 & 6 Plus users

– June 2015 – 13.1%

• Consumers using Apple Pay in a store where it’s accepted:

– March 2015 – 48% of eligible iPhone 6 & 6 Plus users

– June 2015 – 33%

• Consumer not using Apple Pay because they are not familiar with how it works:

– March 2015 – 31% of eligible iPhone 6 & 6 Plus users

– June 2015 – 34%


Source: Pymnts.com, available at http://www.pymnts.com/in-depth/2015/apple-pay-adoption-the-falling-side-of-the-bell-curve/ (August 5, 2015).

Page 13:

Impact of Other Mobile Payment Technologies

Non-Apple mobile payment solutions

– Samsung Pay / Loop Pay

– Android Pay

– Others

Will mobile payment adoption rates significantly increase?

– In-store payment isn’t a consumer pain point – swiping works

Tokenization and Host Card Emulation


Page 14:

How Tokenization Works

Tokenization is a data security technique that replaces sensitive data (e.g., a credit card number) with surrogate data (a token) that has little or no value on its own. Tokenization limits the scope of where the sensitive data needs to be processed or stored.

TOKEN SYSTEM (diagram): 1234 = 0001, 2345 = 0002, 3456 = 0003, 4567 = 0004

TOKEN VAULT (diagram): Sensitive Value 1234 1234 1234 1234 → Inert Token 0000 0000 0000 0001

Page 15:

Benefits of Tokenization


Easier, cheaper and more secure

Easier and Cheaper:

– Tokenization can be managed internally or outsourced

– Format interoperates with existing systems and applications

– Puts less technical overhead on infrastructure

– Reduces compliance obligations by allowing fewer systems to audit and lower security controls

Page 16:

Benefits of Tokenization (cont’d)


Easier, cheaper and more secure

More Secure:

– Reduces exposure by centralizing sensitive data in one location (token vault)

– Unlike encryption, tokens cannot be reversed without access to the token vault

– Reduces burden of encryption key management

– Provides data masking by default

Page 17:

Limitations of Tokenization


– Tokenization cannot be used on all types of data (e.g., emails, Internet transmissions, databases, files)

– Just like encryption, cannot protect data before it is tokenized (e.g., RAM scraper problem) or if a party is able to de-tokenize the data

– Similarly formatted tokens may not be distinguishable from the real data type

Page 18:

Limitations of Tokenization (cont’d)


– Tokens are not meaningful to third parties unless they have access to the token vault or are provided a means to associate the token back to the sensitive data

– Tokenization can result in duplicative tokens unless the token system is set up to prevent collision

– Tokens do not validate the underlying data or its source, and should be coupled with assurance methods to validate identity
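The token-vault flow on page 14, the "more secure" points on page 16 (only the vault can reverse a token; masking by default) and the limitations on pages 17 and 18 (tokens that look like real data; duplicate tokens without a collision check) can all be seen in one small model. The following is an added example written for this page, not code from the presentation or from any vendor product; the vault is an in-memory dictionary, the test PAN is constructed, and the choice to make tokens deliberately fail the Luhn check is one common convention for keeping tokens distinguishable from PANs, not something the slides prescribe.

```python
import secrets

DIGITS = "0123456789"


def luhn_check_digit(partial: str) -> int:
    """Return the check digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # rightmost digit of `partial` sits in a doubled position
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check, as real card numbers do."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))


def _random_token(length: int) -> str:
    """Random digit string of the PAN's length that deliberately FAILS the Luhn
    check, so a token can never be mistaken for a real PAN (addresses the
    'similarly formatted tokens' limitation on page 17)."""
    body = "".join(secrets.choice(DIGITS) for _ in range(length - 1))
    good = luhn_check_digit(body)
    bad = (good + 1 + secrets.randbelow(9)) % 10  # any digit except the valid one
    return body + str(bad)


def looks_like_token(value: str) -> bool:
    """Under the convention above, a Luhn-invalid digit string is a token, not a PAN."""
    return value.isdigit() and not luhn_valid(value)


def masked(value: str) -> str:
    """Display form: everything but the last four characters hidden."""
    return "*" * (len(value) - 4) + value[-4:]


class TokenVault:
    """The only component holding the PAN <-> token mapping (the slide's 'token vault').
    Systems outside the vault see tokens only and have no way to reverse them."""

    def __init__(self, max_attempts: int = 100):
        self._token_by_pan = {}
        self._pan_by_token = {}
        self.max_attempts = max_attempts

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:  # the same PAN always maps to the same token
            return self._token_by_pan[pan]
        for _ in range(self.max_attempts):
            token = _random_token(len(pan))
            if token not in self._pan_by_token:  # collision check (page 18)
                self._token_by_pan[pan] = token
                self._pan_by_token[token] = pan
                return token
        raise RuntimeError("could not allocate a unique token")

    def detokenize(self, token: str) -> str:
        """Only callable inside the vault boundary; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


def demo() -> dict:
    """Walk one constructed PAN through tokenize / store / detokenize."""
    vault = TokenVault()
    pan = "4111111111111111"  # constructed, Luhn-valid test number
    token = vault.tokenize(pan)
    merchant_record = {"customer": "c-001", "card": token}  # the merchant keeps the token only
    return {
        "token": token,
        "token_is_luhn_invalid": not luhn_valid(token),
        "stable": vault.tokenize(pan) == token,
        "recovered": vault.detokenize(merchant_record["card"]) == pan,
        "display": masked(token),
    }


if __name__ == "__main__":
    print(demo())
```

A second `TokenVault` instance, standing in for any party without vault access, raises `KeyError` on `detokenize` for a token the first vault issued: the token carries no information about the PAN, which is the property page 16 relies on. Note what the model does not do: it cannot help with data captured before `tokenize` is called (the page 17 RAM-scraper point), and `tokenize` checks only that the input is well-formed, not that the card belongs to the presenter (the page 18 point about coupling tokens with identity assurance).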

Page 19:

How Host Card Emulation (HCE) Works

Host Card Emulation (HCE) creates a software-based virtual smart card that does not rely on the device’s Secure Element. First introduced in 2011 by SimplyTapp but popularized by Google’s Android phone.


Page 20:

Use of Tokenization in HCE

Tokenization may be used in conjunction with HCE

Tokens can be used in place of the PAN on the device, or other sensitive data, to add an additional layer of security

Google Wallet uses tokenization and does not store the PAN on the device or pass the PAN to the merchant


Page 21:

HCE Security Supplements

The following can be used to supplement the security of an HCE deployment:

Encryption or tokenization of sensitive data stored on the device or in the cloud

Use of tamper-proof software to stop all transactions if external changes are attempted

Device fingerprinting to uniquely identify the authorized device and disallow any transactions from other devices

The primary criticism of HCE is that it is not as secure as using the Secure Element.
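Two of the supplements listed above, a token in place of the PAN on the device and device fingerprinting that refuses transactions from any other device, can be combined on the issuer side into a single check. The example below is added for this page and is not code from the presentation, from Google Wallet or from any HCE product; the device attribute names, the server secret and the test values are constructed, and binding the token to a fingerprint with an HMAC is one reasonable design, not the method the slides describe.

```python
import hashlib
import hmac
import secrets


def device_fingerprint(attrs: dict) -> bytes:
    """Canonical hash over the attributes the wallet app reports at provisioning
    and again with every transaction. Attribute names are constructed for the
    example; in a real deployment they would come from the device and the app."""
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(canonical.encode("utf-8")).digest()


class IssuerTokenService:
    """Issuer / token-service side of an HCE deployment. The PAN never leaves this
    service; the device is handed a surrogate token bound to its fingerprint."""

    def __init__(self):
        self._binding_key = secrets.token_bytes(32)  # constructed server-side secret
        self._pan_by_token = {}
        self._binding_by_token = {}

    def _binding_tag(self, token: str, fingerprint: bytes) -> bytes:
        """HMAC over token + fingerprint; only this service can produce or verify it."""
        return hmac.new(self._binding_key, token.encode("utf-8") + fingerprint,
                        hashlib.sha256).digest()

    def provision(self, pan: str, device_attrs: dict) -> str:
        """Issue a token for one device. Only the token is returned to the phone."""
        token = "".join(secrets.choice("0123456789") for _ in range(16))
        self._pan_by_token[token] = pan
        self._binding_by_token[token] = self._binding_tag(token, device_fingerprint(device_attrs))
        return token

    def authorize(self, token: str, device_attrs: dict) -> str:
        """Accept the token only when presented by the device it was provisioned to.
        A changed app build or a different handset produces a different fingerprint
        and is declined, which is the effect page 21 asks for."""
        expected = self._binding_by_token.get(token)
        if expected is None:
            return "declined: unknown token"
        presented = self._binding_tag(token, device_fingerprint(device_attrs))
        if not hmac.compare_digest(expected, presented):
            return "declined: device mismatch"
        return "approved"


def demo() -> list:
    """Provision a token to one constructed device, then try it from three places."""
    service = IssuerTokenService()
    device = {"model": "example-phone", "os_build": "example-build", "app_hash": "example-app-hash"}
    token = service.provision("4111111111111111", device)  # constructed test PAN
    return [
        service.authorize(token, device),                                  # same device
        service.authorize(token, {**device, "model": "different-phone"}),  # cloned token elsewhere
        service.authorize(token, {**device, "app_hash": "modified-app"}),  # tampered app build
    ]


if __name__ == "__main__":
    print(demo())
```

The token by itself is useless to the merchant or to anyone who copies it off the phone, because authorization requires the fingerprint the issuer recorded, and the HMAC tag means the issuer does not even have to store raw fingerprints.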


Page 22:

THANK YOU!


Claude Goetz [email protected]

212.603.6415

Page 23:

Disclaimer


This presentation is a publication of Davis Wright Tremaine LLP. Our purpose in making this presentation is to inform our clients and friends of recent legal developments. It is not intended, nor should it be used, as a substitute for specific legal advice as legal counsel may only be given in response to inquiries regarding particular situations. Attorney advertising. Prior results do not guarantee a similar outcome. Davis Wright Tremaine, the D logo, and Defining Success Together are registered trademarks of Davis Wright Tremaine LLP. © 2015 Davis Wright Tremaine LLP.