LEXPERT'S REVOLUTIONARY PAYMENT SOLUTIONS 2013 & BEYOND: LEGAL & REGULATORY COMPLIANCE PRIMER Lisa Abe-Oldenburg, Partner, Milos Barutciski, Partner, Stephen Burns, Partner Duncan Card, Partner Bennett Jones LLP June 3, 2012 Introduction Welcome! Program Overview 1. Our Faculty Lisa Abe-Oldenburg, Partner, Bennett Jones LLP Milos Barutciski, Partner, Bennett Jones LLP Stephen Burns, Partner, Bennett Jones LLP Duncan Card, Partner, Bennett Jones LLP Derek Colfer, Head of Mobile Innovation, Visa Canada Catherine Johnston, President and CEO, ACT Canada 2. Course Focus • • Both the "current state" of, and the future trends in, payment solution commercial, legal and regulatory issues Particular focus on: − Security & Privacy − Regulation Issues and Trends − Payment Solution Commercialization 3. Review of Particular Class Interests -2- Recent Payment Solution Developments Lisa Abe-Oldenburg -3- Introduction • • • • Mobile and Prepaid payment developments – apps and systems Who are the solution providers and what alliances are being formed The changing range of stakeholders The technologies involved: how are they being leveraged for added security and user flexibility? -4- Mobile and Prepaid payment developments • • • • • • TechNavio: Global NFC chip market to grow 135.63% over the period 2011-2015 ABI Research: 102 million NFC handsets shipped in 2012; 285M will ship in 2013; 500M in 2014; NFC-enabled smartphone shipments are anticipated to increase by 481% from 2012 to 2015 Deloitte: Expect 300 million NFC smartphones, tablets and eReaders sold in 2013 Frost & Sullivan: By 2015, NFC will be the most-used solution for mobile payment, enabling worldwide transactions totaling about $151.7 billion Gartner Research: 50% of smartphones will have NFC capability by 2015 Berg Insight: 86% of POS terminals in North America will accept NFC payments by 2017 -5- Mobile and Prepaid payment developments – apps and systems • • What is NFC? – near-field communication (e.g. 13.56MHz near- field radio) – Secure, close range, fast (advanced antennas) – Credentials can be exchanged or communicated via NFC technology – Card emulation mode, reader mode or both (P2P) Other options: QR Code & Cloud Based credential storage, management and mobile payments, barcode payments, bluetooth payments, passive NFC and RFID (stickers and fobs) payments and peer-to-peer (p2p) payments. -6- Mobile and Prepaid payment developments – apps and systems • Credentials could include not just Payment Credentials, but also Identification Credentials, Ticketing Credentials, Incentive/Reward Program Credentials, etc. • Credentials are stored in a part of a Secure Element (SE) • Secure Elements can be: – integrated/embedded in device hardware or core/motherboard – removable (iOS, USB, micro SD or SIM) – wearable (EMV chips in tags, fobs, bracelets) -7- Apps and Systems • • • • Mobile Payment via Cellphone – Visa’s First NFC Mobile Payments Trial - March 16, 2006 – Visa PayWave applet Mobile wallet Apps (e.g. Google wallet, Enstream's "Zoompass") – Store and access card credentials, e.g. prepaid, credit, debit, loyalty, etc. Square - mobile POS/card reader Digital Retail Apps - in-aisle payment for seamless customer experience -8- Apps and Systems • • • In November 2012, CIBC launched its Mobile Payment App (now available for Android and Blackberry), allowing contactless payment via Rogers smart phone and CIBC Credit Card In March 2013, Interac processed its first NFC mobile or contactless debit transaction in Canada, which was one of the first globally from a domestic debit network. This achievement in mobile innovation was accomplished in partnership with McDonald's Restaurants of Canada, the participating merchant, RBC Royal Bank, the participating financial institution, Moneris Solutions, the payment service provider facilitating the transactions, and BlackBerry, the mobile device provider. -9- Apps and Systems • Just a few weeks ago, 4 Canadian Credit unions announced that they will be the first financial institutions in Canada to offer remote deposit capture – the ability for depositors to use the camera in their mobile device to snap an image of the cheque they want to deposit and use their mobile banking app to deposit the item electronically. No more taking a cheque to a branch or an ATM. • BMO Bank of Montreal recently announced that consumers can sign up for their MasterPass enabled digital wallet called BMO Wallet in the coming weeks. Mobile wallets provide consumers with more payment options, allowing them to securely load branded credit, prepaid or debit cards into their mobile app or device. With banks, merchants and partners offering their own wallets, the competition will be fierce. - 10 - Who are the solution providers and what alliances are being formed • • • • • • NFC Forum – Certification (devices, programs, interoperability, "plug fests") – Specifications • Data exchange formats, Tag types, Record type definition, device interface controller, protocols – Testing and methodologies – Streamlining certification requirements with other industry organizations VISA and MC certification of SIM cards EMVCo , PTCRB, GCF, GSMA, the Smart Card Alliance, Global Platform and the Mobey Forum Education, information, best practices, addressing roadblocks and providing recommendations Merchant Services Business Association ACT Canada - 11 - Who are the solution providers and what alliances are being formed • In Canada, the federally-appointed Payments Systems Task Force asked the Financial Institutions to develop mobile standards, resulting in the publication by the Canadian Bankers Association of the Canadian NFC Mobile Payments Reference Model (or Guidelines) on May 14, 2012 – The guidelines in the Reference Model were developed and have been adopted by major Canadian banks and credit unions. For the rest of the industry, adherence is optional (e.g. by contract) – The Canadian FI's involved in this initiative (“Industry Initiative Participants”) recognized that : • End users trust FI's to provide safe and secure services and expect to be able to maintain control over which type of payment they use, how they access it and whether their payments have pass code protection • Merchants and consumers also expect transparency at point of sale. - 12 - Who are the solution providers and what alliances are being formed • • • The payment ecosystem takes the coordination of many parties to function effectively By providing early clarity on industry participation in the ecosystem, the guidelines will help stabilize and build efficiencies into the future deployment of mobile payments in Canada Through the guidelines, Industry Initiative Participants established a common reference model for NFC based mobile payments and offered a set of expectations for ecosystem participants. These expectations and the associated interactions create a common foundation, based on voluntary adherence, on which NFC mobile payment services in Canada may be built - 13 - The changing range of stakeholders • • • • • • • • • Smartphone/device/hardware manufacturers (OEMs, e.g. Nokia, Samsung, LG, HTC, BlackBerry, Motorola) Mobile OS providers (e.g. Blackberry, Windows, Android) Wireless/mobile telecom network operators (MNOs, e.g. Bell, Rogers, Telus) SIM card manufacturers (e.g. G&D, Gemalto) Cloud service providers (e.g. Google wallet) Financial institutions, card and credential issuers and acquirers Payment (e.g. credit and debit) network operators, e.g. Visa, MC, Interac Terminal (POS reader) manufacturers Payment Processors (e.g. Moneris) - 14 - The changing range of stakeholders • • • • • • • Trusted third parties (TSMs) for credential provisioning and management (authentication, certification), e.g. G&D, EnStream Mobile payment and wallet App developers and providers (e.g. Google) App stores, e.g. Apple Regulators, law enforcement, policy makers, industry associations Merchants, retailers, transportation, municipalities, governments, schools, hospitals, etc. Loyalty service providers Consumers - 15 - The technologies involved: how are they being leveraged for added security and user flexibility? • • Storage, provisioning and management of card credentials NFC vs. QR Code vs. Cloud – ID stored locally/physically (cards and chips) vs. centrally/online (software and databases) – Security issues, issuance, consumer device capabilities, merchant acceptance, transaction characteristic - 16 - The technologies involved: how are they being leveraged for added security and user flexibility? • • NFC: – Complex issuance: TSM and Secure Element ecosystem – Consumer device capabilities growing: 9 out of the top 10 OEMs support it – Merchant acceptance: Standards based; Growing in select developed countries; US migration to EMV may speed adoption – Transactions treated as "Card Present" – liability risk shifts to card issuer QR Codes: – Simpler issuance: Cloud based mobile application – Consumer device capabilities: Ubiquitous – Only requires data connection; may require camera – Merchant acceptance: Fragmented – No standards; numerous solutions available; Security model not yet fully defined; may require wireless connection – Transactions treated as "Card Not Present" – liability risk shifts to acquirer/merchant - 17 - The technologies involved: how are they being leveraged for added security and user flexibility? • • Cloud – Simpler issuance: Cloud based mobile application – Consumer device capabilities: Ubiquitous – Only requires data connection – Merchant acceptance: Fragmented – No standards; Security model not yet fully defined; requires wireless connection – Transactions treated as "Card Not Present" – liability risk shifts to acquirer/merchant Mobile payments levels of transaction: – Convenience vs. high value/risk transactions • Convenience transactions are low value/risk (e.g., under $50) and may be effected just by waving the mobile device at the POS terminal • High value/risk (e.g., $50 and greater) tends to require a combination of a mobile device at the POS and a pass code to be entered - 18 - The technologies involved: how are they being leveraged for added security and user flexibility? • SIM card vs. Hardware chip – Control and cost issues • Who will win the wallet war? – Balance between security and convenience; consumers demand both • Requirements for global scale adoption of mobile payments: – Development of industry standards – Overcoming barriers to acceptance – Device and reader terminal availability – Secure provisioning of card credentials • EMV and ISO standards provide security, reliability and interoperability; align with existing card terminal technology - 19 - Security & Privacy Issues Stephen Burns - 20 - PRIVACY & SECURITY TODAY'S DISCUSSION • • • • • A Privacy Primer The Cyber Threat Why We Care The Changing Face of Reasonable Some Practical Advice - 21 - PRIVACY IN A NUT SHELL - 22 - PERSONAL INFORMATION • Personal information is any information about an identifiable individual, other than the person's business title or business contact information when used or disclosed for the purpose of business communications. For example: – Age, income, marital status, dependents and ethnic origin – Social insurance number, drivers license number, credit card numbers, – Employment applications, resumes, reference letters, transcripts – Leasor information: compensation, lease terms, – Internet activity and computer usage – Emergency Response Plans: contact information, schools, • Personal information does not include anonymous or non-personal information (i.e., information that cannot be associated with or tracked back to a specific individual). - 23 - TEN PRINCIPLES • • • • • • • • • • Accountability Identifying Purposes Consent Limiting Collection Limiting Use, Disclosure & Retention Accuracy Safeguards Openness Individual Access Challenging Compliance - 24 - PRIVACY THRESHOLD An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. Where an organization collects, use or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed. - 25 - FOUR KEY COMPLIANCE QUESTIONS: • • • • Is the collection, use or disclosure of the personal information for a reasonable purpose? Is the personal information to be collected, used or disclosed limited to that which is necessary to meet the purpose? Is the collection, use or disclosure of the personal information authorized by law without the need to obtain consent from or provide notice to the individuals in question? Where collection, use or disclosure without consent from or notice to the individuals in question is not authorized by law, has the organization obtained consent from or provided notice to the individuals in question for such collection, use or disclosure? - 26 - ACCURACY Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. An organization must make a reasonable effort to ensure that any personal information collected, used, or disclosed by or on behalf of an organization is accurate and complete. - 27 - SAFEGUARDS Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. An organization must protect personal information that is in its custody or under its control by making reasonable security arrangements against such risks as unauthorized access, collection, use, disclosure, copying, modification, disposal or destruction - 28 - ACCOUNTABILITY An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party. An organization is responsible for personal information that is in its custody or under its control. Where an organization engages the services of a person, whether as an agent, by contract or otherwise, the organization is, with respect to those services, responsible for that person’s compliance with this Act. - 29 - OUTSOURCING (AB) OUTSIDE CANADA • Service provider: “any organization, including … a parent corporation, subsidiary, affiliate, contractor or subcontractor, that, directly or indirectly, provides a service for or on behalf of another organization” • Policies and practices to include information about: – the countries outside Canada in which the collection, use, disclosure or storage of personal information occurs or may occur – the purposes for which the service provider has been authorized to collect, use or disclose personal information for or on behalf of the organization • Written information must be made available on request - 30 - OUTSOURCING (AB) NOTICE REQUIRED • Notification is required when: – personal information is collected with consent by a service provider outside Canada – an organization transfers personal information collected with consent to a service provider outside Canada • Notification can be in writing or oral. Must include: – the way an individual may obtain access to written information about the organization’s policies and practices – the name or position name or title of a person who can answer questions about the collection, use, disclosure or storage of personal information by service providers outside Canada • Notice is in addition to general notification under s. 13 - 31 - BREACH REPORTING (AB) • Section 34.1 - organizations must notify the Commissioner of any “incident involving the loss of or unauthorized access to or disclosure” of personal information where a reasonable person would consider that there exists a real risk of significant harm to an individual • Must report “without unreasonable delay” • It is an offence not to notify the Commissioner of a breach under s. 34.1 - 32 - BREACH REPORTING (AB) • Section 19, PIPA Regulation: – description of circumstances of the incident – the date / time period of the incident – description of the personal information involved – an assessment of the risk of harm to individuals – estimated # of individuals – steps taken to reduce the risk of harm to individuals – steps taken to notify individuals of the incident – name/contact information of someone who can answer questions • OIPC AB Breach Notification Form: http://www.oipc.ab.ca/Content_Files/Files/Publications/Breach_Report_For m_2010.pdf - 33 - FEDERAL CHANGES COMING? • • The Privacy Commissioner of Canada released a position paper on May 23, 2013 which offers a roadmaps for modernizing Canada's federal private-sector privacy law Recommendations 1. Stronger enforcement powers • e.g. statutory damages to be administered by the Federal Court, providing the Privacy Commissioner with order-making powers and/or the power to impose administrative monetary penalties where the circumstances warrant. 2. Breach notification and application of penalties for breaches in certain cases 3. Increase transparency • Increased public reporting requirements regarding the use of an exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a warrant 4. Promote accountability - 34 - THE CYBER THREAT - 35 - THE CYBER THREAT Numerous potential adversaries with differing motivations using a variety of techniques • Adversaries – Sovereign states (e.g. targeted espionage) – Corporate Espionage – Criminals – Hackers / Hacktivists (hacker activists) • Motivations / Objectives – Stealing competitive intelligence – Stealing intellectual property – Siphoning off money – Disrupting operations – Bragging rights - 36 - NATURE OF CYBER ATTACKS • • Multi-pronged approach to penetrate a targeted company – Socially engineering current employees – Inserting moles into the company – Launching cyber attacks over an extended period New Technologies and New Threats – Social media – Mobile banking – Cloud computing – Bring-your-own-device ("BYOD") – Unstructured or "big data" - 37 - SOME CURRENT DATA • According to Verizon 2012 Data Breach Investigations Report: – 855 incidents in 2012, 174 million compromised records. – 98% of breaches stemmed from external agents – 4% of breaches implicated internal employees – 58% of all data theft tied to activist groups – 81% utilized some form of hacking – 96% of attacks were not highly difficult – 85% of breaches took weeks or more to discover – 92% of incidents were discovered by a third party - 38 - INDUSTRIES TARGETED Compromised records by industry group with breaches >1M records removed Taken from the Verizon 2012 Data Breach Investigations Report - 39 - WHY WE CARE - 40 - WHY WE CARE • • • 3 critical characteristics of information that are at risk from cyber attackers: – Confidentiality – Integrity – Availability Attacks on information assets can have an indirect impact on physical assets A cyber attack can also target physical assets more directly (stuxnet worm) • Accuracy, Safeguards and Accountability - 41 - COST OF A BREACH • • • • Lost opportunities, future revenue and market share Reputational harm – Long-term loss of confidence among customers and business partners – Diminished credibility Data loss / information theft Breach notification and regulatory oversight / investigation - 42 - BREACH RESPONSE COSTS • Expenses associated with a comprehensive breach response – Forensic examination (external or internal) to determine the severity and scope of a breach involving compromised computer systems or networks – Hiring third party vendors specializing in comprehensive breach response to provide call centre services – Credit or identity monitoring – Identity restoration if affected parties suffer actual identity theft – Public relations consultation fees - 43 - SECURITIES LAWS • Companies may be required to disclose when its data has been compromised pursuant to Canadian securities laws • New guidance from the SEC specifically outlining how publicly traded companies should disclose online attacks – Minimal disclosure has resulted from this guidance • Reputation, credibility and the speed of disclosure - 44 - LIABILITY FOR BREACH • • Fines and penalties from regulatory and industry bodies Potential civil liability exposure to numerous potential claimants (e.g. consumers, banks, etc.) – cost of defending claims + cost of settlement – Negligence – Breach of warranty – Failure to protect data – Failure to disclose defects in products or services regarding capabilities of protecting data – Unreasonable delay in remedying suspension of service or loss of data – Violations of applicable laws – Unfair or deceptive trade practices - 45 - "NEW" TORTS OF PRIVACY • Starting Point: – D. Warren & L.D. Brandeis, “The Right to Privacy” (1890) 4 Harv. L. R. 193 – William L. Prosser, “Privacy” (1960), 48 Cal. L. R. 383 • Prosser's Four Torts 1. Intrusion upon the plaintiff’s seclusion or solitude, or into his private affairs. 2. Public disclosure of embarrassing private facts about the plaintiff. 3. Publicity which places the plaintiff in a false light in the public eye. 4. Appropriation, for the defendant’s advantage, of the plaintiff’s name or likeness. – US Restatement (Second) of Torts (2010): General Principle § 652 1. One who invades the right of privacy of another is subject to liability for the resulting harm to the interests of the other. 2. The right of privacy is invaded by: a) unreasonable intrusion upon the seclusion of another, as stated in 652B; or b) appropriation of the other's name or likeness, as stated in 652C; or c) unreasonable publicity given to the other's private life, as stated in 652D; or d) publicity that unreasonably places the other in a false light before the public, as stated in 652E. - 46 - "NEW" TORTS OF PRIVACY • Statutory Torts of Invasion of Privacy – British Columbia, Privacy Act – Manitoba, Privacy Act – Saskatchewan, Privacy Act – Newfoundland, Privacy Act • Damages for Breach of PIPA – Alberta, Personal Information Protection Act – British Columbia, Personal Information Protection Act • Damages for Breach of PIPEDA (Humiliation) – Federal: Personal Information Protection and Electronic Documents Act - 47 - "NEW" TORTS : JONES v TSIGE (ONCA) • One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person. • "The key features of this cause of action are: – first, that the defendant’s conduct must be intentional, within which I would include reckless; – second that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and – third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish" • Damages …"proof of harm to a recognized economic interest is not an element of the cause of action … given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum …" - 48 - THE CHANGING FACE OF REASONABLE - 49 - A GROWING THREAT "Terrorism does remain the FBI's top priority, but in the not-too-distant future, we anticipate that the cyber threat will pose the number-one threat to our country" Robert Mueller, Director of the FBI - 50 - LOTS OF EXAMPLES …. - 51 - CANADA'S CYBER SECURITY STRATEGY • • • • • • Three pillars 1. Securing government systems 2. Partnering to secure vital cyber systems outside the federal government (e.g. critical infrastructure) 3. Helping Canadians to be secure online Canadian Cyber Incident Response Centre National Strategy and Action Plan for Critical Infrastructure Canada-United States Action Plan for Critical Infrastructure Council of Europe Convention on Cybercrime RCMP – Integrated Cyber Crime Fusion Centre - 52 - COUNCIL OF EUROPE CONVENTION ON CYBERCRIME • • • • The first international treaty addressing computer crime and internet crimes by harmonizing national laws, improving investigative techniques and increasing cooperation among nations. Entered into force on July 1, 2004 As of May 2013, 39 states had ratified the convention, and a further 11 states had signed the convention but not ratified it. Canada signed the treaty on November 23, 2011, but has not yet ratified the convention. - 53 - CANADA-UNITED STATES ACTION PLAN FOR CRITICAL INFRASTRUCTURE • • • Announced on July 13, 2010 by Janet Napolitano, Secretary of the U.S. Department of Homeland Security, and Vic Toews, Minister of Public Safety Canada Purpose – strengthen the safety, security and resilience of critical infrastructure in the U.S. and Canada through an enhanced cross-border approach – Enhance coordination and cooperation and facilitate continuous dialogue among cross-border stakeholders to better prevent, respond to, and recover from critical infrastructure disruptions Three key elements 1. Partnerships 2. Information Sharing 3. Risk Management - 54 - PCI - DATA SECURITY STANDARDS • • • Payment Card Industry (PCI) Data Security Standards (DSS) apply to all organizations that hold, process or exchange credit card information. On February 5, 2013, the Cloud Special Interest Group of the PCI Security Standards Council released the PCI DSS Cloud Computing Guidelines to provide specific guidance on the use of cloud computing and maintaining PCI controls in cloud environments. The guidelines are intended for use by organizations investigating, adopting or using cloud computing services as part of a cardholder data environment - 55 - OFFICE OF THE SUPERINTENDENT OF FINANCIAL INSTITUTIONS • OSFI is concerned with the rapid evolution of cyber attacks in terms of frequency, fire power and target • OSFI is planning on increasing its resources in the area of operational risk in order to do more reviews of federally regulated financial institutions (FRFIs), including review of technology risk with a focus on cyber security. - 56 - EUROPEAN CENTRAL BANK • Recommendations for the Security of Internet Payments (January 31, 2013) – Developed by the European Forum on the Security of Retail Payments (SecuRe Pay) – Payment Security Providers (PSPs) have until February 1, 2015 to implement the recommendations – Recommendations, key considerations and best practices applicable to governance authorities PSPs – Key Recommendation – The initiation of internet payments as well as access to sensitive payment data should be protected by strong customer authentication – Proposal – PSPs will accept liability for a fraudulent transaction is payment was properly authorized - 57 - US TREASURY DEPARTMENT • Financial Crimes Enforcements Network (FinCEN) – "Application of FinCEN's Regulations to Persons Administering, Exchanging, or Using Virtual Currencies" – March 18, 2013 – Guidance clarifying how regulations by FinCEN pursuant to the Bank Secrecy Act apply to "users", "administrators" and "exchangers" of "convertible virtual currency" - 58 - PRACTICAL STEPS - 59 - PATH FORWARD • • • • • • • • Identify the most sensitive, 'at risk' information Prioritize the protection of such information Limit access Implement policies and practices Implement real-time monitoring to detect and respond to intrusions Balance cyber security measures against other company objectives (e.g. productivity or collaboration across business boundaries) Benchmark internally and externally Monitor for changing standards - 60 - KEY QUESTIONS? • • • How will systems, applications and information be secured (technical, procedural, physical, contractual measures)? Are there obligations to third parties in respect of their information (confidential, privacy, other)? – Is further outsourcing permitted? – Is consent of a third party required? – What amendments to third party notices / agreements will be required? – Will amendments to privacy policies / practices be required? How will incidents be handled? – Breach Notification – Investigation – Mitigation – Reporting - 61 - Market Issues Duncan Card - 62 - Market Issues – from a legal and regulatory perspective: 1. The number (and specialized roles) of payment solution participants seems to be growing exponentially. Long way from handing over a banknote in exchange for goods or services. The days of only credit intermediaries and third party "brand credit services" between the payor, merchant, each of their banks and the "brand creditor" are long gone. NOW…..a host of value-add intermediaries from turn-key payment services for on-line transactions (PayPal), encryption and security services like authentication, chip manufacturers, payment "apps", device manufacturers to facilitate payment information transfer and enable transactions, to payment processors, network solution providers, affinity programs, payment software management tools, and even consulting services related to payment psychology and sociology. - 63 - 2. Contributor/Participant Integration…especially as merchants provide their own credit accounts; telco's form banks to facilitate payment solutions, online and otherwise; mobile telephones have become "wireless handheld devices" that enable direct data transmission for payment, transaction records, and authentification; Internet websites become "web enablers", such as Gmail (which integrates Google Wallet via a "$" icon to, for example, attach money to your email); perhaps "brand creditors" or telcos or large ISPs will acquire and vertically integrate payment processors, like Visa's acquisition of Cyber Source/Authorize.net – many others; there is also sector integration via personnel mobility…e.g., where the co-founder of Google Wallet (Rob von Behren) joined Braintree!; lastly…First Data bought, (then spun-off), Western Union (2006), but KKR was betting on continued consolidation demand when (in 2007) it, through a leveraged buyout, bought First Data for $26 billion – then First Data bought ICICI Bank's POS business ($80 million) – on and on (by the way, First Data's EVP and General Counsel's name…David Money – natch). 3. Consumer Demand • • • • security ease of use mobility speed • • • • integrated into apps accountability – substance – trust payment – "content" integration (Google Wallet) security (again) - 64 - Mobile Payments Regulation Lisa Abe-Oldenburg - 65 - Introduction • • • • • • • • Federal vs. Provincial Regulation Not all payments are regulated Payment Card Networks Act Report of the task Force for the Payments System Review Canadian Bankers Association Guidelines for Mobile Payments Recent amendments to CPA rules and standards Consumer Protection Issues Code of Conduct for the Debit and Credit Industry - 66 - Federal Regulation • • • • • • • Bank Act Federal Act respecting the Canadian Payments Association and the regulation of Systems and arrangements for the making of payments (Canadian "Payments Act") Federal Act respecting payment card networks ("Payment Card Networks Act") Federal Proceeds of Crime (Money Laundering) and Terrorist Financing Act Federal Payment Clearing and Settlement Act Federal Bills of Exchange Act Federal Competition Act - 67 - Federal Regulations • • • • • • The Financial Consumer Agency of Canada, established under section 3 of the Financial Consumer Agency of Canada Act, is responsible for supervising payment card network operators to determine whether they are in compliance with the provisions of this Payment Card Networks Act and the regulations Federallyâappointed Payments Systems Task Force, Canada’s financial institutions (FIs) are taking a leadership role in the area of the emerging field of mobile payments. Canadian Bankers Association (CBA) mobile guidelines Big Data issues – reform is coming Patchwork of Federal and provincial public sector and private sector privacy laws Federal Personal Information Protection and Electronic Documents Act ("PIPEDA") - 68 - Provincial Regulation • Consumer protection laws – provincial statutes and regulations – Most Canadian provinces have enacted laws that govern gift/prepaid and credit cards – BC • Prepaid Purchase Cards Regulation • Business Practices and Consumer Protection Act – Alberta • Reg 146/2008 Gift Card Regulation • Fair Trading Act and Cost of Credit Disclosure Regulation – Manitoba • Consumer Protection Act and Regulations • Prepaid Purchase Card Regulation • Gift Cards Act • Cost of Credit Disclosure Act - 69 - Provincial Regulation • Consumer protection laws – provincial statutes and regulations – Ontario • Consumer Protection Act and Regulations (cover gift and credit cards) – Nova Scotia • Consumer Protection Act and Regulations • Gift Card Regulations – PEI • Consumer Protection Act • Gift Cards Act and Regulations – Quebec • Consumer Protection Act • Money-Services Businesses Act – Also laws in NB, Sask, Nfld, Yukon, Nunavut - 70 - Not all payments are regulated • For example: – mobile p2p payments – loyalty, rewards or points cards, although privacy, ecommerce and advertising laws still apply – AML using prepaid cards • CPA makes rules, bylaws, standards that apply to payments exchanged by members who use these systems for clearing and settlement Voluntary commitments and codes of conduct – for the credit and debit card industry in Canada – to protect the interests of customers of financial institutions • - 71 - Payment Card Networks Act, S.C. 2010, c. 12, s. 1834 • • • • Purpose – to regulate national payment card networks and the commercial practices of payment card network operators "payment card network" means an electronic payment system – other than a prescribed payment system – used to accept, transmit or process transactions made by payment card for money, goods or services and to transfer information and funds among issuers, acquirers, merchants and payment card users. "payment card" means a credit or debit card – or any other prescribed device – used to access a credit or debit account on terms specified by the issuer Does not cover prepaid, loyalty, rewards or points cards - 72 - Payment Card Networks Act • • • "issuer" means an entity or provincial Crown corporation that issues payment cards "acquirer" means an entity that enables merchants to accept payments by payment card by providing merchants with access to a payment card network for the transmission or processing of those payments. "payment card network operator" means an entity that operates or manages a payment card network, including by establishing standards and procedures for the acceptance, transmission or processing of payment transactions and by facilitating the electronic transfer of information and funds - 73 - Report of the Task Force for the Payments System Review • Recommendations – request from the federal government’s Task Force for the Payments System Review that financial institutions develop mobile payment standards – Canadian Banker's Association established guidelines for various participants in the Canadian mobile commerce ecosystem, which most Canadian banks and credit unions have agreed to adhere to - 74 - Canadian Bankers Association Mobile Payments Guidelines (NFC Mobile Payments Reference Model) • • • Objective: to address challenges and provide a framework for the interactions between the different ecosystem participants. Interoperability between the Mobile Network Operators (MNOs, e.g. Rogers, Bell, Telus, Public Mobile, Wind, Videotron) and payment networks (e.g. Visa, MasterCard, Interac) is a key objective for these guidelines. The guidelines outline the functional elements, roles and responsibilities, and interaction models needed for the development of an effective, affordable, and consumer and merchantâfriendly NFC based mobile payments system in Canada Binds only those banks and credit unions that participated in its development (along with their partners), but all participants need to be aware of their requirements - 75 - Canadian Mobile Payments Guidelines (cont.) • Canadian mobile payments solution framework and ecosystem – convenient, open, safe and secure ecosystem – Typically, payment credentials and mobile device hardware are managed by different organizations. This creates a unique challenge as it requires multiple parties to work together to successfully deliver NFC mobile payment services. – The guidelines are limited to the payment model in which payment card credentials are stored on a SIM card or embedded in the secure element of a smartphone, and payment is effected by a user selecting a payment method from the "mobile wallet" stored on the smartphone and tapping the smartphone on an NFC-enabled point-of-sale device. This payment model is presently being rolled out by Canadian financial institutions and mobile network operators. - 76 - Canadian Mobile Payments Guidelines (cont.) • Canadian mobile payments solution framework and ecosystem – Guidelines support Visa, MasterCard and Interac specifications for NFC transactions requiring mobile devices to support the EMV mode and the MSD mode – Guidelines also contain elements from various other guidelines and regimes, including SEPA, GSMA/EPC, EMVCo, GlobalPlatform, PayEz and AFSCM. – focus is on the software required for interoperability of components, NFC mobile devices and POS systems – credential issuers will be able to operate on various NFC mobile devices – NFC contactless reader compliant to ISO 14443 Type A or ISO 14443 Type B will be able to communicate with any NFC mobile device; and any over-the-air platform will be able to communicate with any credential issuer - 77 - Canadian Mobile Payments Guidelines (cont.) • Wallet features and functionality – While the guidelines address both hardware and software issues, the focus is on software; in particular mobile wallet software. The guidelines outline procedures related to mobile wallet design, installation on mobile devices, and execution of mobile payments, including a section on wallet and payment application features, functionality and security – Three types of mobile wallets: • Proprietary wallet design - only payment credentials from the wallet provider may be used to make a payment • Collective wallet design - payment credentials from a group of credential issuers may be used to make a payment • Open wallet design - payment credentials from multiple credential issuers can be used to make payments – Open wallets require agreements and business relationships between credential issuers and wallet providers. - 78 - Canadian Mobile Payments Guidelines (cont.) • Wallet features and functionality – The guideline acknowledges that the industry will gravitate toward proprietary and collective wallets – In order to promote openness, the guideline does not allow mobile wallets, mobile network operators, original equipment manufacturers, secure domain managers and credential issuers to restrict access to payment applications from debit and credit payment networks, prepaid products, transit and loyalty products, and products issued in a foreign currency. – Emphasis on consumer choice for which payment types may be embedded on a smartphone and for whether use will be password protected. - 79 - Canadian Mobile Payments Guidelines (cont.) • Enablement and lifecycle management – Setup steps needed to install, use, maintain and terminate a mobile wallet and payment application on a mobile device, securely bind the applications and manage these applications over customer lifecycle events (e.g. lost or stolen phones) – Importance of sound contractual business relationships among the various participants in the mobile payment ecosystem – Mention possibility of the creation of a central hub organization or central controlling authority to manage those relationships. No detail provided as organization structure, but likely different from the self-regulatory organization proposed by the Task Force for the Payments System Review - 80 - Canadian Mobile Payments Guidelines (cont.) • Transactions – Once the initial setup is complete, an NFC based mobile payment transaction may be performed. – Certain steps are required to perform an NFC mobile payment. The solution is designed to consider low value, high value and high risk transactions. The solution is characterized by a radio frequency short read range distance that requires the mobile handset to be presented close to the contactless reader to enable a transaction. - 81 - Canadian Mobile Payments Guidelines (cont.) • Loyalty and rewards – Loyalty & Rewards is a rapidly evolving space and there are many types of loyalty and reward programs available to consumers (e.g. bonus points and cashâback programs, loyalty rewards redemptions, merchantâfunded discount and promotional programs, coupons and vouchers) – Sets out guidelines for ensuring that these programs can be integrated with NFC mobile payments and how loyalty and rewards programs, couponing rebates and vouchers will operate, whether operated by merchants, issuers or other ecosystem participants – Merchants and application developers must be mindful to follow the standards set out in the guidelines, including the use of ISO/IEC 14443 for the transmission of loyalty and rewards data using NFC - 82 - Canadian Mobile Payments Guidelines (cont.) • Data and security – General guideline that each ecosystem participant should only have access to the minimum information required to perform its primary role. – Default should be to protect consumer and merchant data – It is not clear who would have access to consumer purchasing information that would be of interest to merchants. – Detailed data and security guidelines and standards are set out in the guideline PCI-DSS compliance is the standard for data protection – The data and security standards may affect development and use of wallet and payment apps in Canada, as the guideline allows information about transactions, loyalty programs and consumers to be used only in certain ways - 83 - Canadian Mobile Payments Guidelines (cont.) • Government reaction – The voluntary Code of Conduct for the Credit and Debit Card Industry in Canada (the Code) must be revised for the quickly evolving mobile payment ecosystem – Code amendments would need to anticipate all forms of emerging mobile payment technology – Out-of-scope of the guidelines are remote mobile payments, storing of payment credentials on micro SD memory cards and NFC cases, the use of cloud-based mobile payments (where credentials are stored on a server and accessed by Internet), barcode, bluetooth, passive NFC and RFID and p2p based payments - 84 - Recent amendments to Canadian Payments Association (CPA) rules and standards • • • CPA operates pursuant to a legal framework set out in the federal Canadian Payments Act CPA’s mandate to establish and operate national systems for the clearing and settlement of payments within Canada, principally the Automated Clearing Settlement System (ACSS) and the Large Value Transfer System (LVTS), as well as the US Bulk Exchange (USBE). Pursuant to the Act, the CPA develops and implements rules, standards, and procedures that apply to payments exchanged by CPA members who use these systems for clearing and settlement. - 85 - Recent amendments to CPA rules and standards • Amendments to Automated Clearing and Settlement System (ACSS) Rules and Standards came into effect on April 22, 2013 • The rules that were amended include RULE E3, which governs the Exchange of credit-driven Canadian dollar electronic data interchange (EDI) Payment Items amongst Canadian financial institutions, for the purpose of Clearing and Settlement – Part I sets out the general rules relating to the Exchange of such Items for the purpose of Clearing and Settlement (including systems, software maintenance and disaster recovery) – Part II sets out the technical specifications applicable to the Exchanges. - 86 - Recent amendments to CPA rules and standards • • The amendments deal with the Direct Participant’s reporting obligations to the CPA in the event of encountering a Severity 1 Contingency Situation. A “Severity 1 Contingency Situation” occurs when the Direct Participant cannot receive or process EDI Transmissions. - 87 - Recent amendments to CPA rules and standards • Amendments were also made to Standard 014, the Clearing Replacement Document Design Standard, which sets out the minimum mandatory requirements for the creation and use of Clearing Replacement Documents (CRDs). – “Clearing Replacement Document” or “CRD” means a form of Image Printout that meets the specifications in Standard 014, and which may be used for presentment and return purposes in place of an original paper Payment Item in accordance with Rule A10. – This standard will ensure that all CRDs that are generated for the purpose of replacing an original paper payment item (e.g. a cheque) for presentment to a Drawee may be processed accurately and efficiently by the Drawee. – Compliance with this standard is important for remote deposit of cheques. - 88 - Recent amendments to CPA rules and standards • In addition to financial institutions, Mobile payments processors and software developers need to ensure the images of payment items created by mobile devices will meet the technical requirements of Standard 014. - 89 - Consumer Protection Issues • Consumers with credit cards from banks are protected by Bank Act regulations that require: – Disclosure of the interest rate at the time of solicitation or application, and on every one of your monthly statements – Statements to include itemized transactions, the amount you must pay on or before the due date in order to have the benefit of a grace period – Disclosure of the previous month’s payments and the current month’s purchases, credit advances, as well as interest and non-interest charges – Plain language information for customers – Rules on advertising – Limits on consumer liability in the event of fraud - 90 - Consumer Protection Issues • • Canadian Code of Practice for Consumer Debit Card Services Principles of Consumer Protection for Electronic Commerce – Voluntary code for Canadian Bankers Association members – Provides a framework for commerce over open networks, including the internet • Equivalent protection – “Consumers” should not be afforded any less protection in “electronic commerce” than in other forms of commerce. Consumer protection provisions should be designed to achieve the same results whatever the medium of commerce. • Harmonization – Canadian governments should adapt existing consumer protection laws to apply to electronic commerce, and should strive to harmonize provisions across jurisdictions without requiring any jurisdiction to lower its standards. - 91 - Consumer Protection Issues • • Principles of Consumer Protection for Electronic Commerce (cont.) • International consistency – Without compromising the level of protection provided to consumers under the principles in this document or under existing laws, the Canadian consumer protection framework should be consistent with directions in consumer protection established by international bodies such as the Organisation for Economic Co-operation and Development. Principles in Summary: 1. Consumers should be provided with clear and sufficient information to make an informed choice about whether and how to make a purchase. 2. “Vendors” should take reasonable steps to ensure that the consumer’s agreement to contract is fully informed and intentional. 3. Vendors and “intermediaries” should respect the privacy principles set out in the CSA International’s Model Code for the Protection of Personal Information. - 92 - Consumer Protection Issues • Principles of Consumer Protection for Electronic Commerce (cont.) 4. Vendors and intermediaries should take reasonable steps to ensure that “transactions” in which they are involved are secure. Consumers should act prudently when undertaking transactions. 5. Consumers should have access to fair, timely, effective and affordable means for resolving problems with any transaction. 6. Consumers should be protected from unreasonable liability for payments in transactions. 7. Vendors should not transmit commercial E-mail without the consent of consumers, or unless a vendor has an existing relationship with a consumer. 8. Government, business and consumer groups should promote consumer awareness about the safe use of electronic commerce. - 93 - Consumer Protection Issues • Provincial consumer protection statutes and regulations – Consumer agreements have specific requirements, e.g. minimum payment obligations, disclosure, signature, writing, delivery, content/terms, express opportunity to accept or decline, cooling off periods, cancellation rights, amendment – Internet Agreements are formed by text-based Internet communications have their own unique requirements – Ont. CPA - "Internet" means a decentralized global network connecting networks of computers and similar services to each other for the electronic exchange of information using standardized communication protocols – Not clear how this will apply to mobile computing - 94 - Consumer Protection Issues • Provincial consumer protection statutes and regulations – Also separate requirements for: • Remote Agreements – when the consumer and supplier are not present together • Direct Agreements – when the consumer agreement is negotiated or concluded at a place other than the supplier's place of business or marketplace • Credit, credit card and payday agreements with consumers – E.g. liability for unauthorized credit card charges capped at $50 (CPA, s. 69 and CPAR, s. 58) • Ont. Reg. 17/05 under CPA - Gift card agreements - 95 - Code of Conduct for the Debit and Credit Industry In Canada • • Code came into effect in August 2010 to help merchants and consumers clearly understand the costs and benefits of credit and debit cards When initially developed, the Code underwent extensive consultations with merchant and consumer associations, debit and credit card networks, payment processors, and credit card issuers across Canada - 96 - Code of Conduct for the Debit and Credit Industry In Canada • • • Purpose – to demonstrate the industry's commitment to: – Ensuring that merchants are fully aware of the costs associated with accepting credit and debit card payments thereby allowing merchants to reasonably forecast their monthly costs related to accepting such payments – Providing merchants with increased pricing flexibility to encourage consumers to choose the lowest-cost payment option – Allowing merchants to freely choose which payment options they will accept Code applies to credit and debit card networks and their participants (i.e. card issuers and acquirers) Code incorporated into payment card networks' contracts, governing rules and regulations - 97 - Code of Conduct for the Debit and Credit Industry In Canada • • • • • Task Force for the Payments System Review and the Canadian Guidelines for Mobile Payments called for review of the Code On Sept 18 2012, Harper Government announced Code of Conduct expansion to mobile payments, and released a proposed Addendum to the Code for public consultation, circulated for 60 days comment. Comments were invited on whether the Addendum should apply to other entities enabling mobile payments Elements 1, 2, 3, 5, and 9, will continue to apply to mobile payments as written Clarifications are proposed to Elements 4, 6, 7, 8 and 10 to guide their application to mobile payments. - 98 - Code of Conduct for the Debit and Credit Industry In Canada • • The Code covers several methods of making payments, including point-of-sale, Internet and telephone. The proposed Addendum extends the application of the Code to credit and debit card networks and their participants that offer mobile payments at the point of sale For the purposes of the Addendum, references to “payment card” networks and “payment card” network rules shall be interpreted to include credit and debit payment applications (referred to as “payment apps”) offered by payment card networks which can be accessed by consumers using a mobile device. Payment apps may be stored separately or centrally (i.e., in a digital/mobile wallet) on a mobile device - 99 - Code of Conduct for the Debit and Credit Industry In Canada • • Financial Consumer Agency of Canada (FCAC) monitors and enforces compliance with the code 10 Elements 1. Transparency and disclosure of information to Merchants • Rates and fees, e.g. interchange, discounts • Transaction details, e.g. number, volume, type 2. 90 days notice for rate/fee changes (unless pre-determined schedule in merchant contract), 180 days for structural changes 3. Cancellation of contract by merchant without penalty within 90 day period - 100 - Code of Conduct for the Debit and Credit Industry In Canada 4. Merchant can choose to accept only credit or debit payments from a network, without having to accept both Payment card network rules will ensure that merchants who accept credit or debit card payments from a particular network through a mobile device will not be obligated to accept all products available in that payment network’s mobile wallet. 5. Merchants allowed to provide different discounts for different methods of payment among different networks (e.g. cash, debit card, credit card) - 101 - Code of Conduct for the Debit and Credit Industry In Canada 6. Competing domestic applications from different networks shall not be offered on the same debit card. However, non-competing complementary domestic applications from different networks may exist on the same debit card. • A debit card may contain multiple applications, such as PIN-based and contactless. A card may not have applications from more than one network to process each type of domestic transaction, such as POS, Internet, telephone, etc. This limitation does not apply to ABM or international transactions Competing domestic debit apps can be stored on, or accessed by the same mobile device, provided that they are represented as a separate payment app and consumers can select which payment app shall be used for a transaction. - 102 - Code of Conduct for the Debit and Credit Industry In Canada • 10 Principles (cont.) 7. Co-badged debit cards must be equally branded • Available payment networks on payment cards must be clearly indicated • No preferential branding. Logos must be same size, side and either colour, black or white. The principle of equal branding applies to all representations of payment apps (i.e. credit and debit) available on, or through, a mobile device. Payment card network rules shall ensure that consumers have full discretion to establish any default preference(s) for payment options. Establishing default preferences should be done by users based on a clear and transparent process and users should be able to easily change default settings. - 103 - Code of Conduct for the Debit and Credit Industry In Canada • 10 Principles (cont.) 8. Debit and credit card functions shall not co-reside on the same payment card • Problems with access to different accounts, with different terms, fees and features – consumer confusion Credit and debit card functions shall not co-reside on the same payment app. Credit and debit payment apps can be stored on, or accessed by the same mobile device, provided that they are clearly separate payment apps. 9. Premium cards (which have higher than average interchange rates) may only be given to consumers who apply or consent, and who have certain spending and/or income thresholds - 104 - Code of Conduct for the Debit and Credit Industry In Canada • 10 Principles (cont.) 10. Negative option acceptance is not allowed • If payment card networks introduce new products or services, merchants shall not be obligated to accept those new products or services. Merchants must provide their express consent to accept the new products or services. Stakeholders are invited to provide comments on whether express consent should be required from merchants to accept debit or credit payment applications through a mobile device, where fees to merchants remain unchanged and no new infrastructure purchases are required. - 105 - Code of Conduct for the Debit and Credit Industry In Canada • • • February 13, 2013, the FCAC issued Commissioner's Guidance CG-10 in respect of the Code, to address the lack of transparency in respect of some sales and business practices; a lack of clarity of disclosures where multiple merchant service agreements are required; and multiple contract cancellation fees The Guidance clarifies certain requirements of the Code in respect of payment card networks that operate in Canada and their participants, including, for the first time, independent sales organizations (ISOs) and other service providers (e.g., processors, terminal lessors) Payment card network operators (PCNO) were to incorporate the amendments into their operating rules by May 14, 2013, with all industry participants expected to comply within 180 days of the date that PCNO operating rules were amended - 106 - Regulations on prepaid cards • • • October 24, 2012 - The Minister of Finance and Deputy Commissioner of the Financial Consumer Agency of Canada (FCAC), announced new regulations to protect consumers when using prepaid credit cards The proposed Federal regulation will eliminate expiry dates on non-promotional prepaid credit products (while allowing for alternative funds access mechanisms for phased out products), and prevent the levy of certain fees without express consent of the user Initial fees on the product are allowed, but subject to strict disclosure requirements - 107 - Regulations on prepaid cards • To support informed financial decision making, the proposed Regulations would require disclosure of fees in an information box to appear prominently on the exterior packaging and other documentation prior to issuance. The proposed Regulations would also require that information pertinent to continued usage be available on the product, including where to access the full terms and conditions of usage and a tollfree number to access the remaining balance - 108 - Regulations on prepaid cards • Apply to prepaid payment products that are issued in Canada by an "institution", meaning: (a) a bank, as defined in section 2 of the Bank Act; (b) an authorized foreign bank, as defined in section 2 of the Bank Act; (c) a retail association, as defined in section 2 of the Cooperative Credit Associations Act; (d) a company, as defined in subsection 2(1) of the Insurance Companies Act; (e) a foreign company, as defined in subsection 2(1) of the Insurance Companies Act; or (f) a company, as defined in section 2 of the Trust and Loan Companies Act. - 109 - Payment Card Industry (PCI) Data Security Standard (DSS) • • • • • The PCI Security Standards Council developed standards and supporting materials to enhance payment card data security A framework of specifications, tools, measurements and support resources to help organizations ensure the safe handling of cardholder information at every step including prevention, detection and appropriate reaction to security incidents. Need broad adoption of consistent global data security measures Baseline of technical and operational requirements designed PCIDSS can be licensed from the PCI Security Standards Council, LLC, Wakefield, MA , which owns the copyright in the specifications and materials, under Delaware law - 110 - Payment Card Industry (PCI) Data Security Standard (DSS) • • To help software vendors and others develop secure payment applications, the Council maintains the Payment Application Data Security Standard (PA-DSS) and a list of Validated Payment Applications. The Council also provides training to professional firms and individuals so that they can assist organizations with their compliance efforts. The Council maintains public resources such as lists of Qualified Security Assessors (QSAs), Payment Application Qualified Security Assessors (PA-QSAs), and Approved Scanning Vendors (ASVs). Large firms seeking to educate their employees can take advantage of the Internal Security Assessor (ISA) education program. - 111 - Payment Card Industry (PCI) Data Security Standard (DSS) • Canadian FI's have adopted PCI DSS • PCI DSS requires organizations that collect, process, transmit or store cardholder data to uphold and maintain the data security standards set by the payment industry worldwide and managed by the PCI Security Standards Council (PCI SSC) • FI's typically require all merchants who collect, process, transmit or store cardholder data to comply with PCI DSS. – pursuant to their processing services agreement • Failure to comply with PCI DSS and the Payment Card Networks’ Compliance Programs may result in a Merchant being subject to fines, fees or assessments and/or termination of processing services - 112 - Payment Card Industry (PCI) Data Security Standard (DSS) • • • PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures The result is a comprehensive standard intended to help organizations protect consumer cardholder data Key requirements of PCI DSS: – Build and Maintain a Secure Network • Install and maintain a firewall configuration to protect cardholder data • Do not use vendor-supplied defaults for system passwords and other security parameters - 113 - Payment Card Industry (PCI) Data Security Standard (DSS) – Protect Cardholder Data • Protect stored cardholder data • Encrypt transmission of cardholder data across open, public networks – Maintain a Vulnerability Management Program • Use and regularly update anti-virus software • Develop and maintain secure systems and applications – Implement Strong Access Control Measures • Restrict access to cardholder data by business need-to-know • Assign a unique ID to each person with computer access • Restrict physical access to cardholder data – Regularly Monitor and Test Networks • Track and monitor all access to network resources and cardholder data • Regularly test security systems and processes – Maintain an Information Security Policy - 114 - Payment Card Industry (PCI) Data Security Standard (DSS) • • • • • PCIDSS requirements need to be considered in all contracts with participants in mobile payments Trickle-down effect from merchant obligations - service providers that store, process, or transmit cardholder data on behalf of a merchant or other service providers must comply with PCI DSS and validate their compliance using the appropriate method Merchant levels and the validation requirements for each level, as determined by Visa Canada and MasterCard Data security firms (qualified security assessors) such as Trustwave provide information security and PCI compliance services The PCI DSS and supporting documentation can be found at https://www.pcisecuritystandards.org - 115 - PIN Security Requirements • • For device vendors and manufacturers, the PCI Security Standards Council provides the PIN Transaction Security (PTS) requirements, which contains a single set of requirements for all personal identification number (PIN) terminals, including POS devices, encrypting PIN pads and unattended payment terminals. The Council also provides a list of approved PIN transaction devices - 116 - Payment Application Data Security Standard (PA-DSS) • • Also managed by the PCI SSC. This standard is based on Visa’s Payment Application Best Practices (PABP). Many merchants deploy third party payment applications that are tailored to their business needs to assist them in accepting credit card payments. The goal of PADSS is to assist software vendors in developing secure payment applications that do not store prohibited data, such as full magnetic stripe data, card verification values, or PIN data, and ensure their payment applications support compliance with the PCI DSS standard. Vulnerable payment applications that store prohibited data are the leading cause of account data compromises among small merchants. - 117 - Payment Application Data Security Standard (PA-DSS) • • Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements. In-house payment applications developed by merchants or service providers that are not sold to third parties are not subject to the PA-DSS requirements, but must still be secured in accordance with the PCI DSS. PA-DSS is not applicable to standalone point-of-sale terminals, database software or web server software. Further information on PA-DSS including a list of payment applications that have validated their compliance to PA-DSS can be found at: www.pcisecuritystandards.org - 118 - Mobile Payments Regulation Milos Barutciski - 119 - Anti-Money Laundering Regulation • Background to AML regulation – Financial Action Task Force (FATF) – FATF Recommendations – Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCTFA) – Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) - 120 - Overview of Money-Laundering • Essential elements of money-laundering – Placement – Layering – Integration • Typologies – FINTRAC Typologies Reports - 121 - Overview of AML Regulation (1) • Scope of application • Reporting entities – Financial entities – Life insurance – Money services businesses – Securities dealers – Real estate brokers – Casinos – Accountants – Other - 122 - Overview of AML Regulation (2) • • • • • Know-your-client (KYC) obligations Verification/Authentification Record-keeping Politically Exposed Foreign Persons Reporting – Large cash transactions – Electronic funds transfers – Cross-border transfers – Suspicious transactions - 123 - Overview of AML Regulation (3) • Mandatory compliance policy • Tipping • Offenses and penalties – Criminal offence – Administrative monetary penalties (AMPs) - 124 - AML and New Payments Methods • Mobile and prepaid payments developments • AML concerns with new payment methods – Identification/Anonymity – Value limits – Funding methods – Geographic scope/cross-border • Gaps in the AML regulatory system • Monitoring and mitigating risk - 125 - AML and New Payment Methods: Policy Responses • 2010 FATF Report on New Payment Methods • 2011 Finance Canada Consultations on Strengthening Canada's Anti-Money Laundering and Anti-Terrorist Financing Regime • 2012 Report of the Senate Standing Committee on Banking, Trade & Commerce - 126 - Commercialization of Payment Solutions Duncan Card - 127 - Commercialization of Payment Solutions A CHALLENGING ENVIRONMENT FOR COMMERCIALIZATION 1. New solutions…continuously: • • • • digital currency, e.g. bitcoin (BTC) cryptocurrencies electronic barter systems merchant currency (often tied to affinity programs, but tradable) technology innovations (hardware, devices, equipment, chips, software, processes) 2. New participants…constantly: • • • • • • • • • value-add intermediaries telco engagement ISP/web engagement tech product/equipment software vendors – payment "apps" network managers consumer devices off-shore services payment integration management - 128 - 3. Context of Security – fast moving target: • privacy legislation, regulatory oversight, and enforcement • enterprise crime – going after information that others have about individuals and companies • "hackers" – both attacking commercial and personal targets • organized crime - 4. physical and online theft of personal and financial information money laundering (e.g. overpayment of merchant accounts, then direction to pay) identity theft • information cyber security – Mandiant Report, State Sponsored unauthorized access to IP and confidential information • Cyber Warfare – mostly third parties (organized crime, "ethical" associations, non-state agents, such as terrorists, state sponsored agents, and governments), attack critical infrastructure, including financial systems of all types = payment system risk Rapid Proliferation of Value-Add Participants • from simply handing over money to a merchant, to a series of credit/debit obligations transacted through a myriad of diverse technologies and global contributors who are both visible and invisible to the consumer • everyone wants a piece of the money trail – as they say, "follow the money" • everyone wants to take a piece of that money trail along the way, one way or another, giving rise to new economies – micro payments are like very small royalties paid over a vast number of transactions - 129 - COMMERCIAL IMPLICATIONS 1. Since micro-royalty structures for intermediaries will be shared over vast numbers of transactions, having a significant market share in your contribution is important. 2. Significant market share means having "the killer app", or owning a particular space in the entire process, or adding up your roles/contributions (e.g. wireless device + the app chip + security and authentification + telco services + billing services + being the consumer's bank in the process) 3. The more intermediaries who come to the party, the harder the "end-to-end solution" is to operate, keep secure and manage – so payment solution governance and management systems are increasing in importance. 4. What are all of the contractual relationships, and which contributors do not have contractual priority with other contributors to the solution? 5. Who will, from a brand management perspective, own the merchant and/or the consumer? Who will be the brand key point of contact? 6. Will the convergence of so many participants be balanced, stable, seamless, wellmanaged (risk and otherwise) or, will it create more "cracks" through which the metaphorical penny might drop? 7. How do regulators (and regulations) keep up to date, hence the risk of ad hoc or de facto legal or regulatory disapproval over an otherwise excellent payment solution (or key parts of it)? - 130 - PAYMENT SOLUTION COMMERCIALIZATION – STRUCTURAL LEGAL ISSUES 1. Sorting Out Who Contributes What, and on what basis. • draw diagrams of both the end-to-end payment solution, and include all of the contributors and the operational (functional) overview of what each contributor brings to the solution • assess which contributor is providing what good/service to which other contributor on a commercial basis – is there privity of contract • which contributors do other contributors depend upon for the delivery of goods/services into the payment solution without any commercial or contractual obligations between them • Real Danger of technology, process, brand alliance and trade-mark flooding and confusion as the market becomes overcrowded with a proliferation of vastly different payment methods – at one point, many predict the payment market will "simplify or narrow down" leaving many excellent consortia by the side of the road - 131 - PAYMENT SOLUTION COMMERCIALIZATION – STRUCTURAL & LEGAL ISSUES 2. Commercial Structure & Risk Management • which participant "owns" the payment solution? Brand or Reputation? • is there a "prime contractor" sponsor? • are there numerous "side deals" coming together in the consortium? • where are the risks and liabilities along the payment chain, and which participants hold which particular risks? • what are the co-opetition risks? Is the telco in the consortium also a competing bank? Will other participants disintermediate banks, e.g. Google $ • what fees will be deducted from the consumer transaction, and of those fees…how much will be paid to "process partners" $100 transaction → reasonable estimate that $3.00 will be deducted along the money trail (credit card interchange, issuing bank, processor, merchant account → of that $3.00, what will be paid for related intermediary services (authentification, technology licensors, device owners, third party processors)? - 132 - PAYMENT SOLUTION COMMERCIALIZATION – STRUCTURAL & LEGAL ISSUES 3. Contract Terms • • • • define the good/service contribution/obligations warrant operational/functional performance warrant compatibility of each good/service with all of consortia "pieces" (fit) stipulate what all of the other pieces are that are required (as a condition precedent) for your piece to fit: • • • • • • • • chip (ID) wireless device security payment apps • • • • network provider payment processor authentification e-commerce app and POS tech • • • • bank/issuer credit card payment app gateway financial compensation personal information: protect; confidential; compliance with laws customer ownership + who keeps what transaction information? brand identification – who will the solution be branded by: the bank; the telco; the credit card • Bell Mobile Wallet • Google Wallet • Vision Mobile Platform • CIBC Mobile Payment App • Rogers Suretap™ ("turns your wireless smart phone into a mobile wallet") - 133 - PAYMENT SOLUTION COMMERCIALIZATION – STRUCTURAL & LEGAL ISSUES 3. Contract Terms (con't) • • • • • • to what extent should contributors/participants be liable for the conduct of their side-deal contractors (to what extent are those products/services included?)) audit rights – performance verification and "problem diagnostics" – how do contract parties get access to non-contract participant information? payment solution problem: identification, assessment, diagnostics, fixes, process revisions, improvements individually and collectively (cooperation) both as between the parties and extending to non-contract contributors (e.g. various solution apps) third party liability and "class damages" – merchants and consumers and both as between the parties how does the "brand prime" contractually limit and exclude liability with merchants/consumers to protect entire consortium? LOL Clauses: what is the aggregate transaction value; how does that value relate to the possible harm that could be caused (depending upon the particular contribution); what is reasonable? - 134 - PAYMENT SOLUTION COMMERCIALIZATION – STRUCTURAL LEGAL ISSUES 3. Contract Terms (con't) • • • • • solution-wide audit participation – regulatory, consumer protection, criminal investigations, privacy investigations, participant investigations (e.g. Visa or Master Card) require each of the consortium participants to report any breach of their agreements by them (in writing, promptly, reasonable information, rootcause analysis, what the impact is, and both remediation and avoidance) payment solution multi-party management – regular and organized full consortium meetings; steering committee; minutes (subject to attending legal counsel re: off record information); dispute resolution; change management; providing collective oversight and governance (without any authority to amend the associated contracts!) dispute resolution: ADR = confidential/expert/fast dovetail all of the consortium contracts on key solution issues: e.g., audit, reporting, change management, ADR and other terms where all participants will have to move in the same direction - 135 - In-House Counsel Primer: Oversight, Compliance & Implementation Duncan Card - 136 - In-House Counsel Primer: Oversight, Compliance & Implementation ……taking a very broach approach…… 1. Commercial Context 1.1 Who are all of the participants or parties? 1.2 What goods/services are being provided by whom to whom? 1.3 What are the contractual vs. non-contractual relationships? 1.4 What are the "contribution" pre-conditions – which party must provide what goods/services for client to perform? 1.5 Do the parties have the right/authorization to provide their respective contributions: IP, contractual, regulatory? 1.6 What is your client's business objective? Desired outcome? Business case? Transaction ROI? 1.7 How to fully protect client interests to promote and facilitate that outcome/objective: brand positioning; own the customer; IP ownership; prevent unfair competition by others; exclusivity…etc.? 1.8 Map out any consortium transactions in a diagram to understand all commercial relationships. - 137 - In-House Counsel Primer: Oversight, Compliance & Implementation 2. Legal & Regulatory Assessment 2.1 Trade Association Agreement: standards; affiliation contracts; existing commercial obligations to third parties; trade association guidelines (e.g. CBA Guidelines For Mobile Payments); Federal Government – Code of Conduct for Credit & Debit Cards, Canadian Payments Association rules; codes of conduct; consider applicability of domestic and foreign trade rules; requirements and restrictions. 2.2 Privacy: Domestic federal and provincial; applicability of foreign laws and regulations (e.g. cross-border payment networks); related security measure requirements; "cloud" risks. 2.3 Payment Card Networks Act. 2.4 Anti Money Laundering. 2.5 Records & Data Management Laws/Regulations: on a sector-by-sector basis, depending upon how regulated the industry is; tax records requirements; customs records requirements; GAAP requirements for creation and maintenance of electronic records; vulnerability of data to third party access/interception (e.g. U.S. Patriot Act); "cloud" risks. - 138 - In-House Counsel Primer: Oversight, Compliance & Implementation 2. Legal & Regulatory Assessment (con't.) 2.6 Competition Law: identify the legal concerns (especially for coopetition transactions) and develop a management strategy (if possible). 2.7 International Settlements (Immunity) Act. 2.8 Consumer Protection Laws. 2.9 Federal Payments Act – and any corresponding U.S./foreign laws (e.g. U.S. Electronic Funds Transfer Act, first enacted in 1978). 2.10 Payment Clearing & Settlement Act. 2.11 Currency Act, e.g. section 8 identifies legal tender for payment as coins or banknotes. 2.12 Many emerging provincial laws, e.g. gift cards, pre-pad cards, and "moneyservices" laws. - 139 - In-House Counsel Primer: Oversight, Compliance & Implementation 3. General Contractual Issues 3.1 Define the contribution, goods or services: detailed operational, functional and technical specifications. 3.2 Pre-Conditions: third party product compatibility, inter-operability and connectivity; what other contributions your contributor will require, prefer or request; beta-testing terms/trial; third party contractual rights/participation being secured; regulatory approvals; use/opinions, including guideline/rule/code compliance. 3.3 Term, Right of Extrication, Wind-down transition. 3.4 Financial Issues: compensation; shared cost; audits? 3.5 Brand Control: ownership; recognition or invisible? 3.6 Ownership: results of test; operational data rights (license; customer identity; customer (payment solution) behaviour; each participant's experience as related to your contribution. - 140 - In-House Counsel Primer: Oversight, Compliance & Implementation 3. General Contractual Issues (con't.) 3.7 Risk Management: notice of breach; notice of claims; ADR; cooperate if ADR/litigation with third parties; JMC governance; LOL; indemnities; insurance coverage; inspections/audit for compliance with contract (direct or third party); quality assurance program; compliance with laws, regulation and all applicable codes, guidelines, rules and charters that are included in "Law" definition. 3.8 Security obligations, independent assessment and testing; change management; incident reporting; reputation management plan/policy; critical/crisis response/fix policy; contractual (downstream) liability control (from LOL to class actions). 3.9 Key Person/Management Requirements. 3.10 Non-Competition Provisions: dance partner fidelity. - 141 - Thank you! Question & Answer Lisa Abe-Oldenburg, Partner, Milos Barutciski, Partner, Stephen Burns, Partner Duncan Card, Partner