On February 19, the Electronic Transactions Association’s (ETA) Mobile Payments Committee released three resources to help firms navigate emerging issues in the mobile payments market. The Committee is an industry-wide task force of representatives from credit card networks, processors, mobile network operators, developers, financial institutions, and device manufacturers. The first resource, “Best Practices and Guidelines for Mobile Payment Solutions,” addresses security, privacy and competition issues relevant to merchants, consumers, federal and state legislators, federal regulators, merchant acquirers, credit card issuers, and infrastructure providers. In the second, a white paper entitled “Beyond the Hype: Mobile Payments for Merchants,” the Committee provides a comprehensive overview of the current state of mobile payments, as well as analysis of the risks and costs for merchants to consider before deploying mobile payments solutions. Finally, the Committee issued a “Mobile Payments Glossary of Terms.”
On February 22, the FTC announced that a mobile device manufacturer agreed to settle charges that it failed to employ reasonable and appropriate security practices in the design and customization of the software on its mobile devices. The settlement is the first of its kind obtained by the FTC. The FTC’s complaint alleged that the manufacturer failed to (i) provide its engineering staff with adequate security training, (ii) review or test the software on its mobile devices for potential security vulnerabilities, (iii) follow well-known and commonly accepted secure coding practices, and (iv) establish a process for receiving and addressing vulnerability reports from third parties. The complaint further described several resulting vulnerabilities that allegedly compromised sensitive device functionality and could have permitted malicious applications to send text messages, record audio, and install additional malware onto a consumer’s device. Such malware, according to the FTC, could be used to record and transmit information entered into or stored on the device. The settlement requires the device manufacturer to establish a comprehensive security program and deploy security patches to consumers’ devices. The manufacturer also is prohibited from making any false or misleading statements about the security and privacy of consumers’ data on its devices.
On February 14, the PCI Security Standards Council, the open global forum responsible for setting payment security standards, issued guidelines for merchants on the factors and risks they must address to protect card data when using mobile devices. The guidance addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device. The guidance also (i) provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance, and (ii) provides recommendations regarding the different components of the payment acceptance solution, including the hardware, the software, the use of the payment acceptance solution, and the relationship with the customer. The PCI Security Standards Council also recently released guidance for securing payment card data in cloud environments, and guidance regarding security for payment transactions conducted over the Internet.
Recently, NACHA – The Electronic Payments Association’s Council for Electronic Billing and Payment released final guidelines to facilitate the use of Quick Response (QR) codes for a variety of consumer bill payment functions, including viewing bills, making payments, enrolling for eBills, and setting up payees in online banking. The guidelines provide voluntary standards for using QR codes in both biller direct and consolidator/aggregator billing and payment models, and provide recommendations for (i) QR code size, (ii) data to be included in the QR code, and (iii) layout of the data represented in the QR code. The guidelines are intended to establish a single QR code format that can be printed on a paper bill and scanned by a consumer’s mobile phone using a biller, mobile banking, or generic QR code reader. A standardized format would allow billers and service providers to enable QR encoding consistently, provide certainty for biller and banking clients, and ensure a consistent consumer experience.
California Supreme Court Holds Online Download Purchase Transactions Not Covered By Song-Beverly Credit Card Act
On February 4, the California Supreme Court held, in a 4-3 split ruling, that the personal privacy protections afforded consumers by the Song-Beverly Credit Card Act do not apply when the item purchased is downloaded via the Internet. Apple Inc. v. Sup. Ct. Los Angeles Cty., No. S199384, 2013 WL 406586 (Cal. Feb. 4, 2013). However, the court did not consider whether the Song-Beverly Act privacy provisions apply to the broader category of online transactions that do not involve a downloadable product. In this case, a customer filed a putative class action against an online digital media retailer, alleging that the retailer’s practice of requiring customers to provide their telephone number and address before accepting credit card payment for downloadable media purchases violates Section 1747.08 of the Song-Beverly Act, which prohibits retailers from requiring personal information as a condition to completing credit card transactions. Citing the statutory language and legislative history, the court explained that while Song-Beverly was intended to protect personal privacy, it was not meant to do so at the risk of increasing fraud. Further, the court determined that fraud protections provided in Song-Beverly, which allow retailers to request proof of identification, are not available to online retailers selling downloadable products. The court also reasoned that in later enacting the California Online Privacy Protection Act, the state legislature demonstrated that it can unambiguously address online transactions, and that it sought to strike a different balance between privacy protections and online commerce than did the Song-Beverly Act. Therefore, the court held, online transactions involving downloadable products fall outside the scope of Song-Beverly. The court invited the legislature to revisit consumer privacy in connection with online transactions.
On February 1, the FTC announced that it is requiring a social networking application company to pay $800,000 and make certain compliance enhancements to resolve allegations that the firm (i) misled and deceived users by automatically collecting and storing personal information from users’ mobile device address books even if the users had not selected that option and despite claims that the application collected only certain non-personal user information, and (ii) violated the Children’s Online Privacy Protection Act Rule by collecting personal information from approximately 3,000 children under the age of 13 without first getting parents’ consent. Pursuant to the consent decree, in addition to the monetary penalty, the company must establish a comprehensive privacy program, and obtain independent privacy assessments every other year for the next 20 years.
Concurrently, the FTC …
On January 28, Maryland Attorney General (AG) Doug Gansler announced a new unit in his office dedicated to online privacy enforcement and policy. The AG stated that the new unit will (i) monitor companies to ensure they are in compliance with state and federal consumer privacy laws, (ii) examine weaknesses in online privacy policies and work alongside major industry stakeholders and privacy advocates to provide outreach and education to businesses and consumers to broaden awareness about privacy rights, and (iii) pursue enforcement actions where appropriate. The unit announced by the AG appears similar to one formed by California Attorney General Kamala Harris, which recently has been active with regard to mobile application privacy. Last year, AG Gansler announced “Privacy in the Digital Age” as his central initiative as President of the National Association of Attorneys General.
On January 22, the FFIEC proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by federally supervised financial institutions, as well as nonbanks supervised by the CFPB. With regard to compliance and legal risks, the guidance addresses (i) the applicability of existing federal laws and regulations to the use of social media for marketing and originating new deposit and lending products and the use of social media to facilitate consumer use of payment systems; (ii) the need to apply BSA/AML internal controls to customers engaging in electronic banking through the use of social media, and to e-banking products and services offered in the context of social media, as well as BSA/AML risks emerging through the growing use of social media; (iii) CRA monitoring of social media sites run by an institution; and (iv) customer privacy issues associated with social media. The guidance also reviews reputational risks related to social media, including risks related to (i) fraud and brand identity; (ii) social media vendor monitoring; (iii) privacy; (iv) consumer complaints; and (v) employee use of social media. Finally, the guidance addresses the vulnerability of social media to malware and the resultant operational risk. The FFIEC is accepting comments for 60 days after publication in the Federal Register. After the comment period, the agencies will issue supervisory guidance and will urge state regulators to follow.
On January 21, the Virginia Secretary of the Commonwealth released the Virginia Electronic Notarization Assurance Standard. Citing the need to “preserve and strengthen the role of the notary in the rapidly emerging digital economy and to ensure reliability and cross-border recognition of notarized electronic documents in a global economy,” the standards are intended to support the transition of notaries in Virginia to performing electronic notarizations that have the same legal effect as traditional notarizations. They set forth registration and performance requirements, electronic signature and seal requirements, online notarization procedures, and notarized electronic document requirements. According to the Secretary, the Virginia standards (i) reflect the National Association of Secretaries of State Electronic Notarization Standard for Document Security; (ii) incorporate aspects of standards previously adopted by seven other states; and (iii) are consistent with the federal ESIGN Act, the UETA, and the Uniform Real Property Electronic Recording Act.
On January 11, the U.S. District Court for the Northern District of California approved a settlement between a retailer and a class of customers to resolve allegations that the retailer violated the California Song-Beverly Credit Card Act by collecting customer zip codes as part of credit card purchase transactions and storing that information in a customer database. Burdewick v. Kohl’s Dep’t Stores, Inc., No. 12-119, Final Order and Judgment (Jan. 11, 2013). The settlement is the most recent in a series following the California Supreme Court’s 2011 decision in Pineda v. Williams-Sonoma Stores Inc. that zip codes constitute “personal identification information” under the Act. In this case, class members can submit claims to obtain a gift card from a common $650,000 fund. The exact amount of the gift card will depend upon the number of valid claims, but actual payments are expected to far exceed the $10-$20 amounts typically provided by most similar settlements to date. Moreover, the settlement places no restriction on the use or transferability of the cards. The court also approved a $215,000 award to class counsel, and a $7,500 incentive award to the class representative.
On January 10, President Obama signed H.R. 6671, which amends the Video Privacy Protection Act to facilitate compliance for modern video service providers. The Act was originally passed in 1988 to limit the disclosure of information about consumers’ “video tape rental or sales records,” and its application to certain modern video service providers (e.g. Netflix) is not clear. The amendments allow such providers to obtain consumer consent to disclosure through electronic means using the Internet. Such consent must be in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer. Consumers can provide consent in advance, but not for more than two years or until consent is withdrawn by the consumer, and service providers must provide an opportunity for the consumer to withdraw consent on a case-by-case basis or to withdraw from ongoing disclosures, at the consumer’s election.
On December 17, the FDIC published the Winter 2012 issue of Supervisory Insights. The two featured articles focus on mobile payments and high-yield checking. In “Mobile Payments: An Evolving Landscape,” FDIC staff (i) review mobile payment technology, (ii) provide guidance regarding understanding and managing risks, and (iii) include a chart explaining the applicability of various federal laws to mobile payments. The article states that, going forward, non-bank mobile payment providers may start to capture greater market share from financial institutions and alter bank/customer relationships. The article describes the potential for banks to gradually be pushed out of the payment transaction, and identifies potential impacts of such disintermediation, including loss of access to key customer data. A second article, “High-Yield Checking Accounts: Know the Rules,” reviews the features of high-yield checking accounts and identifies problematic disclosures that may accompany their promotion. The article identifies what examiners look for when examining high-yield account offerings and provides best practices for banks.