#iLAW Summit: All Things Internet, Mobile and Social

March 26, 2015

Slide 2

What’s NOT in Your Wallet?

Seth Harrington, Ropes & Gray
Jason Brown, Ropes & Gray
Joe Pignato, Swipely
Brian Carroll, LevelUp

Slide 3

Panelists

Jason Brown, Partner, Ropes & Gray LLP
Jason has over 25 years of experience in white-collar criminal and complex civil litigation. He represents companies in connection with data breaches, including in investigations by U.S. and foreign agencies. He also conducts internal investigations and represents individual and corporate clients for grand jury appearances, trials, sentencings and appeals in federal and state courts.

Seth Harrington, Partner, Ropes & Gray LLP
Seth has extensive experience representing clients in connection with claims by credit card brands and financial institutions relating to payment card-related data breaches. He works with clients such as TJX Companies Inc., Wyndham Hotels & Resorts, Genesco Inc., and the Aldo Group Inc. in all aspects of the response to a privacy or data security incident, from directing the forensic investigation of a breach to defending against litigation and regulatory inquiries.

Slide 4

Panelists

Joe Pignato, CFO, Swipely, Inc.
Joe Pignato brings to Swipely two decades of financial experience. Prior to joining Swipely, he served in a variety of senior financial and operational positions including Chief Financial Officer at a NASDAQ-listed company and in leadership roles at venture capital funds with over $3B under management including Prism Ventures and Charles River Ventures.

Brian Carroll, General Counsel, LevelUp
LevelUp is one of the country's leading mobile payments and customer rewards platforms, accepted at over 14,000 businesses and used by more than 1.5 million consumers. Brian oversees all of the company's legal matters, including merchant partner and partnership agreements; compliance with federal and state laws governing payments, data security, and privacy; intellectual property prosecution and licensing; disputes and litigation; employment; insurance and risk management; and corporate governance and financing.

Slide 5

Overview

I. Traditional Methods of Payment Acceptance

II. Legal Landscape

III. Mobile Payments Technology

IV. Beyond Payment Transactions: Customer Data Collection and Uses

Slide 6

Traditional Methods of Payment Acceptance

Five participants in the card payment process:

Slide 7

Overview

I. Traditional Methods of Payment Acceptance

II. Legal Landscape

III. Mobile Payments Technology

IV. Beyond Payment Transactions: Customer Data Collection and Uses

Slide 8

Legal Landscape

Responsibility for privacy and data security of transaction information is typically set by contract.

– Payment Card Industry Data Security Standard (“PCI DSS”)

Slide 9

Legal Landscape

But increasingly by statute as well.
– MN, NV, WA statutes incorporate all or part of PCI DSS

• In 2007, Minnesota enacted a law prohibiting the retention of payment card data.

• “No person or entity conducting business in Minnesota that accepts an access device in connection with a transaction shall retain the card security code data, the PIN verification code number, or the full contents of any track of magnetic stripe data, subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction. A person or entity is in violation of this section if its service provider retains such data subsequent to the authorization of the transaction or in the case of a PIN debit transaction, subsequent to 48 hours after authorization of the transaction.”

Minn. Stat. §325E.64 (2014).

Slide 10

Legal Landscape

In 2009, Nevada required merchants doing business in the state to comply with PCI DSS
– “If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council ....”

Nev. Rev. Stat. § 603A.215 (2014).

In 2010, Washington enacted a similar statutory provision
– “Processors, businesses, and vendors are not liable under this section if (a) the account information was encrypted at the time of the breach, or (b) the processor, business, or vendor was certified compliant with the payment card industry data security standards adopted by the payment card industry security standards council, and in force at the time of the breach. A processor, business, or vendor will be considered compliant, if its payment card industry data security compliance was validated by an annual security assessment, and if this assessment took place no more than one year prior to the time of the breach.”

Wash. Rev. Code § 19.255.20 (2014).

Slide 11

Legal Landscape

Other laws governing privacy and data security of transactions:

– State data security laws
– State consumer protection statutes
– FTC Act
– Gramm-Leach-Bliley Act (financial institutions only)

Slide 12

Legal Landscape – PCI DSS 3.0

PCI 2.0 v. 3.0 Key Themes

Education and awareness of security standards
– 3.0 adds clarifications to help organizations better understand the intent of the requirements and proactively implement and maintain controls.
– Ex. Clarification that sensitive authentication data must not be stored after authorization even if card number is not present.

Increased flexibility to address common risks of weak passwords, authentication methods, malware, and poor self-detection.
– Ex. Flexibility for a customized approach to mitigate common risks
– Ex. Rigorous testing procedures such as penetration tests and audit logging requirements

Shared responsibility for security – defined PCI DSS responsibilities when working with different business partners.
– Ex. Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity
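The Minnesota statute (slide 9) and the PCI DSS 3.0 clarification above name the same three items that may not survive authorization: the card security code, PIN verification data, and full magnetic-stripe track contents. As an added example, not from the slides and not Ropes & Gray's, Swipely's or LevelUp's code, the Python below scans a stored transaction record for those items and applies the statute's retention window (48 hours for PIN debit, none otherwise); the record field names (cvv, pin_block, swipe_raw, authorized_at, type) are assumptions about a merchant's storage layout.

```python
import re
from datetime import datetime, timedelta

# Added example, not from the slides. Field names (cvv, pin_block,
# swipe_raw, authorized_at, type) are assumptions about a record layout.
# Full track contents as read from a magnetic stripe:
# Track 2 is ;PAN=YYMM<svc><discretionary>?  Track 1 is %B<PAN>^<name>^YYMM<svc>...?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})(\d*)\?")
CSC_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "card_security_code"}
PIN_FIELDS = {"pin_block", "pvv", "pin_verification_value"}


def luhn_ok(pan: str) -> bool:
    """Mod-10 check so that random digit runs are not reported as track data."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sad(record: dict) -> list:
    """Return the kinds of sensitive authentication data present in a record."""
    found = set()
    for key, value in record.items():
        k, v = key.lower(), str(value)
        if k in CSC_FIELDS and re.fullmatch(r"\d{3,4}", v):
            found.add("card_security_code")
        elif k in PIN_FIELDS and v:
            found.add("pin_verification_data")
        # Track data can hide in any free-text or raw-swipe field, so scan them all.
        if any(luhn_ok(m.group(1)) for m in TRACK2_RE.finditer(v)):
            found.add("track2")
        if any(luhn_ok(m.group(1)) for m in TRACK1_RE.finditer(v)):
            found.add("track1")
    return sorted(found)


def retention_violation(record: dict, now_iso: str) -> bool:
    """True once SAD is still present after the statutory window has closed:
    48 hours after authorization for PIN debit, immediately for anything else."""
    if not find_sad(record):
        return False
    authorized_at = datetime.fromisoformat(record["authorized_at"])
    grace = timedelta(hours=48) if record.get("type") == "pin_debit" else timedelta(0)
    return datetime.fromisoformat(now_iso) >= authorized_at + grace


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a Luhn-valid test PAN.
    rec = {"type": "credit", "authorized_at": "2015-03-26T10:00:00",
           "swipe_raw": ";4111111111111111=2512101123456789?", "cvv": "123"}
    print(find_sad(rec), retention_violation(rec, "2015-03-26T10:00:01"))
```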

Slide 13

EMV chip cards

EMV stands for Europay, MasterCard and Visa, a global standard for inter-operation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions.

Key Security Advantages:

Information stored in a more secure microprocessor chip
– Instead of a less secure magnetic stripe

Personalization of EMV cards is done using issuer-specific keys

Card creates unique transaction data
– Any captured data cannot be used to execute new transactions (prevents card skimming and card cloning)

Cardholder verification
– Terminal will prompt the customer to sign or enter a PIN to validate their identity.
– Also supports other cardholder verification methods: offline PIN, online PIN, signature, or no cardholder verification method.

Slide 14

EMV chip cards

October 19, 2014: President Obama signs executive order to speed the adoption of EMV cards in the US by October 2015.
– Newly issued and existing government credit cards and debit cards will have chip technology.
– All POS terminals at federal agencies will accept EMV.

October 2015: Card Brand Networks’ Liability Shift
– The party, either the issuer or merchant, who does not support EMV assumes liability for counterfeit card transactions.
– Merchants get:
  • Relief from requirement to submit PCI compliance validation documentation.
  • Effective Oct. 1, 2015, relief from financial liability for card-present fraud losses processed on EMV terminals.

Slide 15

Overview

I. Traditional Methods of Payment Acceptance

II. Legal Landscape

III. Mobile Payments Technology

IV. Beyond Payment Transactions: Customer Data Collection and Uses

Slide 16

Mobile Payments

“Mobile Payments” covers many categories:

1. Person-to-person transfer using mobile device
2. Mobile banking (including deposits and bill payment)
3. POS purchases processed using a mobile device
4. POS purchases made using a mobile device
5. Purchases over the internet using mobile device (use of an app for purchases and purchases of digital content / services)

Slide 17

Mobile Payments

Mobile Payments can be funded in different ways, with varying fees paid by the consumer or the merchant.
– Directly from bank account
– Through a payment card (credit, debit, or prepaid)
– Through a mobile carrier
– Digitally stored value (i.e. money or value transferred or gift cards purchased by third parties)

Slide 18

Potential Advantages of Mobile Payments?

– Better Security
– Lower PCI burden for merchants
– Convenience
– Potential Savings for Consumers
– Additional Data for Merchants

Slide 19

Comparison of Some Payment Options

Apple Pay / Google Wallet / Samsung Pay
– How it works: Uses NFC
– Authentication: Fingerprint or PIN for tap-to-pay at new registers
– Security of payment information: Overlay onto traditional credit card system. Payment information is tokenized.
– Availability: US only (Samsung Pay available in Korea)

PayPal / Paydiant
– How it works: PayPal: Uses PayPal network to transmit credit card or debit transactions (if merchant signed up with PayPal). Paydiant: Cloud-based platform enables merchants and banks to deploy own secure mobile wallet solutions under their own brands, in their own apps.
– Authentication: PayPal: Login & password for the app. Pay bill or send money via email or phone number. Paydiant: Authenticated using customer’s login credentials and mobile device profile.
– Security of payment information: PayPal: Retailers don’t get your credit card info, but PayPal does. Paydiant: Payment info not stored on phone; device fingerprinting. Payment info is tokenized.
– Availability: PayPal: Many countries for money transfer. Paydiant: US only at present.

LevelUp
– How it works: Mobile application uses QR code technology to allow for mobile transactions to be made at local businesses via iPhone, Android and Windows phones
– Authentication: PIN can be used to secure app on phone
– Security of payment information: Overlay onto traditional credit card system. Payment information is tokenized; all data is encrypted.
– Availability: US only

Slide 20

PCI Considerations

PCI Mobile Payment Acceptance Security Guidelines for Merchants, v.1.1, July 2014

Section 4 - Objectives and Guidance for the Security of a Payment Transaction
– Objective 1: Prevent account data from being intercepted when entered into a mobile device.
– Objective 2: Prevent account data from compromise while processed or stored within the mobile device.
– Objective 3: Prevent account data from interception upon transmission out of the mobile device.

Section 5 - Guidance for Securing the Mobile Device
– Prevent unauthorized physical device access
– Prevent unauthorized logical device access
– Protect the mobile device from malware
– Ensure the mobile device is in a secure state
– Disable unnecessary device functions
– Detect loss or theft
– Ensure the secure disposal of old devices

Slide 21

PCI Considerations

PCI Mobile Payment Acceptance Security Guidelines for Merchants, v.1.1, July 2014

Section 6 - Guidance for Securing the Payment-Acceptance Solution
– Implement secure solutions
– Ensure the secure use of the payment-acceptance solution
– Prefer online transactions
– Prevent unauthorized use
– Inspect system logs and reports
– Ensure that customers can validate the merchant / transaction
– Issue secure receipts

Slide 22

Legal Considerations

Who is responsible in event of fraud or a data breach?
– Merchant?
– Mobile payment app / payment acceptance solution?
– Data Vault where cardholder data is stored?

Potential State and Federal Regulation
– 12 CFR Part 1005 (Regulation E), governing electronic fund transfers. Consumer Financial Protection Bureau (“CFPB”) has not yet determined how to apply Regulation E in the mobile context.
– FINRA and various states do not have clear guidance on application of Money Services Business rules, Money Transmitter rules, or the Bank Secrecy Act (for Anti-Money Laundering and Combating the Financing of Terrorism purposes).

Potential Enforcement Action
– Traditionally, the FTC pursued the company that stored the data it collected from consumers (e.g., a merchant). It enforced breaches of privacy policies as “consumer deception.”
– With mobile devices, the consumer is storing & creating lots of data on one device.
  • Manufacturer or application developer.

Slide 23

Other Security Deficiencies Alleged by FTC in its Enforcement Actions

– Failure to encrypt personal information
– Failure to destroy legacy information
– Failure to employ sufficient measures to prevent, detect, and investigate unauthorized network access
  • Examples: failure to properly inventory computers connected to network; failure to use appropriate firewalls; failure to inspect outgoing transmissions
– Failure to implement policies and procedures that physically secured consumer information, and failure to train employees regarding such policies
– Failure to maintain a comprehensive written information security program and failure to identify reasonably foreseeable risks to consumer information

Slide 24

Mobile Payments outside of the U.S.

Many mobile payment apps and services are limited to US only
– Apple Pay, Google Wallet, Venmo, LevelUp and others are limited to the US only.
– Currency Cloud allows international business-to-business payments.
– PayPal payments can be sent to many countries for a fee.

If the secure banking and anti-fraud infrastructure is not in place, mobile payments outside of the US can be risky.

Slide 25

Overview

I. Traditional Methods of Payment Acceptance

II. Legal Landscape

III. Mobile Payments Technology

IV. Beyond Payment Transactions: Customer Data Collection and Uses

Slide 26

New Players to the Traditional Payment Method

Participants:
– Card Brand (Visa, MasterCard, AmEx, etc.)
– Acquiring Bank
– Merchant / Retailer
– Cardholding Consumer
– Issuing Bank (bank that issues credit card to the consumer: Citibank, Chase, etc.)

Transaction flow:
1. App presented for payment
2. App collects transaction data.
3. Transaction authorization request
4. Transaction routed to card issuer
5. Authorization response
6. Authorization response routed to acquirer
7. Authorization response routed to merchant
8. Transaction completed; terminal issues receipt.

Slide 27

Beyond Payment Transactions: Collection and Use of Customer Information

Merchants can now know much more about their customers:

• Credit Card No.

• Name

• Zip code

• Address

• Age

• Gender

• Phone Number

• Loyalty Card No.

• Frequency of store visits (which stores & time of day)

• Location

• Order or Purchase history

• Mobile Phone ID & Model

• Email address

• Twitter / Google+ / TripAdvisor / OpenTable / Yelp Account

• Facebook Account

• Friends list

• Income

• Education

• Photos

• Life events

Slide 28

Beyond Payment Transactions: Collection and Use of Customer Information

Creative Uses of Merchant Payment Data:
– Targeted ads and promotions to customers based on frequent or previous purchases
– Personalized customer experience
– Managing employee-to-customer interactions to improve customer service
– Beacon messaging based on customers in-store or walking nearby store locations

Slide 29

Legal Considerations

Collecting information during payment & merchant marketing
– Does the consumer fully know and voluntarily consent to the collection and use?
– Do state laws prohibit collection of personal information during payment for marketing purposes?
  • California – The Song-Beverly Credit Card Act (Cal. Civ. Code Sec. 1747 et seq.) (“Song-Beverly Act” or “Act”) restricts businesses from requesting, or requiring, as a condition to accepting credit card payments, that the card holder provide “personal identification information” that is written or recorded on the credit card transaction form or otherwise.
  • In 2011, the California Supreme Court ruled that zip codes are “personal identification information” that merchants cannot ask from customers before the card transaction. See Pineda v. Williams-Sonoma Stores, Inc., 51 Cal. 4th 524 (Cal. 2011).
  • In 2013, a United States federal district court in California expanded “personal identification information” to include email addresses. See Capp v. Nordstrom, Inc., 2013 U.S. Dist. LEXIS 151867, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013).
  • Massachusetts – Massachusetts’ consumer privacy statute (MGL Ch. 93, §105(a)) prohibits merchants that accept credit cards from asking for personal identification information in a credit card transaction, unless it is either required by the credit card issuer or requested by the business because it is necessary for shipping and voluntarily provided.
  • In 2013 the Massachusetts Supreme Court ruled in Tyler v. Michaels Stores that zip codes are “personal identification information.”

Slide 30

Questions?

Seth Harrington

[email protected]

Jason Brown

[email protected]

Joe Pignato

[email protected]

Brian Carroll

[email protected]