2017 was a year of continued innovation in the payments space as the adoption of digital payments continued to increase. Below we highlight recent developments in the payments sector.

Card Network Developments:

Signatures are no longer required at the point of sale.

Will signatures on sales slips go the way of “knuckle-busters” (the original manual “terminals” that created an impression of a credit card) and become obsolete? It appears so!

Historically, card network operating rules required the signature of the cardholder on the charge slip. Over the years, to accommodate merchants seeking greater speed at the cash register, the card networks allowed low-value charges, initially those under $25 and later those under $50, and charges at certain types of merchants, such as quick-service restaurants, to be submitted without a signature.

In the fall of 2017, concluding that signatures are no longer relevant in limiting fraud as a result of advances in security, MasterCard, American Express and Discover Card each amended their rules to remove all signature requirements, starting in April 2018. Can Visa be far behind?

Merchants should keep in mind, however, that a signature is required under Regulation E for “preauthorized debits,” and shows express consent required under federal law and some state laws for negative option plans and recurring billing.

Update on Payments-Related Litigation:

State laws banning credit card surcharges have been attacked as a violation of free speech rights.

Credit card surcharges were once unthinkable because they had been subject to a total ban by the card networks since their inception. However, as part of the 2012 settlement of the merchant interchange litigation, credit card (but not debit card) surcharges were authorized, subject to several conditions.

Most merchants have no interest in passing along the credit card fees to their customers. But those that do must face an additional obstacle because the laws of ten states and Puerto Rico prohibit credit card surcharges.

A group of merchants sued to invalidate the laws in New York, California, Florida and Texas, alleging that they are a violation of free speech rights. The states argued that the laws regulate pricing, not speech.

The first case to reach the U.S. Supreme Court was the New York case. In March 2017, the Supreme Court issued its decision in Expressions Hair Design, et al. v. Schneiderman, Attorney General of New York, et al. In a somewhat inconclusive decision, the court ruled that the New York statute regulated speech because it governed how the merchant could communicate its price, rather than what the merchant could charge. However, the court remanded the case back to New York’s Second Circuit Court of Appeals—which had ruled in favor of the state in upholding the law—to determine whether New York’s law violated the constitutional rights of the merchants. This was an issue that the appellate court did not analyze. The Supreme Court’s ruling applies to the other states where the no-surcharge law is being challenged, but as of yet, there has been no final determination in any of the states. As a result, we can expect more on this question in 2018.

Developments in Privacy and Data Security:

The New York Department of Financial Services (the DFS) passed a regulation imposing data security requirements on New York-chartered or licensed banks, insurance companies, money transmitters, mortgage brokers, and other financial services companies it regulates.

New York regulations now require such entities to comply with several requirements, including having a written cybersecurity program, appointing a chief security officer, having a written incident response plan and notifying the DFS within 72 hours of a cybersecurity event. The requirements have been phased in starting in August 2017, with a transitional period lasting until March 2019 for full compliance with all of the requirements.

Financial institutions may already be in compliance with most, if not all, of these requirements due to their compliance with federal law (the GLBA); other state laws, such as that of Massachusetts; or simply because they are best practices. However, New York-regulated institutions now have another layer of cybersecurity regulation, and potential civil liability, to contend with.

EU General Data Protection Regulation (GDPR)

Starting in May 2018, the GDPR will replace the requirements of the EU Data Directive relating to the privacy rights of citizens of the EU. Compliance with the Data Directive has always been a challenge for U.S. institutions since it is more comprehensive than U.S. law and affords greater (and different) rights to data subjects. Now, the compliance requirements of the GDPR will be even more challenging. Significantly, any company that markets or sells goods or services to residents of the EU is subject to the GDPR, regardless of its location.

State Regulation of Auto-Renewals:

California amended its 2010 law relating to automatic renewal starting in July 2018.

California’s law requires a merchant to make a clear and conspicuous disclosure of auto-renewal terms, cancellation policies and methods; obtain express consumer consent for recurring billing on their credit card accounts; and send a confirmation when a consumer accepts auto-renewal terms.

The law triggered numerous class-action suits challenging the compliance of merchants, due to the somewhat vague requirements. Because the revised law clarifies the requirements, it hopefully will reduce the costly litigation that has plagued merchants in recent years.