On October 25, 2012, McCarthy Tétrault’s national Consumer Retail group held a lunchtime client conference on mobile payment systems and digital wallets. For those of you unable to attend, the following are a few of the highlights.

But first, a little context for the uninitiated:

  • Near-field communication technology (NFC) allows a user with a mobile phone, equipped with the necessary mobile application, to pass card data stored on the phone to the point-of-sale device to complete payment and other transactions.
  • Mobile payments are often grouped into two levels of transaction: convenience vs. high value/risk transactions. Convenience transactions are characterized by low value/risk (e.g., under $50) and may be effected just by swiping the mobile device at the POS terminal. The other type of transaction involves high value/risk (e.g., $50 and greater), and would require a combination of a swipe of the mobile device at the POS and a pass code to be entered.

Mobile Payments and Financial Regulations

Jim Archer, of McCarthy Tétrault’s Financial Services Group in Toronto, presented the regulatory infrastructure behind the proposed system of mobile payments.

Prompted by the federal government’s Payments Systems Task Force, Canada’s banks and credit unions worked together to develop guidelines to help grow a mobile payment marketplace in Canada. In May 2012, the Canadian Bankers Association released an initial draft of the Canadian NFC Mobile Payments Reference Model.

The Reference Model sets out the roles of each of the participants in the mobile payments industry, including end users (i.e., the consumer making the mobile payment from his/her mobile device), credential issuers (i.e., the bank or financial institution behind the payment application on the end user’s device), trusted service managers (TSMs) (i.e., the entity that loads the payment credentials of the end user into the wallet application on the end user’s device), payment networks (e.g., Visa, MasterCard, Interac), acquirers (e.g., Moneris), merchants, and mobile network operators (MNOs) (e.g., Bell, Rogers, TELUS). For some of these entities, such as the payment networks and acquirers, their roles in the context of the mobile payment “ecosystem” are not expected to change significantly from their traditional roles in processing credit and debit card payments. In contrast, the MNOs, which have a direct relationship with the consumer, supply mobile phones on which the mobile payment application will be installed, and operate the networks across which the mobile transaction will take place, may see a more significant transformation of their historical role as mere “carrier” under the new payment process.

In order for a consumer to make a mobile payment using NFC technology, a certain number of agreements and transactions must first be put in place:

  • end user applies to credential issuer for credit and/or debit card account which contemplates mobile payment application.
  • end user applies to MNO for a wallet application (i.e., a mobile wallet) to be installed on mobile device.
  • end user requests credential issuer to install payment application on mobile device and to personalize payment credentials (i.e., personal encrypted information, including a pass code). This could be done through the wallet application, website, telephone or in person.
  • credential issuer instructs its TSM to transmit payment credentials to mobile device.

Once these preliminary steps have occurred, the consumer is ready to use his/her mobile device as a payment mechanism. The actual purchase procedure steps are as follows:

  • end user opens payment application (NFC mobile device must ensure that only one payment application may be turned on at one time) and passes the mobile device within the range of the POS device.
  • convenience transactions (that do not exceed a high value or high risk threshold) will occur automatically. For high value or high risk transactions, the end user will be prompted for a pass code, which must be verified.
  • transaction completed.

Credential issuers, which consist primarily of banks, are currently governed by the Bank Act and related regulations (e.g., Cost of Borrowing and Credit Business Practices regulations). On the whole, relatively few changes are required for the legislation to regulate mobile payments in a similar fashion to other modes of payment. In addition, payment card networks (both credit and debit) are currently regulated by various voluntary codes of conduct, including a Code of Conduct for the Credit and Debit Card Industry in Canada (the “Code”), released by the Department of Finance in 2010. In September 2012, the federal government proposed an addendum to the existing Code to address mobile payments. The amendments were necessary, among other reasons, to clarify that both debit and credit transactions may be performed using a single mobile device. In the end, the mobile payments system involves similar relationships and is governed by similar types of credit/debit agreements as those that exist in the conventional payment system. Consequently, it should be possible for mobile payments to occur with only minor changes to the applicable regulatory regime. By contrast, a mobile payments “ecosystem” will inevitably result in a fairly extensive range of new contractual relationships (as new “players” participate in the payment process), as well as consequential changes to standard credit and debit account agreements to account for some of the particularities of the new mobile payment services.

Mobile Payments and Digital Wallets

Charles Morgan, the Quebec regional leader of McCarthy Tétrault’s Technology Group practice, discussed the technology behind mobile payments.

Near-field communication (NFC) is the primary technology being used in mobile phones to implement mobile payment systems. It allows for the two-way transmission of data at very close distances (up to approximately 4 cm). Instead of individual phone manufacturers developing their own proprietary technologies for near-field communication, the NFC Forum has developed uniform technical specifications to facilitate interoperability among devices and services. NFC technology has recently been implemented in new model smartphones, including Nokia, Android, and BlackBerry devices. Notably, Apple has chosen to forgo such implementation in its latest iPhone 5 model. In 2010, several U.S. mobile service providers (AT&T, Verizon, T-Mobile) launched a joint venture, Isis, to work with MasterCard Worldwide to develop a point-of-sale payment system for NFC-enabled smartphones. Other NFC initiatives include the launch of Google Wallet (2011), a joint mobile payment initiative between CIBC and Rogers (May 2012), a joint mobile payment initiative between Deutsche Telekom and MasterCard (July 2012), and a recent agreement between Research in Motion (RIM) and Enstream (a Bell, Telus, Rogers joint venture), to have RIM manage security credentials for SIM.

An NFC-enabled smartphone requires two software applications in order to execute a payment transaction. The user’s payment credentials are stored in a payment application in a secure element embedded in the device. This payment application is distinct from the user interface application, known as a mobile wallet, which will interact with the payment application to execute a mobile payment. A mobile wallet may be designed for use with only a single provider, a collective of credential issuers, or in the case of an open standard, any number of credential issuers. The possible functions of mobile wallets are endless, as they may incorporate not only credit payment products (e.g., Visa, MasterCard, etc.) but debit payment products (e.g., Interac), prepaid payment products, transit passes (e.g., OPUS), loyalty/reward cards (e.g., Air Miles), and targeted coupons/offers.

Key Elements of a Mobile Wallet

  • Credential Provisioning: a mobile wallet may provide end users with the option to request provisioning of payment credentials (i.e. initiate the installation process).
  • Mobile Wallet Access: for security, a mobile wallet must provide end users with the option to lock/unlock the wallet using a user-defined password. This standard does not require that a wallet password be used, only that the end user be given the option to set a password.
  • Default Credential Selection: a mobile wallet must provide end users with the option to enable/disable a default payment credential. A default credential allows end users to initiate a payment without having to take the mobile device out of standby mode and without having to manually select a wallet.
  • Manual Default Override: a mobile wallet must provide end users with the option to override a default payment credential and manually select a payment credential to present.
  • High Value & High Risk Payments: a mobile wallet must have the ability to support entry of a pass code for end user verification of high value and high risk payments.
  • Transaction Data: a mobile wallet may capture transaction data for all linked payment applications; however, if it does capture this data, access to and usage of this data must be restricted as per the standards in the Data & Security section of the Reference Model.
  • Electronic Receipts: a mobile wallet may store, retrieve and transmit electronic receipts. If the wallet does store electronic receipts, receipts need only be maintained on the instance of the wallet used to make a payment.
  • Enabling a Return Transaction: a mobile wallet and payment application must be able to facilitate return transactions. For return transactions, the end user will select the payment application to be used and will then tap the mobile device against the POS reader.
  • Loyalty & Reward: a mobile device may be used to store and manage information on loyalty and rewards programs.

Data security is a concern for participants of the mobile payments ecosystem. The guiding principle outlined in the Reference Model is that each participant in the mobile payment process should only have access to those elements of the user’s data that are necessary for it to carry out its functions in relation to the mobile transaction. Further, each ecosystem participant should put in place processes to track, monitor and mitigate fraud and security concerns including malware, hacking and theft of mobile devices. However, no specific standards on fraud and security are specified in the Reference Model. In the event of a lost or stolen mobile device, the end user should be instructed to contact both the MNO and the credential issuer. Once informed of a lost or stolen mobile device, the MNO or the secure domain manager (SDM) (i.e., the entity that manages access to the secure element that stores the end user’s sensitive payment credentials on the mobile phone) should lock the mobile device. Once informed of a lost or stolen mobile device, the credential issuer should lock/block the payment method.

Additional Topics of Discussion

McCarthy Tétrault’s Consumer Retail practice group also had two guest speakers on its mobile payments panel. Mohamed Kahlain, Vice President, Marketing and Product Innovation at Mediative (a division of Yellow Pages Group), provided a marketing perspective on mobile payment business opportunities. Bill Abbott, Senior Counsel and Privacy Ombudsman at Bell Canada, provided a carrier’s perspective on mobile payment privacy issues.

Over the last two years, the basic regulatory, contractual and technological infrastructure to make mobile payments possible has been put in place. Over the next year or two, we anticipate that mobile payments will go “mainstream”.