Companies, Government Home in on Security, Privacy Protections Around NFC Mobile Commerce

The FTC is increasing its focus on all aspects of mobile commerce, including payments, privacy and applications. In the financial sector, there are a lot of issues related to mobile, said Jessica Rich, who left her position as deputy director of the Consumer Protection Bureau to become associate director of Financial Practices. “It’s a medium where commerce is happening. We want to make sure we're on top of that.” The division’s “mobile lab” will continue generating cases against deceptive app developers, similar to the developers of an app that claimed to cure acne (CD Sept 9 p12), Rich said. It also will hold workshops and coordinate work throughout the consumer protection part of the agency, she added.

The commission has become more involved in the privacy issues that surfaced around mobile, Rich said. In its finalized privacy framework, the FTC “will include how mobile technology raises additional challenges for privacy.” The commission’s review of the Children’s Online Privacy Protection Act rules also addresses applications in the mobile and interactive technology space, she said. “When talking about mobile commerce and payments, the privacy issues are even greater.” Companies can capture searches, and “there’s an even richer profile to draw from,” she said.

The FTC plans to hold a workshop this year with consumer groups, payment service providers, banking agencies and other entities. “Our concern in having this workshop is that the technology has grown faster than the consumer protection,” Rich said. Protections aren’t keeping pace, she added: “They're being turned out so quickly and in some cases there’s not enough thought given to disclosure and protection in mobile.” The FTC plans to collaborate with other agencies, like the FCC and the Consumer Financial Protection Bureau, she said. The Securities and Exchange Commission doesn’t deal with mobile payment issues directly, unless a public company with mobile payment services is involved, a spokeswoman said. “The FCC welcomes the opportunity to work with the FTC on issues affecting consumer mobile data security,” a commission staffer said in response to a request to comment.

Some companies engaging in mobile commerce said they put great effort into ensuring security and trust for customers. Visa relies on existing security standards and protocols that are in the marketplace today, said Eduardo Perez, global head of payment system risk. There are “established protocols and security standards to ensure that apps that are going to conduct payments comply with or are developed in line with those existing industry standards.” However, there are some aspects of mobile payments, like Over the Air personalization, where established standards don’t apply, he said. “We develop our own best practices where we think there’s a gap and existing standards don’t directly apply."

Methods of sharing privacy and security disclosures with customers and resolving problems with unauthorized transactions and other customer disputes also are concerns raised in the mobile commerce space, Rich said. Some banking institutions and mobile providers put practices in place to give customers control when using mobile services, they said. Chase customers are 100 percent reimbursed for unauthorized transfers to or from their personal checking and savings account initiated through the mobile payment service within two business days of discovery of the transaction, a spokeswoman said. However, the Chase guarantee doesn’t cover customer failure to completely log out and exit the mobile service when finished with an online session or leaving a device/computer unattended while logged in, nor does it cover a customer’s negligent handling of user ID and password information, she said: “It is the customer’s responsibility to use care when exiting the system and safely maintain user IDs and passwords.” Chase, which launched its first mobile app in 2010, continued to see significant usage growth for mobile payment apps, she said.

Wells Fargo has more than 7 million active consumer and small business mobile banking customers, a spokeswoman said. The bank, which launched its mobile services in 2007, said its customers will be refunded 100 percent if the transaction is unauthorized. A cardholder isn’t liable for any unauthorized transactions made at merchants, the spokeswoman said. T-Mobile USA has seen significant growth in mobile payment over the last three years, a spokesman said. The carrier said it places spending limits for its Direct Customer Billing transactions to mitigate risks. T-Mobile’s contract includes protections against liability for unauthorized charges, he said.

A Sprint spokeswoman said it has a “consumer-friendly” system to handle customer disputes of third-party charges and a “liberal” refund policy. Upon receiving an initial dispute, Sprint will grant a credit or refund and automatically opt out the customer from the disputed short code campaign or subscription, she said. If a customer re-subscribes and disputes the charge a second time, barring extenuating circumstances, Sprint will typically issue a second credit/adjustment, she said. If the customer continues to opt in to the same program, however, they will be held responsible for the charges, she said.

Meanwhile, Sprint, in cooperation with Google, allows its subscribers to bill Android Market purchases to Sprint’s wireless invoice. Purchases made via the Android Market fall under Google’s Terms of Service, the Sprint spokeswoman said. The carrier places a $50 limit on the total amount of Android Market purchases that customers may place on their Sprint bill per billing cycle. This $50 limit does account for refunds processed from the Android Market -- any refunds processed will be deducted from the total bill.

Consumers Union cited mobile payment regulations recently adopted by the California Public Utilities Commission, urging companies across the country to offer similar consumer protections. The CPUC’s order aims to strengthen the state’s telephone billing rules and consumer protections against cramming and fraud, a CPUC spokesman said. The California commission had weighed in on mobile payment because they are impacted by cramming and fraud issues which are part of CPUC’s jurisdiction, the spokesman said. The CPUC rules limit a consumer’s liability for unauthorized transactions when false charges are made with a lost or stolen phone. CPUC rules also allow consumers to block third-party charges on their accounts.

The consumer protections vary depending on the different carriers and what’s in their cellphone contract, Consumers Union said. A recent report by the consumer group said that all of the major carriers fell short of what consumers need. For example, T-Mobile customers outside California are responsible for charges made before reporting the phone lost or stolen, the Consumers Union report found. Therefore, the consumer could end up paying for more than $50 in fraudulent charges, it said. The carrier declined to comment on the report. The report said Verizon Wireless’s contract provides the needed protections. The carrier’s contract states that its postpaid customers don’t have to pay for disputed charges relating to a lost or stolen device. Though AT&T customer representatives told Consumers Union that customers aren’t responsible for disputed charges during investigation, it’s not made clear in AT&T’s contract, the report said.

Google expects its Wallet service to spur widespread use of mobile payments for in-store purchases, a spokesman said. Citibank, Macy’s and other payment services and retailers are planning to offer Google Wallet as a pay option for customers. The security of Google’s digital wallet “goes well beyond protections of a wallet that goes in your pocket,” he said. Google Wallet is PIN protected and credit card credentials are protected through a Secure Element feature on the phone, he said. “It would be easier to steal someone’s wallet than to get information from a digital wallet."

As payment processor for Google Wallet, MasterCard offers the same protections for Wallet users as it does for traditional cardholders, a MasterCard spokesman said. “It’s more secure to pay with your mobile device” due to the PIN code and the “indestructible” chip that enables the technology, he said. In September, Visa began allowing account holders to add their credit, debit and prepaid accounts to Google Wallet. This week, smartphones from Samsung, LG Electronics and Research in Motion were enabled with near-field communications (NFC) technology for use with Visa’s mobile payment app, Visa said.

Isis, an NFC-based mobile phone payment system, plans to launch this year in Salt Lake City and Austin, Texas, an Isis spokeswoman said. Isis will incorporate multiple layers of security, like pass-code protection and remote activation and deactivation, she said. “A consumer also has complete control over the phone, meaning that it remains in their hand during a transaction and is never handed to a merchant or waiter.” A national rollout is set for 2013.