Mobile Payments - Canadian IT Law Association
Mobile Payments:
Key IT Law Issues
Sony Gokhale
October 26, 2015
Presentation Summary
- What is mobile payment?
- A high level overview of the mobile payment ecosystem and its participants (as of today)
- Understanding the key mobile payment
- Key regulatory, privacy and security issues
What is Mobile Payment?
- Mobile payment is a very broad term and includes many different types of services, such as:
  Mobile credit card apps
  - CIBC - "Mobile Payment App" (with Bell, Telus and
  - TD - "TD Mobile Wallet" (with Bell, Telus and
  - RBC - "RBC Wallet" / "Secure Cloud" (with Bell and Virgin Mobile but allows credit and debit)
  - ScotiaBank - "My Mobile Wallet" (with Bell, Telus and Rogers)
  - BMO - "Paypass" / "Tap and Go" (sticker affixed to a mobile device and not tied to a specific Telco)
What is Mobile Payment? (continued)
  Closed loop mobile payment services
  - Starbucks, Tim Hortons
  Direct carrier billing
  - Google Play on Telco bill
  Mobile devices as a point-of-sale device
  - Square
  Open wallets
  - Apple Pay
  - Google Wallet
  - Android Pay
  - Suretap
- Each mobile payment offering is implemented through different technologies and may involve a variety of different players
- The landscape is changing at a rapid pace, both in terms of the expanding service offerings (credit, debit, prepaid, loyalty, etc.) and the technology used to implement them
A Mobile Payment Ecosystem
(diagram; labels: Secure SD Card, Embedded Chip, Contactless Services, Proximity Infrastructure)
Understanding Key Mobile Payment Activities (and their legal implications)
- Eligibility
- Provisioning
- Transaction processing
- Life cycle events (e.g. lost phones, suspended accounts, etc.)
Key Privacy and Security Issues
- Understanding the data flows and who controls the data
- The importance of understanding how and when data is exchanged and accessed
- Who is responsible for the consents?
  - Understanding the consent process
  - Allocating responsibility for obtaining
Key Privacy and Security Issues (continued)
- Managing disclosure and consent in a mobile
  - Presenting a suitable consent on a mobile device
  - When and how to obtain consent
  - Obtaining consent now and for the future
- New security risks to consider
  - Lost or stolen devices
  - NFC standards: password protection is optional, so whether a lock-screen passcode or app PIN is required before a tap is a decision left to the wallet provider and issuer, not enforced by the protocol
- Privacy compliance for the future
  - Credential storage in the cloud
  - Open wallets
  - Loyalty Programs
  - Geo-location data
Key Regulatory Issues
Understanding the fragmented regulation of
- Financial institution regulation (Bank Act, trust companies legislation)
- Canadian Payments Association (CPA)
- Payment Card Networks Act (PCNA)
- Proceeds of Crime (Money Laundering) and Terrorist Financing Act
- Provincial Consumer Protection legislation (regulates gift cards)
Key Regulatory Issues – continued
Informal regulation and Industry Standards
- Merchant agreements
- Acquirer agreements
- Interac Rules
- Card Brand Networks Rules
- Payment Card Industry Data Security Standard (PCI DSS)
- GlobalPlatform
A Glossary of Key Mobile Payment Terms
Applet: An Applet allows a Credential to be used in a functional context. An example would be PayWave, which is an applet that allows a subscriber to use his/her Credit Card Credentials to make a payment using VISA.
Credential: Personalized subscriber data (e.g. credit card information) issued by the Credential Issuer. Credentials can also include Applets for the purposes of provisioning.
Credential Issuer: An issuer of Credentials. For example, a financial institution, retailer, government, transit authority, etc.
GUI (Graphical User Interface): The visual layer of an application that a subscriber interacts with. Also referred to as the "Wallet Application" or
HCE (Host Card Emulation): The software architecture that allows mobile applications to offer NFC payment solutions without the need for a Secure Element on the phone (UICC / SIM card); the payment application, backed by a cloud service, emulates the card from the host operating system instead.
MNO (Mobile Network Operator): Also known as mobile phone operator (or simply mobile operator), carrier service provider (CSP), wireless service provider, wireless carrier, cellular company, or mobile network carrier.
A Glossary of Key Mobile Payment Terms (continued)
NFC (Near Field Communication): Short range radio communication (a few centimetres) used for contactless tap transactions.
POS (Point of Sale): The location where a business transaction occurs. A POS terminal is the device that reads the customer's card or mobile wallet and submits the transaction (debit or credit) for authorization.
Provisioning: The process to load the wallet on the mobile device and personalize the wallet for use.
SD (Security Domain): The SD is an entity on the Secure Element which provides the support framework for the control, security and communication requirements of the Credential Issuer.
SE (Secure Element): A platform that allows the installation, personalization and management of Credentials. It is a combination of hardware, software, interfaces and protocols that enable secure storage and usage of Credentials for payment, authentication and other services. The SE can be a portion of a UICC / SIM card, an embedded chip, a secure SD card, or linked to a cloud solution.
SEM (Secure Element Manager): The SEM enables the mobile network operator to provide a secure management framework to allow its Credential Issuer's customers to manage their multiple Credentials within a Secure Element. The SEM controls access to the SE.
A Glossary of Key Mobile Payment Terms (continued)
SIM (Subscriber Identity Module): An integrated circuit that securely stores the subscriber identity (IMSI) and the subscriber authentication key used to identify and authenticate a subscriber on the mobile network. The SE can be a SIM card.
SSD (Supplementary Security Domain): The SSD is a specific area on the SE designated specifically for the Credential Issuer that includes Credentials of such Credential Issuer.
Tokenization: The process of substituting a sensitive data element (e.g. card data) with a non-sensitive equivalent (the token) that has no extrinsic or exploitable meaning or value. The token is an identifier that maps back to the sensitive data only through the tokenization system (the token vault), so a token captured from a merchant system or a compromised device cannot be used on its own to reconstruct the card number.
TSM (Trusted Service Manager): The TSM's role is to establish a technical connection with the SEM or MNOs and to enable Credential Issuers to distribute and manage their Credentials remotely by allowing access to the Secure Element (via authentication by the SEM) in NFC-enabled handsets. The TSM is a service, usually operated by a trusted third party, that provides the link between the Credential Issuer and the Secure Element Manager.
UICC (Universal Integrated Circuit Card): A smart card used in mobile devices. The UICC is commonly referred to as the SIM Card.
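The Tokenization entry above, as an added worked example that is not part of the original presentation: a toy token vault showing why a token "has no exploitable meaning". The `TokenVault` class, the `luhn_valid` helper, the index key and the in-memory dictionaries are assumptions for illustration (a real vault keeps the key in an HSM and the mapping in a hardened database); the card numbers used are published test numbers, not real accounts.

```python
"""Minimal token vault illustrating the Tokenization glossary entry.

Added example, not code from the original presentation. Class, function
and key names are assumptions for illustration; the card numbers are
published test PANs, not real accounts.
"""
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test that card networks apply to a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps card numbers (PANs) to random tokens and back.

    Only the vault holds the PAN; callers (merchant systems, wallet apps)
    keep the token. A token carries no information about the PAN except
    the last four digits, retained for receipts and customer display.
    """

    def __init__(self, index_key: bytes) -> None:
        # Secret key for the lookup index. In production this lives in an
        # HSM; a plain bytes value is assumed here for the example.
        self._index_key = index_key
        self._pan_by_token: dict[str, str] = {}    # the sensitive store
        self._token_by_index: dict[str, str] = {}  # HMAC(PAN) -> token

    @staticmethod
    def _normalize(pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible card number")
        return pan

    def _index(self, pan: str) -> str:
        # Keyed hash, not a plain hash: the PAN space is small enough that
        # an unkeyed SHA-256 of a PAN could be brute-forced from a leaked
        # index table.
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = self._normalize(pan)
        idx = self._index(pan)
        if idx in self._token_by_index:        # same PAN -> same token
            return self._token_by_index[idx]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # The token is random, so it has no mathematical relation to
            # the PAN. It is also required to FAIL the Luhn check, so that
            # a token mistakenly sent to a card network is rejected.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse lookup. Only the vault can do this, so in a real
        deployment it sits behind strong authentication and audit logging."""
        try:
            return self._pan_by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


if __name__ == "__main__":
    vault = TokenVault(index_key=b"example-index-key")   # assumed key
    token = vault.tokenize("4111 1111 1111 1111")         # published test PAN
    print("token:", token, "-> detokenized:", vault.detokenize(token))
```

The point the example makes: everything outside the vault (the wallet, the merchant, any log line) sees only `token`, and recovering the PAN requires a call to `detokenize`, which is the one operation that must be tightly access-controlled. Note that the keyed index is what lets a repeated card get the same token without the vault ever storing a reversible or brute-forceable fingerprint of the PAN.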
Contact Information:
Sony Gokhale
[email protected]
Osler, Hoskin & Harcourt LLP
Box 50, 1 First Canadian Place
Toronto, Ontario, Canada M5X 1B8