Mobile Payments: Key IT Law Issues Sony Gokhale October 26, 2015 31021146


Mobile Payments: Key IT Law Issues

Sony Gokhale

October 26, 2015

31021146

Presentation Summary

· What is mobile payment?

· A high level overview of the mobile payment ecosystem and its participants (as of today)

· Understanding the key mobile payment activities

· Key regulatory, privacy and security issues

What is Mobile Payment?

· Mobile payment is a very broad term and includes many different types of services, such as:

Mobile credit card apps
    · CIBC - “Mobile Payment App” (with Bell, Telus and Rogers)
    · TD - “TD Mobile Wallet” (with Bell, Telus and Rogers)
    · RBC - “RBC Wallet” / “Secure Cloud” (with Bell and Virgin Mobile but allows credit and debit)
    · ScotiaBank - “My Mobile Wallet” (with Bell, Telus and Rogers)
    · BMO - “Paypass” / “Tap and Go” (sticker affixed to a mobile device and not tied to a specific Telco)

What is Mobile Payment? (continued)

Closed loop mobile payment services
    · Starbucks, Tim Hortons

Direct carrier billing
    · Google Play on Telco bill

Mobile devices as a point-of-sale device
    · Square

Open wallets
    · UGO
    · Apple Pay
    · Google Wallet
    · Android Pay
    · Suretap

· Each mobile payment offering is implemented through different technologies and may involve a variety of different players

· The landscape is changing at a rapid pace, both in terms of the expanding service offerings (credit, debit, prepaid, loyalty, etc.) and the technology used to implement them

A Mobile Payment Ecosystem

[Diagram of the mobile payment ecosystem. Labels: Secure Element; SIM; Secure SD Card; Embedded Chip; Others; Wallet App; Proximity Infrastructure; Contactless Services; MNO/Telco; Service Provider TSM; Banks/Credential Issuers; Secure Element Manager]

Understanding Key Mobile Payment Activities (and their legal implications)

· Eligibility

· Provisioning

· Transaction processing

· Life cycle events (e.g. lost phones, suspended accounts, etc.)

Key Privacy and Security Issues

· Understanding the data flows and who controls the data
    · The importance of understanding how and when data is exchanged and accessed

· Who is responsible for the consents?
    · Understanding the consent process
    · Allocating responsibility for obtaining

Key Privacy and Security Issues (continued)

· Managing disclosure and consent in a mobile world
    · Presenting a suitable consent on a mobile device
    · When and how to obtain consent
    · Obtaining consent now and for the future

· New security risks to consider
    · Lost or stolen devices
    · NFC standards: password protection is optional

· Privacy compliance for the future
    · Credential storage in the cloud
    · Open wallets
    · Loyalty Programs
    · Geo-location data

Key Regulatory Issues

Understanding the fragmented regulation of payments
    · Financial institution regulation (Bank Act, trust companies legislation)
    · Canadian Payments Association (CPA)
    · Payment Card Networks Act (PCNA)
    · Proceeds of Crime (Money Laundering) and Terrorist Financing Act
    · Provincial Consumer Protection legislation (regulates gift cards)

Key Regulatory Issues – continued

Informal regulation and Industry Standards
    · Merchant agreements
    · Acquirer agreements
    · Interac Rules
    · Card Brand Networks Rules
    · Payment Card Industry Data Security Standard (PCI DSS)
    · GlobalPlatform

A Glossary of Key Mobile Payment Terms

· Applet: An Applet allows a Credential to be used in a functional context. An example would be PayWave, which is an applet that allows a subscriber to use his/her Credit Card Credentials to make a payment using VISA.

· Credential: Personalized subscriber data (e.g. credit card information) issued by the Credential Issuer. Credentials can also include Applets for the purposes of provisioning.

· Credential Issuer: An issuer of Credentials. For example, a financial institution, retailer, government, transit authority, etc.

· GUI (Graphical User Interface): The visual layer of an application that a subscriber interacts with. Also referred to as the “Wallet Application” or “Wallet”.

· HCE (Host Card Emulation): The software architecture that allows mobile applications to offer NFC payment solutions without the need for a Secure Element on the phone (UICC / SIM card).

· MNO (Mobile Network Operator): Also known as mobile phone operator (or simply mobile operator), carrier service provider (CSP), wireless service provider, wireless carrier, cellular company, or mobile network carrier.

A Glossary of Key Mobile Payment Terms (cont’d)

· NFC (Near Field Communication): Short range radio communication technology.

· POS (Point of Sale): The location where a business transaction occurs. A POS terminal is a device by which sales transactions can be directly debited from the customer's bank account.

· Provisioning: The process to load the wallet on the mobile device and personalize the wallet for use.

· SD (Security Domain): The SD is an entity on the Secure Element which provides the support framework for the control, security and communication requirements of the Credential Issuer.

· SE (Secure Element): A platform that allows the installation, personalization and management of Credentials. It is a combination of hardware, software, interfaces and protocols that enable secure storage and usage of Credentials for payment, authentication and other services. The SE can be a portion of a UICC / SIM card, an embedded chip, an SD card, or linked to a cloud solution.

· SEM (Secure Element Manager): The SEM enables the mobile network operator to provide a secure management framework to allow its Credential Issuer’s customers to manage their multiple Credentials within a Secure Element. The SEM controls access to the SE.

A Glossary of Key Mobile Payment Terms (cont’d)

· SIM (Subscriber Identity Module): An integrated circuit that securely stores the service-subscriber keys (IMSI) used to identify a subscriber on mobile devices. The SE can be a SIM card.

· SSD (Supplementary Security Domain): The SSD is a specific area on the SE designated specifically for the Credential Issuer that includes Credentials of such Credential Issuer.

· Tokenization: The process of substituting a sensitive data element (e.g. card data) with a non-sensitive equivalent (the token) that has no extrinsic or exploitable meaning or value. The token is an identifier that maps back to the sensitive data through a tokenization system.

· TSM (Trusted Service Manager): The TSM’s role is to establish a technical connection with the SEM or MNOs and to enable Credential Issuers to distribute and manage their Credentials remotely by allowing access to the Secure Element (via authentication by the SEM) in NFC-enabled handsets. The TSM is a hardware module that enables a link between the Credential Issuer and the Secure Element Manager.

· UICC (Universal Integrated Circuit Card): A smart card used in mobile devices. The UICC is commonly referred to as the SIM Card.

Contact Information:

Sony Gokhale 416.862.6813 [email protected]

Osler, Hoskin & Harcourt LLP

Box 50, 1 First Canadian Place

Toronto, Ontario, Canada M5X 1B8