Mobile point-of-sale payment terminals have experienced explosive growth over the past year. Unlike a traditional point-of-sale terminal, a mobile terminal communicates wirelessly when processing payment cards. There are different types of solutions in the market, but one popular type is an application within a mobile device, like a smartphone or tablet, that uses a hardware attachment to swipe payment cards. Merchants who use these solutions should remember to comply with both existing and evolving legal and card association requirements, particularly as other new payment acceptance solutions, such as integrated chip (IC) and near field communication (NFC) point-of-sale terminals, are adopted widely.
Complying With Existing Requirements
As the use of mobile payment solutions grows, merchants should understand how these solutions affect their existing obligations under the card association rules as well as state and federal law. For example, merchants should consider the following when they accept payments using mobile payment solutions:
Receipts. The card association rules require that merchants provide customers with sales receipts for most transactions at the time of purchase. The rules generally allow merchants to provide sales receipts by email or other electronic means, but merchants still must comply with the card association rules, as well as state and federal laws, that specifically address what information must and must not be included on these sales receipts. For example, under federal law, electronically printed receipts may contain no more than the last five digits of a card account number and may not contain a card’s expiration date. The card association rules may require additional information, such as a description of the purchase, the merchant’s cancellation policies, and a customer service number that cardholders can call if they have questions.
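As an added illustration (not part of the original article), the following code shows one way to enforce the receipt rule described above: the account number is truncated to no more than its last five digits, the expiration date is never carried into the receipt, and a check flags receipt text that still exposes either. The field names, helper names, and sample values are assumptions constructed for the example.

```python
import re

# Receipt-truncation rule as stated in the article: an electronically printed
# receipt may show at most the last five digits of the account number and must
# not show the expiration date. MAX_VISIBLE_DIGITS encodes that limit.
MAX_VISIBLE_DIGITS = 5


def truncate_pan(pan: str) -> str:
    """Return the account number with all but the last five digits masked."""
    digits = re.sub(r"\D", "", pan)  # tolerate spaces or dashes in the input
    if len(digits) < 12:
        raise ValueError("not a plausible account number")
    return "*" * (len(digits) - MAX_VISIBLE_DIGITS) + digits[-MAX_VISIBLE_DIGITS:]


def build_receipt(merchant: str, amount: str, pan: str,
                  description: str, service_number: str) -> dict:
    """Assemble receipt fields (assumed names). The expiration date is
    deliberately not accepted, so it can never reach the printed receipt."""
    return {
        "merchant": merchant,
        "amount": amount,
        "account": truncate_pan(pan),
        "description": description,       # required by some card association rules
        "customer_service": service_number,
    }


# Guard run over the final receipt text before it is e-mailed or printed:
# a run of 13-19 digits (optionally separated by spaces/dashes) is treated
# as a full account number; "Exp 12/25"-style fields as an expiration date.
_FULL_PAN = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
_EXPIRY = re.compile(r"\bexp(?:ir(?:y|es|ation))?\.?\s*:?\s*\d{2}\s*/\s*\d{2,4}\b", re.I)


def receipt_violations(text: str) -> list:
    """Return a list of rule violations found in receipt text (empty if clean)."""
    problems = []
    if _FULL_PAN.search(text):
        problems.append("full account number present")
    masked = re.search(r"\*+(\d+)", text)
    if masked and len(masked.group(1)) > MAX_VISIBLE_DIGITS:
        problems.append("more than five digits visible")
    if _EXPIRY.search(text):
        problems.append("expiration date present")
    return problems
```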
Use of Personal Information. Merchants that request email addresses or mobile phone numbers to provide electronic receipts should be mindful of state laws that prohibit requesting personal information as part of a payment card transaction. Although these laws have applicable exemptions, merchants should understand the restrictions on how they may use personal information that they might have lawfully collected for another purpose. For example, merchants should consult with legal counsel before collecting a mobile number to provide a receipt and then sharing that mobile number with a third party for direct marketing purposes.
Storage of Cardholder Data. Collecting a cardholder’s name and other personal information together with a payment card number can trigger specific – and at times stringent – state laws governing storage and disposal of the information when it is no longer needed. Furthermore, the card associations also impose security requirements on the collection, transmission, and storage of payment card information. Each merchant that accepts a payment card – whether online, in person or through a mobile device – must abide by the PCI Data Security Standard (PCI DSS) requirements to protect cardholder data (such as the card account number, on its own or together with the card’s expiration date and the cardholder’s name). Even merchants that outsource the storage, transmission, and processing of their payment card transactions to mobile payment service providers have obligations under PCI DSS, such as making sure their service providers are themselves PCI-compliant and have contractually agreed to be responsible for cardholder data in their possession.
Complying With New Requirements
As the mobile terminal industry continues to evolve, the requirements governing payment transactions are evolving as well. For example, the PCI Security Standards Council, which creates and maintains PCI DSS, recently published guidelines for developers of mobile payment acceptance solutions and has announced that in 2013 it plans to release further guidance to help merchants securely use mobile payment acceptance. According to the council, one way for merchants to minimize the risk of breaching cardholder data is to use approved external hardware devices that encrypt the payment card information before transmitting it to the mobile device. The council has indicated that it will post a list of such approved external hardware devices on its website in the near future.
Similarly, the card associations are modifying their rules to keep up with the rapid proliferation of mobile payment acceptance solutions. Visa recently revised its operating rules governing merchants and other participants in the Visa payment system. By April of 2013, merchant banks must ensure that merchants using mobile solutions obtain online authorizations from cardholders’ banks to process their mobile transactions. Visa’s rules regarding the new technology indicate that the card association anticipates that the market for mobile payment acceptance solutions will continue to grow.
Indeed, merchants should expect further development of the payment terminal industry in the future, particularly as point-of-sale terminals are upgraded to account for new technologies affecting the payment card industry. These new technologies include the Europay, MasterCard and Visa (EMV) IC standard and the NFC standard. Designed to promote interoperability among IC cards and terminals, the EMV standard for a payment card contemplates the use of cryptographic algorithms to generate card authentication and authorization information instead of relying on the magnetic stripe technology currently used in most U.S. payment cards. This year American Express, Discover and MasterCard joined Visa in offering incentives for merchants that upgrade to chip-reading terminals – and penalties for merchants that fail to upgrade. For example, merchants processing transactions through chip-reading terminals will not have to validate their annual compliance with the PCI DSS rules, whereas merchants that fail to upgrade to chip-reading terminals will, starting in 2015, bear chargeback liability for fraudulent IC card transactions. While adoption of chip-reading mobile payment solutions is prevalent in Europe, Canada, and parts of Asia, most mobile payment solutions in the United States are not yet capable of accepting IC cards.
Merchants also have taken advantage of NFC technology this holiday season. NFC is a standard that allows NFC-enabled devices to interact using radio communications when they touch or come into close proximity. NFC technology allows users to store their payment card information in a secure element of their mobile device and pay for goods and services by simply tapping their mobile devices on an NFC-enabled point-of-sale terminal. In a significant development for merchants, mobile wallets enable for the first time the exchange of payment account information together with merchant promotions such as coupons, loyalty points and other offerings. The push to upgrade U.S. merchants to support chip cards may hasten the proliferation of NFC transactions, as many point-of-sale terminals that read chip cards also can accept contactless payments through NFC mobile wallets.