Mobile point-of-sale payment terminals have experienced explosive growth over the past year. Unlike a traditional point-of-sale terminal,
a mobile terminal communicates wirelessly when processing payment
cards. There are different types of solutions in the market, but one
popular type is an application within a mobile device, like a smartphone or tablet,
that uses a hardware attachment to swipe payment cards. Merchants who
use these solutions should remember to comply with both existing and
evolving legal and card association requirements, particularly as other
new payment acceptance solutions, such as integrated chip (IC) and near
field communication (NFC) point-of-sale terminals, are adopted widely.
Complying With Existing Requirements
As the use of mobile payment solutions grows, merchants should
understand how these solutions affect their existing obligations under
the card association rules as well as state and federal law. For
example, merchants should consider the following when they accept
payments using mobile payment solutions:
- Receipts. The card association rules require that merchants provide customers with sales receipts for most transactions at the time of purchase. The rules generally allow merchants to provide sales receipts by email or other electronic means, but merchants still must comply with the card association rules, as well as state and federal laws, that specifically address what information must and must not be included on these sales receipts. For example, under federal law, electronically printed receipts may contain no more than the last five digits of a card account number and may not contain a card’s expiration date. The card association rules may require additional information, such as a description of the purchase, the merchant’s cancellation policies, and a customer service number that cardholders can call if they have questions.
- Use of Personal Information. Merchants that request email addresses or mobile phone numbers to provide electronic receipts should be mindful of state laws that prohibit requesting personal information as part of a payment card transaction. Although these laws have applicable exemptions, merchants should understand the restrictions on how they may use personal information that they might have lawfully collected for another purpose. For example, merchants should consult with legal counsel before collecting a mobile number to provide a receipt and then sharing that mobile number with a third party for direct marketing purposes.
- Storage of Cardholder Data. Collecting a cardholder’s name and other personal information together with a payment card number can trigger specific – and at times stringent – state laws governing storage and disposal of the information when it is no longer needed. Furthermore, the card associations also impose security requirements on the collection, transmission, and storage of payment card information. Each merchant that accepts a payment card – whether online, in person or through a mobile device – must abide by the PCI Data Security Standard (PCI DSS) requirements to protect cardholder data (such as the card account number, on its own or together with the card’s expiration date and the cardholder’s name). Even merchants that outsource the storage, transmission, and processing of their payment card transactions to mobile payment service providers have obligations under PCI DSS, such as making sure their service providers are themselves PCI compliant and have contractually agreed to be responsible for cardholder data in their possession.

Perkins Coie LLP
Complying With New Requirements
As the mobile terminal industry continues to evolve, the requirements
governing payment transactions are evolving as well. For example, the
PCI Security Standards Council, which creates and maintains PCI DSS,
recently published guidelines for developers of mobile payment
acceptance solutions and has announced that in 2013 it plans to release
further guidance to help merchants securely use mobile payment
acceptance. According to the council, one way for merchants to minimize
the risk of breaching cardholder data is to use approved external
hardware devices that encrypt the payment card information before
transmitting it to the mobile device. The council has indicated that it
will post a list of such approved external hardware devices on its
website in the near future.
Similarly, the card associations are modifying their rules to keep up
with the rapid proliferation of mobile payment acceptance solutions.
Visa recently revised its operating rules governing merchants and other
participants in the Visa payment system. By April of 2013, merchant
banks must ensure that merchants using mobile solutions obtain online
authorizations from cardholders’ banks to process their mobile
transactions. Visa’s rules regarding the new technology indicate that
the card association anticipates that the market for mobile payment
acceptance solutions will continue to grow.
Future Developments
Indeed, merchants should expect further development
of the payment terminal industry in the future, particularly as
point-of-sale terminals are upgraded to account for new technologies
affecting the payment card industry. These new technologies include the
Europay, MasterCard and Visa (EMV) IC standard and the NFC standard.
Designed to promote inter-operability among IC cards and terminals, the
EMV standard for a payment card contemplates the use of cryptographic
algorithms to generate card authentication and authorization information
instead of relying on the magnetic stripe technology currently used in
most U.S. payment cards. This year American Express, Discover and
MasterCard joined Visa in offering incentives for merchants that upgrade
to chip-reading terminals – and penalties for merchants that fail to
upgrade. For example, merchants processing transactions through
chip-reading terminals will not have to validate their annual compliance
with the PCI DSS rules, whereas merchants that fail to upgrade to
chip-reading terminals will, starting in 2015, bear chargeback liability
for fraudulent IC card transactions. While adoption of chip-reading
mobile payment solutions is prevalent in Europe, Canada, and parts of
Asia, most mobile payment solutions in the United States are not yet
capable of accepting IC cards.
Merchants also have taken advantage of NFC technology this holiday
season. NFC is a standard that allows NFC-enabled devices to interact
using radio communications by touching or coming in close proximity. NFC
technology allows users to store their payment card information in a
secure element of their mobile device and pay for goods and services by
simply tapping their mobile devices on an NFC-enabled point-of-sale
terminal. A significant development for merchants, mobile wallets enable
for the first time the exchange of payment account information with
merchant promotions such as coupons, loyalty points and other offerings.
The push to upgrade U.S. merchants to support chip cards may hasten the
proliferation of NFC transactions, as many point-of-sale terminals that
read chip cards also can accept
contactless payments through NFC mobile wallets.
barcodesinc.com