Prepaid Cards, New Technologies, and Emerging Payment
Systems, Including Mobile Wallets, Virtual Currencies, and EMV
Cards: New Opportunities and Overcoming Regulatory and
Compliance Challenges
ACI Prepaid Card Compliance Conference
September 30th – October 1st, 2015
Chicago, Illinois
Claude Goetz
Mobile Devices are Changing Retail Payments
Includes:
• Purchases, bill payments, charitable donations, payments to another person, or any other payments using a mobile phone
Access points:
• Web page through mobile browser, SMS, or downloadable app on phone
Payment:
• Charged to credit card, deducted from prepaid account, or withdrawn directly from bank account
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
Consumers Using Their Phones to Make Payments
Growth in consumer use of mobile payments (share reporting use in the past 12 months):
                                                   2011   2012   2013
  Mobile phone users reporting mobile payments      11%    15%    17%
  Smartphone users reporting mobile payments        23%    24%    24%
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
How are Consumers Using Mobile Payments?
• Paying bills: 66%
• Online purchases: 59%
• Paying for product or service at store: 39%
• Transferring money from another person using a mobile phone: 39%
• Made payment via text message: 13%
• Paid for parking, a taxi or public transit using mobile phone: 9%
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
How are Consumers Using Mobile Payments?
Growth in use of POS mobile payments services (share of smartphone users who reported making a POS purchase with their smartphone in the past 12 months):
  2011: 1%    2012: 6%    2013: 17%
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
Mobile Phones: Gateway to the Unbanked?
Mobile phones, including smartphones, are prevalent among the unbanked and underbanked.
Cell phone usage among unbanked & underbanked:
                  Mobile phone   Smartphone
  Unbanked            69%           50%
  Underbanked         88%           64%
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
Mobile Phones: Gateway to the Unbanked?
Source: Board of Governors of the Federal Reserve System, “Consumers and Mobile Financial Services 2014” (March 2014)
High penetration among younger generations, minorities, and
low-income offers potential for expanding financial access
Catalyst: Growth in Alternative Payment Providers
– In January 2014, it was estimated that APPs will account for 59% of online transactions and that e-wallets will equal cards in terms of market share in 2017
– Peer-to-peer payment market expected to reach $17 billion in 2019
– Growth of P2P market, APPs for online transactions, e-wallets, mobile payments, “Buy”
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
Regulatory landscape (word cloud): Business of banking / Deposit-Taking; Truth in Lending Act / Reg Z; Regulation B; Bank Secrecy Act; OFAC; Reg D; Truth in Savings Act; Regulation II; Gramm-Leach-Bliley Act; Fair Credit Reporting Act; Data breach/security; FDIC Deposit Insurance; E-SIGN Act; Unfair, Deceptive or Abusive Acts and Practices Laws; State Money Transmitter Laws; State Privacy and Security Statutes; Card brand rules; Gift card; Anti-Money Laundering Compliance; TISA/Reg DD; Reg CC; Escheat; Durbin Amendment; Identity-Theft Red Flags; Check 21; Truth in Billing; Electronic Fund Transfer Act / Regulation E; Regulation DD
The Clearing House Diagnosis: An Uneven Playing Field in Data Privacy and Security
“Financial Institutions” are subject to extensive regulatory, supervisory and enforcement scrutiny by their prudential regulators:
– GLBA Interagency Guidelines
– More stringent implementing regulations and consequences
– Safety and soundness
– Banks ultimately bear customer service and fraud costs
Alternative Payment Providers (APPs) provide products and services utilizing the “backbone of existing payment systems” and avoid the reach of prudential regulators:
– GLBA FTC Safeguards Rule
– Not subject to regular examinations, enforcement actions or oversight
– Lighter substantive requirements
– Lower odds of facing enforcement actions or sanctions
“Banks and APPs engaging in functionally similar activities should be subject to similar regulatory regimes.” The Clearing House
Source: The Clearing House, Ensuring Consistent Consumer Protection for Data Security: Major Banks vs. Alternative Payment Providers (August 2015)
Impact of Apple Pay on the Mobile Payments Market
Apple Pay adoption – a mixed story
– Recent Pymnts and InfoScout survey data show declines in use:
  • Consumers that have tried Apple Pay: March 2015 – 15.1% of eligible iPhone 6 & 6 Plus users; June 2015 – 13.1%
  • Consumers using Apple Pay in a store where it’s accepted: March 2015 – 48% of eligible iPhone 6 & 6 Plus users; June 2015 – 33%
  • Consumers not using Apple Pay because they are not familiar with how it works: March 2015 – 31% of eligible iPhone 6 & 6 Plus users; June 2015 – 34%
Source: Pymnts.com, available at http://www.pymnts.com/in-depth/2015/apple-pay-adoption-the-falling-side-of-the-bell-curve/ (August 5, 2015).
Impact of Other Mobile Payment Technologies
Non-Apple mobile payment solutions
– Samsung Pay / Loop Pay
– Android Pay
– Others
Will mobile payment adoption rates significantly increase?
– In-store payment isn’t a consumer pain point – swiping works
Tokenization and Host Card Emulation
How Tokenization Works
Tokenization is a data security technique that replaces sensitive data (e.g., a credit card number) with surrogate data (a token) that has little or no value. Tokenization limits the scope of where the sensitive data needs to be processed or stored.
[Diagram: token system. Example card number 1234 1234 1234 1234 is replaced by the token 0000 0000 0000 0001; the token vault holds the mapping (entries shown: 1234 = 0001, 2345 = 0002, 3456 = 0003, 4567 = 0004).]
Benefits of Tokenization
Easier, cheaper and more secure
Easier and Cheaper:
– Tokenization can be managed internally or outsourced
– Format interoperates with existing systems and applications
– Puts less technical overhead on infrastructure
– Reduces compliance obligations by allowing fewer systems to audit and lower security controls
Benefits of Tokenization (cont’d)
Easier, cheaper and more secure
More Secure:
– Reduces exposure by centralizing sensitive data in one location (token vault)
– Unlike encryption, tokens cannot be reversed without access to the token vault
– Reduces burden of encryption key management
Limitations of Tokenization
– Tokenization cannot be used on all types of data (e.g., emails, Internet transmissions, databases, files)
– Just like encryption, cannot protect data before it is tokenized (e.g., RAM scraper problem) or if a party is able to de-tokenize the data
– Similarly formatted tokens may not be distinguishable from the real
Limitations of Tokenization (cont’d)
– Tokens are not meaningful to third parties unless they have access to the token vault or are provided a means to associate the token back to the sensitive data
– Tokenization can result in duplicative tokens unless the token system is set up to prevent collision
– Tokens do not validate the underlying data or its source, and should be coupled with assurance methods to validate identity
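As an added example (not part of the presentation or any vendor's product), the following Python sketch of a token vault shows the mechanics from the tokenization slides above: a PAN is replaced by a random token of the same length, only the vault can reverse the mapping and only for an authorized caller, collisions are prevented by checking the vault before a token is issued, the input is Luhn-validated because a token itself validates nothing, and tokens are generated so that they fail the Luhn check and are therefore distinguishable from real card numbers. The TokenVault class, its caller allow-list and the test card numbers are assumptions of this example.

```python
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical token vault: maps a PAN to a format-preserving token and back.

    The token has the same length as the PAN and keeps the last four digits so it
    fits existing screens and reports, but the leading digits are random, so the
    token cannot be reversed without this vault.
    """

    def __init__(self, authorized_detokenizers):
        self._authorized = set(authorized_detokenizers)   # systems allowed to de-tokenize
        self._pan_to_token = {}
        self._token_to_pan = {}

    @staticmethod
    def _candidate(pan: str) -> str:
        random_part = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        return random_part + pan[-4:]

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        # A token does not validate the underlying data, so validate it on the way in.
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._pan_to_token:          # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            token = self._candidate(pan)
            # Collision prevention: never hand out a token that is already in use.
            # Distinguishability: only accept tokens that FAIL the Luhn check, so a
            # token can never be mistaken for (or processed as) a real PAN.
            if token not in self._token_to_pan and not luhn_valid(token):
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, caller: str) -> str:
        """Reverse the mapping; only possible with vault access and authorization."""
        if caller not in self._authorized:
            raise PermissionError(f"{caller} is not permitted to de-tokenize")
        return self._token_to_pan[token]


def demo():
    vault = TokenVault(authorized_detokenizers={"payment-gateway"})
    pan = "4111 1111 1111 1111"   # constructed test number, not a real account
    token = vault.tokenize(pan)
    return vault, pan.replace(" ", ""), token
```

The Luhn-failing rule is what keeps a leaked token useless even to a system that would otherwise accept a 16-digit number, and the allow-list is the vault-side expression of the slide's point that a token is only meaningful to a party that can de-tokenize it.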
How Host Card Emulation (HCE) Works
Host Card Emulation (HCE) creates a software-based virtual smart card that does not rely on the device’s Secure Element. First introduced in 2011 by SimplyTapp but popularized by Google’s Android phone.
Use of Tokenization in HCE
Tokenization may be used in conjunction with HCE
Tokens can be used in place of the PAN on the device, or other sensitive data, to add an
additional layer of security
Google Wallet uses tokenization and does not store the PAN on the device or pass the PAN to the merchant
HCE Security Supplements
The following can be used to supplement the security of a HCE deployment:
Encryption or tokenization of sensitive data stored on the device or in the cloud
Use of tamper-proof software to stop all transactions if external changes are attempted
Device fingerprinting to uniquely identify the authorized device and disallow any transactions from other devices
The primary criticism of HCE is that it is not as secure as using the Secure Element.
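To make the device-fingerprinting supplement above concrete, here is an added Python example (not code from the presentation or from any wallet provider) of the server side of a hypothetical HCE deployment: a payment token is provisioned to one device, the server keeps only a keyed hash of that device's fingerprint, and an authorization request is refused when the token is presented from any other device. The TokenServiceProvider class, the fingerprint strings and the sample token are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def fingerprint_hash(device_fingerprint: str, key: bytes) -> str:
    """Keyed hash of the device fingerprint: the server never stores the raw
    fingerprint, so a leaked binding table does not reveal device identifiers."""
    return hmac.new(key, device_fingerprint.encode(), hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Hypothetical server: each token is bound to exactly one device and is
    honoured only when presented from that device."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side HMAC key
        self._bindings = {}                   # token -> hash(device fingerprint)

    def provision(self, token: str, device_fingerprint: str) -> None:
        self._bindings[token] = fingerprint_hash(device_fingerprint, self._key)

    def authorize(self, token: str, presented_fingerprint: str, amount_cents: int):
        """Return (approved, reason) for a transaction presented with a token."""
        expected = self._bindings.get(token)
        if expected is None:
            return False, "unknown token"
        presented = fingerprint_hash(presented_fingerprint, self._key)
        if not hmac.compare_digest(expected, presented):
            return False, "token presented from a device it was not provisioned to"
        if amount_cents <= 0:
            return False, "invalid amount"
        return True, "approved"


def demo():
    tsp = TokenServiceProvider()
    # Constructed values: one sample token and two device fingerprints
    token = "0000000000000001"
    phone_a = "android-10;model=X;id-hash=abc123"
    phone_b = "android-10;model=X;id-hash=def456"
    tsp.provision(token, phone_a)
    return tsp, token, phone_a, phone_b
```

The fingerprint is still data the handset reports about itself, so this check raises the cost of replaying a token from another device rather than giving the hardware-backed guarantee of a Secure Element, which is exactly the criticism of HCE the slide records.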
Disclaimer