Viewpoint: Mobile Wallet Myth-Busting Starts Now

Written by FinTech Futures
28th January 2016

By Andrew R. Toftey, Lindquist & Vennum LLP

Even for professionals in the payments space, it can be a challenge to keep up with the rate and variety of changes. For others, it can be bewildering. And, unfortunately, consumer media doesn’t always spread accurate information,

For those of us in prepaid, we’re used to having to set the record straight even now after nearly two decades of being in the market. We still see the annual holiday stories warning consumers about the dangers of gift cards and why retailers are counting on them going unredeemed. Of course, we know retailers love it when customers redeem gift cards because they spend more than the face value, and it’s another store visit or online session a retailer might not have otherwise had. The New Year began with a similarly misinformed news story on Cleveland’s NewsChannel 5 titled “With mobile wallets, banks shift fraud liability to you.”[1] That seems scary! But when you dig into the story—at least if you’re in payments—you easily can spot the flaws. If you’re a consumer new to EMV or considering a mobile wallet, it might lead you astray. As an industry, we have to be ready to do some serious myth-busting if we want to ensure widespread consumer adoption.

Here’s a snapshot of a story gone wrong:

“More stores and restaurants are encouraging customers to ditch their physical wallets in favor of digital wallets, but fine print, buried in some bank terms of service contracts, leaves consumers on the hook for any potential fraud.”

Ok, this would seem to suggest that merchants are working with financial institutions to shift fraud liability to consumers. Setting aside the massive and shadowy anti-trust allegation, issuers are trying to encourage cardholders to move to more secure technologies that decrease issuer risk; from a consumer perspective who would adopt a new technology only to increase their personal risk?

“Mobile payment services like Apple Pay and Android Pay allow people to make purchases in stores and online with a smart phone or smart watch, instead of using a traditional credit card with a magnetic strip. Experts say that strip is outdated and leaves your personal information vulnerable to theft.”

I can live with this statement. We’ve seen worse.

“newsnet5.com found some banks are leaving their customers who opt to use mobile payment systems on the hook for fraud.”

What?!? Can you tell us which banks so we can avoid them?!?

One bank’s terms of service contract even said this: “’We are not responsible if a security breach occurs that affects any information stored in any Wallet.’”

Now we have come across the first real claim which I actually believe, but is seriously misconstrued. We don’t know which bank, but let’s reasonably assume they are talking about a bank offering a card that can be linked to a mobile wallet using Apple Pay, Android Pay or Samsung Pay. Our bank here is not saying the cardholder is “on the hook for fraud.” Rather, the cardholder is not responsible for or liable for data breaches of information stored in the cardholder’s mobile wallet. The parties that should be responsible are either the handset providers (or Google in Android Pay’s case) who actually hold the cardholder data and who experience a data breach, or the cardholder who lost their phone (by accident or theft) and didn’t put any access security in place around the phone. In those cases, the bank was not in control of the data, and shouldn’t be responsible for any related losses. I don’t think this is alarming or unreasonable.

“Ken Stasiak, CEO of Cleveland-based cyber security consulting firm Secure State, said that is a change from how banks used to treat fraud, back when the magnetic strip reigned supreme.

“You’re not going to see big scale breaches, like Target, in 2016 and ’17,” Stasiak said, “with EMV (chip-enabled cards) and these new technologies being rolled out. Because of that, the liability is now being shifted to the consumer because they believe, if it gets breached, it came from the consumer, not the retailer.”

Oh dear. There are obviously a lot of wrong statements here: let me count the ways. Mobile wallets have nothing to do with EMV. They are entirely different technologies. And the EMV liability shift is between card issuers and merchants, it has nothing to do with consumers. Unfortunately, they have become mixed in this story, resulting in the suggestion that consumers are now responsible for fraud committed on accounts when transactions originate from mobile wallets.

This is an expected consequence of lots of big changes in an industry over a short period of time. Education and repetition therefore become our allies: Mobile wallets and tokenization are technologies that are more secure than magnetic stripes. No matter the technology, cardholders can rest easy, they will still enjoy zero liability on fraudulent transactions. By repeating clear messages, the payments community can minimize the confusion around liability shifts and new technologies, and minimize stories like this one.

“Still, Stasiak said mobile payment systems are the best bet for online purchases. He said the encryption makes it more secure than manually entering a credit card number.

Thanks, Ken. I completely agree with you.

Andrew R. Toftey is a partner in the Minneapolis office of Lindquist & Vennum LLP, where he serves in the firm’s financial institutions practice. He advises financial institutions, financial technology companies, merchant processors and other payment providers on legal and regulatory matters, including commercial and consumer credit and prepaid transactions. He can be reached at [email protected].

In Viewpoints, payments professionals share their perspectives on the industry. Paybefore’s goal is to present many points of view to offer readers new insights and information. The opinions expressed in Viewpoints are not necessarily those of Paybefore.

[1] The story can be found here: http://www.newsnet5.com/money/consumer/with-mobile-wallets-banks-shift-fraud-liability-to-you