Contactless Cage Match: FTC meeting debates regulation of RF payments
25 July, 2008
category: Contactless, Financial, Library, NFC
By Andy Williams, Contributing Editor
Uniform standards for contactless and mobile payments and greater security were two of the suggestions made during a Federal Trade Commission-hosted Town Hall meeting in Seattle, Wash. yesterday. The session was co-sponsored with the Technology Law and Public Policy Clinic at the University of Washington and was designed to explore the growth of contactless payment systems and their implications for consumer protection.
“Everyone has an agenda here,” said Tom McAndrew, director of IT governance and compliance services for Coalfire Systems, a cybersecurity firm.
He was right. The meeting featured input from technologists, academicians, consumer protection officials and consumer advocates.
Titled “Pay on the Go: Consumers and Contactless Payment” the meeting ostensibly was a follow up to the FTC‘s November 2006 hearings, “Protecting Consumers in the Next Tech-ade,” which examined technological and business developments as they relate to consumers.
Charles Harwood, director of FTC’s Seattle office, said the FTC wants to determine the “kinds of tradeoffs consumers are being asked to do today. Are they being asked to sacrifice privacy? Do they understand what they’re being told?”
Dan Littman, an economist with the Federal Reserve Bank of Cleveland, said contactless is “far from being top of wallet, not even in Hong Kong” where the Octopus card is making the transition from transit to payments. “I put contactless somewhere between infancy and adolescence.”
Calling the technology a “niche product,” Littman said contactless “aspires to be dominant and maybe in the next 10 years it will be.”
He said the Federal Reserve isn’t “worried about contactless in terms of systemic risk but we are interested in bank risk.”
Randy Vanderhoof, executive director of the Smart Card Alliance, led things off with a contactless overview. He pointed to recent SCA studies and gave conference participants an update on where the technology now stands.
It’s obvious contactless is moving ahead, but at a snail’s pace, despite strong figures given by MasterCard’s Jodi Golinsky, who said that worldwide contactless was now in 109,000 merchant locations in 22 countries.
It’s starting to grow, she said. And since there were consumer advocates present, she reiterated what industry veterans already knew, that the RFID technology is very short-range reading. “It is not a tracking device and it’s not used for inventory control.”
She also said the credit card giant was “reaching out more to consumers to help them understand what contactless is, what it does and how it works.”
That did little to satisfy Jennifer King, University of California’s Berkeley School of Law, who called RFID a “socially disruptive technology.”
Citing some preliminary survey results of her own, she said “none of the people we talked to were aware the cards they received contained a contactless chip.”
Consumer education and consumer choice
That seemed to be a recurring theme, particularly among those pushing for greater oversight from the FTC.
Jean Ann Fox, Consumer Federation of America, said consumers need a choice and the ability to opt out rather than allow banks to automatically send them a contactless card.
She pointed out that card companies are “happy to advertise zero liabilities, but if you look at the footnotes, they’re much more limited than you believe.” For example, she said that cardholders are limited to reporting just two instances,” although another credit card representative later said that no one has ever been forced to pay for something they didn’t buy, regardless of how many times they’ve reported such abuses.
Visa’s Mark MacCarthy agreed that more education was needed. “The key thing consumers have to know is how to hold the card.” He went on to offer assurances that security on contactless cards was improving.
Dan Johnson, Tulley’s Coffee, Seattle, which installed contactless point of sale several years ago, added another: “We have to remind people to tap or wave, not hit the reader. We’ve had to replace several readers,” he said.
Dr. Kevin Fu, University of Massachusetts, Amherst, who found leaks in cards he tested, called for “informed consent. I’m a strong believer that consumers need to have this capability. They need to be aware of not just the benefits, but the risks too…Consumers should not have to remain as unwilling beta testers of new technology.”
However, as Wells Fargo’s Peter Ho, pointed out, “We still have to depend on consumers to read what we give them.”
Employee education is also important. Tulley’s Johnson says employee education is “definitely” part of the merchant’s role. “We do have a high turnover and education can take a little time. And the first time a customer uses (the contactless card), it could take eight times longer” because the customer isn’t familiar with the card. But, he added, “people who have the contactless cards always use them.” Still, that number is small compared to other credit card transactions.
Andras Vilmas, project manager for the pan-European consortium StoLPaN, which stands for Store Logistics and Payment with NFC, spoke of a “frightening scenario” involving mobile viruses. “They’re out there now, but there’s no advantage to them. But once you start putting payment information on phones, this virus market will explode.”
He also suggested, “one credit card inside a mobile phone doesn’t make sense, so let’s talk multiple cards inside one phone.”
But this won’t happen until contactless is the prevailing technology. Calling the NFC trials currently underway “islands,” he noted, “there is currently no way you can get a homogenous solution right now. And the general population still doesn’t even know what you’re talking about. People who have tried it love it, but those who haven’t don’t care.”
Security and standards, but with an eye toward “reasonableness”
Alissa Cooper, computer scientist for the Center for Democracy and Technology, said her “big takeaway from today is that we should be focusing on security. ” She said there should be a push for standards and greater consumer education.
“You just need to think of the ways consumers use their current payment devices and their phone. Are you going to remember to cancel your credit card if you lose your phone? Are you going to buy a mobile for your kids, not realizing they could be buying all those things you never let them buy?”
David Moorman, a director with retail POS software provider PCMS Group, agreed. “We need to help merchants get off the hook by giving them clear standards everyone will play by. I would like to see the FTC bring all the stakeholders together to create standards that have some muscle.”
FTC attorney Kathryn Ratte, said the FTC does have authority to move against companies that have suffered security breaches. “The FTC has the tools to address this type of emerging technology. Our standard in this space is reasonableness. We expect companies to have reasonable security measures in place.”
She warned that the FTC “has been monitoring RFID and won’t hesitate” to get involved.
John Carlson, BITS Financial Services Roundtable, a nonprofit financial services industry consortium, noted that the risk with today’s contactless payments “is somewhat contained, given how it’s being used, as a low value transaction to substitute for cash. There’s not much need for regulation. Where we may run into issues is if it expands beyond that. This is when the FTC needs to get involved,” suggests Carlson.
Of course, not everyone agreed. “I’m not reassured by what I’ve heard this morning,” said Susan Grant, Consumer Federation of America. “I’m more confused than ever and I’m not assuaged by the fact that businesses will secure consumer information when we see data breach after data breach.”
But, BITS’ Carlson wisely reminded the group “we can’t be so fearful about how technology can be used in nefarious ways as to prevent it from moving forward.”
Additional resources:
To learn more about the meeting, to access transcripts, or the webcast of the event, click here.