Export Compliance Daily is a Warren News publication.
'Considerable Innovation' in U.K.

Privacy, Security of Emerging Payment Methods Becomes Focus for Regulators, Standards Bodies

Growing innovation in payment mechanisms is raising privacy and security issues that must be addressed, said the World Wide Web Consortium (W3C) and the U.K. Office of Communications (Ofcom). In response to the innovation, W3C launched a Web payment interest group that seeks to identify the conditions needed for more uptake and wider use of online payments via standards that will make systems more interoperable among different stakeholders and payment methods, its charter said. Ofcom said it's working with other relevant regulators to ensure that new payment systems respect privacy and are secure.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

The W3C group launched Oct. 15 after a March workshop showed agreement among all players in the payment value chain on the key issues, including privacy and security, said Stéphane Boyera, CEO of French consultancy SBC4D and spokesman for the group. Regarding privacy, there's "tension" between users who want to safeguard their personal information; businesses providing the payment instruments that need data such as geolocation in order to use their anti-fraud mechanisms; and regulations such as age-restrictions on alcohol purchases or anti-money laundering rules that require the provision of certain data, he said. Privacy has long been overlooked by many in the payment value chain but Apple recently said it has no access to details of what users buy. Using privacy as a marketing element in this way is important because it shows a mindset shift, Boyera said in an interview Friday.

The question is how technology and policy can ensure that people do the right thing with the appropriate information, Boyera said. There are many standards organizations, and W3C wants to complement what they've done, not compete with them, he said. The Web payments interest group hopes to enable technology to be used to support all the different regulations around the world by filling in the gaps, he said.

Web payment security is also a huge issue, said Boyera. Incidence of online fraud is 10 times higher than in-shop fraud, he said. Fraudulent activities take place at several levels, including consumers using fake credit cards, merchants charging customers for bogus promotions and hackers targeting large companies. There's "general agreement" that the payment sector must move away from payments on the Web involving the exchange of credit card information, said Boyera.

There are several options for ensuring that online payments are secure, said Boyera. One is cryptocurrency such as bitcoin, but it's still in its infancy, he said. All stakeholders agree that credit cards will remain the chief payment mechanism for at least another decade, he said. Token-based payment -- in which a credit card with a microchip is placed in a terminal that sends one-time information to a merchant who then sends the token to the consumer's bank for payment -- is now used off-line for credit cards with microchips, and could be used on the Internet as well, said Boyera. One option is to reproduce with the Web and mobile devices what's already being done with credit cards, he said.

Today's credit card payments are pull-based, meaning a merchant must request payment from a customer's bank, Boyera said. But push-based payment such as wire transfers and PayPal, where a retailer gives a bill to the customer, who then directs his bank to pay, is another way to keep businesses from manipulating sensitive information, he said. There's general agreement on the need to move away from usernames and passwords to biometrics or other methods, he said. The question is how to standardize the many authentication tools and make the method available from Web browsers, to adopt current technologies to the online world, he added.

The W3C group wants to publish a road map for its work in Q1 that will identify the various issues in the payment chain such as privacy, security and authentication, said Boyera. At that point, it will have a clear view of what the technology gaps are and what needs to be done about standardization, he said. Standards-development could begin in late Q1 or early Q2, but that depends on how many of the key stakeholders are involved and what resources they contribute, he said. The group's charter ends Sept. 30, 2017.

"Considerable innovation in payments is taking place in the U.K.," said Ofcom and the Financial Conduct Authority, which regulates payment systems, in a Nov. 13 paper. But there are major barriers to that innovation, including "very high security and resilience requirements associated with providing payments services," they said. Consumers see security "as a priority issue," while developers say tough requirements for security are too costly and burdensome, and could affect their decision whether to invest in new payment plans, the regulators said. Consumers may feel privacy is being invaded by new payment systems that use personal data or location-targeted advertising, the paper said.

Ofcom said it will continue to engage with the payment industry "if appropriate" on issues related to the security and availability of communications networks for payment services; consumer protection; and competition. "It will be important that privacy laws are fully respected," and that new technologies and services are properly tested before being released to consumers, to boost consumer trust in Internet payments and reduce fraud, it said.