---

Published: June 2008

FTC should consider protections for contactless payment systems

Consumer Action joined in comments to the Federal Trade Commission regarding contactless payment systems, urging the consideration of broad consumer protections on issues such as privacy, security, and dispute rights.

Dear Mr. Clark:

The Consumer Federation of America (CFA), an association of more than 300 nonprofit consumer organizations, has since 1968 sought to advance the consumer interest through research, education, and advocacy. Consumer Action (CA), founded in 1971, is a nonprofit organization that advocates for consumers and provides consumer education through its extensive network of community organizations. Consumers Union (CU) is a nonprofit membership organization chartered in 1936 under the laws of the State of New York to provide consumers with information, education and counsel about goods, services, health, and personal finance. CU's income is solely derived from the sale of Consumer Reports, its other publications and from noncommercial contributions, grants and fees. In addition to reports on CU’s own product testing, Consumer Reports, with approximately 5.8 million paid circulation, regularly carries articles on health, product safety, marketplace economics and legislative, judicial and regulatory actions that affect consumer welfare. CU's publications carry no advertising and receive no commercial support.

We are pleased that the Federal Trade Commission (FTC) is exploring the consumer protection policy issues related to contactless payment systems. This is an area of growing concern, especially as payments and mobile communications are poised to converge. As is often the case, law and public policy have not kept up with innovations in technology and business to ensure that consumers can enjoy the benefits of contactless payment with the confidence that they have strong legal protections should problems arise.       

We believe that contactless payments can potentially provide many benefits to consumers, including:

• making some transactions quicker;
• obviating the need to carry cash or have the correct change for a transaction;
• storing coupons and gift certificates in electronic form for use at the point of sale, in place of paper versions that are easily lost or forgotten;
• helping consumers keep track of expenditures and receipts.

But there are also privacy, security, and other consumer protection issues. The FTC’s request for comments and the “Town Hall” that the agency will hold on July 24, 2008 on contactless payments provide good opportunities to highlight these issues and discuss how to address them. In these comments, we will briefly describe some of the main issues from the consumer perspective.   

Privacy

Contactless payments can speed small transactions, such as buying transit tickets, by eliminating the need to count out cash or have the correct change. People with sight impairment may find contactless payments easier because there is no need to identify the denominations of bills or coins. In addition, contactless payment can provide a record of transactions, helping consumers keep track of expenditures and receipts. However, cash payments are anonymous and therefore “trackless,” unless consumers are asked for and supply personal information at the time of sale. To the extent that contactless payments replace the use of cash, they will be able to provide much richer information about consumers’ activities than is currently available for marketing and other purposes.

When contactless payment systems are integrated in mobile phones, this privacy concern becomes even greater, since location information can be captured and used in proximity marketing and profiling consumers for other purposes.  

Consumers may receive contactless payment cards or mobile devices equipped with contactless payment capability without specifically requesting them. While they may have the ability to ask for a non-contactless payment replacement, that fact may not be clearly disclosed, if at all. Clear, robust notice is obviously desirable to ensure that the consumer fully understands how the service works and the privacy implications. We believe that the choice between “track me” or “don’t use the service” is not a fair choice; consumers should be able to make contactless payments without having their activities tracked except for payment processing and record keeping if that is their desire.    

Security

The convenience of having account information stored on a card or other device to make contactless payments has a significant potential downside – if it is lost or stolen or borrowed, someone else may be able to use it to make purchases without the account holder’s consent. Authentication such as passwords or PIN numbers should be required in order to make payments. Furthermore, if prepaid funds, gift certificates, or other forms of monetary value are stored in the device and it is lost, consumers should be able to have a “lock” put on the device at no charge and recover the unused funds. Dispute rights are discussed further in the next section of these comments.        

Another security concern is that a thief could surreptitiously obtain the account information on a payment card or other contactless payment device by standing in close proximity to the consumer and using a reader to interact with the radio frequency emitted by the chip in the payment device. The account information could then be used to fabricate a counterfeit payment device or to make purchases online or by telephone. Experiments have demonstrated this vulnerability.  Unlike with a lost or stolen device, the consumer may be unaware that the account information has been stolen for some time. Payment system operators should be responsible for safeguarding their systems and thwarting the use of stolen account information.

Dispute rights

Contactless payment can be made through many channels, including: billed to a credit card, debited from a bank account, deducted from a prepaid amount loaded onto the payment device, and billed to a mobile service account. Third-party systems such as PayPal could also be a payment channel. While payment flexibility is generally a good thing for consumers, the fact that their dispute rights vary significantly depending on the payment channel is not.

For instance, if the payment is made by credit card, the consumer has strong dispute rights for non-delivery, misrepresentation, mistakes in the billing amount, and unauthorized transactions. The maximum liability for unauthorized transactions is $50.  And the consumer is in a good position to dispute the charges because payment is not due until after receiving the bill. In contrast, legal dispute rights for bank debits are much narrower, covering only mistakes and unauthorized transactions, and the consumer’s potential liability is much greater – up to the amount in the person’s bank account.  Furthermore, payment comes out of the bank account immediately, leaving the consumer to dispute it after the fact. There are no legal dispute rights in regard to prepaid funds, except for employer-arranged payment cards onto which wages are deposited.  And there are no legal dispute rights, at least at the federal level, when payments are billed to consumers’ mobile service accounts.

Contactless payment systems are focused on relatively small transactions, at least at this point. But that may change over time, and as any parent of a text-messaging youngster can attest, even small charges can add up to significant amounts if they are made repeatedly.

Payment systems operators may have their own policies, such as the “zero liability” policies of the major credit card issuers, but these are voluntary, have significant loopholes, and can change. Furthermore, it can be confusing for consumers to know whom to contact. In the contactless payment ecosystem, there may be myriad parties. For example, if there is a dispute about a purchase billed to one’s mobile service carrier, who is responsible for dealing with the consumer – the vendor, the carrier, or the third-party billing aggregator?

The advent of contactless payment makes the need to harmonize consumers’ payment dispute rights to a uniformly high level of protection more urgent than ever before. A valuable additional protection would be the ability to set a dollar cap on the transaction size, per transaction and per day, that can be authorized for contactless payments. Express affirmative consent should also be required for consumers to accept contact payment features on their cards, mobile phones or other devices. The FTC should work in conjunction with other regulatory agencies and with Congress to address these issues.

Other consumer concerns

Contactless payment systems can help consumers keep track of their transactions and reduce the need for paper records. However, systems are not perfect; they sometimes malfunction, and errors can be introduced into them. Devices themselves can fail. As a result, consumers could be left without any proof of purchase. If a consumer buys a transit ticket using the contactless payment feature of a mobile device and for some reason the transaction does not appear on the device, who is responsible for the fine if the consumer is accused of turnstile-jumping? There should be clear liability for mistakes or failures that are not the consumer’s fault.

Another concern is whether consumers will be able to use the payment providers of their choice on third-party devices such as mobile phones. Optimally, consumers should be able to use multiple payment providers if they wish. Just as in the “contact payment” world, they might choose to use a mileage credit card for some purchases, another credit card for others, a debit card for certain situations, etc. While there may be physical limits that would prevent a given payment system from functioning on a particular handset, could mobile service providers use other justifications, such as exclusive contracts, to limit the payment systems that consumers can use on their phones? The contactless payment environment must be open to accommodate consumer choice.

Finally, contactless payment operators should be responsible to ensure that their systems are not used for purposes that are clearly illegal, such as gambling in jurisdictions where it is prohibited or extensions of credit that do not comply with state and federal requirements.

Conclusion

We urge the FTC to use the information that it gathers from comments and the “Town Hall” meeting to identify needed consumer protections and coordinate a plan of action with other relevant agencies to implement them.

Lead Organization

Consumer Federation of America

Other Organizations

Consumer Federation of America | Consumers Union

Download PDF

No Download Available