Released: October 26, 2015
Mobile Payments Guide - Fall 2015
Download: Mobile Payments Guide - Fall 2015 (fall_2015_mobile_payments.pdf)
Table of Contents
- Electronic payments using your smartphone
- Mobile Payment Guide: At a glance
- What to know before you pay on the go
- Emerging tap-and-pay consumer protections
- How to get the most out of mobile payments
- About Consumer Action
Web Bonus
- Mobile Payments Guide (PDF)
- Mobile payments: What happens to all that data?
- Beyond the popular payment systems
- Wearable devices allow payments on the go
- An intern's insights
Electronic payments using your smartphone
By Alegra Howard
The idea behind mobile payments is simple: Instead of paying with cash, check, credit or debit card, consumers can use their smartphone to pay for purchases via a mobile app. (Apps are software applications specifically designed to run on smartphones and other mobile devices.)
To help consumers understand their mobile payment choices, Consumer Action looked into how four of these payment systems work. Popular mobile payment systems Apple Pay and PayPal Mobile recently gained two new competitors: Android Pay and Samsung Pay.
Find complete details in our online Mobile Payments Guide. Our at-a-glance chart appears below.
The technology basics
Mobile payments made using a smartphone typically employ a short-range wireless communication process called near field communication (NFC). In the store, payment information is transferred wirelessly from a smartphone equipped with an NFC chip to an NFC “reader” at checkout. This is the same wireless technology used by Bluetooth devices, retail inventory control tags and keyless door entry apps. In order for the transaction to work, the two devices must be close to each other. Typically, customers tap their phones on the reader to pay (“tap-and-pay”). Apple Pay, Android Pay and Samsung Pay use NFC technology.
In addition to enabling NFC tap-and-pay purchases, Samsung Pay also can be used at terminals that read the magnetic stripe on the back of payment cards. When a credit, debit or gift card with a magnetic stripe is swiped through a card reader at a store, financial details are exchanged and the purchase is completed. For many years, consumers have relied on magnetic stripe technology to pay, and the terminals are far more widely available than tap-and-pay terminals. Unlike other mobile payment platforms, Samsung Pay can store and convey the information traditionally contained on a card’s magnetic stripe to most point-of-sale terminals using a technology called magnetic secure transmission (MST).
Acceptance
If you are confused about which retailers accept mobile payments, you’re not alone. According to a mobile payments survey by risk management firm Kount Inc., nearly 24 percent of merchants accept payments from mobile wallets either online or in stores. Most retailers have not converted their payment terminals. The biggest hurdles to wider adoption cited by retailers are cost (NFC terminals can cost $500 to install) and fear of security breaches.
Even so, the number of merchants accepting Apple Pay has more than tripled in the last year to more than 700,000 stores. Android Pay is accepted at over a million retailers, including Duane Reade and Walgreens, Chevron, American Eagle, McDonalds, Jamba Juice and Foot Locker. More than 18,000 stores accept PayPal Mobile, including Famous Footwear, Dollar General, Home Depot, Babies“R”Us and Toys“R”Us. PayPal’s app features a map of nearby businesses that accept PayPal Mobile payments.
Consumers have been slow to adopt mobile payments. Nine out of 10 consumers who don’t have a mobile wallet said they were unlikely to start using one, according to a July Gallup poll. Just 13 percent of U.S. adults have a digital wallet on their smartphone, and of those, most hadn’t used it in the last month. While men and Millennials (now 14-34 years old) were more likely to use a mobile wallet, security was the biggest concern. More than half cited fear of a lost phone or a data breach as reasons they had not adopted the technology.
Apple Pay
Apple Pay is a mobile payment system that can be used to make purchases in stores, at NFC-enabled terminals, and in certain apps. Its built-in digital wallet app (formerly called Passbook, now Apple Wallet) holds the user’s debit and credit card information as well as loyalty card information, digital coupons, e-tickets and boarding passes.
Apple Pay is compatible only with newer iPhones (6, 6S and 6 Plus); the app comes pre-installed on these models. However, iPhone 5 users can use Apple Pay if they have an Apple Watch, a small, wireless device worn on the wrist that is compatible with an iPhone 5 or later.
Every transaction on your iPhone requires authentication with Touch ID (an Apple fingerprint recognition feature) or passcode. To make a purchase, raise your iPhone to an NFC sales terminal with your thumb placed on its Touch ID (home) button. You’ll feel a slight vibration and hear a beep, which tells you the transaction is complete.
You’ll receive a physical receipt from the merchant that includes dollar amount, date, time, your name, the last four digits of your Apple account number and the bankcard you used.
When the notification feature is enabled, Apple Wallet also will send you copies of transactions made with Apple Pay. Date and location of past transactions will be saved in your Apple Wallet but you’ll need to review your credit card or bank statement to see the purchase amounts.
Making purchases with Apple Pay is free, and iPhone owners can link to more than 2,500 banks and credit card issuers. (Apple Pay is accepted at many major retailers, including Bloomingdale’s, Duane Reade, Walgreens, Macy’s, McDonald’s, Nike, Office Depot, Panera Bread, Sephora and Staples.)
Apple Pay’s transactions are tokenized, meaning that every time Apple Pay is used, it generates a one-time payment number and security code. Your payment card is assigned a virtual number (token) and saved in an encrypted chip on your phone. Your credit or debt card details are not stored on Apple’s servers and are never shared during the transaction.
The merchant doesn’t see your payment account number or your name and Apple doesn’t collect any transaction data. If your transactions were hacked, the stolen data would be useless to thieves. This means you wouldn’t need to cancel your cards due to a breach or if you lost your phone. Apple’s Find My iPhone feature also allows users to remotely shut down Apple Pay (and other apps) in case the phone is lost or stolen.
Android Pay/Google Wallet
Google Wallet was recently re-launched as a peer-to-peer payment system allowing anyone with a U.S. debit card to send and receive money for free using email addresses, even if the recipient doesn’t have the Google app. Now Android Pay has replaced Google Wallet as Google’s mobile payment system. Since the system is so new, we found that we couldn’t get many of our questions answered through Google customer service but were able to learn more from Google executives.
Android Pay is a free mobile payment app that comes pre-installed on new Android phones and is compatible with Android 4.4 KitKat (released September 2013) and later versions. You can store an unlimited number of credit, debit, gift card and loyalty card numbers in the app, and shop at over one million stores using its tap-and-pay NFC technology. Eventually you will be able to use Android Pay to make purchases online and in retailers’ apps.
There is no fee to make a purchase with Android Pay. While you may be able to make a few purchases offline using the device’s memory, typically you will need a mobile Internet connection to use tap-and-pay in stores with an NFC terminal. To pay, tap your phone at the payment terminal and enter a four-digit Android Pay PIN to authorize payment. The terminal will flash or beep to show your payment is complete. The four-digit PIN provides an extra layer of security since Android phones don’t yet feature fingerprint ID capability.
Your receipt includes the merchant’s location, dollar amount, transaction ID, date, type of payment card used and its last four digits. You can review past transactions in the app by selecting the card you used, but you will still need the merchant’s paper receipt to return merchandise.
Like Apple Pay, Android Pay uses tokenization technology, generating a one-time virtual number for the transaction. In the case of a data breach, thieves would gain access only to a token number, not your actual payment account details. Card information is stored in Google’s remote Internet datacenters (“cloud” storage). To allow for returns, the token remains active for 120 days following the end of the month in which the purchase was made.
PayPal Mobile
PayPal is a digital payments pioneer; many consumers use it as an intermediary to eliminate the need to reveal bank account or credit card numbers to online merchants. The PayPal Mobile payment app lets you manage your account, send money, request funds and pay at some brick-and-mortar stores, online and via certain retailer apps.
Before you can use PayPal, you need to sign up for an account either online or by downloading the PayPal Mobile app to your mobile phone. Mobile users are asked to register their cell phone number and set up a permanent mobile PIN. PayPal will send you a text message to confirm that your mobile number has been registered successfully.
PayPal Mobile users have two options for using their digital wallet to make purchases:
- Choose PayPal at a store’s payment terminal and enter your mobile phone number and PIN. Following a successful transaction, you’ll get a receipt from the merchant and an email notification from PayPal. Technically, this option doesn’t require your cell phone to make purchases, just your phone number and mobile PIN.
- Download the PayPal app, which is free and compatible with all smartphones. (The app displays nearby merchants that accept PayPal as payment.) The app will generate a four-digit code good for only two hours at a specific merchant location. At checkout, choose PayPal and enter the code. An electronic receipt will be sent to you by email immediately after your purchase. Recent transaction activity is stored in the PayPal app.
PayPal doesn’t share your financial information with merchants. According to PayPal, as long as you don’t share your mobile PIN with anyone but the merchant, your information should remain secure.
PayPal says that most of the 18,000 stores that accept PayPal use its mobile number and PIN system at checkout (option #1 above). Retailers that accept the mobile number and PIN do not accept a PayPal four-digit code (option #2 above). The two major chains that accept option #2 are Dollar General and AutoZone.
Samsung Pay
Electronics manufacturer Samsung launched its mobile payment system, Samsung Pay, in September. The fact that it can use both NFC and MST technology might give Samsung a leg up on the competition, since 80 percent of merchants worldwide are able to accept one or the other.
Samsung Pay is only available on the Galaxy S6, S6 edge, S6 edge+ and Note5 smartphones. Users also must provide a supported payment card from a participating bank and establish a separate Samsung account. Samsung Pay’s NFC tap-and-pay technology uses fingerprint ID verification to authorize transactions via the phone’s Internet connection. If the phone can’t connect to mobile broadband, you can still make purchases “off-line” because the Samsung Pay app can securely send card details for a limited number of transactions to merchants’ magnetic stripe or NFC readers. You must authorize these purchases at the point of sale with your Samsung Pay PIN.
Samsung Pay uses tokenization to encrypt your financial details and does not share actual card information with merchants. A data connection is needed to generate tokens. However, as noted previously, a limited number of purchases can be made without reconnecting to the Internet. If your phone is lost or stolen, Samsung’s Find My Mobile feature can be used to locate, lock or clear the phone.
The emerging landscape
PayPal and Android Pay will appeal to some consumers because both systems are compatible with older phones and operating systems. Apple Pay and PayPal’s phone and PIN option do not require a data connection or Wi-Fi signal to make purchases. (We strongly advise against using unfamiliar or public Wi-Fi to conduct financial transactions.) Samsung Pay is flexible about which terminals it can use.
But if you’re still not sure which mobile payment system to use, hold on to your real wallet for the time being. The mobile payment industry is rapidly evolving—it was changing even while we were double-checking the results of our initial research.
With Google still rolling out Android Pay features, Samsung Pay’s recent launch and PayPal’s acquisition of a mobile payment service provider, Paydiant, consumers are likely to have new mobile payment options in the near future.
Mobile Payment Guide: At a glance
All mobile payment systems listed are free to use for making purchases. Some of the newer phones will have the mobile payment apps pre-installed. If the app you’d like to use is compatible with your phone, you can download it from the Apple App Store or Google Play Store. Find complete details on these payment systems in our Mobile Payments Guide. Please note that you are prohibited from using Consumer Action’s name or any reference to its surveys in advertising or for any other commercial purpose.
| Payment System | Device Needed | Funding Sources | Technology | Data/ID Protection | Disputes | Find Accepted Locations |
|---|---|---|---|---|---|---|
| Android Pay (Google) | Android Pay comes pre-installed on new Android phones and is compatible with Android 4.4 KitKat and later versions | Google Wallet Card and/or an unlimited number of credit, debit and prepaid cards | Near field communication (NFC) | Tokenization hides user’s account information; four-digit PIN | Bank/card issuer | Look for NFC symbol or MasterCard contactless payments at retailers. Online: www.android.com/pay/#merchants |
| Apple Pay | iPhone 6 or higher runnng iOS 8.1 or higher; Apple Watch and the latest iPads also are compatible (iPhone 5 is compatible only when paired with an Apple Watch) | An unlimited number of credit and debit cards | Near field communication (NFC) | Device account number; tokenized transactions; fingerprint ID; financial information not saved by Apple | Bank/card issuer | Look for NFC symbol or Apple Pay symbol at checkout. Online: www.apple.com/apple-pay/where-to-use-apple-pay/ |
| PayPal Mobile | A mobile phone that can send and receive text messages and/or an Internet-enabled mobile device | Up to eight credit/debit/bank accounts | Mobile phone | Login for app; mobile PIN; app-generated transaction codes | PayPal | Listed in the app. Online: www.paypal.com/webapps/mpp/store-locator |
| Samsung Pay | Samsung Galaxy S6 and Note5 models and higher; Samsung Pay comes pre-installed on compatible devices and can’t be added to other devices | Up to 10 cards (credit, debit and private label retail cards) | Near field communication (NFC) and magnetic secure transmission (MST) | Samsung’s Knox security software; PIN authentication; tokenized transactions; fingerprint ID | Bank/card issuer | Because of its dual technology, it can be used anywhere credit and debit cards are accepted |
What to know before you pay on the go
By Monica Steinisch
Who needs a wallet when you’ve got a smartphone in your pocket? The ability to pay for purchases—from your morning coffee and weekly groceries to household items and electronics—with a tap of your phone is becoming more available.
Consumer Action researched your mobile payment options in this ever-evolving market. Whether you’ve already embraced mobile payments or plan to get on board soon, this introduction to the systems, processes and protections will help you make informed decisions about paying by smartphone.
Small provider pool
Consumer Action’s survey features the major mobile payment systems: Apple Pay, Android Pay, PayPal Mobile and the newest entrant, Samsung Pay. These mobile wallets or tap-and-pay systems are the only ones that are accepted in stores, online and in app by unaffiliated merchants. (See Mobile Payment Guide: At a glance for a quick overview of the mobile payment platforms we reviewed.)
We also reviewed retail mobile payment systems implemented by individual companies such as Starbucks, and CurrentC, a branded payment app developed by a group of retailers for use only in their stores. (See Beyond the popular payment systems.)
All but one of these payment systems require a particular device. Apple Pay requires use of an iPhone 6, or an Apple Watch paired with an iPhone 5 or later; Samsung Pay is designed for Samsung Galaxy S6 and Galaxy Note 5 devices; and Android Pay is compatible only with chip-enabled Android phones. (Click here for list of compatible Android phones.) PayPal Mobile is in a class of its own. It’s available to anyone with a mobile phone, regardless of make or model, but does not (yet) enable tap-and-pay purchases.
Payment technology
Pay-by-phone options fall into two categories: digital wallets and mobile payment systems.
PayPal Mobile, a wallet, enables you to store account information for credit cards, debit cards and bank accounts to make payments in stores (at participating retailers), online and, in some cases, to individuals. PayPal also allows you to maintain a “wallet balance”—cash stored in your mobile account—and even receive money.
Apple Pay, Android Pay and Samsung Pay do not store funds. They are mobile payment systems that use near field communication (NFC) technology to facilitate payment. NFC allows devices to talk to each other, so a consumer who has a device with an NFC chip can pay by phone if a merchant has an NFC-enabled terminal, or reader. NFC technology is what allows Trader Joe’s customers to wave their phones at the counter to pay for groceries.
Samsung Pay was launched in the U.S. on September 28 and, uniquely, also works with traditional magnetic-stripe terminals—the kind found in virtually every store nationwide where credit/debit cards are accepted.
Android Pay launched two weeks earlier to replace Google Wallet as Google’s mobile payment system. Google Wallet hasn’t disappeared entirely, though. It is now the company’s peer-to-peer payment system, allowing individuals to make payments to each other.
PayPal Mobile account holders may have two options to pay. They will either enter a mobile phone number and PIN or use a one-time four-digit code for purchases at a particular pre-selected store. (PayPal also plans to introduce a wallet with NFC technology by year’s end.)
Use of any of these systems is dependent on merchant acceptance. Currently, only a small percentage of merchants are equipped with NFC-enabled terminals, but that number was expected to grow by October of this year, when some stores installed chip-ready terminals to fight fraud and avoid being held responsible for counterfeit credit card purchases.
The U.S. credit and debit card industry is in the midst of a transition to chip cards using EMV (Europay, MasterCard, and Visa) technology, which requires special terminals to read the embedded chip. Learn more in Consumer Action’s A consumer’s guide to ‘chip’ cards.
Some chip card terminals are also able to “read” NFC-enabled mobile devices. Many merchants are expected to invest in the NFC function in these readers to serve shoppers who embrace mobile payments. To foster the budding tap-and-pay industry, payment processing companies like Square are giving away chip readers to many small and medium-sized merchants.
Consumer protections
In terms of safety against fraud, mobile payments that use tokenization have the edge. Tokenization substitutes a unique code (token) for your identification and payment information. Even if there were a breach, no card numbers are stored, so the one-time-use token would be worthless for additional transactions.
Apple Pay and Android Pay use tokenization. Samsung Pay uses tokenization for NFC payments, but not for MST payments (those that read the payment information in the card’s magnetic stripe). PayPal does not use tokenization.
Billing errors and fraud problems are usually handled by the underlying payment source—your credit or debit card issuer. (For more information, see Emerging tap-and-pay consumer protections.)
The best protection against unauthorized use of your mobile device—and the apps and data it contains—is setting it to lock after a brief period of inactivity, accessible only by passcode or fingerprint.
For the time being, it’s unlikely you’d be able to get by without carrying at least one payment card or some cash.
According to a CBS News story, an AP reporter tried living for one week last year in New York without carrying cash or credit cards, relying only on payments with his smartphone. While he found that many places accepted mobile payments, many did not, and the transactions were not always successful. Sometimes he ended up borrowing cash for a meal, or walking home because he couldn’t reload his MetroCard so he could ride the subway. Of course, these difficulties should diminish with time.
Weighing the options
Of all the major mobile payment systems, Samsung Pay has a considerable advantage given that its combination NFC and MST technology has the potential to be accepted at nearly any retail location.
PayPal’s system does not always require you to have a mobile phone with you at the time of payment, as long as you have the phone number and account PIN or transaction code.
Until PayPal adds NFC functionality, consumers who are drawn to the convenience of tap-and-pay technology may find PayPal more suited for its traditional uses—online purchases/sales and money transfers—rather than mobile payments. All mobile payment systems are free to make purchases. Choosing one of the payment options will likely come down to which device you have or prefer to use and which payment system is accepted at the places you like to shop.
The mobile payment environment is changing so rapidly that consumers who are on the sidelines today might be rewarded with even better options tomorrow.
Emerging tap-and-pay consumer protections
By Ruth Susswein
One of the most significant concerns for users of mobile phone payments—often called “tap-and-pay”—is how to resolve disputes about fraudulent or unauthorized charges.
Depending on the source of funds used to make a mobile payment (such as a credit, debit or prepaid card), the rules governing unauthorized charges differ. Currently, prepaid cards and mobile payments don’t have the same legal protections as credit cards and debit cards. The Consumer Financial Protection Bureau (CFPB) is aiming to correct that with its extensive proposal to regulate general purpose reloadable prepaid cards and other stored-value payment products. In some cases that will include mobile payments.
Clarity by regulators will be welcome because the current environment is confusing. Reporter Bob Sullivan recently recounted a consumer’s difficulty settling a Starbucks mobile payment dispute. Starbucks has a mobile app (and a reloadable prepaid card) that can be linked to a debit or credit card and used to make payments in its stores.
Ryan Benharris had $200 stolen from his debit card after his Starbucks account was hijacked recently, but that’s not why he was furious at the firm. He was angry about what happened next.
“I had to beg and plead to get my money back,” Benharris said. “They lied to me…I’m an attorney, and it took me four hours on the phone and six weeks to get a refund.”
His [Starbucks] account, with $14 in stored value, was hijacked and hackers sucked two $100 payments from his checking account debit card onto his Starbucks app, and then off the app to a gift card they controlled.
Ultimately, Starbucks refunded the stolen $200-plus and sent him a $100 gift card “for his trouble.” (Read the story online.)
The bank that issues your debit card usually handles disputes, but in this case a hacker accessed the debit card through a mobile payment system. In this dispute, Starbucks restored the funds—but is it the bank or the coffee company that should be resolving your problem?
Consumer protections for mobile payments are what you might call a “work in progress.” The underlying funding source is key to error resolution and fraud protection with most mobile payment services. Problems with mobile transactions paid for with a linked credit or debit card typically should be taken up with your card issuer. If you are using a credit or debit card, you have the right to dispute errors and limit liability for unauthorized (fraudulent) charges. Generally, credit cards provide the strongest level of legal protection, capping liability for unauthorized use at $50.
Debit card users’ liability for unauthorized charges is limited to $50 if reported within two business days, and up to $500 after two business days. However, if consumers do not report unauthorized debit transactions within 60 days after their statement is mailed, they could face unlimited liability even when the charges result from theft.
Mobile wallet and prepaid card users have no clear-cut dispute and error resolution rights, although most issuers voluntarily provide “zero liability” assurances for fraud on credit, debit and prepaid cards.
To help patch these holes, the CFPB has proposed new rules that would apply to prepaid cards and mobile payment systems that store funds. Here are highlights of the proposed rule:
- Access to information: Account balance, payment history and a list of possible fees must be easily available online.
- Error resolution: Financial institutions would be required to investigate account errors in a “timely manner” or credit the account for the disputed amount while continuing to investigate.
- Fraud protection: Losses would be limited on prepaid accounts and stored-value mobile payment services. As with debit cards, consumer liability would be capped at $50 if reported within two business days.
Prepaid cards and mobile payment accounts would have to be registered (with the issuer or financial institution) to be eligible for reimbursement and other protections.
Only mobile payment accounts that can store funds (mobile wallets) would be covered by CPFB rules. That means PayPal (which can store funds) and Starbucks accounts (which are prepaid) likely would fall under CFPB consumer protections, while Apple Pay, Android Pay and Samsung Pay would not. (The latter link to customer bank and credit card accounts and do not store funds.)
PayPal has asked the CFPB to exempt its accounts from any new rules if customers link at least two payment sources (credit, debit, prepaid cards) to their PayPal accounts that already provide consumer protections.
Whether funds stored in a prepaid account or mobile wallet are protected by FDIC deposit insurance will depend on where you deposit the money. PayPal no longer offers FDIC insurance, but other prepaid accounts may. The CFPB’s proposed rules would not require FDIC insurance on prepaid products or stored-value mobile payment accounts. It would, however, require customer notice about the lack of FDIC insurance.
Disputes
Google’s Android Pay, Apple Pay and Samsung Pay are pass-through mobile payment systems. This means you link a payment card (credit or debit) to make payments. If you spot a billing error, contact the issuer of the credit or debit card you linked to, as well as the merchant where the transaction occurred. In most cases, you’ll have to wait until the purchase posts to your credit or debit card account before you can dispute it. If the problem is about a charge you didn’t make, then contact the card issuer immediately to alert them that someone used your card without your permission.
Lost phone? Apple Pay, Android Pay and Samsung Pay do not store payment card details on the phone, and they require passwords or PINs to make payments, so access to your payment information will be limited even if your phone is stolen. All three services offer a way to locate and lock stolen mobile phones. Apple offers Find My iPhone Activation Lock. You can erase information on your Android phone using the Android Device Manager. And Samsung users can use the company’s Find My Mobile service.
PayPal says it investigates all reports of unauthorized account use and tries to resolve claims within 10 days. As to customer disputes, you’d better pay close attention to your transactions.
PayPal’s website states that merchants or sellers are advised to resolve disputes with buyers within 20 days. If a problem isn’t resolved before that time, customers should contact PayPal and ask to file a claim. After day 20, disputes are closed and “cannot be reopened or escalated to a claim.”
Regardless of PayPal’s policies, if a credit or debit card was used in a contested purchase or for unauthorized (fraudulent) charges, Consumer Action recommends that customers preserve their legal rights and dispute the PayPal charge with their card issuers.
How to get the most out of mobile payments
Secure it. Apart from fingerprint fortification, the best way to ensure that your mobile wallet is as safe as possible is to password-protect your phone.
Validate it. Android Pay requires you to enter a payment PIN (personal identification number) before you tap and pay. PayPal also uses a mobile PIN or four-digit code. Samsung Pay and Apple Pay use fingerprint verification or PIN.
Turn it off. When not making a payment, disabling Near Field Communication (NFC) (under your phone’s Settings) will prevent others from accessing your device.
Register it. Register your mobile payment account with the account issuer to ensure that you qualify for all available consumer protections, such as loss limits for fraud and theft and the ability to address billing errors. If you use a prepaid card as an underlying payment source, this is especially important.
Know before you go. Check online before you shop to see if your mobile wallet is accepted where you plan to shop.
Reap rewards. Register your loyalty cards or coupon programs in your mobile payment account, or app, to receive discounts at retailers you frequent.
Check coverage. If you store funds in a mobile wallet, ask if that money is FDIC-insured. If it’s not FDIC-insured or otherwise protected from loss, consider other payment options. — R.S.
About Consumer Action
Consumer Action is a non-profit 501(c)(3) organization that has championed the rights of underrepresented consumers nationwide since 1971. Throughout its history, the organization has dedicated its resources to promoting financial and consumer literacy and advocating for consumer rights in both the media and before lawmakers to promote economic justice for all. With the resources and infrastructure to reach millions of consumers, Consumer Action is one of the most recognized, effective and trusted consumer organizations in the nation.
Consumer education. To empower consumers to assert their rights in the marketplace, Consumer Action provides a range of educational resources. The organization’s extensive library of free publications offers in-depth information on many topics related to personal money management, housing, insurance and privacy, while its hotline provides non-legal advice and referrals. At Consumer-Action.org, visitors have instant access to important consumer news, downloadable materials, an online “help desk,” the Take Action advocacy database and nine topic-specific subsites. Consumer Action also publishes unbiased surveys of financial and consumer services that expose excessive prices and anti-consumer practices to help consumers make informed buying choices and elicit change from big business.
Community outreach. With a special focus on serving low- and moderate-income and limited-English-speaking consumers, Consumer Action maintains strong ties to a national network of nearly 7,000 community-based organizations. Outreach services include training and free mailings of financial and consumer education materials in many languages, including English, Spanish, Chinese, Korean and Vietnamese. Consumer Action’s network is the largest and most diverse of its kind.
Advocacy. Consumer Action is deeply committed to ensuring that underrepresented consumers are represented in the national media and in front of lawmakers. The organization promotes pro-consumer policy, regulation and legislation by taking positions on dozens of bills at the state and national levels and submitting comments and testimony on a host of consumer protection issues. Additionally, its diverse staff provides the media with expert commentary on key consumer issues supported by solid data and victim testimony.
Mobile payments: What happens to all that data?
By Lauren Hall
Some of us are embracing the brave new world of mobile payments with open arms. But it’s not easy to dismiss potential privacy concerns with this new technology because of the massive amount of data it has the potential to collect. When a company knows what you’re buying, and when, and where you are at the time of purchase, questions naturally arise about how secure your data is and what the company is doing with that data.
Are Android (Google), Apply Pay, Samsung Pay and PayPal tracking your purchases? Are they selling or sharing this information with others? Answers can be gleaned from each company’s privacy policy.
Consumer Action reviewed these policies and found that Apple simply states that the company “doesn’t save your transaction information, and any payment information is encrypted. With Apple Pay, your payments are private. Apple Pay doesn’t store the details of your transactions so they can’t be tied back to you. Payment transactions are between you, the merchant, and your bank.” For purchases made through apps, Apple does track purchase amounts, dates and times but does not link it to individual users. In stores, purchase location, time and date may be sent to Apple but the information remains anonymous.
But then there’s “data matching,” or as it’s sometimes called, reverse engineering. Tech blog ZDNet points out that, “The time, location, and value of your financial transactions are still known to Apple and to your card provider—and to every other business they might share that data with. The merchant knows what specific goods or services were purchased for that amount, but not who bought them. But all that is true only if no one does any data matching—either directly between the participants, or by providing the data to data brokers such as Acxiom, Equifax, Experian, or Datalogix, or by collaborating with any of the companies connected with the many, many data-logging apps already on your smartphone. Given the volume of data being collected and shared these days, supposedly anonymous transactional data can easily be re-identified.”
Google encrypts and stores your payment information on Google’s servers and certain pieces of data (they don’t say which) “may also be stored on your mobile device.”
Google’s payments policy for Android Pay says Google does not share personal information with companies, organizations and individuals outside of Google, other than to process a payment or complete your registration with a third party. However, companies affiliated with Google do have access to information you share with it.
Google says, “The information that we collect, including information obtained from third parties, is shared with our affiliates, meaning other companies owned and controlled by Google Inc. Our affiliates, which can be financial and nonfinancial entities, will use such information for their everyday business purposes.”
Google collects credit and debit card numbers, bank account and Social Security numbers, name, date of birth, address, type and amount of transaction, merchant location, description of goods and services purchased and more. (For more information see Google’s privacy policy.)
Google gives consumers the ability to opt-out of sharing information with affiliates about their account history, creditworthiness, and for marketing purposes. Google states: “If you don't want us to share personal information about your creditworthiness...or if you do not want our affiliates to use your personal information...to market to you, please indicate your preference by logging into your account, going to the Google Payments privacy settings page, and updating your preferences.”
PayPal’s policy says: “We store and process your personal information on our computers.” PayPal also makes it clear that, “When you use PayPal Services, we also collect information about your transactions and your activities…. When you download or use our mobile applications, or access one of our mobile optimized sites, we may receive information about your location and your mobile device, including a unique identifier for your device. We may use this information to provide you with location-based services, such as advertising, search results, and other personalized content. Most mobile devices allow you to control or disable location services in the device's settings menu.”
PayPal says it does not sell or rent your personal information to third parties for marketing purposes without your explicit consent, although PayPal states that it “may combine your personal information with information we collect from other companies and use it to improve and personalize PayPal services, content, and advertising.” If you don’t want to receive ads from PayPal, you can log into your account, go to the Notifications section and opt-out.
Sometimes opting out from having your information stored or shared is simple, but sometimes it’s quite complicated.
Tools do exist to help you control how much data is shared with advertisers and how many ads you’re exposed to, but Michelle De Mooy, deputy director of consumer privacy with the Center for Democracy & Technology, says, “It can be really difficult for people to be able to opt-out of all advertising, since often you are forced to block or otherwise disable tracking or ad targeting by painstakingly using settings in each mobile browser, or on your device, by emailing the company, etc.”
Rather than combing through incomprehensible corporate privacy policies, De Mooy says companies like Ghostery can help consumers understand who is collecting their data, how it might be used and how to avoid being tracked. The company offers a free browser add-on (for desktop and mobile) that gives consumers the names of all parties tracking them.
Consumers can also visit the Privacy Rights Clearinghouse (PRC) for comprehensive information on their privacy rights. PRC states: “The single most important thing you can do to protect your financial privacy is to carefully read all information that comes from a financial institution.” It recommends doing business with companies that note they do not share your customer data with corporate affiliates or third parties, or at a minimum give you the choice to remove yourself from unwanted marketing.
Since 2001, the federal Gramm-Leach-Bliley Act has required that banks and nonbanks engaged in financial activities must limit the transfer of customers’ personal financial information. The law requires that financial institutions describe how they will protect the confidentiality and security of customer information. In addition, these companies are required to provide consumers with annual privacy notices that explain how personal information is safeguarded. When companies share customers' personal information with third-party affiliates for marketing purposes, they must tell consumers and allow them to opt out.
“Bottom line, companies that build and provide mobile financial applications have a responsibility to protect consumers’ private data and honor their wishes about sharing that information,” said Linda Sherry, Consumer Action’s director of national priorities. “If they don’t, mobile payments won’t gain widespread trust and acceptance.”
Beyond the popular payment systems
By Alegra Howard
While we have highlighted some popular and versatile mobile payment systems in our survey, we can just hear people in the know asking, “What about....?” Here are a couple of programs, one still in the testing stage and one that it appears many people are using at their favorite coffee shop, that we thought you might want to know about.
CurrentC
The CurrentC mobile payment platform has garnered a lot of attention even before becoming available. Developed as major retailers’ answer to costly credit and debit card transaction fees charged by banks, the payments app has so far only made it into the test phase. Backed by the Merchant Customer Exchange (MCX), a consortium of major retailers, CurrentC is expected to use quick response (QR) code (barcode) technology to draw payments directly from shoppers’ bank accounts. This would allow retailers to avoid paying the two-to-three-percent fees to credit card companies every time you make a purchase. (Whether consumers will see a benefit from any cost savings is unknown.)
Some members of the retail group, which includes Walmart, Target, CVS, Rite Aid, Kohl’s, Dunkin' Donuts, Exxon and Best Buy, signed a contract promising exclusive use of CurrentC over other mobile payment platforms. Still being tested, beta users giving it a whirl can link gift cards, store-branded credit cards or a checking account as underlying payment methods.
Since CurrentC doesn’t use near field communication (NFC) technology, it will likely be compatible with older iPhone and Android mobile operating systems, allowing a larger group of consumers to use the system.
How to use: If you want to test CurrentC, download the app from the Google Play Store or Apple App Store and link your store cards, gift cards and/or bank account. To make a purchase, select “Pay with CurrentC” at the payment terminal, open the app on your phone, enter your four-digit passcode and press Pay. You may also be asked to scan or present a CurrentC paycode generated by the app. The system is expected to store merchants’ loyalty cards and digital coupons. Discounts will be applied to your linked payment account without sharing any financial details with the merchant. CurrentC states it will keep account data in a “secure cloud network,” not in the app on your phone.
Early users have been critical of CurrentC for requiring more steps at checkout than some other systems. Some note that QR code technology is not widely available at participating merchants (nor is it the latest technology), and there have been complaints that QR code scanners are slow to read or process codes, delaying transactions.
Security concerns also plague CurrentC: Last year a hacker was able to steal the email addresses of beta testers.
Starbucks
Starbucks offers its own mobile payment system. More than 15 percent of Starbucks in-store sales were made via its mobile app last year. Compatible with iPhone and Android phones, it allows users to find nearby Starbucks stores and pay for food and merchandise, earning Starbucks rewards. The underlying payment source is a Starbucks-branded reloadable prepaid card or mobile app. Starbucks has said it might broaden use to other retailers in time.
Note: Starbucks accounts were hacked this summer using the automatic reload feature in the app, stealing money from linked payment cards. At least for now, avoid using auto-reload to fund a Starbucks account. The company said that customers who register their Starbucks account would have their account balances protected.
How to use: Sign up for a Starbucks prepaid account and download the app before making mobile in-store purchases. Your Starbucks account can be funded with a debit card, credit card, PayPal or Apple Pay account to maintain a cash balance. Users also can view past purchases in the app’s account history. To pay using your mobile phone, open the app and waive your device in front of the scanner at the register—it reads the on-screen QR code. There are no fees associated with Starbucks mobile payments, and you can add a tip for the barista if you like.
Users in select cities are now able to use the app to order and prepay for menu items, and then pick up their order in the store without waiting in line. Click here to see if the service is available in your area.
Wearable devices allow payments on the go
By Alegra Howard
Not one to wear your heart on your sleeve? Well, what about your wallet? These wearable payment options aim to help you make purchases on the go.
Apple Watch (Payment system: Apple Pay)
Apple Pay uses (near field communication) NFC technology so you can tap-and-pay with your watch wherever Apple Pay is accepted.
You can use the watch to make in-store purchases and review your financial transactions, but you’ll need your iPhone to set up “pay-by-watch,” even if you already use Apple Pay on your phone. To sync a debit or credit card account, you must use the Watch app with an iPhone 5 or higher.
Jawbone UP4 (Payment system: American Express Contactless ("Tap to Pay") Payments)
Jawbone’s latest fitness tracker helps you monitor your activity, calorie intake, sleep and heart rate. Now, you can also tie the tracker to an American Express card and use it to pay wherever AmEx Tap-to-Pay is accepted.
Initially, users will need to pair the tracker with a smartphone to sync their AmEx financial account. Since Jawbone’s band device doesn’t have a display, users have to return to their phones to review mobile transactions. Only one AmEx card can be connected per Jawbone.
Samsung Gear S2 Smartwatch (Payment system: Samsung Pay)
Samsung is expected to launch its newest smartwatch in October. The device will come with an NFC chip and be compatible with the newest mobile payment system on the market, Samsung Pay. Learn more.
An intern’s insights
By Monica Steinisch
Each year, Consumer Action welcomes an intern through Columbia University’s Virtual Internship Program (VIP). The interns are “virtual” because the students, who attend school in New York City, complete their assignments without being in the same location as the sponsoring organization.
Consumer Action’s latest intern, Jingyan (Cindy) Xiao, completed her internship at the end of April, after spending three months conducting research into the world of mobile payments. Before leaving, she shared some of her thoughts on this latest way to pay.
- Expect a lot more changes in this industry: The major mobile payment systems we have now are less than five years old, and during this internship systems both entered and left the market.
- Of the main mobile payment systems, Xiao found Google Wallet offered the most “functionality” (allowing peer-to-peer payments, a wallet balance and links to credit cards and a bank account), but was also the “most convoluted system.” Google Wallet has since transformed into exclusively a peer-to-peer payment system. “Here’s hoping that Android Pay, which takes over for Google Wallet, is more streamlined,” said Xiao.
- Out of all the retail or “other” contactless payment systems, “I would be most willing to try out the Starbucks app because it makes the paying experience much faster and easier. It is also linked to the company’s rewards system, which gives consumers an added incentive to use the app.”
- “Overall, I would recommend that consumers wait for Samsung Pay to come out, and then see how the market reacts” to the introduction of a mobile payment system that allows consumers to pay in store even where only traditional credit card terminals exist.
To make your own assessment, read the results of our Mobile Payments Guide (PDF download).
Download PDF
Mobile Payments Guide - Fall 2015 (fall_2015_mobile_payments.pdf)
Quick Menu
