Gibson Dunn - The Fashion Law and Business Report


Gibson Dunn - The Fashion Law and Business Report > Posts > Retailers Should Think Through the Growing Use of Mobile Devices to Purchase Goods and Services
Retailers Should Think Through the Growing Use of Mobile Devices to Purchase Goods and Services

Recent press reports indicate that more and more companies are exploring ways to allow consumers to use mobile devices to make payments without a need to rely on conventional credit cards.  For example, PayPal and Google have already adopted near-field communication (NFC) technology, which enables devices, such as mobile phones and point-of-sale terminals, to communicate without contact, thus making the payment process quicker, simpler and—hopefully—more secure.  One recent study concluded that mobile commerce revenue in the U.S. will rise from its current 22% of digital commerce to 50% in 2017, making it all the more important to have a mobile device that facilitates credit card-type transactions. 

The basic idea behind these services is to allow consumers to link their credit or debit card numbers (or other proprietary accounts or credit services) to a unique mobile communications device,  which will encrypt and securely store the relevant account information within a chip located in the device.  Rather than using the credit or debit card number to process the payment when making a purchase, whether in store or via an app, the system instead uses the device account number and a transaction-specific dynamic security code, so that third-party credit or debit card numbers are never stored on the servers of the companies that offer this service, and are never shared with merchants or transmitted with payment.   Importantly, the companies behind these mobile payments will not be involved in transmitting the funds at all.  Rather, the transaction information is sent to a credit card issuer (or other credit service), which then separately pays the vendor.

These new mobile payment services have the potential to transform the way retailers are paid for the goods they sell.  At the same time, these services raise a host of legal issues both for the companies that plan to offer these services, and also for the retailers and brands that may be considering using these services.  A few of the issues and risks on the horizon are briefly surveyed below.

  • Data Security: As with any virtual currency or electronic payment, mobile payment services pose a security risk to their users.  This is especially true for companies that promise to keep the system and consumers’ data safe and secure.  Specifically, companies can protect against this risk by structuring the system such that transactions are facilitated through an account number that will be uniquely linked to one particular mobile device and a specific security code for each transaction, and the credit and debit card numbers are never transmitted beyond the normal transmission of information between the credit card company and the merchant.  Companies should also consider enhanced security features at the point when users enter their payment information into the device; while mobile payment may enhance security at the point of sale, it does not necessarily inoculate the user from the risk of having their information compromised at this initial stage.  In line with current FTC mobile privacy disclosure standards, though, mobile payment service providers must make timely disclosures regarding the collection of sensitive information, privacy policies and other security information such that consumers are fully educated on the cyber-security risks inherent in the service.  The retailers who accept payment via mobile devices must also take data security risks into account when determining how to protect consumer information; while the retailer will no longer have access to the credit or debit card numbers, the account number associated with the electronic payment would still be valuable and sought after by hackers.  Of course, no matter how secure the technology, should the device be lost, stolen or otherwise compromised, the user faces a risk of identity theft as credit card information is stored directly on the device.  Other market leaders have added safeguards to protect against this risk by allowing users to suspend the service by placing the device in Lost Mode rather than immediately canceling the stored credit or debit cards or even to permanently remove the ability to pay using the cards currently on the device.

  • Anti-Counterfeiting: Mobile payment services also risk liability for copyright and trademark infringement when the merchants using those services are engaged in unlawful activities, such as the sale of counterfeit goods.  Massive amounts of counterfeit goods are sold online and through mobile commerce, and some counterfeit goods may be sold through merchants that accept these mobile payment services.  Such intermediaries, though, are not necessarily insulated from potential liability stemming from their processing of sales of counterfeit products.  Essentially, third parties that either intentionally induce the infringement or knowingly provide support to counterfeiters (even through willful ignorance of the conduct) may be held accountable for the damages caused by the counterfeiters’ infringement.  Therefore, if a mobile payment service induces its merchant users to engage in copyright or trademark infringement by selling counterfeit goods or had knowledge of and ignored such infringing conduct, it could be liable for damages from counterfeit sales made over the system.  Such services must therefore be aware of their merchants business activities.  And, of course, retailers must be aware of the manufacturers from whom they buy and the goods that they are selling.

  • OFAC: Companies that offer mobile payment services also need to be aware that they open themselves up to potential OFAC sanctions if they, even unknowingly, provide a means for illegal or prohibited transactions to occur.  Difficulties arise because, unlike with traditional financial institutions, mobile payments are anonymous and there are no measures in place to review the transactions beyond the reviews conducted by the credit card companies in the first instance.  Mobile payment service providers—and the retailers who accept such mobile payments—are not insulated from OFAC liability, though, simply by relying on another entity’s due diligence, as OFAC imposes strict liability.  Recent penalties for OFAC violations have been exorbitant and both mobile payment services and merchants who accept those services then open themselves up to risk for potentially significant economic and reputational damages.  There are no clear answers for approaching how to handle such issues in the new era of mobile payment, but the industry, Department of Treasury and OFAC in particular are working together to "insure that our safeguards keep pace with payment system innovations."  The key questions are to determine the point in the technological process at which screening is required, what data is collected, who is responsible for collecting it and how that data is collected.

  • Banking Regulations: Another big question that arises from mobile payment services is whether the institutions offering such services are considered financial institutions for purposes of banking regulations under the Consumer Financial Protection Bureau (“CFPB”).  Some have argued that the Consumer Financial Protection Act covers the companies that plan to offer mobile payments as “service providers” subject to CFPB oversight.  If this view is correct, companies that offer mobile payment services could be subject to scrutiny and regulations pertaining to all aspects of their businesses, not limited solely to the service being offered.  Of course, it is not clear that mobile payment services are in fact covered by the law.  The counter argument is that the companies are simply making available technology that serves as a credit card; they are not themselves transmitting the relevant payments (as they only make the transaction information to the vendor and/or credit card company) and are not otherwise acting as a bank.

  • Money Laundering: Mobile payments limit the information provided to merchants, thus making the payment process inherently less transparent.  On one hand, this will not change the role of the issuing or acquiring financial institutions as they will still have the ability to monitor consumer transactions and conduct due diligence on cardholders, despite that the service provider acting as intermediary between the credit card companies and the merchants may not track transactions or otherwise store credit card information.  On the other hand, however, the amount of information provided to the merchants during the transactions determines whether their role in monitoring unlawful or suspicious transactions will change.  One aspect of mobile payment systems that makes them more secure is that the merchants do not see the credit or debit card numbers associated with the user’s account.  However, if the merchant is provided so little information that it does not even know the name of the consumer, the lack of transparency would make it much more difficult for merchants to identify those who purchase goods as part of a money laundering scheme.  This risk, however, is mitigated by the fact that the financial institutions issuing payment are still monitoring consumer information and transactions on the back end.

  • Patents: To the extent that retailers develop their own technological systems to process mobile payments, or even license such systems from third party providers, there is also a risk that patent trolls may claim that such processes infringe existing patents for computer-assisted systems for processing payments.  Validity of those kinds of patents, however, is very much in question, given the recent Supreme Court decision holding that “generic computer implementation” cannot “transform” an “abstract idea into a patent-eligible invention.”  Basic economic concepts are not patent-eligible, even if performed on a computer.  Retailed must nonetheless be aware of already-existing patents in this space.

  • Class Actions: If any of the aforementioned issues come to fruition, mobile payment services are also open to class actions based on data breaches, misrepresentations and the like.  Similar to recent data breaches at major retailers, if there is a security vulnerability in one of these mobile payment systems that results in a data breach, there may be a class action based on alleged negligence in safeguarding consumers’ personal information.  Similar class actions may result if one of the companies that use these services misrepresents the system or omits a material fact pertaining to the security or privacy safeguards and, therefore, such providers should be careful to accurately market their capacities and security vulnerabilities.

Despite these risks, it increasingly looks like mobile payments are going to be an increasingly important part of retail commerce.  As a result, it will be important for the brands and retailers who take advantage of these services to think through these issues—and take precautions to guard against potential liabilities.

This post was prepared by Howard Hogan and Amy Wolf of Gibson Dunn.

 ‭(Hidden)‬ Blog Tools

© Copyright 2018 Gibson, Dunn & Crutcher LLP.
Attorney Advertising. Prior results do not guarantee a similar outcome. All information provided on this site is for informational purposes only, does not constitute legal advice, is not confidential, and does not create an attorney-client relationship. Statements and content posted to this site do not represent the opinion of Gibson Dunn & Crutcher LLP ("Gibson Dunn"). Gibson Dunn makes no representations as to the accuracy, completeness, currentness, suitability, or validity of any information on this site and will not be liable for any errors or omissions therein, nor for any losses, injuries, or damages arising from its display or use.