WASHINGTON — Congress took its first cautious steps into mobile payments on Thursday with a House hearing focused on security issues and prudent regulation for the rapidly-changing sphere.
In many ways, the hearing before the House Financial Services subcommittee on financial institutions and consumer credit, revealed the wide gap between the industry's focus on mobile payments and Washington's relative lack of focus on the issue.
Members of the panel alternated between marveling at the sector's pace of technological progress and concern about regulatory gaps and the security of payments.
"Most importantly, we must make sure these payments are safe and secure, at least as safe as using cash, checks or credit cards, and hopefully even more so." said Rep. Shelley Moore Capito, R-W.Va., who chairs the subcommittee.
Industry experts who testified acknowledged a real risk to sensitive customer data without a serious effort to ensure the security of mobile payments.
Troy Leach, chief technology officer of the Payment Card Industry Security Standards Council, an international standard-setting body, said while technology to improve security is quickly progressing there are still risks from the rapid development of mobile applications. The lack of traditional security controls for mobile payments, potential unauthorized access to payment applications and the potential for abuse of protective tools such as data encryption also pose risks, he said.
"A failure to adequately address any of these valid concerns can put payment card data at risk," Leach said in written testimony.
But Ed McLaughlin, the chief emerging payments officer for Mastercard, assured lawmakers that when customers swipe their cell phones at a gas station or grocery store, they have better protections than they do with credit and debit cards.
"We would not move toward this payment environment unless we could enhance the security of what we're doing," he said.
The hearing also raised questions about the state of regulation for mobile payments.
One challenge facing the federal government is the lack of clarity over what agency is responsible for regulating the sphere. For example, the Federal Communications Commission, which oversees wireless carriers, has not traditionally played a role in regulating payments.
"It seems to me the consumer can really get bamboozled here," said Rep. David Scott, a Georgia Democrat. "Who's going to regulate this? Who's going to be the oversight for this?"
Some of those concerns were echoed by Suzanne Martindale, an attorney with Consumers Union.
Martindale testified that U.S. payments law is fragmented, and the degree of protection that consumers have depends on whether their mobile payment accounts are linked to a debit card, a credit card, a prepaid card or some other form of payment.
She expressed particular concern about the lack of anti-fraud protections for consumers who link a mobile payment account to a prepaid card. Such payments are expected to grow quickly, as more people who do not have bank accounts seek to use their mobile phones in the same way that bank customers use checking accounts.
"Until U.S. payments law is updated to provide clear, guaranteed protections for all payment methods, consumers may be at risk when using mobile payments technology," Martindale said in written testimony.
Still, the overall tone of the hearing was positive, with lawmakers of both parties expressing excitement about the potential of mobile payments to make transactions safer and more convenient for both consumers and retailers.
The subcommittee plans to hold two more hearings this spring on mobile payments.
Disclosure: I co-founded Plastyc, Inc.a company delivering online payment services with a strong focus on the under-banked, which has recently introduced mobile applications for Android phones and iPhones.
It seems that the representative from MasterCard made an important point during the hearing about mobile devices being able to provide more security, not less, than traditional payment cards.
For example, a mobile phone can:
- be included in a two-factor authentication of the user (asking the user to respond to a text message during or before a transaction)
- be geo-located to ensure the user is where he/she is supposed to be during a transaction
- be remotely wiped out if gone missing
Try to do this with a regular plastic card or with a paper checkbook!
Mobile phones do create new security and privacy challenges. For example, an unscrupulous mobile payment application may be tempted to poach the address book in the phones or willing users in an attempt to capture the names of new potential (and un-willing) users.
So, it is important that providers of mobile payment and mobile banking applications clear a high bar of principles with respect to both the security and the privacy of their customers.