Global money and payment services privacy and security issues

As large segments of the world’s population shift away from face-to-face payment methods to online and mobile payment services, companies must remain competitive whilst complying with their legal obligations, meeting customer expectations, maintaining trust and defending against cyber-threats.

• Anti-Money Laundering and Counter-Terrorism Financing Act review
• APRA releases paper on outsourcing of computer services
• ASIC issues cyber resilience report
• AUSTRAC consults on amendments to AML/CTF Rules
• Cyber security and payment services

Laws, industry standards, codes and regulatory guidance affecting privacy, security and data protection continue to evolve in ways that directly and indirectly impact on payment services. The array of issues includes:

Cybercrime and Data Security– The rise of e-commerce, portable and remote data storage and widespread interactive connectivity exposes companies to increasing levels of cybercrime, attacks on personal data and accidental data loss. Data storage volumes also magnify the extent of the impact when a breach occurs, whether resulting from external hacking, internal error, service provider conduct or otherwise.

Digital Identities and Privacy Substitutes – Consumers’ growing preferences for linked digital delivery of financial services (e.g. multiple payment services through one device such as a mobile phone) is increasing the demand for digital identity and authentication solutions. In addition there is an increased spectrum of technology alternatives such as centralised online identity management systems, giving consumers greater security in a way that seeks to maintain convenience. There is also potential for these types of solutions and systems to be legally endorsed and mandated, although there may be some difficulty for regulators to do this without endorsing particular technologies.

Increased use of Near Field Communication (NFC), Mobile Payment Services and Mobile Wallets – The increased use of mobile payment and NFC services allows users to pay remotely through mobile devices. These payments are increasingly becoming more common with the aim of the making the process of buying goods faster and easier, however the use of these payment technologies can entail the processing of large amounts of personal data.

Increasing regulation and enforcement powers – Relative to other areas of the law, privacy and data protection is at an early stage in its development. This combined with a close tie to technology issues means the pace of growth is rapid. Many jurisdictions are strengthening existing laws, increasing penalties and introducing entirely new laws. In addition to the global spread of general data protection and data breach notification laws, specific laws and regulatory guidance for privacy and security in relation to payment services are also being seen more frequently, for example new Italian data protection rules for mobile payments. We are also seeing an expansion of the types of penalties being imposed, such as the case in South Korea where three credit card companies were subject to a temporary ban on issuing new cards as a result of a data breach incident.

Industry Self-Regulation and Standards – Many market participants in the payment services market self-regulate to reduce the risk of fraud and increase security. Examples include the Payment Card Industry Data Security Standard (PCI DSS) for credit cards and EMV’s specifications for chip cards and payment terminals. These standards create requirements regarding storage, processing and transmission of card and payment data. Those requirements apply in addition to privacy and data protection laws, often being more specific about technical matters.

Lack of International Integration but increased cross-border co-ordination and joint enforcement activities - A particular challenge in the current state of the market is the lack of international integration or standards between jurisdictions meaning companies are forced to ensure they are complying across numerous jurisdictions.

Virtual Currencies/Crypto-Currencies - The increased use of unregulated and potentially untraceable virtual currencies has placed a further unknown factor into the marketplace which payment service providers, regulators and companies will need to consider. The attraction of these alternative currencies lies in the ability for users to remain anonymous, however there are as a result greater risks for users in instances of fraud, hacking and system/platform failure