Law Technology Today From the ABA Legal Technology Resource Center
Related Articles
At the present time, there are no laws at the federal level that deal directly and specifically with online payment services. That’s not likely to remain the case, however, as Missouri and other states are showing some interest in forcing business owners to obtain and retain identity verification for some mobile-based payment types, including Apple Pay, Square, and Google Wallet.
Such a move would likely undermine the security measures built into these technologies, levy an administrative burden on retailers and other businesses, and ultimately prove redundant for their stated purpose since hardware-level security checks like face and fingerprint recognition already provide a significant degree of verifiable authenticity.
Nevertheless, online and mobile payment services are coming of age rapidly in terms of adoption. Use of, and interest in, digital wallets and contactless payments are both rising among users of mobile electronic devices, even if only around 16% of smartphone owners currently use contactless payments.
For small business owners, entrepreneurs and, of course, legal professionals and other contract-based workers, online payment platforms represent a convenient—and mostly safe—way to exchange money. But there are still some legal and practical risks and considerations.
What Kind of Online Payments Are Available, and How Do They Handle Risk?
According to the available data, three online payment services have achieved market dominance over the others: Apple Pay, Google Wallet, and PayPal. Others offer similar features and a similar platform experience.
It’s worth looking into the basic features of each of these and what differentiates them—including the degree of security they boast and how “hardened” their services are against fraud and misuse.
Apple Pay
The security underpinnings of Apple Pay certainly appear robust. Identifying numbers are specific to users’ devices and are physically isolated from the rest of the hardware in a dedicated chip called a “secure element.” Whenever a transaction takes place—in a retail store, for example—the POS terminal and the user’s smartphone exchange a “handshake” using a transaction-specific security code.
Because Apple Pay is included in iOS and relies on hardware-level security like facial recognition and fingerprint scanners, Apple Pay is a relatively low-risk way to send and receive money. However, it comes with the tradeoff that both parties must own iOS devices running recent versions of the software.
Google Wallet
Google Wallet comes with some of the same tradeoffs as Apple Pay—namely, that both parties must have a Google account and that only websites and retail locations that accept MasterCard can take payments made via Google Wallet.
Because Google Wallet is more hardware-agnostic than Apple Pay, its security measures are a little different, too. Users will enter a PIN, and all data exchanged between user devices and Google servers gets encrypted. Google also claims their real-time “risk and fraud protection” engine can stop fraudulent purchases as they’re being made.
Google is the company that built the most sophisticated web-searching algorithm on Earth, so it’s not surprising they might be able to outdo the credit card companies on fraud detection and freezing funds before allowing completion of questionable purchases.
PayPal
PayPal is probably the best-known and most widely used online payment service. It began as a way for customers to make payments to online merchants, but it has since expanded into brick-and-mortar payments and even credit services.
For two parties to exchange money using PayPal, both will need a PayPal account, and account creation requires a successful link with a credit card or bank account in good standing to serve as a source of funds and a default payment method.
PayPal does offer some seller and buyer protections that are compelling for business and legal interests, including refunds for products that arrived at their destination damaged and two-factor authentication to guard against unauthorized account use.
PayPal stores a considerable amount of sensitive financial data, but it performs anonymizing on that data in the sense that neither party can see, or retain, specific payment information about the other party—only PayPal has the credit card and checking account numbers.
Are There Any Reasons to Be Skeptical?
The appeal of near-field communication, or NFC, and other contactless payment technologies gets at the heart of what made smartphones so compelling in the first place: These payment methods will soon render quite a lot of the thickness of our wallets and purses obsolete.
And another of the clear benefits of using online payment services is what makes them secure in the first place. The parties on both ends of the transaction have already performed identification verification using one method or another, be it hardware-based or the linking of an active credit card to the mobile account.
Compared with using credit cards themselves, mobile payment services are veritable ironclad fortresses. Credit cards are easy to lose or steal, and the time required to receive secured funds after a fraudulent purchase can be punishing in a lot of cases. Most online payment services lean on credit and debit cards for facilitating the movement of funds, but they add a layer of buffering and obfuscation that makes “hacking” these accounts useless, or mostly so.
But even technologies that are relatively new to the mainstream, like the NFC readers that “talk” to smartphones at gas pumps and cash registers, are untested in the grand scheme of things. And payment methods that don’t rely on device-specific credentials, like the venerable PayPal, aren’t immune to account hacks, even with their many security measures in place. Unsecured Wi-Fi, phishing scams and user error are all still risks.
But even with the specter of cyber-criminals always rightfully top of mind among modern consumers, and even with a somewhat unclear legal and policymaking precedent when it comes to who shoulders the bulk of the risk and liability in digital purchases, it’s hard to ignore the convenience and general peace of mind online payment services can provide.
