m-commerce: payments and security

March 1, 2003

Although in its infancy, mobile electronic commerce, a form of e-commerce, known as “m-commerce” for short, is an exciting concept. m-commerce is essentially e-commerce conducted via mobile phone or Personal Digital Assistant (PDA) and includes subscription based services such as news and information delivered to your mobile device. Trials taking place around the world have already identified a number of practical difficulties for m-commerce schemes and related legal issues. This article examines aspects of the two most important issues for m-commerce: methods of payment and security. It has often been said that the development of a suitable payment system is critical to the development of m-commerce.

The pace of change in m-commerce is alarming. The initiative to introduce the facility has been taken not only by many of the phone giants (Nokia being a key player) but also by financial institutions. There is a strong desire on the part of mobile phone companies that m-commerce will be secure and that the global market for m-commerce will thereby expand.

Debit and credit card based payment systems

Currently over 90% of all e-commerce transactions are paid for with credit cards. Both credit and debit cards have been adapted fairly successfully for use in e-commerce and many feel that card based payment schemes will be able to meet most of the needs of m-commerce transactions.

Numerous industry alliances have been formed, many with the objective of setting standards for secure card-based payments in m-commerce. For example American Express, Master Card, Visa and over 100 other organisations across the financial and telecommunications industries recently banded together to launch the Mobile Payment Forum. This global organisation aims to develop a framework for standardised secure card-based mobile payments which are user-friendly and capable of authentication.

The Mobile Payment Forum will also address key issues such as inter-operability, passwords, card holder authentication and encryption methods. Their aim is to ensure a secure and seamless m-commerce payment experience.

The problem that arises with m-commerce payment systems based upon credit or debit cards is the current cost of processing and collecting payments. This makes credit and debit cards unsuitable for small payments, or “micropayments”. Unfortunately most m-commerce transactions are for small amounts such as a charge of a few pence to access a news article or download content. Card-based m-commerce payment systems are also unsuitable for consumer-to-consumer transactions (a potential future area for growth in m-commerce) and they also exclude under-18s who comprise a large proportion of the mobile phone market.

Security

There are some m-commerce payment schemes already in operation, notably in Scandinavia and Japan. With co-operation from Baltimore Technologies, a global leader in e-securities solutions, the Finnish operator Radiolinja recently launched a wireless trust infrastructure. This provides a secure platform, allowing mobile users to carry out a range of m-commerce functions such as secure corporate access, financial transactions, electronic payments and online bookings in a secure and trusted environment. This is one of the most advanced wireless security solutions available in the market today and is a significant step in the future development and deployment of secure m-commerce.

Is such a high degree of security really necessary? Increasingly, yes. The number of users of wireless Internet devices is expected to reach 1.3 billion by 2004. When users exchange information or transact using their wireless phones, laptops or PDAs, they will demand that their transactions and information are secure. The difficulty is that existing means of encryption, which prevent sensitive information on wireless networks from being viewed by unauthorised users, can cause performance bottlenecks on Web servers or WAP gateways. This can often make the consumers’ experience slow. The good news is that hardware is being developed, particularly in existing net systems, to accelerate the processing of security protocols.

This is one reason why consumer uptake of m-commerce in the UK has been slower than hoped for. Current technologies such as WAP are at present inadequate or at least perceived to be so. However, an influx of new mobile phone services is imminent. The GPRS network and the new 3G phones should cause the market for m-commerce to grow rapidly.

Integrated billing

Mobile phone network providers already have the ability to bill customers small amounts for calls. The fact that they have much of the key infrastructure in place to implement micropayments means that it would be a small step to integrate an m-commerce transaction into the network providers’ established billing method. In return for collecting payment for the m-commerce transaction on behalf of the supplier, the network provider could take commission on the amounts billed. Integrated billing has the following immediate advantages:

  • consumers have a simple, secure method of payment
  • suppliers can outsource their billing and payment collection
  • the network providers benefit from increased network use in addition to obtaining commission on the transaction value.

However, integrated billing gives rise to many legal issues. For example, what is the contractual relationship between the network provider and customer? And what is the relationship between the network provider and third-party supplier? In which jurisdiction will the contract be made if the supplier has no way of knowing the country of origin of the caller placing the transaction? Due to data protection considerations, the network provider would be unable to disclose the consumer’s personal details to the supplier without the consumer’s consent. Therefore the supplier would not know the identity or age of the consumer and problems could arise due to inappropriate transactions such as sales to a minor. The complexity of the contractual relationship between the parties mean that it is unclear who would be liable in these circumstances.

Vodafone launched their m-payment scheme in the UK during September 2002. It is currently possible for consumers to make purchases up to the value of 10 Euros either online or using a WAP phone. Content is limited at present to the purchase of ringtones, games, and information services. For pay-as-you-talk customers, the amount spent will be deducted from the customer’s airtime credit; otherwise the amount spent will be billed on the customer’s monthly bill.

e-money

The concept of e-money should also be considered in relation to m-commerce payment systems. e-money or ‘digital cash’ is monetary value that can be stored on mobile phones, smartcards, PDAs or other electronic devices and used to make purchases from entities other than the issuer. The main attraction of e-money for consumers is that it can be truly anonymous, ie spent without leaving a transaction trail in the same way as real cash. A number of money-replacement products have already been developed where monetary-equivalent is stored in e-wallets, although not all these schemes are truly anonymous.

Many see that the development of e-money will facilitate m-commerce by overcoming the public reluctance to disclose personal details online. Another advantage is that e-money bypasses the problems specific to card-based payment systems and avoids some of the legal problems associated with integrated billing.

27 April 2002 (which was hailed as “e-day” in the UK, although it sadly passed almost unnoticed), the UK became the first EC member to implement the European Directives on electronic money issuing. Now, subject to prior application to the Financial Services Authority and compliance with the new legislation and FSA rules, anyone in the UK can issue e-money.

Institutions issuing e-money are known as “Electronic Money Institution” (ELMIs). As the major risk to the m-commerce consumer is the insolvency of the ELMI, the directive sets out stringent requirements. ELMIs must be located within the UK, must have minimum capital of 1 million Euros or at least 2% of outstanding e-money liabilities – whichever is the higher. ELMIs are not allowed to have holdings in other businesses except those which also provide e-money related functions. They are also required to complete a comprehensive risk profile and put watertight procedures in place to deal with all foreseeable technological risks.

Altogether the Directives make it easier for non-financial institutions such as ISPs and mobile phone companies to enter the e-money market by levelling the playing field and thus encouraging m-commerce.

As e-money systems are not necessarily based upon bank accounts, the great advantage is accessibility. Even where there is no billing relationship between the customer and service provider, they can be used. In particular they appeal to the youth market or to others who have access to neither a credit nor a debit card.

In the UK, e-money is still far from becoming a reality as the necessary infrastructure is not sufficiently developed. Currently the most mature smart card based e-money system is run by Mondex. In the UK, the Mondex system has thus far only been trialled within closed systems, such as universities where the campus facilities have been specially equipped to deal with e-money payments.

Conclusion

Which type of m-commerce payment system becomes the preferred choice in the future remains to be seen. As integrated billing becomes more widespread, the legal issues will become more clearly defined. Much of the success of e-money will hinge on the consumer’s willingness to embrace mobile handsets as payment devices. It is clear that for m-commerce to succeed a balance must be found between consumer protection, regulation and innovation.

Christopher Scroggs and Rebecca Nugent are Solicitors at Laytons.