Mobile payments laws have gaps but you can still stay safe

Old laws, cards' zero-liability policies don't always apply

By Beth Braverman

Avoiding 4 loopholes in mobile payments protections
Avoiding 4 loopholes in mobile payments protections

While the market for mobile payments is expanding quickly, the laws that govern payments -- and provide important protection for consumers using them -- are still catching up.

"Regulations are always a step behind technology," says Will Hernandez, editor of Mobile Payments Today. "One of the big things that is holding consumers back is the security issues. They're concerned about whether their information is safe."

Mobile payments are a growing target for fraudsters. Mobile payments accounted for 14 percent of all transactions in 2014, but 21 percent of fraudulent transactions, according to LexisNexis. 

A February 2016 white paper commissioned by The Pew Charitable Trusts found that mobile payments pose some serious risks to consumers. The paper, "The Legal Framework of Mobile Payments: Gaps, Ambiguities and Overlap," found that liability laws surrounding mobile payments are still developing and the current landscape leaves some serious loopholes and a good deal of ambiguity about what's required of companies.

If you've made the leap to mobile payments or are planning to do so soon, here's what you need to know, and how to stay safe: 

1. Your protection depends on the type of card you link to an account.
Most mobile payment systems require borrowers to connect their account to a source of funds, typically a credit card, debit card or prepaid card. Once you've done so, purchases made via the app will enjoy the same level of consumer protection as the connected card. It's important for consumers to understand, however, that those protections vary dramatically depending on the type of card used.

Federal law typically provides credit card users with protection from losses of more than $50. Credit cards also allow you to hold off on paying merchant charges if there's a dispute while the issuer investigates. If the card company agrees that the charges are bogus, you won't have to pay them. 

There's not a lot of transparency with mobile payments.

-- Seth Ruden
ACI Worldwide

For debit card users, however, the ceiling for consumer liability is much higher, at $500 if you don't notify your bank within two days of discovering the fraud ($50 if you do notify them within that time frame). In practice, though, most issuers extend zero liability to their customers, but you won't have access to the funds while the charges are being disputed.

There are no federal laws giving consumers remedy for unauthorized use of prepaid accounts such a gift cards, although some issuers offer zero liability. Linking a bank account directly to a mobile wallet also provides fewer protections, but some banks have said that they'll extend zero liability to Apple Pay. There are few regulations around nonbank services that store money, such as PayPal or Venmo. 

Stay safe: If you're unsure about your liability, use a credit card to fund your mobile wallet since it offers the best consumer protections. Also, read the terms of any zero liability policy that your bank does provide, says Mark Budnitz, author of that Pew paper and a professor of law emeritus at Georgia State University College of Law. "There are different versions of zero liability, and the exclusions, limitations, and conditions can vary," he says.

2. You may not know your rights before downloading an app.
The federal Truth in Lending Act  protects consumers from unfair lending practices and requires that financial institutions provide "conspicuous" disclosures that explain to consumers their rights and liability when using a specific payment method. However, half of in-store purchase apps surveyed by the Federal Trade Commission in 2014 did not disclose whether they offered any liability limits or dispute resolution restrictions, such as requiring arbitration. "There's not a lot of transparency with mobile payments," says Seth Ruden, a senior fraud consultant with payment systems company ACI Worldwide. 

There's a lot of confusion about who to call when things go wrong. Do you call Apple? The credit card company? The merchant?

-- Will Hernandez
Editor, Mobile Payments Today

This is particularly an issue with "stored-value" apps offered -- Starbucks is the biggest example -- which require consumers to upload money directly to the app for purchases, rather than paying by credit or debit card as you go.

There also aren't any laws that prevent companies from changing the terms of an agreement once you've started using an app. Nor are there rules dictating how they need to tell consumers they've done so. Even when companies provide protection, it often remains unclear what steps consumers should take if a dispute does arise. "There's a lot of confusion about who to call when things go wrong," Hernandez says. "Do you call Apple? The credit card company? The merchant?"

Stay safe:
Stick with apps that let you use a credit card or clearly disclose upfront the processes for dealing with any potential disputes. If you're unable to avoid using an app without disclosures, limit the amount you spend with it. 

3. You won't have overdraft protection. If you spend more money than you have in a bank account linked to a mobile wallet or other transactional app, you could be setting yourself up for overdraft fees.

Stay safe: Keep yourself from spending more than your current balance by signing up for text alerts from your bank that let you know if you're approaching some pre-set amount. If you're using a debit card, opt out of overdraft protection -- your transaction may be declined if you have insufficient funds, but you won't have to pay any overdraft fees. 

4. You're likely sharing information with more companies than you'd like. The number of companies that have access to your data at some point in a transaction has grown significantly as payments have gone mobile. A single purchase could now involve your phone manufacturer, phone service provider, financial institution, app maker and a retailer. Health-related purchases might also include your insurer. A breach at any one of the systems could give hackers access to your personal information and make you susceptible to identity theft.

The Consumer Finanical Protection Bureau has just begun looking into the data security techniques employed by the mobile industry. In early March, for the first time, it took action against a mobile payment provider, Dwolla, claiming that it had misrepresented its data security practices and had failed to encrypt some consumer information.  

Stay safe: Stick with apps that use encryption or tokenization technology, which offers you the most protection against identity thieves. You'll also want to take basic precautions such as password-protecting your phone, avoiding public Wi-Fi and enabling two-factor authentication whenever it's available. "Mobile payments are just another example of why consumers need to practice good security practices with respect to their device," says Jackie McCarthy, director of wireless Internet development with CTIA -The Wireless Association.

See related: Mobile payment statistics, Video: Digital fingerprints can be hacked, too, Video: Protect your privacy while using mobile shopping apps

Published: April 14, 2016

Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.

Follow Us

Updated: 10-20-2016

Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.