Mobile May Force You To Rewrite Your Shoplifting Definitions. And 100 Other Things You Haven’t Yet Thought Of
Written by Mark Rasch
Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.
Mobile payment is going to change retail in an unknown number of unknown ways, and your lawyers will have healthy employment. Consider in-aisle checkout and shoplifting rules. Today, customers who put products in a concealed place—a pocket, backpack, purse, etc.—while still in the store can be convicted of shoplifting even if they have yet to reach the POS checkout area. The concealment part of that action is considered evidence of criminal intent.
Now let’s see you try and enforce that rule when you have in-aisle mobile checkout. If someone scans and pays for an item in aisle 12, is that person now permitted to place it in a pocket? He or she now owns it, right? And what if that person had merely put it in a mobile shopping cart while walking to the other end of the store to compare two items before purchasing one?
There is clearly an easy policy answer for that—it’s been paid for via mobile; in-pocket is legal. If it’s only in a virtual shopping cart, then in-pocket is a no-no. But how many retailers have thought through these types of mobile policy implications?
There is going to be some new retail mobile-payment technology, and I have no idea what it is going to be. But whatever it is, it will create jobs. Jobs for lawyers, that is. Every new technological advance pushes the envelope of existing law and regulation, and retail payment is no different.
Because the law works by defining rights and responsibilities of parties, the definitions themselves are tested by new technologies. That’s why every new technology should have a legal, privacy and compliance review. Consider a simple RFID payment system. Consumers fill a basket of goods in the store, and as they walk out, a device in the store queries all of the items in the basket, determines the identity of each item, looks up its current price, and then charges the consumer’s contactless credit/debit card. Pretty cool. Let’s assume everything works as planned.
The first problem (or advantage) here is privacy. By linking the specific items purchased to the identifiable payment system, we not only know that Joe likes peanut butter and bananas but that he chooses Jif (creamy, not organic). Our barcode scanner already told us that, though. Now, however, we know the specific lot number he purchased. This may help us manage a product recall of a specific lot. It may also create a duty for the retailer to notify the customer that there has, in fact, been a safety or other recall, because the retailer now has that information available.
Another privacy/legal issue relates to the fact that the RFID tags may be queried after the consumer leaves the store. Just as the grocer can ask “what’s in the bag?” so, too, can the cops—or the robbers. Absent some type of “kill switch,” a person could walk down the street and “read” what other people are wearing and what’s in their shopping bags. That person may also be able to learn when and where the items were purchased. Every functionality comes with privacy, security and legal implications.
Some of the security issues are obvious, others not so much. Sure, the contactless payment system must be secured, and there has to be some “second factor” authentication to confirm that the purchaser is authorized. There also has to be a mechanism to ensure that the payment system is not charged without authorization and that the merchant isn’t falsely “loading up” on items. Before deploying a system, a retailer must consider all of the things that could reasonably go wrong (and many that would not be so reasonable).
There’s a lot of law out there.