Mobile May Force You To Rewrite Your Shoplifting Definitions. And 100 Other Things You Haven’t Yet Thought Of

Written by Mark Rasch
January 16th, 2012

Attorney Mark D. Rasch is the former head of the U.S. Justice Department’s computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

Mobile payment is going to change retail in an unknown number of unknown ways, and your lawyers will have healthy employment. Consider in-aisle checkout and shoplifting rules. Today, customers who put products in a concealed place—a pocket, backpack, purse, etc.—while still in the store can be convicted of shoplifting even if they have yet to reach the POS checkout area. The concealment part of that action is considered evidence of criminal intent.

Now let’s see you try and enforce that rule when you have in-aisle mobile checkout. If someone scans and pays for an item in aisle 12, is that person now permitted to place it in a pocket? He or she now owns it, right? And what if that person had merely put it in a mobile shopping cart while walking to the other end of the store to compare two items before purchasing one?

There is clearly an easy policy answer for that—it’s been paid for via mobile; in-pocket is legal. If it’s only in a virtual shopping cart, then in-pocket is a no-no. But how many retailers have thought through these types of mobile policy implications?

There is going to be some new retail mobile-payment technology, and I have no idea what it is going to be. But whatever it is, it will create jobs. Jobs for lawyers, that is. Every new technological advance pushes the envelope of existing law and regulation, and retail payment is no different.

Because the law works by defining rights and responsibilities of parties, the definitions themselves are tested by new technologies. That’s why every new technology should have a legal, privacy and compliance review. Consider a simple RFID payment system. Consumers fill a basket of goods in the store, and as they walk out, a device in the store queries all of the items in the basket, determines the identity of each item, looks up its current price, and then charges the consumer’s contactless credit/debit card. Pretty cool. Let’s assume everything works as planned.

The first problem (or advantage) here is privacy. By linking the specific items purchased to the identifiable payment system, we not only know that Joe likes peanut butter and bananas but that he chooses Jif (creamy, not organic). Our barcode scanner already told us that, though. Now, however, we know the specific lot number he purchased. This may help us manage a product recall of a specific lot. It may also create a duty on the part of the retailer to notify the customer that there has, in fact, been a safety or other recall, because the retailer now has that information available.

Another privacy/legal issue relates to the fact that the RFID tags may be queried after the consumer leaves the store. Just as the grocer can ask “what’s in the bag?” so, too, can the cops—or the robbers. Absent some type of “kill switch,” a person could walk down the street and “read” what other people are wearing and what’s in their shopping bags. That person may also be able to learn when and where the items were purchased. Every functionality comes with privacy, security and legal implications.

Some of the security issues are obvious, others not so much. Sure, the contactless payment system must be secured, and there has to be some “second factor” authentication that the purchaser is authorized. There also has to be a mechanism to ensure that the payment system is not charged without authorization and that the merchant isn’t falsely “loading up” on items. Before deploying a system, a retailer must consider all of the things that could reasonably go wrong (and many of them that would not be so reasonable).

There’s a lot of law out there.

