Get to Know Your Data Protection Rights before Using Mobile Payment Services

17 October 2016
Email this page

Get to Know Your Data Protection Rights  before Using Mobile Payment Services

With the growing popularity of smartphones, various services that are attached to mobile phones have come into existence, including a number of mobile payment services launched in Hong Kong.  Before using these services, consumers should pay heed to the features and restrictions as well as hidden risks and security precautionary measures.  In addition, different services vary in their approaches to handle personal data.  A number of the services surveyed will determine membership grades according to the amount of personal information users are willing to release, and 1 service provider disclosed that users’ personal data will be retained on a permanent basis.

The Consumer Council examined 10 mobile payment services available in the market and among which, 4 supported merchant payment, 3 supported peer-to-peer (P2P) money transfer, and 3 supported both aforementioned services.  These services are provided not only by financial institutions, but also telecommunication operators, mobile phone developers and social platform providers.  Other than the one offered as a built-in payment app of a mobile device, the remaining 9 required users to download a specific app to their device before one can use the payment service.  Different payment services also have different requirements on smart devices such as phone models and operating systems.

Although the apps that support the payment service can be downloaded for free, there are various restrictions in practice.  5 payment services studied are partnered with only 1 financial institution, thus users of the payment service must hold an account or credit card of that particular financial institution.  Yet there are services that allow users to connect up to 8 bank accounts and function as mini wallet for users.

In selecting the mobile payment services, users should beware that service providers may set limits on amount of transaction made, daily transfer and the total annual transaction amount.  P2P transfer service could take as long as 3 working days to complete if the transaction parties use different banks.  As for termination of services, a service provider request a $300 handling fee for terminating accounts within a year of registration, while others generally agree to remove the accounts free of charge.

In terms of personal data protection, in addition to general personal information, some service providers also require users to provide copies of identity card, address proof or credit card for account registration.  3 service providers require users to provide different amount of personal information depending on membership grade or service scope.  Consumers desire to have more rights, higher membership grade or a higher transaction limit may need to provide more personal data.

The current practice of personal data collection by traders is regulated by the Personal Data (Privacy) Ordinance, which stipulates that personal data should not be kept longer than necessary to fulfil the purpose for which it is collected.  However, our study found that 3 service providers would retain users’ personal data for up to 7 years and 1 disclosed that such data will be permanently kept.

On security aspect, all payment services studied have in place the basic security precautionary measures before and after a payment transaction including log-in password and two-factor authentication.  If the verification code is wrongly entered, the transaction will not be processed.  Users will also receive instant transaction notification, and can check past transaction records.  Consumers should review transaction details at site, if they have any query, they should either ask the trader at once or raise with service providers or banks as soon as possible.

The payment services studied have adopted QR Code and NFC (Near Field Communication) as non-contact means to process payment transactions but both have safety risks of their own.  Users who scanned a phishing QR Code could be led to malicious websites or download viruses which could result in personal data being stolen.  As for NFC, if the NFC tag in the card reader is not protected, fraudsters may rewrite the information, and maliciously modify them, or steal their transaction details through a fake NFC reader.

Consumers should pay attention to the following when using mobile payment services:

When using QR Code:

  • Install the QR Code safety monitor apps and anti-malware software before using;
  • Verify whether the information converted from QR Code is accurate;
  • Do not casually disclose to others the QR Code generated for mobile payment.

When using NFC:

  • Use NFC checking software to verify if the loaded commands or contents are trustworthy;
  • Before making payment, wait for the trader side to provide clear transaction information to validate the transaction and check that payment instruction is correct;
  • Disable NFC immediately after using the payment or transfer service.

The Consumer Council reserves all its right (including copyright) in respect of CHOICE magazine and Online CHOICE.