6 min read

Legal Fundamentals for Monetizing your IoT Solution

Thursday, June 21, 2018

Our last blog focused on how to monetize your IoT solution with consumers. This blog discusses the legal and compliance considerations that apply to consumer charges as you prepare to monetize your IoT solution with credit card payments. Recall that an IoT solution is a product or service that has an internet connected device. For example, a door lock that can be unlocked remotely via mobile phone or a wearable wristband which allows a concert-goer to enter the concert arena, reserve seats and pay for concessions.

In the Q&A below, Gloria Rismondo, from Global Payments Product Strategy and Innovation team, discusses common legal and compliance challenges with Ty Barringer, Global Payments Senior Corporate Counsel who specializes in new technology developments. The goal is to outline some of the legal elements to consider when monetizing a consumer IoT solution to help guide your discussion with your own legal counsel.

Gloria: What legal elements do companies need to think about when creating an IoT device solution?

Ty: The starting point from a legal and compliance standpoint is to identify the regulations and standards that are applicable to your solution. IoT solutions often require significant amounts of data to operate. It is important to identify the data that you are collecting and how you want to use that data. You can then determine how your solution will be regulated and which regulations will apply.

For example, some of the regulations that may apply include FTC guidance (Federal Trade Commission), the GDPR (General Data Protection Regulation) and industry specific regulations like HIPAA for healthcare and PCI DSS for payment card processing.

Gloria: It seems like data capture is really key to understanding how your IoT solution will be regulated. Can you elaborate?

Ty: It is in everyone’s best interests to establish a clear policy on the information you are capturing, where you are storing it and who can access it. Look at relevant guidelines like the GDPR to establish your policy on data capture and storage. Clearly communicate that policy to customers and then follow your own policy.

Beyond GDPR, consult with qualified experts in the area of your solution. For example, I mentioned HIPAA applies to healthcare which will add some additional requirements for healthcare data. PCI DSS (Payment Card Industry Data Security Standard) applies to people, processes and technology that stores, processes or transmits payment card information. The information encompasses the card account number as well as the name on the card and other pertinent details like card expiration date and PIN.

Gloria: That ties in nicely to the subject of our last blog on monetization of IoT solutions. What does a company need to consider when processing payment triggered from an IoT connected device?

Ty: It is important to consider the PCI DSS standards. In most cases, PCI DSS applies to environments that store, process, or transmit payment card account data. Payment card account data (credit and debit card account numbers) are generated from the payment brands like Visa, Mastercard, Discover, and American Express. These payment brands formed the PCI Security Standards Council to maintain integrity of the payment cards they offer, which helps prevent compromised account data and resulting fraud and theft. Each of the credit card brands have their own enforcement programs, requirements and penalties. So essentially, Visa is different from Mastercard which is different from American Express and so on. The overall goal is the same, but there are differences in how to comply -- for example, the payment card brands have different thresholds for transaction volumes so a company that accepts payments might be categorized differently by different brands. On top of that, annual compliance validation, with the card brands’ rules is required.

Gloria: That sounds incredibly confusing! Can you give me some more examples of the requirements that might apply?

Ty: There are strict rules on how and when you can store, process, or transmit payment card account data. There are basically 12 PCI DSS requirements to handling the data. For example, if a company collects a credit or debit card number to charge a fee for a solution, the payment information must be collected in a secure manner such as a secure web browser page.

These requirements can be onerous on a company that is not technically proficient in payments. In PCI, ‘scope’ is everything and is often a function of how an entity configures its network. The systems or networks that touch the payment card information are ‘in scope’ for PCI compliance. However, if the system is not configured correctly, then other areas of the technical infrastructure could be considered ‘in scope’ for PCI and would need to be audited for PCI compliance.

PCI DSS Requirements

Gloria: How does using a technology enabled, software driven payment provider help with PCI DSS compliance?

Ty: When implemented properly, solutions like electronic wallets and tokenization may reduce the scope and complexity of PCI compliance requirements. This process was outlined in the last blog -- the payment technology partner can offer SDK’s and API’s for simple integration of software that will capture the payment card information, tokenize it and securely store it for the IoT company. Because the payment partner is handling and storing that payment information, the IoT company’s systems are not in the scope of PCI DSS and may not need to be validated.

Gloria: So solutions like eWallet and tokenization can really benefit a company building an IoT solution. Any final thoughts on payment regulations for IoT?

Ty: From an initial glance, all of the laws and regulations around payments and IoT data can be daunting. Remember that these kinds of regulations really exist to benefit consumers and ensure that everyone’s information stays protected. It is helpful to know that there are payment technology companies who have built solutions to help navigate the regulations. Working with the right partner can help IoT companies comply while not impeding your core business function.

Electronic Wallet (eWallet) technology securely captures, tokenizes and stores credit card information. Click on the video from Heartland, a Global Payments Company, to see how it works.

Ready to get started? Visit our IoT page to learn more and get in touch.