The ability to purchase goods from on-line merchants has grown at a tremendous rate over the last few years.  With the use of the Internet, people are now able to purchase everything from books to vacations without ever leaving their home.  While the manner in which these purchases are made has changed, the method by which the consumer pays the merchant has not.  The vast majority of on-line purchases are paid for using conventional payment systems such as the credit card.  The first part of this section summarizes the regulatory framework for payment systems.  The second part of this section discusses existing payment systems and any associated limitations on their use in electronic commerce.  The third part briefly discusses several emerging payment systems.  The last part of this section presents a case study on an emerging payment system that may replace conventional systems.

I.            Regulatory Framework for Payment Systems

            A.            What is a Bank?

The Bank Holding Company Act of 1996 defines a bank as an institution that accepts demand deposits and makes commercial loans.  A deposit is money placed in the safekeeping of the institution, subject to withdrawal on demand.

B.            Electronic Funds Transfer Act

EFTA provides for consumer protection in electronic funds transfer systems by providing error resolution procedures, limiting consumer liability, and requiring disclosure of terms and conditions.  Under Regulation E, EFTA applies to any “bank, savings association, credit union, or any other person that directly or indirectly holds an account belonging to a consumer, or that issues a device and agrees with a consumer to provide electronic fund transfer services.”

C.            Truth in Lending Act

The Truth in Lending Act and its implementing Regulation Z limit a credit cardholder’s liability for unauthorized use to $50.  This $50 liability can only be imposed in transactions where the issuer has provided a method for the user to identify himself as the authorized user of the card.  Thus, in Internet transactions, where a card is not even presented to the merchant, cardholders cannot be held liable for any unauthorized transaction amount.

D.            Uniform Money Services Act

The Uniform Money Services Act provides a uniform framework for the licensing and regulation of money services in each of the 50 states.  The Prefatory Note of the Act provides the following goals and objectives:

The Uniform Money Services Act ("UMSA" or "Act") is a state safety and soundness law that creates licensing provisions for various types of money-services businesses ("MSBs"). While many States have laws that deal with the sale of payment instruments, state regulation of money transmission, check cashers and currency exchangers is extremely varied. Furthermore, only a few States have attempted to create statutory frameworks which tie together the various types of MSBs in a manner that assists regulators and attorneys general in terms of law enforcement and the prevention and detection of money laundering.

 

The UMSA creates a framework that connects all types of MSBs and sets forth clearly the relationship between a licensee and its sales outlets. Uniformity should create a level playing field with respect to the entry of MSBs into various States. More generally, the uniformity of the reporting and record keeping requirements should enable industry to comply with multiple state requirements in a uniform and cost-effective manner. Uniform licensing, reporting and enforcement provisions for MSBs will serve as a larger deterrent to money laundering than will a host of varying state laws.

 

In some States, this Act will replace existing licensing laws for money transmitters and possibly check cashers. For the vast majority of States, this Act will provide new provisions for dealing with currency exchangers (which are virtually unregulated at the state level). Different States may decide to adopt different parts of this Act, which is why this Act has separate licensing chapters for the different types of money services.

 

The UMSA provides a unique opportunity for States to take a consistent approach to the licensing and regulation of stored value and other forms of emerging Internet and electronic payment mechanisms. A uniform and consistent approach will provide less of a barrier to competition and growth in these new sectors. For the majority of States, this Act will provide a new approach to the treatment of stored value and electronic currency at the state level. A handful of States have begun to license and regulate such diverse entities as nonbank stored-value issuers, Internet bill payment services and Internet money transfer services. Rather than create a varied and complex regulatory system for these emerging payment service providers, the UMSA attempts to provide a simple and consistent set of licensing requirements for these new entities.

 

The Act defines money transmission as “selling or issuing payment instruments, stored value, or receiving money or monetary value for transmission.”

E.            USA Patriot Act

The Act was passed after September 11 to strengthen money laundering defenses and help deal with terrorism.  Of particular relevance to payment systems, the Act adds to the definition of money transmitter “informal value transfer banking systems or networks of people facilitating the transfer of value outside of the financial institutions system” and makes it a Federal crime to operate a money transmitter business without an appropriate state license.

            F.            Uniform Commercial Code

            When checks meet the formal requirements of Article 3 of the Uniform Commercial Code (UCC) they are regulated as negotiable instruments.  Under the code, a financial institution is responsible for loss associated with failure to discover forgery unless actions by the accountholder contributed to the forgery.[1]

II.         Existing Payment Systems

            A.            Background

The vast majority of payments made for e-commerce transactions are made using traditional payment systems: cash, money orders, checks, and credit cards.[2] 

B.            Cash, Checks, and Money Orders

Cash has the advantage of providing the buyer anonymity: the purchaser does not have to reveal to the seller personal information such as credit card number, bank account numbers, or even, perhaps, his name.[3]  Unfortunately, the risks of using cash for remote transactions outweigh this advantage.  First, because cash must be sent, there is a delay in completing the transaction.  Second, cash can be lost or diverted in the mail.  Third, the seller can defraud the purchaser by failing to send the purchased goods once the cash is received.[4]

Check payments constitute the largest segment of the overall payment system in the United States and are commonly used for online transactions.[5]  Personal checks offer convenience and low expense for both buyers and sellers,[6] provide the purchaser a float and the opportunity to stop payment until the check clears,[7] and provide a record of the transaction in the form of the canceled check.[8]  Money orders, while more expensive than checks, provide sellers additional protection against the risk that a purchaser’s personal check will bounce.[9]

Perhaps the greatest advantage of cash, checks, and money orders is that they can be used to pay anyone.  Cash, of course, is a universal payment system, and checks and money orders are functionally universal as well.  To make a payment by check or money order, all a payor needs is the name and, perhaps, address of the payee.  To accept a payment by check or money order, all a payee needs is a bank account.

Cash, checks, and money orders, however, have two inherent problems when utilized for payments in e-commerce: immediacy of payment and risk of seller fraud.  Use of cash, checks, and money orders as a method of payment for remote transactions drastically delays completion, and reduces the convenience, of the transaction.  A seller likely will not ship purchased goods until he receives payment.  Thus a purchaser will experience a delay in receiving goods when paying by one of these methods.  More importantly, once a purchaser forwards a cash, check, or money order payment to a remote seller, the purchaser has little or no recourse if he is unsatisfied with the product or never receives the product at all.

            C.            Credit Cards

Because of the problems with cash, checks, and money orders, credit cards are used for the vast majority of Internet transactions between consumers and retailers.  There are three obvious reasons: first, credit cards are the only existing payment system available to consumers that can provide merchants with an instantaneous assurance of being paid in a non-face-to-face transaction; second, there is a large existing base of customers in possession of credit cards; and third, the heavily regulated credit card system affords consumers significant protection against fraud.

                        1.            How they Work

Credit card transactions are founded on a number of agreements between the cardholder, the card issuer, the cardholder’s bank, the merchant, and the merchant’s bank.  First, there is a cardholder agreement between the cardholder and the card issuer governing terms such as payment and credit line.  Next, there are agreements between the card issuer and banks that collect payments from the cardholder.  Before a merchant can accept credit card payments, the merchant must secure authorization of the card issuer and agree to any terms and conditions of the issuer.  Finally, there is the agreement between the cardholder and the merchant on the transaction itself.[10]

Credit card transactions can be grouped into two general categories: card-present transactions and card-not-present transactions.  Card-present transactions are just what the term implies: the card is present and available for the merchant to see and verify its validity when the transaction is completed.  A credit card purchase at a “brick and mortar” store typifies this type of transaction.  On the other hand, card-not-present transactions are transactions where the merchant has no information other than the card number and expiration date.  An Internet purchase with a credit card is an example of a card-not-present transaction.  What follows is a brief description of how each of these transactions is completed.

Card-present transactions start with the swipe of the card through a card reader at a store.  When the card is swiped, the terminal at the store transmits data encoded on the back of the card to an organization called an “acquirer.”  An acquirer receives credit card authentication requests from merchants and provides those merchants with a guarantee of payment.  The acquirer checks the card number, the expiration date, the credit card limit and the card usage in order to ensure that the card and the transaction are valid.  With assurance of validity, the merchant transmits a record of the transaction charge to its bank.  The merchant’s bank in turn forwards the record of charge to a national switch or clearinghouse to process the credit card charge.  The clearinghouse transmits the record of charge to the issuing bank, which then forwards a payment back to the merchant’s bank and applies the charge to the cardholder’s account.  To complete the entire transaction, the cardholder then forwards a payment to the issuing bank.

On the other hand, card-not-present transactions do not start with a card swipe and therefore do not afford the merchant the assurance that an authorized cardholder is using a valid credit card.  A typical on-line card-not-present transaction starts with a customer proceeding to a “checkout” portion of a merchant’s website.  The merchant’s website assembles a record of the order and provides an encrypted form for the customer to input credit card information.  Typically, a merchant will proceed with card-not-present transactions upon being provided the card number, expiration date, and the billing address of the cardholder.  After checking for bogus entries, the merchant’s website will forward the credit card information and order record to an application service provider.  The service provider then posts the credit card information and order to a national gateway or clearinghouse.  The clearinghouse then processes the information through a financial network designated by the merchant’s bank.  The financial network gets an authorization from the issuing bank for a payment to the merchant’s bank.  The issuing bank authorizes a charge to the customer’s account and a credit to the merchant’s bank.  The clearinghouse logs all of the transactions and sends a status report back to the application service provider.  If the service provider receives a report of a successful transaction, it provides a confirmation message to the merchant.  The merchant is then able to post a confirmation message for the consumer on its website or send an email that confirms the transaction.
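
The screening for “bogus entries” described above can be illustrated with a short sketch.  It is an added example, not code from any merchant, service provider, or card network; the Luhn check-digit test and the function names (`luhn_ok`, `expiry_ok`, `screen_entry`) are assumptions chosen for illustration, and the sample card numbers are constructed test values.

```python
import re
from datetime import date


def luhn_ok(number: str) -> bool:
    """Return True if a string of digits passes the Luhn check-digit test."""
    total = 0
    # Walk the digits right to left, doubling every second one.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def expiry_ok(month: int, year: int, today: date) -> bool:
    """A card is treated as usable through the last day of its expiry month."""
    if not 1 <= month <= 12:
        return False
    return (year, month) >= (today.year, today.month)


def screen_entry(card_number: str, exp_month: int, exp_year: int,
                 billing_address: str, today: date) -> list:
    """Return a list of problems found in a checkout entry (empty if none).

    This only screens for malformed input before the entry is forwarded
    for authorization; it does not contact the issuer and cannot tell
    whether the person entering the data is the authorized cardholder.
    """
    problems = []

    # Customers often type spaces or dashes between digit groups.
    compact = re.sub(r"[ -]", "", card_number)
    if not re.fullmatch(r"\d{12,19}", compact):
        problems.append("card number is not 12 to 19 digits")
    elif not luhn_ok(compact):
        problems.append("card number fails check digit")

    if not expiry_ok(exp_month, exp_year, today):
        problems.append("expiration date is invalid or in the past")

    if not billing_address.strip():
        problems.append("billing address is empty")

    return problems


if __name__ == "__main__":
    # Constructed sample entries; the date is fixed so the output is repeatable.
    as_of = date(2002, 4, 15)
    samples = [
        ("4111 1111 1111 1111", 12, 2003, "1 Main St, Springfield"),
        ("4111-1111-1111-1112", 1, 2002, "  "),
        ("not a number", 12, 2003, "1 Main St, Springfield"),
    ]
    for entry in samples:
        print(entry[0], "->", screen_entry(*entry, today=as_of) or "well formed")
```

An empty result means only that the entry is well formed; it says nothing about whether the person typing it is the authorized cardholder, which is the gap in card-not-present transactions described above.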

                        2.            How Credit Cards are Regulated

In addition to the various agreements mentioned above, credit card transactions are governed by the Truth in Lending Act (TILA) and its implementing Regulation Z.  TILA limits a cardholder’s liability for unauthorized transactions to $50.  However, the Federal Reserve has indicated under Regulation Z that consumers have no liability for unauthorized transactions that proceed without an adequate method for verifying the identity of the card user.  Thus, consumers have no liability for unauthorized card-not-present transactions.

In addition to limiting cardholder liability, Regulation Z provides cardholders with billing dispute mechanisms.  First, cardholders have the right to dispute and withhold payment for any billing errors, such as charges for undelivered merchandise.  Second, cardholders can assert claims arising out of the transaction with the merchant against the card issuer after making a good faith effort to resolve those claims with the merchant.

                        3.            Concerns with Credit Card use in E-Commerce

Despite their popularity, credit cards present three major problems when used in e-commerce: fraud, cost, and inability to handle person-to-person transactions.

As noted above, in e-commerce transactions, consumers bear no liability for unauthorized credit card transactions.  Therefore, the entire risk of loss falls on the merchant.  This is a serious risk considering the relatively insecure method in which credit cards are accepted for payment over the internet.  Moreover, the dispute mechanisms provided by Regulation Z allow a cardholder to withhold payment by claiming non-receipt.  Thus, even a customer that makes a legitimate purchase and receives his merchandise could disavow that purchase or claim non-receipt and leave the merchant without a payment.

Credit card transactions are also among the most expensive forms of payment systems for merchants.  Each of the transaction steps addressed above carries a charge that the merchant has to pay.  Thus for purchases around $10 or less, merchants may actually lose money on a credit card transaction.  Credit cards, therefore, are not a suitable payment system for “micropayments.”

Lastly, credit cards are typically not available for person-to-person transactions over the Internet.  Individuals would have to obtain merchant accounts in order to be able to accept payments by credit cards.  Furthermore, for security reasons, individuals are understandably reluctant to provide credit card information to another individual.

III.            Emerging Payment Systems

            A.            Background

            In the past few years, several new technologies and payment systems have emerged to address the shortcomings of existing payment systems.  New systems have been designed either to augment existing systems or replace existing systems in whole.

            B.            Secure Electronic Transactions (SET)

            Major credit card issuers first attempted to address security limitations inherent in the use of credit cards in e-commerce transactions by developing Secure Electronic Transactions (SET).  SET centered on the use of digital signatures and cryptography that would allow financial institutions to verify that the customer was an authorized card user.  Essentially, when a customer placed an on-line order and selected to pay with a credit card, the customer would send a digital certificate and encrypted credit card information to the merchant.  The merchant would forward the information to a financial institution for verification of the card user.  The financial institution would then notify the merchant whether the card use was valid.

            Due to the complexity of, and uncertain regulatory support for, SET, the concept has never taken hold.  Merchants and financial institutions expressed reluctance in reengineering existing computer systems to support cryptographic functions.[11]  Moreover, the Federal Reserve Board never addressed whether SET would satisfy the cardholder verification requirements of Regulation Z.[12]

            C.            Secure Sockets Layer (SSL)

            Secure Sockets Layer (SSL) emerged as an alternative for secure credit card transactions when SET failed to take hold.  Instead of using digital certificates to verify authorized cardholders, SSL uses digital certificates to validate the e-commerce servers and websites.[13]  When a consumer logs onto a secure website, the consumer’s Internet browser validates the merchant’s server certificate.  The consumer’s browser then uses an encryption key in the certificate to encrypt communications between the browser and the server.  This allows information, such as credit card numbers, to be passed over the Internet in an encrypted form.

            While SSL addresses the fear of unauthorized interception of credit card information while it passes from consumer to merchant, it does not address two other issues.  SSL does not address security of credit card information once it is in the hands of the vendor and does not in any way validate the identity of the card user.

            D.            Stored Value Cards

Stored value cards have emerged as a replacement for cash in a limited number of small-dollar transactions, such as mass-transit fare cards, library copy machine cards, and retail gift certificate cards.  In these applications, the stored value card is typically a credit card-sized card that uses a magnetic strip to store impulses that represent the balance of money held on the card.  Users can typically purchase a card (using cash, check, or credit card) with a predetermined value already stored on the card directly from the entity that uses the system, or can purchase an “empty” card and then place value on the card at a vending machine that accepts cash, credit cards, or debit cards.  Once a user has a card with stored value, he can make payments using the card simply by inserting the card into a terminal that can confirm the validity of the card and read the stored value.  If the card is valid and has sufficient funds for the transaction, the terminal simply deducts the appropriate value from the card.

The obvious limitation of using these types of stored value cards in e-commerce transactions is the lack of universal or general use cards.  Each of the stored value cards discussed above has a limited application, e.g. mass transit cards can only be used to pay fares on a specific mass transit system, gift certificate cards can only be used at the store where they were purchased.

            E.            Smart Cards

            The next step in the evolution of credit card-based payment systems appears to be the deployment of “smart cards.”  Smart cards are credit cards with an integrated microprocessor that can handle functions ranging from monetary storage to card user authentication.  The microprocessor represents a significant advance over magnetic strip technology, as a chip, in addition to performing multiple functions, can store thousands of times more information than a magnetic strip.

            Card user authentication using smart card technology is based on user-specific personal identification numbers (PIN).  When a user first receives a smart card, he would need to insert the card into a card reader and enter a PIN for the card.  The imbedded chip would store the PIN in the card.  From this point on, when the card is used in transactions, the cardholder would need to insert the card into a card reader and enter the PIN.  A valid card and correct PIN would indicate that the cardholder is indeed present and using a valid card.  The obvious drawback for e-commerce applications is the need to deploy card-reading equipment to individual consumers such that smart cards can be used from personal computers.

IV.       Case Study - PayPal

With the rising popularity of on-line auctions such as eBay, transactions between persons (rather than persons and merchants) over the Internet have dramatically increased over the past few years.  Since neither of the participants in these transactions is a merchant, the dominant payment system, credit cards, is not available for use.  Furthermore, the existing payment systems available to consumers were not practical for remote transactions.  Payments for on-line transactions between persons required the use of off-line payment systems such as cash, checks, or money orders.  These systems presented two problems.  First, if a seller agreed to ship an item while waiting for payment, he had no guarantee that he would receive a payment.  On the other hand, if the seller held the item until receiving payment, a purchaser might have to wait weeks before receiving his purchase.  Thus there was a market need for an on-line payment system that offered efficient and convenient on-line payments without sacrificing reliability and security.

            A.            Background

In December 1998, Peter Thiel and Max Levchin set out to develop a new payment system suited to on-line merchants and individuals engaging in e-commerce.  Their idea was to develop a payment system that combined the existing payment system infrastructure of bank accounts and credit cards with the widespread use of email.  The idea became reality in October 1999 with the launch of PayPal.  PayPal allows any consumer or business with an email address to send or receive on-line payments.  The concept was simple: once a user registered with the company, he could send a payment to anyone with an email address by simply entering the recipient’s email address, the payment amount, and the payment source (bank account, credit card, or PayPal account).  If the payment is made to a recipient without a PayPal account, the recipient is directed via email to the PayPal website and instructed to establish an account to gain access to the payment.  In addition, the Company established a “Web Accept” feature that allows merchants to receive PayPal payments for transactions on the merchant’s website.  The Web Accept feature also allows consumers without PayPal accounts to register with PayPal on the merchant’s website.

Allowing payments to non-PayPal users and Web Accept were the key features of what the Company has called its “push-pull” growth strategy.  PayPal “pushes” its service through payments to non-users and “pulls” in more users through Web Accept.  The strategy has been highly successful.  PayPal started in October 1999 with 24 accounts, one for each employee of the company.  Each employee began making payments to their friends and by December 1999, the company had 10,000 users.  Rapid growth continued, with the company surpassing 100,000 users in February 2000, 1,000,000 users in April 2000, and 10,000,000 users in September 2001.  At the close of 2001, PayPal had 12.8 million accounts and processed 189,000 payments accounting for $9.6 million per day.

B.            How the System Works

In order to send a payment or receive the proceeds of a payment, a user must first establish an account with PayPal.  Users can easily do so by logging on to the PayPal website or a merchant website utilizing the Web Accept feature.  Once an account is established, a user can make a payment by simply entering the recipient’s email address, the payment amount, and the funding source.  Users can fund payments in one of three ways: from the user’s bank account, using the Automated Clearing House; from the user’s credit card; or directly from an account established with PayPal.  Once a payment is made, it is deposited in the recipient’s PayPal account, where it can remain or be transferred to the recipient’s bank account.

PayPal thus is simply a third-party intermediary.  From the user’s perspective, it is an entirely new payment system.  Behind the scenes, however, PayPal relies on existing payment systems.  To handle credit card transactions, PayPal established several merchant bank accounts that accept Visa, MasterCard, Discover, and American Express transactions.  These transactions are no different than other card-not-present transactions.  PayPal is charged a $0.15 fee per transaction and incurs processing costs of approximately 1.9% of the payment amount.  Moreover, as in other card-not-present transactions, PayPal remains liable for charge back costs in the event a consumer disputes making a purchase.  PayPal incurs additional fees when processing payments using the Automated Clearing House.  Each transfer from a bank account costs PayPal $0.03.

Because of the costs and liability associated with bank transfers and credit card transactions, PayPal initially encouraged its users to maintain a balance in a PayPal account and fund payments from that account.  The company incurs no costs when users fund payments from existing PayPal account balances.  Moreover, since PayPal did not initially charge its users any transaction fees, interest on user account balances was a principal source of revenue.

            C.            Regulatory Status of PayPal

            Due to the nature of PayPal’s operations, two questions regarding PayPal’s regulatory status have arisen.  First, whether PayPal requires a money transmitter license; and second, whether PayPal is acting as a bank without a license.

                        1.            Money Transmission

            Under the Uniform Money Services Act, money transmission “means selling or issuing payment instruments, stored value, or receiving money or monetary value for transmission.”  More than 40 states regulate money transmission and require a business license to engage in money transmission.  PayPal believed that the regulations of these states covered its operations and therefore applied for licenses or requested regulatory clarification in 36 states.  As of April 2002, PayPal has received money transmitter licenses in seven states, has applications pending in 16 states, and is preparing applications for another four states.

            Status as a money transmitter has several consequences for PayPal.  First, under Title III of the USA Patriot Act of 2001, it is a federal crime to operate as a money transmitter without a state license.  Second, state regulators may impose fines for the period of time during which PayPal operated as an unlicensed money transmitter.  Third, licensing increases operating costs by requiring periodic reporting to state legislatures and maintenance of minimum levels of bonds and capital.

            2.            Bank Regulation

Several states have gone beyond the money transmission issue by questioning whether PayPal is operating a bank without a license.  In August of 2000, PayPal received a letter from Louisiana banking regulators stating that PayPal’s “keeping the money on account so that the recipient may use the balance to send payment to another consumer would in our opinion constitute the business of banking.”  Similarly, New York banking regulators stated in July 2000 that “PayPal’s option under which payment money is kept on account for future use constitutes illegal banking.”  Banking regulators in California and Idaho have similarly questioned whether PayPal is operating a bank, but have not yet reached that conclusion.

As a result of these concerns, PayPal took two major steps to change its operations such that users that wish to maintain balances for future spending through PayPal are not considered to be “keeping money on account” with PayPal.  First, in November 2000, PayPal gave users who choose to maintain balances the option to invest those balances through an arrangement to purchase shares in the PayPal Money Market Fund, a registered mutual fund.  Funds in the money market are thus held directly by the user without any claim by PayPal.  Second, in August 2001, PayPal further changed its management of funds for users who chose to maintain balances but did not elect to invest in the money market.  PayPal placed these funds in a bank account over which the company has no authority for loans or withdrawals for corporate purposes.  PayPal states in its user agreement that, under this arrangement, it is acting merely as an agent for the user in depositing funds.

In September 2001, PayPal requested an advisory opinion from the FDIC as to whether, after these changes, PayPal was taking deposits for the purposes of the Federal Deposit Insurance Act, and thus was a bank under federal law.  The FDIC declined to address this specific request because PayPal is not a bank or savings association for the purposes of the Federal Deposit Insurance Act.  The FDIC opinion did state, however, that PayPal was acting as an agent for user’s funds and thus those funds placed in bank accounts were eligible for “pass-through” deposit insurance of up to $100,000.  PayPal believed this decision may be of relevance to state banking regulators in deciding whether PayPal is a bank and requested that New York and Louisiana reconsider their previous positions.  As of April 2002, PayPal has not received a final determination from either state.

A final determination that PayPal is operating a bank without a license could seriously impact PayPal’s business.  Each state could prohibit PayPal from offering residents the option of maintaining balances, or in an extreme case, force the company to cease doing business with state residents.  According to PayPal’s latest SEC filing, New York residents account for 6.8% and Louisiana residents for 0.7% of the annual dollar volume sent through the service.



[1] UCC § 3-406.

[2] Janine S. Hiller and Don Lloyd Cook, From Clipper Ships To Clipper Chips: The Evolution Of Payment Systems For Electronic Commerce, 17 J.L. & Com. 53, 64 (1997); David E. Sorkin, Payment Methods For Consumer-To-Consumer Online Transactions, 35 Akron L. Rev. 1, 5 (2001).

[3] Id. at 6.

[4] Id.

[5] Jane Kaufman Winn, Clash of the Titans: Regulating the Competition Between Established and Emerging Payment Systems, 14 Berkeley Tech. L.J. 675, 682 (1999); Sorkin, supra note 2, at 5.

[6] Id.

[7] Winn, supra note 5, at 683.

[8] Id.

[9] Sorkin, supra note 2, at 5.

[10] Hiller & Cook, supra note 2 at __.

[11] Winn, supra note 5, at 690-91.

[12] Id. at 691.

[13] Id. at 696.