I have a couple of comments on the question.
One is just around this whole notion of a user-centric model. I think that the mobile device creates an interesting opportunity for capturing that kind of consent at the point of interaction with the merchant. That is an important point. There aren't clear rules around what that would actually mean.
The second is really about how to reduce risk in a connected world. Part of it is not requiring every participant, in order to gain the benefit of these kinds of interactions, to have to maintain and house personal and sensitive data. That is really where risk is created, at the end points when data is not properly secured. By creating an environment wherein that data never leaves the protection of where it was created, you can reduce risk in the overall network.