If you’ve taken credit cards in your store, you probably know that PCI compliance is required. The Payment Card Industry (PCI) set forth a Data Security Standard (DSS) it requires adherence to from any business that processes, stores, or transmits payment card data. But did you know that PCI compliance applies when you take credit cards using your smartphone with a card reader, like Square or PayPal Here?
When using a smartphone, tablet or other mobile POS system, these same standards apply.
In addition, specific mobile payments standards apply. In this article, we’ll go over concepts regarding payment security and remaining compliant when processing cards.
- Security Risks of the Digital Age
- The Costs of Non-Compliance
- What to Know About Mobile Compliance
- Approved POI Devices
Security Risks of the Digital Age
Hackers are everywhere, and it’s been that way for years. Anything you connect to the internet is immediately vulnerable. Even the best security isn’t a 100% guarantee that you’re safe.
In 2011, Sony’s PlayStation network was hacked, which caused a multitude of problems for the electronics giant. A couple weeks after a server update was released, hackers exploited a vulnerability in Sony’s older version. They gained access to customer databases and compromised over 70 million customers. In recent years, there have been well-publicized breaches at stores like Target and Home Depot.
You may not have the customer base of Sony or Home Depot, but any size business could experience a breach. In fact, small businesses are often more likely to be targeted due to less sophisticated systems. Hackers and credit card skimmers target any vulnerabilities in a network to access the hundreds or thousands of customers you have.
Fortunately, the payments industry helps you fight against breaches. Chip credit cards, mobile, and contactless payments have introduced a bevy of technological and legal considerations to keep everything safe for the businesses involved. But at the end of the day, if you process or store customer payment information, you’re a potential target for theft. PCI DSS serves as a foundation for basic business security practices to protect your business.
When you change payment processors, upgrade your POS to accept chip payments, accept mobile payment options like PayPal, Samsung Pay, or Apple Pay, install mobile POS platforms, or make any changes, you must notify the PCI Security Standards Council, which will validate the end-2-end security of your payment processing system.
The PCI SSC is a third-party organization created by Visa, Mastercard, Amex, and Discover that maintains a website with everything you need to know about PCI compliance.
The Costs of Non-Compliance
Even though the PCI SSC isn’t a government regulator like the FTC or SEC, they can still fine you. The banks and card issuers work together, and your business can’t afford a banking or card-processing blacklist.
If you are found not in compliance of PCI standards, the banks will perform forensic research to determine the cost of bringing you into compliance and punishment. These fines start at $5,000 and rise to $100,000 per month, depending on how long you’ve been noncompliant and the time it’ll take to reach compliance.
This all happens regardless of whether or not there’s a breach. If you are found responsible for a data breach, regardless of whether or not you’re PCI compliant, you’ll face even more stiff penalties. These include suspension of your credit card processing privileges, $50-$90 per cardholder compromised, and possible civil litigation.
None of this takes into account the reputational impact on your brand and business, as well as any government or cardholder action taken. Security breaches on personal customer payment information is a major contributor to businesses both large and small being forced to close.
What to Know About Mobile Compliance
Much of the PCI standard is common sense, such as not making information easily accessible by any means. With the varying use cases of mobile devices as POS platforms, however, it becomes more difficult to remain PCI compliant.
You can’t just use any tablet, for example. Consumer versions of these devices, including the touchscreen, don’t often comply with privacy standards for PIN input. Extra precaution is necessary by the consumer to secure their own financial transactions in mobile devices that have public access, such as those found in many popular restaurant chains.
Even the mobile POS app (such as Square, PayPal, TSYS MobilePASS, etc.) needs to be compliant, as does your usage of them. Your payment gateway API is what matters. Be careful which mobile POS provider you choose, as you may get locked into their API.
The two major considerations are the level of control you get vs. the out-the-box ease-of-use for businesses lacking a programming department to handle development. Small businesses obviously will have more success with out-of-the-box options. Payment data in these instances is stored remotely on the cloud servers of the mobile card processor.
Another issue discovered in the PlayStation hack is that while the database was encrypted, each individual cell was not. Complete encryption is important to maintaining a secure environment for sensitive payment data.
What matters most when looking for mobile POS devices and apps is point-to-point, or end-to-end, encryption. To maintain PCI compliance, you need encryption on every level, from the device to the network, and everywhere in between.
Approved POI Devices
The point of interaction (POI) is the technical term for both the PIN entry device (PED), if applicable, and secure card reader (SCR). These are the two most vulnerable points of failure in card processing transactions that require the most security.
Both hardware and software make a difference, and it’s preferred that the external devices required use a digital input. Card readers from Square and PayPal both plug into the analog audio jack of cell phones, but other options (such as connecting via Bluetooth) are also available.
Regardless of what POS you use, PCI compliance is necessary to maintain security and avoid fines. You don’t want a data leak, nor do you want to be found as the point of vulnerability for credit card fraud.
Mobile devices are particularly vulnerable due to them being multi-purpose computers, similar to desktops in processing power. Hackers may take advantage of mobile POS devices. It’s important to practice safe processes and procedures when handling financial transactions.
Most mobile POS solutions store payment information on cloud servers, but some allow you to store it locally. It’s important to take proper security precautions with all stored data to maintain PCI compliance.
If you’re still confused about PCI security, let us know in the comments.