Credit Card Processing, Security and PCI Compliance

PCI Compliance for Mobile Devices

by

April 18, 2018

If you’ve taken credit cards in your store, you probably know that PCI compliance is required. The Payment Card Industry (PCI) set forth a Data Security Standard (DSS) it requires adherence to from any business that processes, stores, or transmits payment card data. But did you know that PCI compliance applies when you take credit cards using your smartphone with a card reader, like Square or PayPal Here?

When using a smartphone, tablet or other mobile POS system, these same standards apply. In addition, specific mobile payments standards apply. In this article, we’ll go over concepts regarding payment security and remaining compliant when processing cards.


Security Risks of the Digital Age

Hackers are everywhere, and it’s been that way for over 30 years. Anything you connect to the Internet is immediately vulnerable. Even the best security isn’t a 100% guarantee that you’re safe.

In 2011, Sony’s PlayStation network was hacked, which caused a multitude of problems for the electronics giant. A couple weeks after a server update was released, hackers exploited a vulnerability in Sony’s older version. They gained access to customer databases and compromised over 70 million customers. In recent years, there have been well-publicized breaches at stores like Target and Home Depot.

You may not have the customer base of Sony or Home Depot, but any size business could experience a breach. Hackers and credit card skimmers target any vulnerabilities in a network to access the hundreds or thousands of customers you have.

Fortunately, the payments industry helps you fight against breaches. Chip credit cards, mobile, and contactless payments have introduced a bevy of technological and legal considerations to keep everything safe for the businesses involved. But at the end of the day, if you process or store customer payment information, you’re a potential target for theft. PCI DSS serves as a foundation for basic business security practices to protect your business.

When you change payment processors, upgrade your POS to accept chip payments, accept mobile payment options like PayPal, Samsung Pay, or Apple Pay, install mobile POS platforms, or make any changes, you must notify the PCI Security Standards Council, which will validate the end-2-end security of your payment processing system.

The PCI SSC is a third-party organization created by Visa, MasterCard, Amex, and Discover that maintains a website with everything you need to know about PCI compliance.

The Costs of Non-Compliance

Even though the PCI SSC isn’t a government regulator like the FTC or SEC, they can still fine you. The banks and card issuers work together, and your business can’t afford a banking or card-processing blacklist.

If you are found not in compliance of PCI standards, the banks will perform forensic research to determine the cost of bringing you into compliance and punishment. These fines start at $5,000 and rise to $100,000 per month, depending on how long you’ve been noncompliant and the time it’ll take to reach compliance.

This all happens regardless of whether or not there’s a breach. If you are found responsible for a data breach, regardless of whether or not you’re PCI compliant, you’ll face even more stiff penalties. These include suspension of your credit card processing privileges, $50-$90 per cardholder compromised, and possible civil litigation.

None of this takes into account the reputational impact on your brand and business, as well as any government or cardholder action taken. Security breaches on personal customer payment information is a major contributor to businesses both large and small being forced to close.

What to Know About Mobile Compliance

Much of the PCI standards are common sense, such as not making information easily accessible by any means. With the varying use cases of mobile devices as POS platforms, however, it becomes more difficult to remain PCI compliant.

You can’t just use any tablet, for example. Consumer versions of these devices, including the touchscreen, don’t often comply with privacy standards for PIN input. Extra precaution is necessary by the consumer to secure their own financial transactions in mobile devices that have public access, such as those found in many popular restaurant chains.

Even the mobile POS app (such as Square, PayPal, TSYS MobilePASS, etc.) needs to be compliant, as does your usage of them. Your payment gateway API is what matters. Be careful which mobile POS provider you choose, as you may get locked in their API.

The two major considerations are the level of control you get vs. the out-the-box ease-of-use for businesses lacking a programming department to handle development. Small businesses obviously will have more success with out-the-box options. Payment data in these instances is stored remotely on the cloud servers of the mobile card processor.

Another issue discovered in the PlayStation hack is that while the database was encrypted, each individual cell was not. Complete encryption is important to maintaining a secure environment for sensitive payment data.

What matters most when looking for mobile POS devices and apps is point-to-point, or end-to-end, encryption. To maintain PCI compliance, you need encryption on every level, from the device to the network, and everywhere in between.

Approved POI Devices

The point of interaction (POI) is the technical term for both the PIN entry device (PED), if applicable, and secure card reader (SCR). These are the two most vulnerable points of failure in card processing transactions that require the most security.

The Security Council provides both a short and long-form mobile security document on its website that’s filled with useful information on what to look for in a mobile device.

Both hardware and software make a difference, and it’s preferred that the external devices required use a digital input. Card readers from Square and PayPal both plug into the analog audio jack of cell phones. USB adapters exist, and the new iPhone is rumored to use a new, proprietary digital audio jack.

Each of these technologies is worth keeping an eye out on in the upcoming future. Perhaps it’ll be more financially viable to save up for one of these iterations.

Conclusion

Regardless of what POS you use, PCI compliance is necessary to maintain security and avoid fines. You don’t want a data leak, nor do you want to be found as the point of vulnerability for credit card fraud.

Mobile devices are particularly vulnerable due to them being multi-purpose computers, similar to desktops in processing power. Hackers may take advantage of mobile POS devices. It’s important to practice safe processes and procedures when handling financial transactions.

Most mobile POS solutions store payment information on cloud servers, but some allow you to store it locally. It’s important to take proper security precautions with all stored data to maintain PCI compliance.

If you’re still confused about PCI security, let us know in the comments.

TwitterFacebookLinkedIn
Brian Penny

BY Brian Penny

Brian Penny is a former business analyst and operations manager at Countrywide and Bank of America turned whistleblower and freelance writer. His banking career also included jobs for Chase, American Express, and client work for Wells Fargo and other large banks. He's interested in all things finance, and spends much of his time for CardFellow writing about financial technology and payment security.In addition to CardFellow, you can find Penny's blogs on Huffington Post, Forbes, Fast Company, The Street, Cracked, High Times, Quicken's Small Business Resource, and Small Business Daily.

FOUND THIS USEFUL? SHARE THIS!
 

Credit Card Processing exposed

Use the secrets that credit card processors don't want
you to know to drastically lower your credit card
processing fees.

Read Now!
 

You might also like…

PCI Compliance

View all articles

Please join the conversation

Your email address will not be published.