PCI Compliance for Mobile Devices
If you’ve taken credit cards in your store, you probably know that PCI compliance is required. The Payment Card Industry (PCI) set forth a Data Security Standard (DSS) it requires adherence to from any business that processes, stores, or transmits payment card data. But did you know that PCI compliance applies when you take credit cards using your smartphone with a card reader, like Square or PayPal Here?
When using a smartphone, tablet or other mobile POS system, these same standards apply, along with a few situational ones designed in 2012 specifically to address mobile payments. In this article, we’ll go over some basic and advanced concepts regarding payment security and remaining legally compliant when processing cards at your business.
- Security Risks of the Digital Age
- The Costs of Non-Compliance
- What to Know About Mobile Compliance
- Approved POI Devices
Security Risks of the Digital Age
Hackers are everywhere, and it’s been that way for over 30 years. Anything you connect to the Internet is immediately vulnerable, and even the best security isn’t a 100% guarantee that you’re safe.
In 2011, Sony’s PlayStation Network was hacked, which caused a multitude of problems for the electronics giant. A couple of weeks after a server update was released, hackers exploited a vulnerability in Sony’s older version to gain access to customer databases and compromise the records of over 70 million customers. In more recent years, there have been well-publicized breaches at stores like Target and Home Depot.
You may not have the customer base of Sony or Home Depot, but a business of any size could experience a breach. Hackers and credit card skimmers target any vulnerability in a network to reach the card data of the hundreds or thousands of customers you have.
Fortunately, the payments industry helps you fight against breaches. Chip credit cards, mobile, and contactless payments have introduced a bevy of technological and legal considerations to keep everything safe for the businesses involved. But at the end of the day, if you process or store customer payment information, you’re a potential target for theft, and PCI DSS is meant to serve as a foundation for basic business security practices to protect your business from financial fraud.
When you change payment processors, upgrade your POS to accept chip payments, accept mobile payment options like PayPal, Samsung Pay, or Apple Pay, install mobile POS platforms, or make any other changes, you must notify the PCI Security Standards Council, which will validate the end-to-end security of your payment processing system.
The PCI SSC is a third-party organization created by Visa, MasterCard, Amex, and Discover that maintains a website with everything you need to know about PCI compliance.
The Costs of Non-Compliance
Even though the PCI SSC isn’t a government regulator like the FTC or SEC, you still need to worry about them levying fines. The banks and card issuers work together, and your business can’t afford a banking or card-processing blacklist.
If you are found not to be in compliance with PCI standards, the banks will perform a forensic review to determine the cost of bringing you into compliance and the penalty to be assessed. These fines start at $5,000 and rise to $100,000 per month, depending on how long you’ve been noncompliant and how long it will take you to reach compliance.
This all happens regardless of whether or not there’s a breach. If you are found responsible for a data breach, regardless of whether or not you’re PCI compliant, you’ll face even stiffer penalties. These include suspension of your credit card processing privileges, $50-$90 per cardholder compromised, and possible civil litigation.
None of this takes into account the reputational impact on your brand and business, or any government or cardholder action taken. Security breaches involving customers’ personal payment information are a major contributor to businesses both large and small being forced to close.
What to Know About Mobile Compliance
Much of the PCI standard is common sense, such as not making cardholder information easily accessible by any means. With the varying use cases of mobile devices as POS platforms, however, it becomes more difficult to remain PCI compliant.
You can’t just use any tablet, for example. Consumer versions of these devices, including their touchscreens, often don’t comply with the privacy standards for PIN input. Consumers must take extra precautions to protect their own financial transactions on publicly accessible mobile devices, such as the tabletop tablets found in many popular restaurant chains.
Even the mobile POS app (such as Square, PayPal, TSYS MobilePASS, etc.) needs to be compliant, as does your usage of it. Your payment gateway API is what matters, and you should be careful which mobile POS provider you choose, as you may get locked into its API despite limitations in the UX.
The two major considerations are the level of control you get vs. the out-of-the-box ease of use for businesses that lack a programming department to handle development. Small businesses will obviously have more success with out-of-the-box options. Payment data in these cases is stored remotely on the cloud servers of the mobile card processor.
Another issue discovered in the PlayStation hack is that while the database as a whole was encrypted, the individual fields within it were not, so complete encryption at every layer is important to maintaining a secure environment for your sensitive payment data.
What matters most when looking for mobile POS devices and apps is point-to-point, or end-to-end, encryption. To maintain PCI compliance, you need encryption on every level, from the device to the network, and everywhere in between.
Approved POI Devices
The point of interaction (POI) is the technical term for both the PIN entry device (PED), if applicable, and secure card reader (SCR). These are the two most vulnerable points of failure in card processing transactions that require the most security.
Both hardware and software make a difference, and it’s preferable that any external devices required use a digital input. Card readers from Square and PayPal both plug into the analog audio jack of cell phones. USB adapters exist, and the new iPhone is rumored to use a new, proprietary digital audio jack.
Each of these technologies is worth keeping an eye on in the near future. It may prove more financially viable to save up for one of these newer options.
Regardless of what POS you use, PCI compliance is a necessity to stay in business, maintain security, and avoid stiff fines. You don’t want a data leak, nor do you want to be found as the point of vulnerability for credit card fraud.
Mobile devices are particularly vulnerable because they are multi-purpose computers, similar to desktops in processing power. Hackers may take advantage of mobile POS devices, so it’s important to follow safe processes and procedures when handling financial transactions.
Most mobile POS solutions store payment information on cloud servers, but some allow you to store it locally. Either way, it’s important to take proper security precautions with all stored data to maintain PCI compliance.
If you’re still confused about PCI security, or anything else to do with card processing, let us know in the comments below or by contacting one of our client support specialists. It’s a dog-eat-dog world out there, and CardFellow is here to help.
Brian Penny is a former Business Analyst and Operations Manager at Bank of America turned freelance writer focused on business and technology. His work appears in Huffington Post, Fast Company, and The Street.