This is What Happens to Card Data on a Mobile Reader

May 28, 2014 9:54 AM  By

With mobile card readers and the advent of point-to-point encryption, merchants don’t have to think twice about where and when they’re swiping a credit card. Mobile POS technology has blown the doors wide open for merchants of all sizes to accept payments in nontraditional ways – like at farmer’s markets and craft fairs – and has eliminated many of the issues associated with cash and checks. Mobile card readers are fast, it’s how they were intended to be.

That’s why it’s so important for merchants to understand this process. You are the gatekeeper of your customer’s private information in their card data. What exactly happens to that data once the gates are opened and it’s swiped by a mobile reader?

The process can be understood in three steps: the swipe, the processor and the storage.

Step 1: The Swipe

The moment you swipe your customer’s credit card on a mobile reader, the data begins its journey through the transaction. First the card reader encrypts the data as it passes through the card reader, creating a random sequence of numbers and letters that look garbled to those who can’t decrypt it. A series of characters are sent into the application on your mobile device, and as a merchant you are able to read certain decrypted elements of the data: the cardholder’s name and the last four digits of the credit card.

The application then takes that information and packages it together with the remaining transaction details, including the dollar charge, a breakdown of taxes and tips if they are included. That package of data is encrypted and synced to your payment processor through a secure gateway.

Step 2: The Processor

Once the encrypted data reaches your payments processor, that information is decrypted using a special key that only your processor can understand and use. The decrypted data is then translated back into the original information your mobile hardware picked up at the point of swipe. The cardholder’s information and the dollar amount being charged to the card are sent over a secure network to a credit card provider such as American Express, Visa or MasterCard. The processor then goes to the customer’s bank to confirm they have enough funds in their account to cover the charge. A hold is then put on the account for that amount and the authorization is approved.

The bank sends the authorization to the issuing bank, which sends it to the payments processor, which then sends it back to the application on the merchant’s mobile device to let the customer know the payment has been approved. The exchange is now complete. This may seem like a complex process, and it is, but with the right mobile payments processor it can take just a few seconds. The customer’s card will be authorized before they’ve even put it back in their wallet.

Step 3: The Storage

Though storage is its own step in the process, it works in tandem with step two. As the cardholder’s data is being processed, decrypted and transmitted to the card association, it is encrypted and stored within the payments processor’s secure vaults. That stored data acts as a reference point for your processor that the transaction was authorized and completed. Your customer’s card number is not stored in its original, unencrypted format. Instead, an encrypted version of the card number is stored in the processor’s servers. Through this approach, the processor is not exposing consumer data either in transit or in storage. In other words, hackers could not infiltrate the system and access the consumer’s information.

The Payment Card Industry sets a security standard for all payments processors storing credit card information, in the interest of protecting the consumers. Standards are enforced on four levels, based on the volume of transactions you as a merchant are processing. All payments processors are required to be PCI compliant, but pay close attention to who goes beyond the minimum standards when choosing a processor to partner with.

Now you have an inside view into exactly what happens to all of the data from the credit cards you’re swiping on your mobile phones and tablets. Bear in mind that this process will have its nuances, depending on the payments processor you choose to partner with. So the next time you hold a customer’s card in your hand, consider the strikingly complex process you’re initiating with every swipe.

Nish Modi is the vice president of product at SecureNet, an end-to-end omnichannel payments processor that works with retailers and online merchants to provide integrated payment solutions and detailed purchasing analytics.