Accepting payments on the go with a mobile device is a great option for businesses that need to make sales away from their brick-and-mortar location. It’s also a great solution for small businesses without a physical store, or for those whose services are provided at the customer’s location.
Many mobile payment solutions work by attaching a small card reader device to a smartphone or tablet. This small device, plus a software app for payment authorization, turns a standard consumer device into a pocket-sized point of sale system.
Mobile POS systems have a lot of appeal for merchants of all sizes for a variety of reasons. They’re convenient, affordable, scalable, and help merchants engage their customers. Smaller merchants are jumping at the opportunity to experience the power of a POS system with a much smaller price tag and footprint than a traditional POS.
Despite their small size and affordability, the need for thorough security controls to protect sensitive customer data is just as important for mobile payment processing solutions as it is for full-scale legacy POS systems. Protecting customers’ card data is the responsibility of every merchant who accepts credit cards, regardless of which POS system is used. A mobile POS may be small, but the security demands are just as big. If you’re in the market for a mobile POS, make sure you don’t neglect these three must-have security features:
Card Data Encryption and Tokenization
One of the biggest vulnerabilities for payment systems is the ability of cyberthieves to steal payment data while it’s in transit from the POS system to the authorization networks and back. Preventing this type of theft requires encryption, which transforms the true card data into ciphertext that is meaningless to anyone who does not hold the decryption key.
Tokenization is another security feature that helps protect card data. Whereas encryption protects data in motion, tokenization is used to protect data at rest. Data is “at rest” while it’s being stored, even temporarily, for future use. Merchants that offer subscription services with automatic payments, or that perform tip adjustments after the sale, have a business need to store certain types of payment data. But doing so puts the data at much greater risk of being stolen. With tokenization, the card data itself isn’t stored by the merchant: it’s replaced by a unique identification code (the token) that is unusable to hackers in its tokenized form, because the token reveals nothing about the card number it stands for.
Together, encryption and tokenization have the best chance of preventing data from being stolen, and they greatly reduce a merchant’s responsibilities with regard to protecting sensitive data. Be sure to work with a payment processor and mobile system that use both encryption and tokenization.
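To make the tokenization flow concrete, here is a small constructed example (added here, not code from the article or from Vantiv) of a processor-side token vault and the merchant records that depend on it: the merchant keeps only a random token and the last four digits, and a later tip adjustment is charged through the token without the card number ever returning to the merchant. The card number and amounts are made-up test values; the in-memory dictionary stands in for a real vault’s encrypted storage.

```python
"""Card-data tokenization as a mobile POS backend might use it (constructed,
added example, not code from the article or Vantiv; all values are made up)."""
import secrets

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: real card numbers pass, our tokens never do."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

class TokenVault:
    """Processor-side vault: the only place the PAN exists after capture.
    Production vaults encrypt PANs at rest; a dict stands in for that here."""

    def __init__(self) -> None:
        self._pan_by_token: dict = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a plausible card number")
        # Random token: carries no information about the PAN, so a stolen
        # token cannot be reversed and is not itself a usable card number.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = pan
        return token

    def charge(self, token: str, amount_cents: int) -> dict:
        """Detokenize only inside the vault to run an authorization."""
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        # In a real vault the PAN is forwarded to the card network here.
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}

def record_sale(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant's POS stores: token and last four digits, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}

def adjust_tip(vault: TokenVault, sale: dict, tip_cents: int) -> dict:
    """A later tip adjustment charges via the stored token; no PAN is needed."""
    return vault.charge(sale["token"], tip_cents)
```

If the merchant’s records are stolen, the attacker holds tokens that only this vault can resolve, which is why the vault (and not the mobile app) sits inside the processor’s PCI scope.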
Encrypted Card Reader
We’ve covered data in motion and data at rest, but there is another major vulnerability for payment data—the point of entry. Point of entry refers to the way that the card data is entered into the system. When you swipe a credit card through a terminal or magnetic stripe reader, the data is in clear text for a split second before it is encrypted and sent to the network for authorization. The data is encrypted during transit, but it is very briefly unprotected while it’s being read during the swipe.
For mobile payment systems, the card reader is often a small device that is plugged into the audio jack of a smartphone or tablet. Other systems may have a card reader built into the hardware of the device. In either case, it’s important that the card reader itself encrypts the card data as it is read, rather than handing clear-text data to the app on the phone. With an encrypting card reader, the payment data is protected from start to finish, leaving little to no opportunity for theft. Not all card readers encrypt, so be sure to ask.
PCI Compliance
Maintaining PCI compliance, every day, year-round, is a big task, but it is the responsibility of every merchant who accepts credit cards, large or small. The upside is that strict PCI compliance can help reduce the security threats associated with payments. The 12 requirements of the PCI Data Security Standard (PCI DSS), established by the PCI Security Standards Council, address common payment vulnerabilities and help merchants protect their business on every front. Requirements like protecting networks with a firewall and anti-virus software, and securing wireless routers, can help you avoid experiencing a data breach.
Even the smallest business can experience a breach. In fact, according to the National Cyber Security Alliance, 96 percent of data breaches target payment card data at the SMB level. Small businesses make good targets precisely because they often lack the resources and IT staff to handle PCI compliance on their own, and because they view themselves as too small for thieves to bother with. Some small merchants make the same mistake of viewing their pocket-sized point of sale solutions as too small to worry about, making them perfectly unsuspecting targets for data theft.
As with encryption and tokenization, working with the right payment processor can help alleviate your PCI compliance challenges as well. Many processors offer PCI compliance assistance programs that help streamline and automate the compliance process. Before you make a purchase and dive in with mobile payment processing, make sure you have the security protections you need to guard your business and your customers from compromise.
Ray Moorman is the Director of Product Management at Vantiv Integrated Payments (formerly Mercury Payment Systems).