Five Steps Before Using a Mobile Device to Accept Credit Cards

September 17, 2012 • Categories: Best Practices, PCI 101

How mobile payment technology impacts your business.

The taxi driver at the airport took your credit card using Square on an iPhone. The plumber that fixed your leaky pipes swiped your card on a PayPal device connected to an Android phone. And that posh restaurant where you impressed a client not only took your order on an iPad, but the server swiped your credit card on a PayFox device attached to the iPad. It seems as though everyone is taking advantage of mobile payment technology… Shouldn’t you?

You want to have that same flexibility, but you are unsure: Are these devices safe? Can you use your personal phone? Can you still be compliant with the PCI Data Security Standard? 

The current Payment Card Industry Data Security Standard (PCI DSS 2.0) does not contain specific recommendations about accepting payments with consumer grade mobile devices. Although the PCI Council has indicated that it is working on this, new devices keep appearing and merchants are adopting them quickly. In fact, to provide guidance while it works on formal standards, the PCI Council released an “At a Glance” document in May 2012 called “Accepting Mobile Payments with a Smartphone or Tablet.” This document provides a preview of the direction the Council may take with its formal standards.

In the meantime, if you are interested in using a mobile device to accept credit card payments, here are five preliminary steps you can take to secure your device and sensitive cardholder data:

Step #1: Check to see if there is a P2PE solution available.  

In its “At a Glance” document “Accepting Mobile Payments with a Smartphone or Tablet,” the PCI Council recommends using a validated Point-to-Point Encryption (P2PE) solution. P2PE basically means that the cardholder data is encrypted before it enters the smartphone or tablet and stays encrypted all the way to the P2PE Solution Provider, who then transmits it safely to the payment processor. Following the P2PE Solution Provider’s Instruction Manual (and attesting that you’ve done so) will significantly reduce your PCI scope and provide assurance that you are accepting credit cards in a safe environment.

Bam! That was easy, right? Well, not so fast. As of this writing, there are not any P2PE solutions that have been validated by the PCI Council. However, the PCI Council has qualified a number of companies to assess PCI P2PE Solutions, so please check the PCI Council’s website for updates.

Step #2: Check with your payment processor and/or card brand for recommendations.  

If you already accept credit cards and have a payment processor, they may have guidelines and recommendations; in fact, they may also have solutions available that they recommend. You should also review the card brands’ recommendations on accepting mobile payments.

In May 2012, MasterCard released its “MasterCard Best Practices for Mobile Point of Sale Acceptance” document, and Visa followed with version 2.0, and then version 3.0, of its “Visa Security Best Practices for Mobile Payment Acceptance Solutions” document. Pay special attention to the “Best Practices for Merchants” sections of these documents.

Step #3: Ensure that the mobile device you intend to utilize for accepting mobile payments is safe and up to date. 

Security for mobile devices is a new field and it is important to follow best practices to keep that device safe:

  1. Make sure your mobile device is not “rooted” or “jailbroken”—”Rooting” an Android phone is gaining superuser rights so you can install apps and customizations not allowed by the Android market or the carrier. “Jailbreaking” an iPhone is basically the same thing. If you bought your phone used or if it was in the hands of a curious teenager for any length of time, you may want to check it out. A quick Internet search will give you instructions on how to find out if your phone is in this condition. Your carrier will not support a “rooted” or “jailbroken” device, because the vast majority of mobile device breaches happen to devices in this condition.
  2. Update to the latest version of your operating system—To ensure that you are as secure as possible, you should update to the latest version of iOS, Android, MS or BlackBerry. Some older phones cannot update to the latest version of the operating system due to hardware limits; if that is the case, you should upgrade the device so that you can remain current.
  3. Only use apps from trusted sources—This ties to the first item about not rooting or jailbreaking the device, which is generally the only way to get access to apps outside of the official locations. Take a moment to look through all of your apps and uninstall any apps that are no longer used.
  4. Update your apps as new releases become available—You should make sure that all apps on your mobile device are up to date and at the latest release.
  5. Install an anti-malware/anti-virus app—There are a number of anti-malware applications for most mobile operating systems; many very good ones are even free. Reviews can be found easily and you can make a choice.

Step #4: Don’t store card data.  

Some mobile payment acceptance applications will store card data on the mobile device if there is no service available and then send it when a network connection can be made. Any time data lingers on the device, even if encrypted, there is a higher risk of that data being compromised. To be safe, check to see if your payment acceptance application has this “store and forward” feature and if it does, turn it off.

Step #5: Lock your mobile device!  

This is fundamentally simple and one of the most overlooked security principles. Sure, you look at your mobile phone every 30 seconds during the course of a day and entering in a PIN is a pain, but just compare that to what you might lose if your device is stolen and compromised. Android phones allow the use of a “pattern,” but patterns are more easily compromised, so you should avoid them. In addition, don’t use the most common PINs (1111, 1234, 0000, 2580, 0852).  Amazingly, these 5 PINs account for more than 10% of all PINs in use on mobile devices and therefore are not very secure.

Ready? Set? Go!

You can enjoy the flexibility of taking payments in your customer’s home, or at the table, or at your neighbor’s door, or at your client’s remote work site. If you take the above basic precautions, you should be able to select a technology that allows you to accept payments on your mobile device and at the same time, feel secure. 

Find more information on protecting your mobile device.

Want to learn about what your peers are (and should be) doing when using a mobile device to accept credit card payments? Check out ControlScan’s Mobile Research Report.

Be sure to subscribe to this blog for additional tips and webinar announcements.

2 thoughts on “Five Steps Before Using a Mobile Device to Accept Credit Cards”

  1. Thanks for sharing! It is really relieving to me to see that some card readers can encrypt the credit card’s information before it actually enters as data to the device. In my opinion, that is extremely important in ensuring that no one can easily obtain that valuable information. We are developing new technology all the time, so protecting your clients from any new hacking apps is really good. When you’ve encrypted the data before it enters as data, you are making sure that any leaked information couldn’t be accessed anyway.
