August 7, 2013
3 Major Mobile Mistakes Merchants Make
Mobile payments technologies are continuing to grab market share and are popping up in more and more businesses. To most of the public, the ability to take payments on a smart phone or tablet seems like a clever advancement that simplifies the payment process and potentially makes shopping quicker and easier. But to those of us who are more security minded, they’re scary little devices that come with a host of new issues that need to be thought through.
Here are three things merchants should avoid when setting up mobile payments.
1) Don’t allow sensitive cardholder data to enter your device.
As a consumer, would you think twice before letting someone punch your credit card number into their phone? You should, and you should expect your customers to do the same! Clear-text card data stored on a phone can be retrieved and used for fraud – even months after the transactions were completed. As a merchant, you have a responsibility to ensure this never happens to your customers’ data.
Even if you delete card data from your phone as soon as you finish a transaction, it’s not really gone. Simple (and relatively inexpensive) software programs are available that can recover that “deleted” data in minutes. If your phone was ever lost, stolen, or sold, years’ worth of sensitive cardholder data might go with it. This is why we recommend you never manually enter card numbers into a mobile payment app. Likewise, if you are going to use an add-on swipe device (the ones that plug into the headphone jack or the charging port), make sure that the device supports point-to-point encryption (P2PE) so that it is not filling your phone with sensitive data. (There are currently only a handful of mobile P2PE devices on the market, so finding one that works with your setup may not be easy – but it is definitely worth the effort.)
2) Use a trusted, protected network.Whether you’re using a smart phone or a tablet-based POS to process payments, it’s important that you transmit payment data over a secure connection whenever possible. Whether you’re using 3G/4G on your iPhone or connecting a laptop to your Wi-Fi network, be sure that your solution uses SSL encryption (or better) before submitting any card data.
Also, make sure the wireless network you’re using to process payments is not the same one that you allow your customers free access to. The PCI Council actually has a 34-page-long document entitled Information Supplement: PCI DSS Wireless Guidelines that focuses entirely on how to remain PCI compliant while running a wireless network. Thirty-plus pages on Wi-Fi seems excessive until you realize that some of the highest profile data breaches of the past few years were the result of Wi-Fi vulnerabilities.
3) Wait for the right solution. Finally, remember the old proverb, “Patience is a virtue.” Many merchants are so anxious to look like they’re on the cutting edge that they are rushing to implement mobile solutions that may be unsecure and incomplete. Sure, customers might think it’s cool when the clerk is ringing them up in the middle of the store or checking them into their room at curbside, but the cool factor will quickly wear off if their card number is compromised.
Likewise, front-line employees may enjoy the freedom that a mobile POS grants them to move around the property, but if the solution isn’t integrated to your traditional POS, the back-of-house staff will quickly become frustrated with having to coordinate two different systems. There are integrated solutions available, just not for every POS. Although, if your POS is integrated with DOLLARS ON THE NET®, you certainly have the option to run Shift4’s 4VT® virtual terminal to process mobile transactions directly into your DOLLARS ON THE NET account, saving you the headache of juggling two separate systems.
The mobile payments space is still rapidly developing, and literally hundreds of vendors are fighting for a piece of the pie. (Case in point, there are currently almost 1,000 unique digital wallets in the app store.) Right now there is no clear winner in terms of technology or method. Those who rush to the party may end up with more problems than benefits, so be careful and be sure you think through everything before you make your decision.