Multi-Unit Franchisee Magazine Issue IV, 2013 | Page 74
Technology
By Jon Clark
Card-tastrophe?
Why mobile payment processing
should scare you
Have you begun processing payments with a smartphone or tablet yet? Perhaps you’re seriously
considering doing that, as many businesses and
retailers have already done. That’s wonderful. But
here’s the bad news: although the number of mobile payments
is skyrocketing, the security side of processing credit cards
through mobile devices has been seriously neglected.
Mobile processing (Square, GoPayment, etc.) is a double-edged sword: while it allows greater processing flexibility, it also
has the potential to dramatically increase fraud and business
liability. The problem is that phones and tablets are general-purpose consumer devices; they were not
built as payment terminals. Hackers know this,
and they are after your customers’ profitable payment data.
Mobile devices are exposed to the same threats as computers (malware, viruses, etc.), but they lack the hardening of a
dedicated payment terminal. Unlike a typical POS system, a phone or tablet runs whatever third-party apps its user installs,
gives the merchant little control over its firewall or other safeguards, and is connected to the Internet by default. How could a device so innovative and
technologically advanced not securely process a credit card?
Here are a couple of reasons (there are more).
• Bad apps. One of the security drawbacks of a mobile
device is that it’s difficult to guarantee that an app is malware-free when it enters an app store. Malicious apps regularly slip through official software stores, putting smartphones and tablets at risk of payment card theft.
Hackers repackage legitimate apps, or create their own malicious apps,
intended to be downloaded by unsuspecting mobile users.
For example, malicious code could be embedded in a popular
flashlight application. Once installed, such an app may be able to steal
credit card information, monitor text and audio conversations,
read data from other applications, or even control the actions
of the entire device.
• Lack of security policies. In addition to bad apps, many
organizations fail to implement procedures that dictate the
proper usage and storage of mobile devices. Loss, theft, and
employee misuse are all security issues that are largely preventable through
franchise security policies.
Fines and penalties
If hackers steal customer data by accessing a franchise’s mobile
POS system, the business could be held liable by card brands
such as Visa, MasterCard, and American Express under the
Payment Card Industry Data Security Standard (PCI DSS), with
fines and penalties passed down through the merchant’s acquiring bank. On top of those come
the costs of a forensic investigation and customer notification. Some research
shows that 80 percent of all small businesses that experience
a data breach either go bankrupt or have severe financial difficulties within two years of the breach. Even if you manage to
avoid the forensic investigation costs, auditing costs, and card brand penalties, your brand may still face consumer doubt and criticism.
Because your brand is at increased risk with each mobile
POS device you deploy, you have the right—and responsibility—to regulate device security. Mobile device vulnerability
scanning is a great way to identify which franchisees follow
mobile best practice guidelines. I suggest regular testing
through a security scanning app. When selecting a mobile
vulnerability scanner, check to see if it also includes a mobile
device management tool to allow you to remotely wipe devices
or check in on security at multiple locations.
5 best practices
Though mobile security is still in its infancy, there are methods
to securely process payments using mobile devices.
1. Use an encrypt-at-swipe card reader that attaches
to the smartphone or tablet. The reader encrypts the card data inside its own hardware, before it reaches the phone, so the phone and any apps on it only ever handle ciphertext that can be decrypted by your payment processor. When selecting mobile POS hardware, ensure that it supports encrypt-at-swipe (often sold as point-to-point encryption, or P2PE).
2. Don’t manually key customers’ credit card data—even if
a card stubbornly refuses to be swiped! While your hardware
card reader encrypts sensitive information when a card
is swiped, digits typed on the phone pass through its keyboard and the app in the clear.
Manually typed data is not encrypted, and a rogue app could
be recording those card numbers.
3. Always update both OS and app software so any discovered security holes can quickly be patched.
4. Read up on the PCI Mobile Payment Acceptance Security Guidelines for Merchants and follow all the instructions.
Ensure your employees are also familiar with those guidelines.
5. Use mobile scanning apps to ensure that devices are
tested for mobile processing security—and promptly remediate any discovered vulnerabilities.
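To make practices 1 and 2 concrete, here is an added simulation (example code written for this page, not from the article or from any reader vendor) of the two paths a card number can take through a mobile POS app, and what a rogue app on the same phone can observe on each. The reader's cipher is an HMAC-SHA256 counter-mode keystream with an HMAC tag, a stand-in for a real reader's P2PE scheme; the card number, track data, reader serial and key are constructed test data, and the class and function names are this example's own.

```python
"""Encrypt-at-swipe versus manual keying: what a rogue app on the phone sees.

Added example, not from the article. Models (1) a swipe through an encrypting
reader whose key the phone never holds, and (2) manual keying, where every
digit passes through the phone's keyboard in the clear. The cipher below is a
stand-in for a real reader's P2PE scheme; all card data and keys are constructed.
"""
import hashlib
import hmac
import os

TEST_PAN = "4111111111111111"                  # constructed test card number
TEST_TRACK2 = TEST_PAN + "=25121011000012345"  # constructed track-2 style data
READER_SERIAL = "RDR-0001"                     # constructed reader identifier
READER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # constructed


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: catches typos in keyed-in numbers; not a security control."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS allows displaying at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for the reader's real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class EncryptingReader:
    """The encrypt-at-swipe dongle. Its key is shared only with the processor."""

    def __init__(self, serial: str, key: bytes):
        self.serial = serial
        self._key = key

    def swipe(self, track_data: str) -> dict:
        nonce = os.urandom(12)
        plain = track_data.encode()
        ct = bytes(a ^ b for a, b in zip(plain, _keystream(self._key, nonce, len(plain))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()
        return {"serial": self.serial, "nonce": nonce, "ciphertext": ct, "tag": tag}


class Processor:
    """The only party holding reader keys, so the only one able to decrypt."""

    def __init__(self, reader_keys: dict):
        self._keys = reader_keys

    def decrypt(self, blob: dict) -> str:
        key = self._keys[blob["serial"]]
        expected = hmac.new(key, blob["nonce"] + blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("tampered blob or wrong reader key")
        ks = _keystream(key, blob["nonce"], len(blob["ciphertext"]))
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks)).decode()


class RogueApp:
    """Malware on the phone that hooks the keyboard and sniffs app traffic."""

    def __init__(self):
        self.captured = b""

    def observe(self, data: bytes) -> None:
        self.captured += data

    def saw_pan(self, pan: str) -> bool:
        return pan.encode() in self.captured


def charge_by_swipe(reader: EncryptingReader, track_data: str, rogue: RogueApp) -> bytes:
    """Swipe path: the app only forwards ciphertext, so that is all the rogue sees."""
    blob = reader.swipe(track_data)
    outbound = blob["serial"].encode() + blob["nonce"] + blob["ciphertext"] + blob["tag"]
    rogue.observe(outbound)
    return outbound


def charge_by_keying(pan: str, rogue: RogueApp) -> str:
    """Manual path: each digit crosses the phone's keyboard, where the rogue logs it."""
    for ch in pan:
        rogue.observe(ch.encode())
    if not luhn_valid(pan):
        raise ValueError("card number fails Luhn check")
    return mask_pan(pan)  # the most the receipt or screen should ever show


if __name__ == "__main__":
    reader = EncryptingReader(READER_SERIAL, READER_KEY)
    processor = Processor({READER_SERIAL: READER_KEY})
    r1, r2 = RogueApp(), RogueApp()
    charge_by_swipe(reader, TEST_TRACK2, r1)
    print("swiped: rogue saw PAN?", r1.saw_pan(TEST_PAN))
    print("processor recovered:", mask_pan(processor.decrypt(reader.swipe(TEST_TRACK2))[:16]))
    print("keyed receipt:", charge_by_keying(TEST_PAN, r2), "rogue saw PAN?", r2.saw_pan(TEST_PAN))
```

The decisive detail is where the key lives: the reader and the processor share it, the phone does not, so a compromised phone can at most forward or block the blob. The keyed path has no such boundary, and the Luhn check and masking shown there are hygiene, not protection against a keylogger.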
No