
How to make smartphone and tablet payments secure

To compete with the big guys, small and mid-sized merchants are pursuing innovative ways to save money -- including accepting payments via smartphone or tablet computer (with apps like Square) instead of investing in expensive traditional registers.

However, the convenience of using a portable register comes at a cost. Smartphones and tablet PCs are not built to be secure holders of credit card data. So it's up to merchants to make sure customers' information is secure.

The PCI Security Standards Council (PCI Council) recently released "At a Glance: Mobile Payments Acceptance Security," a fact sheet for merchants who wish to begin accepting payments via smartphone or tablet, while protecting cardholder data. Here are some of the highlights.

Compliance guidance
"At a Glance" provides merchants with guidance on securely accepting smartphone or tablet payments, while also remaining in accordance with Payment Card Industry Data Security Standard (PCI DSS) -- the security standards that govern the payments industry.

According to the PCI Council, secure mobile payment acceptance is critical because:

  • Today's mobile devices provide limited security safeguards for payment acceptance.
  • Multiple participants are responsible for security in the mobile infrastructure.
  • Mobile payment security supports consumer confidence.

Yet not all small merchants are serious enough about data safety. According to a 2011 ControlScan survey, Level 4 (small to medium-sized) merchants tend to be apathetic about or unaware of PCI DSS. One reason for this apathy, according to the survey, is that merchants are "frustrated and overwhelmed ... by comprehending and applying compliance measures." Many small merchants also believe they are at a low risk for security breaches. With an increasing number of these small businesses eager to adopt mobile payment technology, this attitude could be dangerous.

That's why the PCI Council's new guide is "geared more toward a smaller merchant [and] letting them know how they can accept mobile payments," PCI Council general manager Robert Russo told Digital Transactions News.

How to secure customer data

[Figure: The point-to-point encryption cycle prevents unencrypted data from entering the smartphone or tablet computer. Source: PCI Security Standards Council LLC]
Encryption -- specifically, a validated "point-to-point encryption" (P2PE) solution -- is key to cardholder data security, according to the PCI Council. P2PE is a technology that ensures card data is protected from the first card swipe all the way through to the payment processor. The encryption device scans a customer's card data, but then encrypts that data before the electronic payment is actually processed. That means, while the data is in transit, it is completely hidden. Because the encrypted data bears no resemblance to the card or account data (in fact, it looks like a random string of letters and numbers), even if a data thief is able to access the encrypted data while it is in transit, the information is useless.

In other words, P2PE prevents unencrypted card data from passing through (or being stored on) the smartphone or tablet computer being used to accept payments. How can merchants find a P2PE solution? The PCI Council provides a searchable database.
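The data flow described above, as an added illustration that is not from the PCI Council's fact sheet or from any validated P2PE product: the card reader encrypts and authenticates the track data, the merchant's phone or tablet app only relays an opaque blob, and only the processor holds the key needed to recover it. The HMAC-based stream cipher, the key and the sample track data are constructed stand-ins for a real reader's validated hardware encryption; the final check scans whatever the app handled for a Luhn-valid card number, which is the condition P2PE is meant to make impossible.

```python
import base64, hashlib, hmac, json, os, re

# Constructed demo key shared only by the card reader and the processor.
# The merchant's phone/tablet app never holds it.
PROCESSOR_KEY = hashlib.sha256(b"constructed-demo-key").digest()

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stand-in for the reader's validated cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def reader_encrypt(key: bytes, track: bytes, nonce: bytes = b"") -> dict:
    """Approved card reader: encrypt and authenticate before anything reaches the phone."""
    nonce = nonce or os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(key, nonce, len(track))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    b64 = lambda b: base64.b64encode(b).decode()
    return {"nonce": b64(nonce), "ct": b64(ct), "tag": b64(tag)}

def app_forward(blob: dict, amount_cents: int) -> dict:
    """Merchant's phone/tablet app: it only relays the opaque blob plus the amount."""
    return {"amount_cents": amount_cents, "payload": blob}

def processor_decrypt(key: bytes, msg: dict) -> bytes:
    """Payment processor: the only party that can recover the track data."""
    p = {k: base64.b64decode(v) for k, v in msg["payload"].items()}
    expected = hmac.new(key, p["nonce"] + p["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, p["tag"]):
        raise ValueError("tampered or corrupted payload")
    return bytes(a ^ b for a, b in zip(p["ct"], _keystream(key, p["nonce"], len(p["ct"]))))

def luhn_ok(digits: bytes) -> bool:
    """Luhn check over an ASCII digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

PAN_PATTERN = re.compile(rb"(?:\d[ -]?){13,19}")

def leaks_pan(data: bytes) -> bool:
    """Defender check: does data the app handled contain a Luhn-valid card number?"""
    return any(luhn_ok(re.sub(rb"[ -]", b"", m.group())) for m in PAN_PATTERN.finditer(data))
```

Run `leaks_pan` over the raw track data and over the JSON the app forwards: the former contains a card number, the relayed message does not.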

Off-the-shelf? Or build-your-own?
Some merchants will want to make use of an existing mobile payment or portable register app, while others will want to build (and customize) their own mobile payments software. For each option, merchants will have to take slightly different steps to ensure data security.

Merchants interested in going the off-the-shelf route by using an existing mobile payments app should make sure they also hire a P2PE solution provider. That provider will often supply merchants with approved card readers that have been tested to work securely with the mobile devices and apps they are using. It is the provider's responsibility to ensure that any approved card reader used with their solution is validated as compliant under PCI security requirements.

Merchants who want to build their own mobile payment solutions will need to do a little extra legwork. Smartphones and tablets alone are not necessarily designed as secure input or storage devices for cardholder data. So, first the merchant will need to find an approved card reader to plug into the phone or tablet they are using in place of a register. An approved device (whether it requires PIN entry or not) is one that safely captures and encrypts cardholder data before it enters the phone or tablet. Merchants can find a PCI-approved card reader on the PCI Council's website.

Merchants going the build-your-own route should also implement piecemeal the security measures they would otherwise get from using an off-the-shelf product coupled with a P2PE solution. This includes encryption software that ensures no intact cardholder data passes into the phone or tablet accepting payments.

So, which is the best solution for your business? While building your own payment acceptance solution allows you to customize, using an existing solution might cost you less in the long run. PCI compliance requires regular testing and monitoring -- and the PCI Council emphasizes that using a validated and properly maintained P2PE solution for mobile payment security may lessen the cost and effort of PCI compliance. However, even if merchants use PCI-approved solutions, they are still responsible for compliance with other PCI DSS requirements, including contractual agreements with the P2PE solution provider, physical protection of payment assets and following the P2PE instruction manual.


Published: June 21, 2020
