How to make smartphone and tablet payments secure
To compete with the big guys, small and mid-sized merchants are pursuing innovative ways to save money -- including accepting payments via smartphone or tablet computer (with apps like Square) instead of investing in expensive traditional registers.
However, the convenience of using a portable register comes at a cost. Smartphones and tablet PCs are not built to be secure holders of credit card data. So it's up to merchants to make sure customers' information is secure.
The PCI Security Standards Council (PCI Council) recently released "At a Glance: Mobile Payments Acceptance Security," a fact sheet for merchants who wish to begin accepting payments via smartphone or tablet, while protecting cardholder data. Here are some of the highlights.
According to the PCI Council, secure mobile payment acceptance is critical because:
Yet not all small merchants take data safety seriously enough. According to a 2011 ControlScan survey, Level 4 (small to medium-sized) merchants tend to be apathetic about or unaware of PCI DSS. One reason for this apathy, according to the survey, is that merchants are "frustrated and overwhelmed ... by comprehending and applying compliance measures." Many small merchants also believe they are at low risk of a security breach. With an increasing number of these small businesses eager to adopt mobile payment technology, this attitude could be dangerous.
That's why the PCI Council's new guide is "geared more toward a smaller merchant [and] letting them know how they can accept mobile payments," PCI Council general manager Robert Russo told Digital Transactions News.
How to secure customer data
Point-to-point encryption (P2PE) prevents unencrypted card data from passing through (or being stored on) the smartphone or tablet computer being used to accept payments: the card data is encrypted at the reader and is only decrypted at the solution provider's side. How can merchants find a P2PE solution? The PCI Council provides a searchable database of validated solutions.
Off-the-shelf? Or build-your-own?
Merchants interested in going the off-the-shelf route by using an existing mobile payments app should make sure they also hire a P2PE solution provider. That provider will often supply merchants with approved card readers that have been tested to work securely with the mobile devices and apps they are using. It is the provider's responsibility to ensure that any approved card reader used with their solution is validated as compliant under PCI security requirements.
Merchants who want to build their own mobile payment solutions will need to do a little extra legwork. Smartphones and tablets alone are not necessarily designed as secure input or storage devices for cardholder data. So, first the merchant will need to find an approved card reader to plug into the phone or tablet they are using in place of a register. An approved device (whether it requires PIN entry or not) is one that safely captures and encrypts cardholder data before it enters the phone or tablet. Merchants can find a PCI-approved card reader on the PCI Council's website.
Merchants going the build-your-own route should also implement, piece by piece, the security measures they would otherwise get from using an off-the-shelf product coupled with a P2PE solution. This includes encryption performed before the data reaches the device, so that no intact cardholder data ever passes into the phone or tablet accepting payments.
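The property described in the last few paragraphs, that the reader encrypts cardholder data before it enters the phone or tablet and the app only ever forwards an opaque blob, is illustrated by the following added example. It is not code from the article, the PCI Council or any real reader vendor. The `ApprovedReader` class stands in for the card reader's own secure element and uses an HMAC-SHA256 counter-mode keystream plus a separate HMAC tag as a simple stand-in for the reader's hardware cipher (real validated readers use their own key-management schemes, not this construction). `app_forward` is what a merchant-built app would do with the reader output, and `find_cleartext_pans` is the kind of check a merchant building their own solution can run over the bytes the app actually receives to confirm that no Luhn-valid card number appears in cleartext. All names, keys and the sample track data are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import re

# Constructed sample track data using a well-known test PAN; not a real card.
SAMPLE_TRACK = ";4111111111111111=25121011234?"

# Digit runs of PAN length that are not part of a longer digit run.
_PAN_CANDIDATE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_pans(blob: bytes) -> list:
    """List Luhn-valid card-number-shaped digit runs found in a byte payload.

    This is the check the app side should run on what it receives from a
    reader: an encrypted payload must yield an empty list."""
    return [m.decode() for m in _PAN_CANDIDATE.findall(blob) if luhn_ok(m.decode())]


def _derive(master: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from one master key (assumed scheme).
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode; stand-in for the reader's hardware cipher.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


class ApprovedReader:
    """Simulated P2PE card reader: encrypts inside the reader before handing data to the phone."""

    def __init__(self, master_key: bytes, reader_id: str = "RDR-EXAMPLE-0001"):
        self._enc_key = _derive(master_key, b"enc")
        self._mac_key = _derive(master_key, b"mac")
        self.reader_id = reader_id

    def swipe(self, track: str, nonce: bytes = None) -> dict:
        nonce = nonce if nonce is not None else os.urandom(12)
        plaintext = track.encode()
        ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(self._enc_key, nonce, len(plaintext))))
        tag = hmac.new(self._mac_key, nonce + ciphertext, hashlib.sha256).digest()
        # Only base64 blobs leave the reader; the phone never sees the track data.
        return {
            "reader_id": self.reader_id,
            "nonce": base64.b64encode(nonce).decode(),
            "ciphertext": base64.b64encode(ciphertext).decode(),
            "tag": base64.b64encode(tag).decode(),
        }


def app_forward(reader_output: dict) -> bytes:
    """What the merchant's phone/tablet app does: serialize and forward, nothing more."""
    return json.dumps(reader_output).encode()


def processor_decrypt(master_key: bytes, payload: bytes) -> str:
    """Decryption happens only at the P2PE solution provider, never on the merchant device."""
    msg = json.loads(payload)
    nonce = base64.b64decode(msg["nonce"])
    ciphertext = base64.b64decode(msg["ciphertext"])
    tag = base64.b64decode(msg["tag"])
    expected = hmac.new(_derive(master_key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("payload failed integrity check")
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(_derive(master_key, b"enc"), nonce, len(ciphertext))))
    return plaintext.decode()


if __name__ == "__main__":
    key = os.urandom(32)                      # constructed; a real reader's key is injected securely
    payload = app_forward(ApprovedReader(key).swipe(SAMPLE_TRACK))
    print("cleartext PANs seen by the app:", find_cleartext_pans(payload))
    print("cleartext PANs in an unencrypted swipe:", find_cleartext_pans(SAMPLE_TRACK.encode()))
    print("provider recovers track:", processor_decrypt(key, payload) == SAMPLE_TRACK)
```

The contrast worth noting is the two `find_cleartext_pans` calls: run over the encrypted reader output the app handles, it returns nothing, while run over raw track data it flags the PAN. A merchant assembling their own solution can use a check like this against a test swipe to confirm the reader really is encrypting before the device, rather than trusting the product description.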
So, which is the best solution for your business? While building your own payment acceptance solution allows you to customize, using an existing solution might cost you less in the long run. PCI compliance requires regular testing and monitoring -- and the PCI Council emphasizes that using a validated and properly maintained P2PE solution for mobile payment security may lessen the cost and effort of PCI compliance. However, even if merchants use PCI-approved solutions, they are still responsible for compliance with other PCI DSS requirements, including contractual agreements with the P2PE solution provider, physical protection of payment assets and following the P2PE instruction manual.
Published: June 21, 2020