Card Catastrophe: Why Mobile Processing Should Scare You
By: Jon Clark
Have you begun processing payments with a smartphone or tablet yet? Maybe you're seriously considering implementing a mobile processing strategy, like many other businesses and micro-merchants. That's wonderful. But here's the bad news: though mobile payments are growing exponentially, the security side of processing credit cards on mobile devices has been seriously neglected.
Get up to speed with the issues
Mobile processing (e.g., Square, GoPayment) is a double-edged sword. On one hand, it allows more processing flexibility, but it also has the potential to dramatically increase fraud and business liability. The problem with mobile devices is that they weren't made for security or payment processing. Hackers know that, and they are after customers' profitable payment data.
How could a device so innovative and technologically advanced not securely process a credit card?
Mobile devices are exposed to the same threats as computers (e.g., malware, viruses), but their hardware and software are built with significantly fewer security fortifications. Unlike typical point of sale (POS) systems, even new mobile devices don't include firewalls or other safeguards, and they are automatically connected to the Internet.
One of the security drawbacks with a mobile device is that it's difficult to guarantee an app is malware-free as it enters an app store. Thousands of malicious apps are downloaded through official software stores daily, putting smartphones and tablets at risk for payment card theft.
Hackers repackage apps, or create their own malicious apps, to be downloaded by unsuspecting mobile users. For example, malicious code could be embedded in a popular flashlight application. Those bad apps have the power to steal credit card information, listen to text and audio conversations, read data from other applications, or even control the actions of the entire device.
Lack of security policies
In addition to bad apps, many organizations fail to implement procedures that dictate the proper use and storage of mobile devices. Loss, theft, and employee misuse are all security issues that are easily prevented through franchise security policies.
Fines and penalties for compromise
If hackers steal customer data by accessing a franchise's mobile POS system, the business could be held liable by card brands like Visa, MasterCard, and American Express under the Payment Card Industry Data Security Standard (PCI DSS). Fines and penalties may follow, and they may include forensic investigation and customer notification costs. Research shows that 80 percent of all small businesses that experience a data breach either go bankrupt or have severe financial difficulties within two years of the breach*.
Even if you manage to avoid the forensic fines, auditing costs, and card brand penalties, your brand may still face consumer doubt and criticism.
Because each mobile-device POS user increases the risk to your brand, you have the right to regulate device security. Mobile device vulnerability scanning is a great way of identifying which franchises follow mobile best practice guidelines. I suggest regular testing through a security scanning app. When selecting a mobile vulnerability scanner, check whether it also includes a mobile device management (MDM) tool that lets you remotely wipe devices or check on the security of multiple locations.
5 best practices to protect franchises
Though mobile security is in its infancy, there are methods to securely process via mobile devices.
1. Use an encrypt-at-swipe piece of hardware that attaches to a smartphone or tablet to securely process payment cards. Perform due diligence when selecting mobile POS hardware to ensure it supports encrypt-at-swipe.
2. Don't manually key customers' credit card data, even if a card stubbornly refuses to be swiped! While your hardware card reader may encrypt sensitive information at swipe, your phone does not have that secure capability. Manually typed data is not encrypted, and a rogue app could be recording those card numbers.
3. Always update both OS and app software so any discovered security holes can quickly be patched.
4. Read up on the PCI Mobile Payment Acceptance Security Guidelines for Merchants and follow all the instructions. Ensure your employees are also familiar with the mobile security standard.
5. Use mobile scanning apps to ensure devices are tested for mobile processing security. Don't forget to promptly remediate any discovered vulnerabilities.
Not a serious problem...yet
Luckily for all of us, mobile payments are still thinly spread among small merchants, and it's likely hackers are more concerned with obtaining credit cards from known, high-transaction areas. However, as mobile device payments become more common, so will attacks on businesses via mobile devices, resulting in reputation loss and possible fines from card brands.
Jon Clark is the Marketing Director for SecurityMetrics, and can be reached at firstname.lastname@example.org or 801-995-6858. SecurityMetrics is a data security and compliance company that offers mobile vulnerability scanning products and PCI services for businesses worldwide.