Have you begun processing payments with a smartphone or tablet yet? Maybe you're seriously considering implementing a mobile processing strategy like many other businesses and micro-merchants. That's wonderful. But here's the bad news. Though mobile payments are growing exponentially, the security side of processing credit cards via mobile devices has been seriously neglected.
Mobile processing (e.g., Square, GoPayment) is a double-edged sword. On one hand, it allows more processing flexibility, but it also has the potential to dramatically increase fraud and business liability. The problem with mobile devices is that they weren't made for security or payment processing. Hackers know that, and they are after customers' profitable payment data.
How could a device so innovative and technologically advanced not securely process a credit card?
Mobile devices are exposed to the same threats as computers (e.g., malware, viruses), but their hardware and software are built with significantly fewer security fortifications. Unlike typical point of sale (POS) systems, even new mobile devices don't include firewalls or other safeguards, and they are automatically connected to the Internet.
One of the security drawbacks with a mobile device is that it's difficult to guarantee an app is malware-free as it enters an app store. Thousands of malicious apps are downloaded through official software stores daily, putting smartphones and tablets at risk for payment card theft.
Hackers repackage apps, or create their own malicious apps, to be downloaded by unsuspecting mobile users. For example, malicious code could be embedded in a popular flashlight application. Those bad apps have the power to steal credit card information, listen to text and audio conversations, read data from other applications, or even control the actions of the entire device.
In addition to bad apps, many organizations fail to implement procedures that dictate the proper use and storage of mobile devices. Loss, theft, and employee misuse are all security issues that are easily prevented through franchise security policies.
If hackers steal customer data by accessing a franchise's mobile POS system, the business could be held liable by card brands like Visa, MasterCard, and American Express under the Payment Card Industry Data Security Standard (PCI DSS). Fines and penalties may follow, which may include forensic investigations and customer notification costs. Research shows that 80 percent of all small businesses that experience a data breach either go bankrupt or have severe financial difficulties within two years of the breach*.
Even if you manage to avoid the forensic fines, auditing costs, and card brand penalties, your brand may still face consumer doubt and criticism.
Because every mobile-device POS user adds to your brand's risk, you have the right to regulate device security. Mobile device vulnerability scanning is a great way of identifying which franchises follow mobile best practice guidelines. I suggest regular testing through a security scanning app. When selecting a mobile vulnerability scanner, check whether it also includes a mobile device management (MDM) tool that lets you remotely wipe devices or check on the security of multiple locations.
Though mobile security is in its infancy, there are methods to securely process via mobile devices.
Luckily for all of us, mobile payments are thinly spread among small merchants, and it's likely hackers are more concerned with obtaining credit cards from known, high-transaction areas. However, as the trend of mobile device payments increases, so will attacks on businesses via mobile devices, resulting in reputation loss and possible fines from card brands.
Jon Clark is the Marketing Director for SecurityMetrics, and can be reached at jonc@securitymetrics.com or 801-995-6858. SecurityMetrics is a data security and compliance company that offers mobile vulnerability scanning products and PCI services for businesses worldwide.