Saturday, June 9, 2012

PCI Compliance for Mobile Point of Sale

PCI Council Releases “Accepting Mobile Payments with a Smartphone or Tablet”

By Amy Hanson, One Step Retail Solutions

“We know merchants are eager to take advantage of their existing smartphones or tablets to accept payment cards,” said Bob Russo, general manager, PCI Security Standards Council. “And the Council and its stakeholders want to help the market to do this in a secure way. We're excited about this easy-to-use reference that will help merchants understand how to use the suite of PCI Standards to enable their businesses while still keeping data security top of mind.”

80% of identity theft can be traced back to small business breaches in security

With the “mobile revolution” comes a shift in retail security practices by independent retailers looking for cost-effective retail technology solutions. Tempted by the allure of a “full mobile POS system” for dirt cheap, it can seem too good to be true when it comes to PCI compliance. The PCI Security Standards Council states what many have been wondering for some time: “Mobile devices are not necessarily designed to be secure input or storage devices for cardholder data. Your mobile payment solution thus requires additional technology, including encryption, to secure cardholder data acceptance.”

At this point, the exact regulations and guidelines regarding mobile point of sale systems have yet to be fully defined by the PCI Council. So, when a prospective mobile POS provider states that it is PCI compliant, this does not necessarily mean that any specific actions have been taken to ensure that the specific system is secure. In fact, PCI compliance is not limited to your software's capabilities, and while you may be attempting to set up a small business on a dime with an iPad and a $15 a month system, you are in the hot seat unless you are not only PCI compliant but also truly secure.

How “hot” is the hot seat?

The reason this is of absolute importance to you as a retailer is that you could personally be held accountable for everything from full reimbursement of the money stolen to a possible $500,000 fine for negligence, should a data breach trace back to one of your devices. As you can see, this is very serious business that a fly-by-night POS system should not be trusted with. In this matter, the cheapest option is not necessarily the best option, and it could effectively close your business.

How to protect yourself and your livelihood

Several heavily marketed and relatively new mobile POS systems are under scrutiny for PCI compliance failure (lack of data encryption is a common oversight). A long-term service provider of point of sale solutions, hardware and supporting systems (security, etc.) will know the ins and outs of how to create a safe point of sale for your retail store. We recommend a layered approach to security. Our definition of “layered security” would include: a firewall for all internet connections, system back-ups run regularly, and security cameras installed in high-theft locations in the store. In addition to having a security suite, ensuring that the mobile POS device you use has data encryption goes a long, long way toward complying with PCI regulations.

A thorough list of best practices is expected before year end. In the meantime, a straightforward paper (link below) gives some hands-on advice for merchants, including:

  • Leveraging the benefits of the Council's recently published Point-to-Point Encryption (P2PE) standard and program
  • Responsibilities under PCI DSS, and how they translate to mobile payments

Be sure to choose a mobile payment acceptance solution that complements the merchant's PCI DSS responsibilities.

PCI Security Standards Council - Accepting Mobile Payments with a Smartphone or Tablet

If the above link doesn't work, copy and paste this into your browser: