This week’s blog, the first of a two-part series, will focus on some of the security considerations pertaining to the device itself. Next week’s blog will discuss measures, including insurance, small business owners can take to protect their businesses should the mobile device go missing or worse.
What is at stake?
You very well could experience a security breach that (though not restricted to using a mobile device to collect payments but applicable to every method you use to collect cardholder data) with consequences that include:
|An example of a mobile payment card reader. Wikipedia.org|
- cost of reissuing new payment cards,
- termination of ability to accept payment cards, and
- "going out of business" (bit.ly/1iwnFUd).
Why is there so much concern about compromised data or a security breach associated with mobile devices?
As you can imagine, and maybe it has happened to you, it is easier to misplace a smartphone or other mobile device compared to a register or computer that is either tethered to something or too heavy or bulky to just carry off without anyone noticing.
A safeguard that is suggested includes securely storing the device, in a safe for example, when not in use or fastening the device to a heavy, bulky item (such as a desk or counter) with a combination lock and cable, much as you would a laptop or desktop. Concern is further based on “traditional security controls such as [anti-virus], firewalls, and encryption [not having] reached the level of maturity needed in the mobile space” (bit.ly/1ftLIm3).
How can a small business owner using a mobile payment system protect customer data and their business?
Let’s first start with the device that you will use to collect payments. A list of equipment and systems can be found here (Why Mobile Payment Systems Might Work for Your Business), but you’ll also need to consider device ownership, who can use the device, and (in certain instances) whether an employee can use the device for more than just collecting payments.
If you are not already familiar with the PCI (Payment Card Industry) Security Standards Council, they work “to educated stakeholders (merchants, processors, financial institutes, and similar) about the PCI Security Standards…and promotes the awareness of the need for payment data security to the public” (www.pcisecuritystandards.org), in essence “keeping your customer’s payment card data secure.” bit.ly/1ix8PN3. Retailers who accept credit cards are required to be compliant with the standards (next week’s blog will include an overview on how to be complaint).
Device ownership: BYOD vs COPE
The PCI strongly discourages what is referred to as BYOD (bring your own device), which involves employees using their own mobile device to process consumer credit card payments. Instead the device should be owned by the business, regardless if it is used solely for “payment and acceptance for transaction processing” or for both business and personal tasks (bit.ly/1hayiqv).
Some companies do buy corporate-owned personally enabled (COPE) devices which they distribute to managers and other employees who process payments at remote locations. In such instances these businesses permit employees to use the device for both business and personal use. This allows the business to install and update software that might not necessarily be appropriate for an employee-owned device (bit.ly/1iCHYyj). Updates can be pushed to devices and the business can seize the device when needed. This particular arrangement is not unreasonable as employees are often provided with desktops, laptops, and tablets to use in their homes and when traveling.
Basic mobile device security policies
Some of the more recognized security policies that you should implement:
• Don’t store any sensitive cardholder data on the mobile device, or on any electronic equipment for that matter. If you are using the smartphone or tablet and/or a mobile app to save customers’ addresses, birthdates, etc. for the purpose of keeping track of purchases (i.e. loyalty program) take steps to encrypt the data and only collect and store what is absolutely necessary.
• Be selective about what apps you download to the device and question why apps might need access to contacts, calendars, location services, etc. on the device.
• Require each employee who needs to have access to mobile devices to have a unique username and password.
• Employees should be trained on how to properly use the device and owners should educate them on how to maintain device security.
• Don’t “jailbreak” or “root” your devices (iPhone, iPad, iPod touch, Android phone or tablets). Jailbreaking or rooting a device allows the owner to download “additional applications, extensions, and themes” not available at the Apple App Store (bit.ly/1luD6Mb); however, Apple states on its website that doing could: shorten battery live, allow for security vulnerabilities, cause apps to crash, prevent future software updates, and similar (bit.ly/1iDCiEq).
• Update your operating software. Often you will get a notification but check the setting on each device often in case a push notification doesn’t go through.
• Keep apps up-to-date, too.
• Beware of phishing emails (emails from individuals posing as legitimate companies with links to malicious software) and SMS texts. Don’t click on any hyperlinks or URLs that look suspicious.
All of these procedures, and other applicable best practices, should be included in your employee handbook and operations manual. Just as you would expect your employees to adhere to a code of conduct when dealing with customers you should expect the same for those who have access to business-owned mobile devices.
No matter what type of device, mobile or stationary, that is used to collect payments it is the retailer’s responsibility to ensure that customer payments processed properly and that only the appropriate data is stored – and that it is stored correctly. In next week’s blog we will continue the discussing and help you further ensure that you are operating a safe mobile payment system and have a policy in place for any issues that might occur with either a missing device or compromised cardholder data.
Kathy Kelley is a professor of horticultural marketing in the Department of Plant Science
Robert C. Goodling, Jr. is an extension associate in the Department of Animal Science