Merchant Alert: Avoid “Jailbroken” Phones and Tablets for POS Payments
In a study released earlier this year, the PCI Security Standards Council (PCI SSC) advises merchants using smartphones and tablets as POS (point of sale) payment processing to be sure that proper security measures such as encryption controls are functional.
Noted in the report is a prediction from Juniper Research that mobile transactions will hit $1.3 trillion worldwide by 2015, four times what it is today, as more businesses turn to consumer smartphones, tablets and PDAs for payment processing.
The report emphasizes that merchants are responsible for the security of the device. The council also recommends against allowing employees to bring their own devices to use in the workplace.
The Council’s recommendations are based on the assumption that mobile devises are multi-purpose and not dedicated to payment processing, and, more importantly, that they are not secure. The security issue extends beyond the workplace, as the devices, being mobile by definition, are at risk of being lost or stolen. The Council recommends that all mobile devices used for card processing include an encrypting PIN pad and an approved secure card reader.
Troy Leach, Chief Technology Officer of the Council, explained in a corporate media release, “It comes down to the basic element of trust. Consumers want to have confidence that their information is protected whether at their favorite restaurant, shopping online or making a purchase using a mobile device in lieu of a traditional POS. Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes, which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions.”
The guidelines are clear that merchants who “deliberately subvert the native security controls of a mobile device by ‘jailbreaking’ or ‘rooting’ the device increase the risk of malware infection. Payment solutions should not be installed or used on any mobile device that is rooted or ‘jailbroken,’“ the council’s document states.
The Council’s recommendations include the caveat that until mobile hardware and software implementations meet the guidelines, merchants should exclusively use PCI-validated point-to-point encryption.
The intent of this guidance is certainly not to thwart mobile commerce; rather it is directed to merchants so they can better understand the risks involved, and that that together with developers and device vendors they can safely implement a solution that will enable mobile commerce to flourish.
Business owners using plug payment card process equipment rather than traditional checkout terminals can access the Council’s recommendations from PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users.
… contest legitimate charges while also providing the customer with an additional layer of security. GPS features can prove location, and the whole process iscompliant so that the restaurant can promise …
… your customer’s information—when using POS. To this end, theSecurity Standards Council is now offering the Qualified Integrators and Resellers (QIR) Program. This program trains resellers and integrators …
… card on them.” Over 1 million merchants use Square’s Verisign certified andcompliant technology. Square provides card readers free to users and a free app is available for download at the App Stor