Mobile Payment Security in the Store
By Jeff Wakefield, Verifone
Mobility. It is such a broad concept, meaning different things to merchants and consumers. Mobile acceptance, mobile payments, mobile POS, mobile shopping – each plays a distinct part in the overall mobile experience and each has different risks and rewards.
Within this larger mobile arena, the security of the mobile payment device offers the greatest risk for both merchants and consumers alike.
Mobile payments, or its more technical term, “mobile acceptance,” is simply the process of accepting payment using a mobile device. There are three primary categories of mobile acceptance products on the market, each with a different set of capabilities. They include:
1. Purpose-built mobile payment devices: actual payment terminals with wireless capability.
2. Secure mobile acceptance peripheral devices that connect to payment applications on mobile handsets. These are the cradle-like units that mold around the mobile device.
3. Simple audio jack type devices that attach to another consumer device
While ANY payment device should provide for some minimal level of payment security, the first two categories fall under the realm of governance by PCI PTS standards. But regardless of the type of device in use, the questions we must ask and answer, as merchants, includes the balance of risk vs. reward. First, what are the risks with accepting any type of mobile payment? And secondly, what level of risk are we willing to accept in return for the ability to offer our customers an enhanced consumer experience?
The First Area of Risk
Most mobile payment solutions in use today — smartphones and tablets — aren’t purpose — built for accepting payments, so there are peripherals that connect to them to facilitate that. Usually, a mobile point of sale application is also running on the mobile device itself. These applications vary in complexity, from simple barcode scanning and payments to full — fledged inventory management and CRM. A simple scenario for this kind of mobile payment transaction might look like this:
The consumer finalizes her selection and approaches a store clerk who is either carrying around the mPOS device or has access to one at the counter. Once all items have been scanned, using the built — in barcode scanner, the total appears on the screen of the mobile device and depending on the type of payment acceptance available (swipe, tap, keyed or dipped) either the clerk or customer inputs payment information. This payment information is transmitted through the actual payment — acceptance peripheral (the cradle, audio jack attachment, etc.) to the mobile application. The payment information then leaves the mobile application and is sent to an authorization system.
There are a number of potential intervening systems here that process the payment information in some way, but for the sake of simplicity, we will say that in this scenario, the capture device sees the payment information first. Simply put, when you swipe, tap or manually input your card information, it first interacts with the payment device before being transmitted through the store and out to the payment processor.
This is the first area of risk; without protecting the payment data at the initial point of capture, before if flows through the peripheral and through the mobile payment application, merchants are exposing themselves to some level of risk. As such, ANY payment — accepting consumer electronic device should be considered unsafe — period. Both iOS and Android devices have the potential for malware intrusions, either due to “jailbreaking” or via legitimate applications that have security holes in their code.
Once you are in a habit of assuming that each device is unsafe, you become better attuned to ensuring that proper security precautions are being met.
The most effective form of payment security on any kind of payment device — be it a mobile device, a countertop device, or a simple acceptance unit built into a vending machine or fuel pump — is encryption. The PCI Standards Security Council (SSC), hardware and software vendors, security practitioners, and even informed consumers agree that encrypting data immediately at the point of capture and before it traverses the mobile operating system, is an effective deterrent to transaction data interception and theft.
Encrypting payment data after it has moved through the peripheral, and into the payment application is a polite gesture, but hardly effective. It is a bit like running an encrypted network inside your home, but then not password— protecting your PC login. You must encrypt the data at the point of capture, with no exceptions.
This can be accomplished in different ways, but enterprise — class deployments should follow best practices and use only those devices that been tested and approved as PCI PTS compliant.
From a customer interaction perspective, mobile devices are being used to engage customers on a much deeper level. Consider the other types of information merchants collect — email addresses, phone numbers, loyalty rewards numbers and purchase history.
It’s possible that some information, while not considered sensitive from a PCI and payments perspective, is still sensitive. Separately these bits of personal information don’t mean much, but together, a customer’s personal information and shopping preferences can be used by attackers to leverage more information.
Building “Big Data” profiles of consumers — as part of a CRM program — is becoming more common and merchants need to consider the backlash they could face customer information be used by attackers to gain access to parts of their digital lives.
So, what’s the solution? Encryption of payment data is possible. Encryption of addresses, ZIP codes, pet names, and birthdays places a much larger burden on merchants as encrypting this information introduces a host of additional processes. But as custodians for this information, merchants should treat it with care and be responsible for its safe-keeping.
Securing the mobile acceptance and point of sale environment is not simple, but as an industry we need to tighten up our security controls and practices. The worst thing that can happen to the “mobility” rage right now is a rash of well‐publicized merchant breaches using mobile acceptance systems.
Jeff Wakefield is VP of new business development & strategic initiatives, vertical & global, security solutions, VeriFone.