The PCI Security Standards Council has recently released a study, which encourages merchants that use tablet PCs and smartphones as payment processing devices at the point of sale to verify whether they are using adequate security features, such as encryption.
The report cites a prediction made by Juniper Research, which claims that mobile transactions will grow to $1.3 trillion around the world by the year 2015. The figure predicted for 2015 is four times higher than the current transaction volume. The increase is expected as a larger number of businesses will use mobile devices such as smartphones, tablets and portable computers to process payments. According to the report, merchants should be aware that the security of the device used in transactions is their responsibility. The PCI Security Standards Council has also issued a recommendation that merchants should not allow employees to use personal devices at work.
These recommendations were made because mobile devices can be used for various purposes and are not standalone payment processing systems. By definition, a mobile device is “mobile”, which means it can be taken out of the workplace and is therefore easily lost or stolen. The Council recommends that any merchant using a mobile device for transaction processing use a secure mobile card reader that meets industry standards.
According to Troy Leach, the Council’s Chief Technology Officer, customers expect their security to be protected when they shop online or at a store, and this extends to using a mobile device to pay for a purchase instead of a “regular” POS system. He went on to say that it is quite difficult to make customers confident in the security of a device that was primarily made for consumers and not as a business tool.
Guidelines issued by the Council state that “jailbreaking” or “rooting” a device increases security risks, as doing so circumvents some of the device’s security features, allowing malware infections to take hold more easily. To meet the guidelines, merchants should only use point-to-point encryption that has been PCI-validated.
The guidelines should not be seen as an attempt to limit the growth of mobile transactions, but rather as a way to help merchants understand the security risks they face when processing payments on mobile devices. Software developers and device manufacturers can create solutions that would allow mobile commerce to grow exponentially while remaining as secure as possible.
Business owners who use payment processing equipment that connects to a mobile device, as opposed to a “regular” checkout terminal, can read the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users to learn some of the important recommendations aimed at them.