In big cities, they are everywhere: Coffee shops, boutique clothing stores, and even sidewalk vendors have card readers attached to mobile devices to facilitate payment for products or services. There is no question why the trend is so popular; tablet computers and smartphones are much cheaper than complex POS systems, and the process is sleeker, simpler, and ultimately faster. Generally, sellers and buyers walk away from transactions supremely happy. But should they?
In 2011, reports surfaced that Apple’s Square program exposed users’ card information to potential theft because the company neglected to encrypt the data during the transfer between the swipe and the transmission into the device. In response, the Apple spokesperson harped on the general insecurities of any card transaction and largely ignored the claim, likely confirming Square’s faults. However, Square’s deficiencies shouldn’t scare all consumers and producers away from using mobile card readers. Here’s what everyone should know about this versatile and useful payment trend.
Not All Mobile Transactions Are Insecure
Fortunately, Apple Square seems to be alone in this security shortcoming. In fact, American payment systems are largely held to strict standards that are meant to decrease the visibility of card information and thus protect user information. In 2004, the five major card companies in the U.S. — Visa, MasterCard, American Express, Discover, and JCB — combined their security programs to form the Payment Card Industry Data Security Standard (PCI DSS) which requires retailers to employ specific security measures, including:
Install and maintain a strong firewall
Encrypt cardholder data across public networks
Use and update anti-virus software
Assign unique user IDs to individual employees
Test security systems frequently for flaws
Information theft is costly to everyone involved — consumers, banks, and vendors — so the limitation or elimination of breaches has become paramount. Every retailer in the U.S. (including purveyors of mobile card reading technology) is expected to uphold the PCI DSS, and non-compliance results in the inability to accept certain cards, which dramatically impacts a vendor’s customer base. The key to complying with PCI DSS over mobile devices is employing an app and reader you can trust.
Most Individual Transactions Are Safe
There are two more reasons consumers in particular don’t need to worry about the theft of their card information. First, security technology progresses significantly faster than hackers’ ability to circumvent it. Even the most skilled hackers must spend time and energy working to understand new security programs, and by the time an efficient breach can be made, the technology has likely updated to thwart intrusion. Security companies and hackers are in a perpetual arms race, and security companies almost always come out on top.
Additionally, most hackers aren’t interested in stealing a single cardholder’s information. Because of the great effort it takes to break a company’s digital defenses, a single card number obtained through a mobile card reader deficiency simply isn’t worthwhile. Instead, hackers look for weaknesses in mega corporations, which store cardholder data for convenience. Then, when a breach occurs, hackers run away with millions of accounts. In reality, it is much more dangerous to trust companies like Target or Home Depot with your cards than it is to trust a small business using a mobile device.
Vendors Can Ensure Security
If you are a producer as well as a consumer — or you want to know how your favorite retailers should be protecting your cards — there are a number of security practices you should make habits to safeguard your customers’ information while using mobile card readers. Here are some tried-and-true tricks to using a mobile card reader safely and securely:
Never “root” or “jailbreak” your mobile device. In doing this, you circumvent your device’s operating system and gain access to apps or customizations your current provider doesn’t allow — but you also invite hackers, who have an easier time taking control of such devices.
Update your operating system and apps frequently. Updates usually improve security by closing potential gaps in protections.
Use only trustworthy apps. Plenty of clever hackers have gained access to devices through sketchy software.
Install device-appropriate anti-malware and firewalls. It is certainly worth the cost to download a reliable protection app, but many anti-virus companies provide excellent services for free, as well.
Lock the device when not in use. Some hacks actually arise from negligence of physical security rather than digital security.
Never store cardholder data. Big companies may have more resources to protect their cache of user information, but small businesses using mobile card readers certainly don’t. There is no reason to store your customers’ information and potentially lose it to hackers.