Last month, CampusGuard’s President, Ron King, was asked to present at the annual New York State Organization of Bursars and Business Administrators (NYSOBBA) conference. He provided guidance to the attendees on how to weigh the risks and benefits of accepting payments via mobile devices. The presentation was well-received, so we wanted to share a few of the highlights with you this month.
When we talk about accepting payments on mobile devices, the benefits are obvious. The devices are mobile; they can be taken anywhere. They can be carried to places that are convenient for a customer (e.g. sporting events, fundraisers, concerts, etc.) and can increase your ability to bring in revenue or donations. Consumers typically do not fear submitting sensitive information or making purchases using smartphones. In fact, most users trust smartphones over using a public computer or kiosk any day. But is this really the right way for your organization to be accepting payments?
As mobile commerce activity continues to increase, merchants and service providers need to evolve and reposition themselves to meet market demand. However, while making the process as simple as possible for the end user is almost always the end goal, you also need to ensure you are not putting your consumers' data at risk in doing so.
With regards to the PCI DSS, there are basically two types of mobile payments—consumers entering cardholder data (CHD) on their personally-owned mobile devices and staff-assisted transactions where the consumers’ CHD is handled on your organization’s mobile devices on their behalf.
When an individual consumer enters their own CHD into their own mobile device, there are no PCI requirements the merchant must meet for that device. However, as the merchant, you are still responsible for the compliance status of the payment service itself, regardless of whether it is hosted and maintained by your IT staff or by a third-party service provider.
When a mobile device is being used by the organization to accept cardholder data from consumers, you are now responsible for ensuring that device and any other connected, in-scope components are compliant with the PCI DSS.
Other things to consider: Are payments only accepted via a card reader connected to the device, or is there a manual entry process in the event of a swipe-failure? Is the device used for both payment activities and personal use? Is the mobile device owned by the organization or is an employee utilizing a personal device? Is the device being updated regularly to protect against malware and other known threats? Is the device at risk for being lost or stolen? How easily can it be tampered with? Since mobile devices have no fixed location, keeping track of inventory and defining merchant responsibilities can become more difficult.
If you have merchants asking to use a mobile solution to accept payments, the mobile options that require the least amount of effort to implement in a compliant manner are:
- Purpose-built PCI-listed PTS-approved cellular POS devices or
- Mobile solutions from a PCI-listed point-to-point encryption (P2PE) vendor.
If you aren't able to use the above solutions and choose to use a consumer mobile device (e.g. iPad, iPhone, etc.), that device must be configured so that its only purpose is securely handling payments (i.e. all non-payment-related applications and functions must be removed from the device). The reason for this is that the same risks that exist on a computer also exist on a mobile device. If you can access your e-mail, browse the internet, install apps, etc., the device is exposed to the same attack vectors that lead to breaches on workstations: malware, keyloggers, and more. The list below gives a few best practices to keep in mind to better secure the device:
- Do not connect the mobile device directly to any wireless network (e.g. Wi-Fi, 3G/4G, etc.) without a scope-limiting control in front of it.
- Always use a firewall or other scope limiting device between the mobile device and the Internet to keep the PCI scope as small as possible.
- Do not implement solutions that permit PIN entry directly into the mobile device.
- Verify that the mobile device and its associated card readers have not been tampered with or substituted by following your tamper-checking protocols (e.g. validating device IDs and serial numbers against your inventory).
- Restrict access to the equipment to only authorized personnel.
- Establish security controls and install and regularly update anti-malware/antivirus software.
- Install only trusted software.
- Ensure the mobile device is stored in a secure location when not in use (e.g. locked in a drawer, etc.).
- Keep an accurate inventory with serial numbers, model numbers, operating systems, firmware, etc. and log all information. Mark devices with a unique identifier to protect from fraud and counterfeiting.
- Implement an incident management process for the timely detection and reporting of theft or loss of a mobile device.
- Ensure there are processes for the secure disposal of outdated devices.
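The tamper-checking and inventory bullets above come down to one recurring task: comparing what staff actually observe on each device (asset tag, model, serial number, firmware) against the register you keep for it, and routing the differences to the right process. The script below is an added illustration of that reconciliation; it is not CampusGuard code or PCI SSC guidance. The register schema, the field names, the asset tags and serial numbers are all constructed sample data and assumptions made for the example.

```python
"""Reconcile a mobile payment device register against a periodic physical check.

Added example, not code from the original article. The register layout, the
asset-tag/serial values and the severity labels are assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceRecord:
    asset_tag: str   # unique identifier marked on the device by the organization
    model: str
    serial: str      # manufacturer serial number recorded at deployment
    firmware: str    # firmware/OS version recorded at last verified update
    location: str    # merchant area the device is assigned to


# Constructed inventory register (assumed schema and values).
INVENTORY = [
    DeviceRecord("AT-0001", "payment-only tablet", "DMPX1A2B3C", "17.4", "Athletics ticket booth"),
    DeviceRecord("AT-0002", "P2PE card reader", "RDR-55812", "2.1.0", "Athletics ticket booth"),
    DeviceRecord("AT-0003", "P2PE card reader", "RDR-55913", "2.1.0", "Foundation events"),
]

# Constructed result of one tamper/inventory check: what staff read off each
# device they could find. AT-0002's serial differs from the register, AT-0004
# is not in the register at all, and AT-0003 was not found.
FIELD_CHECK = [
    {"asset_tag": "AT-0001", "model": "payment-only tablet", "serial": "DMPX1A2B3C",
     "firmware": "17.5", "location": "Athletics ticket booth"},
    {"asset_tag": "AT-0002", "model": "P2PE card reader", "serial": "RDR-55899",
     "firmware": "2.1.0", "location": "Athletics ticket booth"},
    {"asset_tag": "AT-0004", "model": "P2PE card reader", "serial": "RDR-60001",
     "firmware": "2.1.0", "location": "Performing Arts lobby"},
]


def reconcile(inventory, observed):
    """Return (severity, code, asset_tag, detail) findings.

    HIGH findings indicate possible substitution, an unregistered device, or a
    device that could not be located (feed these to the theft/loss incident
    process). REVIEW findings are differences that may be legitimate (an
    applied update, a relocation) but must be verified and the register updated.
    """
    by_tag = {rec.asset_tag: rec for rec in inventory}
    findings = []
    seen = set()

    for obs in observed:
        rec = by_tag.get(obs["asset_tag"])
        if rec is None:
            findings.append(("HIGH", "UNKNOWN_DEVICE", obs["asset_tag"],
                             f"not in register; serial {obs['serial']} at {obs['location']}"))
            continue
        seen.add(rec.asset_tag)
        # A serial or model that no longer matches the tag is the substitution signal.
        if obs["serial"] != rec.serial:
            findings.append(("HIGH", "SERIAL_MISMATCH", rec.asset_tag,
                             f"register {rec.serial}, observed {obs['serial']}"))
        if obs["model"] != rec.model:
            findings.append(("HIGH", "MODEL_MISMATCH", rec.asset_tag,
                             f"register {rec.model}, observed {obs['model']}"))
        if obs["firmware"] != rec.firmware:
            findings.append(("REVIEW", "FIRMWARE_DRIFT", rec.asset_tag,
                             f"register {rec.firmware}, observed {obs['firmware']}"))
        if obs["location"] != rec.location:
            findings.append(("REVIEW", "LOCATION_CHANGE", rec.asset_tag,
                             f"register {rec.location}, observed {obs['location']}"))

    # Anything in the register that nobody could find is a potential loss or theft.
    for tag in sorted(by_tag.keys() - seen):
        findings.append(("HIGH", "MISSING_DEVICE", tag,
                         f"{by_tag[tag].model} {by_tag[tag].serial} not located"))

    return sorted(findings)


def high_findings(findings):
    """Subset that should open an incident under the loss/theft process."""
    return [f for f in findings if f[0] == "HIGH"]


if __name__ == "__main__":
    for severity, code, tag, detail in reconcile(INVENTORY, FIELD_CHECK):
        print(f"{severity:6} {code:16} {tag}: {detail}")
```

Running the check against the constructed data flags AT-0002 for a serial mismatch, AT-0004 as an unregistered device, AT-0003 as missing, and AT-0001 for firmware drift; only the first three would open an incident, while the firmware difference goes to whoever applied the update so the register can be corrected. Running the same routine after every event where the devices leave the office is what turns the "keep an accurate inventory" bullet into something you can actually evidence.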
As you have more and more merchant areas requesting mobile solutions, it can be to your benefit to have approved solutions and payment processes already defined. List the solutions that they are allowed to utilize at your organization and have the configuration requirements specified.
Don’t hesitate to reach out to us if you would like to discuss possible mobile solutions for your organization and how to increase convenience while maintaining compliance.
Some additional guidance from our Security Advisor team below:
[Burt]: For higher education, the ability to accept payment cards in a mobile fashion does not just have obvious benefits, it either is or soon will be a demand or standard practice. Universities and Colleges by design have numerous departments and merchants that want and need the flexibility to be located in more than one place (e.g. Athletics, Foundation, Performing Arts, etc.). The best practices mentioned above are great guidance if an institution decides to accept mobile payments utilizing their own equipment. However, based on my experience, there are a few other things to consider.
First, when shopping around for solutions that will satisfy PCI compliance requirements as well as business needs, keep the words point-to-point encryption (P2PE) in the back of your mind. By this I mean, be cautious of third-party solutions being sold as “fully PCI compliant” because they utilize P2PE. Using a mobile solution with P2PE is a great method for keeping the customer cardholder data secure; however, just attaching said solution or device to your equipment does not make the institution PCI compliant. This is probably one of the biggest misunderstandings that I see when performing reviews. Unfortunately, the crafty advertising and marketing of products/solutions as being PCI compliant doesn’t just apply to mobile avenues (e.g. this could be an entire POS system).
Second, feel free to take advantage of PCI-listed P2PE mobile solutions that are available. A true PCI-listed solution can assist in reducing or eliminating the scope (concern) of hardening organization-owned devices and systems involved with the payment card process. Admittedly, the options for a “dongle-type” solution are currently limited. However, there are a few PCI-listed P2PE solution vendors that have mobile options. As the need continues to grow and technology continues to advance, we feel confident that more options will become available.
Lastly, keep in mind that no matter what mobile solution is chosen, the ultimate responsibility of PCI compliance still falls on the organization providing the ability for customers to make payment card transactions. There is no “silver bullet” that eliminates the need to satisfy PCI requirements and attest compliance. Even utilizing a PCI-listed P2PE solution still requires the organization to adhere to certain requirements and attest compliance to their acquiring bank.