With a proliferation of newcomers to the market, merchants need to be aware of potential mobile payments security problems. The PCI Security Standards Council recently released new standards for developers as well as guidelines for merchants. One important aspect to ask questions about is ‘store and forward’.
If the mobile application enables you to accept credit cards when you cannot connect to the internet, clearly the card data resides on the device, which creates a potential security risk. This issue is addressed in a new Best Practice for Mobile Payments Developers released by the PCI Security Standards Council. Who can access the card information while it is pending presentment to your processor for an authorization? In what format does that data reside? If the user cannot access it, could malware on the device access the data?
Editor’s note: Our CenPOS iPad mobile app does not support storing card data on the device and forwarding it for presentment later. Merchants must have access to an internet connection. There are multiple options should you need to store payment data while you have that live connection:
- Zero dollar auth: validate the card only, and store data for later billing.
- Auth: get an authorization for a specific sale, but don’t charge yet; store data for later billing.
- Repeat sale: process the transaction now, and store payment information for future billing.
In each case above, the credit card information is encrypted and replaced by a random alpha-numeric string, or ‘token’. The encrypted payment information can never be seen again.
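To make the tokenization point concrete, here is an added example (not CenPOS code, and not from the PCI guidance) of a minimal processor-side token vault and the record a merchant would keep after a zero-dollar auth, an auth, or a repeat sale. The `TokenVault`, `merchant_record` and `contains_pan` names are hypothetical, the card number is a constructed test value, and the HMAC counter-mode keystream stands in for the vetted cipher a real vault would use. The check at the end is the one a merchant assessor wants: the record that would sit on the device or in the merchant database contains the token and the last four digits, never the full PAN.

```python
import hashlib
import hmac
import json
import secrets
import string

# Constructed sample card data: a widely published test number, not a real account.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EXPIRY = "12/29"

TOKEN_ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 24


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a demonstration keystream.
    Hypothetical construction for this example; a production vault would use a
    vetted AEAD cipher such as AES-GCM from a cryptography library."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


class TokenVault:
    """Processor-side vault (hypothetical): the only place where the encryption
    key and the token -> ciphertext mapping exist. The merchant never holds it."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self._store: dict[str, tuple[bytes, bytes]] = {}

    def tokenize(self, pan: str) -> str:
        # The token comes from a CSPRNG, so it carries no information about the PAN
        # and cannot be reversed without this vault's mapping.
        token = "".join(secrets.choice(TOKEN_ALPHABET) for _ in range(TOKEN_LENGTH))
        nonce = secrets.token_bytes(16)
        ks = _keystream(self._key, nonce, len(pan))
        ciphertext = bytes(a ^ b for a, b in zip(pan.encode(), ks))
        self._store[token] = (nonce, ciphertext)
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor can map a token back to the PAN, at charge time."""
        nonce, ciphertext = self._store[token]
        ks = _keystream(self._key, nonce, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks)).decode()

    def stored_ciphertext(self, token: str) -> bytes:
        return self._store[token][1]


def merchant_record(vault: TokenVault, pan: str, expiry: str, purpose: str) -> dict:
    """What the merchant keeps for later billing: token plus display data.
    purpose is one of 'zero_dollar_auth', 'auth' or 'repeat_sale'."""
    return {
        "token": vault.tokenize(pan),
        "last4": pan[-4:],
        "expiry": expiry,
        "purpose": purpose,
    }


def contains_pan(record: dict, pan: str) -> bool:
    """Scan a record as it would be serialised to disk for the full card number."""
    return pan in json.dumps(record)


if __name__ == "__main__":
    vault = TokenVault()
    record = merchant_record(vault, SAMPLE_PAN, SAMPLE_EXPIRY, "repeat_sale")
    print("merchant record:", record)
    print("record exposes PAN:", contains_pan(record, SAMPLE_PAN))
    print("processor detokenizes to:", vault.detokenize(record["token"]))
```

Two properties matter here. The token is random rather than derived from the card number, so two tokenizations of the same card yield unrelated tokens and a stolen token table reveals nothing. And the only copy of the key lives in the vault, which is exactly what a store-and-forward design on the device cannot offer, because the device has to hold whatever it will later forward.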
Accepting Mobile Payments with a Smartphone or Tablet (PDF download from PCI Security Standards Council)