What You Need to Know About the Risks of Mobile Payment Apps
The first way to answer this question is with another question: How badly do you need to use a mobile phone point-of-sale app right now?
Most of the mobile POS apps released by companies like VeriFone, Square and others in the last 18 months employ a card swiper accessory that connects to a smartphone, though some may require a merchant to input customer credit card information using the phone keypad. The potential benefits: You unchain yourself from the cash register and the equipment and connectivity costs associated with a fixed, dedicated POS solution.
But Gary Glover, director of security assessment at auditing firm SecurityMetrics, says that for now, the apps carry risks for small-business adopters.
The new mobile apps should not be confused with other wireless POS systems, Glover says. These older systems--the kind that allow you to pay at the table at a restaurant--transmit credit card info over a dedicated Wi-Fi connection and do not have general internet access or share their connections with other devices. Mobile POS apps, by contrast, can be downloaded to any smartphone, where they run on the same OS as other apps, without firewall protection, on a device that's always connected to the internet.
"The back end [the swiper] may be secure, but it's the phone part of the app I'm not so sure about," Glover says. Adding to the uncertainty, the PCI Security Standards Council suspended its certification of mobile POS apps last November to further study them and ensure enough security protections exist.
"Until I know what controls are in place, I don't know if I want to use an app from an unknown--though maybe from someone like VeriFone that is established," Glover says.
If your business depends on using mobile POS right now, Glover advises the following:
- Stick with experienced POS vendors with trustworthy reputations.
- Stay tuned to what the PCI council does to develop a vetting process, and do your own due diligence to evaluate apps.
- Consider putting the app on a controlled set of phones--don't just allow your employees to use it on their personal phones.
- If you're operating a storefront business, you may want to stay with a private, dedicated Wi-Fi POS device for now.
Mobile phone POS apps should not be dismissed, Glover says, and could in fact trigger a major shift in how merchants get paid. In particular, the app from Square (a company co-founded by Twitter co-founder Jack Dorsey) could shake up traditional payment processing because, like PayPal, it can turn anyone into a payment-processing merchant.
"It's a brilliant, revolutionary idea," Glover says. "In the long run this is the way the world is going."