How to Protect Customer Data When Using Credit-Card Plug-ins for Smartphones
Q: Are those credit card plug-ins for smartphones really PCI compliant?
A: First, a primer on Payment Card Industry (PCI) noncompliance. If you fail to protect customers' credit card data, your business could face hefty--even crippling--penalties and fines from payment processors, and could lose the ability to accept cards altogether. (Then there's the prospect of facing angry customers demanding to know how fraudulent charges ended up on their credit card statements.)
If you think your small operation is too insignificant to bother, think again. According to the PCI Security Standards Council, 80 percent of all credit card security breaches in the U.S. since 2005 have been attributed to small businesses. (For more info, go to PCISecurityStandards.org.)
With usage of mobile payments skyrocketing each quarter, understanding and maintaining PCI compliance is vital to protecting your business. As for the security of the hardware attachments (dongles) and software that can turn a smartphone or iPad into a credit card reader, you can breathe easy if you follow PCI rules and common sense, according to Rajat Bhargava, chairman and CEO of StillSecure, a Colorado-based security provider and PCI-compliance expert. Here's what he suggests.
- Separate online credit card processing from your business's main network, ideally with a dedicated computer, smartphone or tablet with its own internet connection. This will reduce the chances of infection from malware downloaded from an e-mail, website or app. Testing Square's card-processing app on your nephew's iPhone? That's a no-no.
- Limit control over access to those employees who actually take credit card information. Data access and monitoring should be limited to you or your controller.
- Monitor your account regularly--daily is best. You'll quickly spot any security breach or theft. If you find a breach, have a plan in place and follow it. This will help you validate your compliance measures and could reduce or negate your responsibility for fraud.
- Secure the device being used to process credit cards 24/7--both physically and through regularly updated network security apps. Start thinking of your smartphone or iPad as a portable cash register full of money. The last thing you want to do is lose it.