Are Your Customers Safe When They Use Your Mobile Card Reader?


Online shops and mobile payment systems are now a huge target for cyber criminals. You hear a lot about the big companies being infiltrated, but the truth is smaller, more vulnerable eCommerce websites are being exploited more often.

“Malware in the retail IT systems, especially the traditional POS (Point of Sale), has resulted in major costly breaches worldwide,” says Mark Bower, VP at Voltage Security, as reported by Point of Sale. Malware isn’t just a concern for personal computers; it is a concern for merchants as well. If your computer is infected with software that records every keystroke, then the attackers have all your passwords: for your bank, your email, and your eCommerce software or website.

If you use a mobile payment process in your shop (a card reader plugged into your phone or iPad), those devices can be infected as well, and such infections are harder to notice. One study, the 2013 Trustwave Global Security Report, indicates that it took businesses 210 days, on average, to notice they had been hacked. The report goes on to say that mobile malware increased 400 percent that year, with malware found on more than 200,000 Android devices.

The Trustwave report studied 450 data breach investigations and found that 48 percent of those breaches were eCommerce sites. “There is no ‘if’ you will be attacked, only ‘when’ which is why it is crucial for organizations to follow security best practices and recommendations,” Chris Christiansen, Program Vice President at International Data Corporation, commented to Trustwave.

So how are you supposed to make sure your customers’ money isn’t siphoned out of their bank accounts because they shopped at your store?

Security Standards That Will Reinforce Your Customers’ Faith in You

The Payment Card Industry Security Standards Council (PCI SSC) developed the Payment Card Industry Data Security Standard (PCI DSS) to protect cardholder data. To put it simply, you want to be “PCI compliant.”

There are 12 requirements that any store or business must meet in order to be PCI compliant. These requirements take into account your entire payment process – from your mobile card reader to the method used to deposit money into your bank. The PCI DSS requires all businesses to make sure every form of record keeping and transaction processing is airtight. How you store and protect receipts or printed records is covered as well.

This is starting to sound complex, isn’t it? Don’t worry. There are three steps to make sure you are doing it right, followed by some reassuring news for eCommerce sites. The PCI SSC outlines these three steps to help you maintain your customers’ trust:

  • Step 1: Assess
    • Take a step back and honestly evaluate your entire payment process. Data flows like a stream, from one point to the next. What does your customers’ data stream look like? Note any gaps or weak spots where customer data is at risk. Think about which devices have access to your sensitive systems: PCs, laptops, and phones. How is the data being stored? Are your paper records safe? The PCI SSC website has a Self-Assessment Questionnaire to guide you through a thorough assessment, or you can hire a Qualified Security Assessor (QSA) to do the work for you. A list of QSAs can be found on the PCI SSC website as well.
  • Step 2: Remediate
    • Now fill in the gaps and strengthen your weak spots. Fix any vulnerability identified in the assessment. This can mean applying software patches or updates. It could also mean changing the flow of your customers’ data by eliminating the use of laptops, or adding a more secure storage device. Any investment in fixing your data flow is an investment in your customers’ trust.
  • Step 3: Report
    • Every three months a report must be filed with the bank and payment brands you do business with. The assessment in step 1 needs to be repeated every year. As long as your assessments and reports are up to date, you are PCI compliant.

Relieving News for Mobile eCommerce Businesses

Most hosted eCommerce platforms, such as Shopify, are PCI compliant. An easy way to tell whether your POS and card reader equipment is secure is to look for Point to Point Encryption (P2PE). This encryption seals your customer’s data the instant their credit or debit card is swiped. As the information travels from the reader to your mobile device, over the Internet to your payment processor, and on to your bank, it looks like a random jumble of letters and numbers. Only the companies entrusted with the decryption keys can process the payment. This way, if malware does infiltrate your system, the attackers would also need the decryption key; otherwise all they have access to is a list of random numbers and letters. To find out more, read the “Accepting Mobile Payments with a Smartphone or Tablet” guide offered on the PCI SSC website.

Even though you are doing business in a highly targeted industry, you are also extremely well protected, especially if you use a third-party application to host your store and website. It is in their best interest to keep you and your customers safe, and it saves you from spending major dollars to become PCI compliant. You can focus on keeping your customers happy, and your customers can feel safe doing business with you.