There has been much talk in the media about Mobile Point of Sale on smartphones and tablet computers running Apple (iOS), Google (Android), and recently Microsoft (Windows 8). At the same time there is little or no mention of PCI requirements or of how credit card acceptance is secured on a consumer grade mobile device.
The PCI Security Standards Council (PCI-SSC) recommends using a validated Point-to-Point Encryption (P2PE) solution to help you meet your responsibilities under PCI-DSS. However, as of this writing there are no validated P2PE devices or software vendors listed on the PCI-SSC website. Nor is there any indication that using a P2PE solution actually reduces the PCI security requirements for the mobile device, or exempts the payment application from Payment Application Data Security Standard (PA-DSS) certification. PA-DSS certification is not possible for consumer grade mobile devices because PCI-SSC has yet to define how to certify a payment application on one of these devices. The only certification to date applies to devices dedicated exclusively to credit processing and/or Point of Sale.
Until the PCI-SSC defines how to secure the payment application under PA-DSS and the mobile device under PCI-DSS, accepting credit cards for payment on a consumer grade device (any non-dedicated mobile device, such as a personal iPhone or Android) may put a merchant in an untenable situation if they become involved in a card breach investigation. The merchant’s financial and legal liabilities could be significant.
The expectation is that in the near future PCI-SSC will come up with standards for both PCI-DSS and PA-DSS validation of consumer grade mobile devices. We can’t fault PCI-SSC for being cautious; by their nature, standards bodies will always trail technological developments. Just because a solution isn’t (yet) certified doesn’t mean it isn’t secure or a good approach. Of course, without an independent security assessment we can only rely on the vendor’s claims. This requires a serious discussion with the vendor to understand the security risks and benefits of their product before accepting it into the payment process.
There is the prospect of a better solution for credit card acceptance on a mobile device: a payment process in which the cardholder information is never present on the POS, while the direct link between the POS transaction and the authorization of the payment is retained. These solutions include Google Wallet, Isis, PayPal, and other electronic wallets connected to the consumer’s smartphone. This could leave the merchant and the POS software used to accept credit card payments with little or no security responsibility, which will allow everyone to breathe easier. Until then, don’t be the low-hanging fruit.
Tim Smyth says
Certainly processing credit cards on employee phones is a risky proposition, and the investment required for wireless devices that must be dedicated to Point of Sale seems too high a price for the benefits. It seems to me that the appeal of a mobile POS solution is to utilize technology that everyone already has. While I am sure this technology is coming, security must come first for all retailers. I’d rather wait until the costs and risks both come down – as they always do. It will be fun to participate as this technology develops.