Mobile payments are a secure and convenient alternative to traditional credit or debit card payments. However, as evidenced by recent findings, this relatively new technology has its security and privacy issues, and compliance standards that must be followed. It is commonly employed in two broad implementations: in one case, the buyer uses his or her phone with specialized software to authorize the operation. In the other, the payer uses his or her card with a magnetic stripe reader connected to the provider’s phone.
In the first scenario, customers use digital wallet software such as Apple Pay or Google Pay. This type of software allows them to store their credit or debit card details on the phone. However, rather than directly storing the data, the software requests a token from the issuing bank (Google Support, n. d.). When making a payment, the user taps his or her phone to the provider’s terminal, which uses a technology called near field communication (NFC) to exchange data (Square, 2017).
Specifically, the client’s phone provides the card’s token and a one-time code for the purchase in encrypted form (Google Support, n. d.). At that point, the customer’s and the provider’s banks process the payment as normal. This approach makes the technique as secure as using a regular chip-based card, as no card details are exchanged.
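As an added illustration of the tokenized flow described above (example code written for this page, not code from Google, Apple or any wallet provider), the toy model below assumes a simplified scheme: the issuer-side token vault maps a token to the real card number and a shared key, and the wallet sends the token plus an HMAC-based one-time code over the transaction details and a counter. The class and function names and the HMAC construction are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets


def compute_cryptogram(key, token, amount_cents, merchant_id, ctr):
    # One-time code bound to this exact purchase (hypothetical construction).
    msg = f"{token}|{amount_cents}|{merchant_id}|{ctr}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class TokenServiceProvider:
    """Issuer-side token vault (constructed model, not a real TSP API)."""

    def __init__(self):
        self._vault = {}  # token -> {"pan": ..., "key": ..., "last_ctr": ...}

    def provision(self, pan):
        token = "tok_" + secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._vault[token] = {"pan": pan, "key": key, "last_ctr": 0}
        return token, key  # key goes to the wallet; the PAN stays in the vault

    def authorize(self, token, amount_cents, merchant_id, ctr, cryptogram):
        entry = self._vault.get(token)
        if entry is None:
            return False, "unknown token"
        if ctr <= entry["last_ctr"]:
            return False, "replay"  # counter already used: a captured tap cannot be reused
        expected = compute_cryptogram(entry["key"], token, amount_cents, merchant_id, ctr)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad cryptogram"  # details altered or key unknown
        entry["last_ctr"] = ctr
        return True, "approved"


class Wallet:
    """Phone-side wallet holding only the token and the per-card key."""

    def __init__(self, token, key):
        self.token, self._key, self._ctr = token, key, 0

    def tap(self, amount_cents, merchant_id):
        self._ctr += 1  # fresh counter for every purchase
        code = compute_cryptogram(self._key, self.token, amount_cents, merchant_id, self._ctr)
        return {"token": self.token, "amount": amount_cents,
                "merchant": merchant_id, "ctr": self._ctr, "cryptogram": code}


def demo():
    tsp = TokenServiceProvider()
    token, key = tsp.provision("4111111111111111")  # constructed sample PAN
    msg = Wallet(token, key).tap(1999, "MERCHANT-1")
    pan_exposed = "4111" in str(msg)  # the terminal never sees card details
    tampered = tsp.authorize(msg["token"], 100, msg["merchant"], msg["ctr"], msg["cryptogram"])
    genuine = tsp.authorize(msg["token"], msg["amount"], msg["merchant"], msg["ctr"], msg["cryptogram"])
    replayed = tsp.authorize(msg["token"], msg["amount"], msg["merchant"], msg["ctr"], msg["cryptogram"])
    return pan_exposed, tampered, genuine, replayed
```

Running `demo()` shows the terminal message carries no card number, an altered amount is rejected, the genuine tap is approved once, and a verbatim copy of that tap is refused as a replay.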
The second scenario uses a card reader device attached to the provider’s smartphone. This device utilizes the same technology as a regular point-of-sale (POS) reader, using the phone to transmit transaction data. Such readers can work with traditional magstripe cards or modern contactless solutions like EMV cards and digital wallets (Square, n. d.). If used correctly, mobile POS is secure; however, it presents multiple opportunities for attack. Especially where magnetic stripe operations are concerned, the stripe data can be copied (Osborne, 2018). Furthermore, using Bluetooth for communication between the card reader and the phone presents additional vulnerabilities (Osborne, 2018). Thus, independent providers using mPOS solutions can present serious issues for PCI-DSS compliance.
Although the majority of use cases for cashless payment and mPOS solutions do not transfer credit card details directly, they can still present privacy and security issues. Notably, losing one’s phone can allow others to make purchases without the card holder’s consent even if security measures such as biometric identification are used (Porche, 2017). Similarly, a lost phone with a mobile POS solution can enable someone to impersonate the provider and fraudulently charge customers. Furthermore, entering one’s personal data to add a card to a digital wallet over an unsecured or compromised Wi-Fi network can allow an attacker to intercept that data (Porche, 2017).
Another avenue for attack is malware, which can infect a provider’s phone; since the magnetic stripe data of a given card does not change, intercepting it from a mobile card reader is tantamount to copying the card. Related to malware, digital wallet software itself can be counterfeited, presented as the genuine app but transmitting any personal and credit or debit card data to the attacker (Shastri, 2019). Most of these concerns are outside of our company’s control.
In terms of PCI-DSS compliance, the present situation raises certain concerns. As mobile POS operations are carried out by authorized but independent providers, it is impossible to control their behavior. Therefore, oversight of their malware protection or their compliance with information security policies, both of which PCI-DSS requires, is impossible (PCI Security Standards Council, 2018). Ultimately, allowing independent guest services to operate without oversight or additional authorization and verification is a detriment to PCI-DSS compliance.
References
Google Support (n. d.). How payments work. Google Pay merchants help. Web.
Osborne, C. (2018). PayPal, Square vulnerabilities impact mobile point-of-sale machines. Zdnet. Web.
PCI Security Standards Council (2018). PCI DSS Quick Reference Guide. Web.
Porche, B. (2017). 3 major mobile payment security risks, and how to avoid them. Creditcards. Web.
Shastri, S. (2019). 5 mobile payment security concerns to consider. PaymentsJournal. Web.
Square (2017). What are mobile payments? And how to use them. Web.
Square (n. d.). Square Reader for contactless and chip. Web.