Lock it up: 5 ways to protect customers using mobile payments
By Kristen Gramigna, Chief Marketing Officer, BluePay
There are plenty of cost-efficient mobile payment processors designed to fit the budget needs of small businesses, but assuring customers that their sensitive data is secure with your business is just as important as the convenience factor mobile payments offer. Here’s a quick checklist to help determine if your mobile payment transactions are truly secure:
Confirm that your mobile payment provider guarantees PCI compliance. Payment Card Industry Data Security Standards (often referred to as PCI Compliance) govern the level of security that companies accepting sensitive customer payment data should follow when accepting, transmitting, processing and storing such information. Though PCI compliance standards aren’t technically “law,” any merchant who accepts customer credit card payments in a manner that isn’t PCI compliant, either directly or by way of third-party merchants, could be found liable and subject to significant fines and potential lawsuits should a data breach occur. Though mobile devices have become as common in business as a desktop computer (and often, more cost-effective), remember that they are not inherently designed to securely process and store customer data. Ensure that your mobile payment processor guarantees PCI compliance, including data encryption throughout the transaction, and that anyone in your company who processes mobile payments uses the secure tools the provider supplies, including “dongles” (that plug into the jack of a smartphone or tablet) for “swipe” card transactions. If your business processes include manually entering customers’ card information into a payment processor’s mobile app, ensure the app is downloaded specifically from the provider’s secure site, versus an “app store,” where identity thieves may post convincing imposters.
Be aware of how you manage receipts. PCI standards mandate that any business keeping paper records of receipts follow certain storage and security standards. Most mobile payment providers equip a business to provide the customer with an electronic receipt delivered from the secure mobile payment processor by way of text message with a link, or email. Delivering receipts via these methods can ensure that your business isn’t tasked with handling hard copies of sensitive customer data that could increase risk of a breach.
Know who has access to your data. Though online hackers are certainly a threat to be mindful of, many breaches begin with a physical intrusion, including stolen credentials and similar imposter devices (like stickers) placed on a point of sale terminal by a person posing as a customer, or a vendor. For example, in the case of the Target data breach, one of the largest in history, the source of the attack is thought to have originated with a fraudulent HVAC vendor, as reported by Krebs on Security. PCI compliance standards recommend that merchants conduct a vulnerability scan of their networks, hardware and mobile devices every three months. Further, experts at ControlScan recommend that all small businesses maintain written agreements about how data is accessed, shared and recorded with anyone who has been given credentials to log in to business systems, including direct employees, accountants, contractors, vendors and business partners.
Educate your staff about Wi-Fi security. It’s critical that mobile payment transactions are processed on a secure and private Wi-Fi connection, particularly if your business accepts mobile payments to transact in remote locations, like special events, festivals and trade shows. Many mobile payment providers include features that equip merchants to transact in “offline” mode when private connections are not available. This ensures customer payment information is held encrypted and in queue until it can be processed securely. Though public Wi-Fi “hot spots” may seem like a convenient means of accepting mobile payments quickly, they’re easily compromised by hackers.
Avoid handling sensitive data whenever possible. Display the logo of the mobile payment provider your business uses so that customers are empowered to transact independently when appropriate. As mobile payments become increasingly popular, customers may have established accounts with the same mobile payment provider you rely on to transact. In such cases, customers can pay your business by logging in to the secure payment portal, using their own set of secure credentials. The less you handle sensitive customer information directly, the less risk you assume as a business.
Kristen Gramigna is Chief Marketing Officer for BluePay, a credit card processing firm that provides services to restaurants, among other types of small businesses. She has more than 20 years of experience in the bankcard industry in direct sales, sales management and marketing.