Just How Secure Is mPOS Equipment, Anyway?
We live, unfortunately, in the age of the data breach.
Target. Home Depot. Sony. The IRS. ADP. Noodles & Co. Wendy’s. Yahoo.
Over the past few years, all of these companies (and many, many others) have been hit with some sort of data breach that has compromised personalized data ranging from social security numbers and W2 information to credit card numbers. The tactics used vary — from online hacks to malware installed in POS systems or equipment — but in all cases, unscrupulous criminals are looking for any opportunity to snag data that can be used to commit fraud or sold to someone else.
Most people understand that their data is a target — and that swiping a card at a terminal or ATM carries an inherent risk. With consumer concerns about the safety of their information (and payment methods) at an all-time high, merchants definitely need to take a moment and ask themselves, “Is my credit card processing setup secure?”
That includes merchants who are using an mPOS app such as Square or PayPal Here. mPOS providers are increasingly popular — so much that Juniper Research predicts they will account for more than 20% of all retail POS transactions by 2021, up from just 4% in 2016. They’re not as robust as a full-fledged POS in most cases, but they can do a lot.
There are some advantages to using mPOS options versus traditional merchant accounts and terminal setups: consistent transaction rates (especially if you currently have or have ever been trapped in a qualified/tiered pricing plan), often-seamless omni-channel commerce, and affordable hardware, for starters.
In some ways, mPOS has a leg up in terms of security. It’ll cost you less, at the very least.
So what exactly are the biggest threats to mPOS security? What security measures do the leading mPOS apps provide, and how can you protect yourself? All great questions, so without further ado, let’s take a look.
A Quick Primer on Payment Security
Let me get one important, and slightly upsetting, fact out of the way: No system, no piece of technology is totally impervious to an attack or breach. But you can minimize your risk by keeping yourself informed and being diligent.
Any business that processes credit cards needs to be PCI-DSS compliant. (That stands for Payment Card Industry Data Security Standard.) PCI-DSS is a universal set of practices for protecting cardholder data.
Having a merchant account doesn’t automatically mean you’re PCI compliant — especially if you use a virtual terminal or have a hosted payment page. Depending on your setup, additional measures may be required. And even if not, some merchant account issuers will charge you a monthly or annual fee for PCI compliance.
How Do Card Processors Secure Transactions?
Right now, there are 3 primary security features used in processing card payments: (1) encryption, (2) tokenization, and (3) dynamic authentication/EMV. While you’ll see those terms slung about a lot (often together), they aren’t the same:
Encryption: Credit card data must be sent from a merchant’s terminal, over a network, to the banks, and then back to the terminal. The same way you wouldn’t want to log into your private accounts on a public Wi-Fi network, you don’t want to send credit card data over the network without any protection.
Enter encryption. An algorithm encodes the data using a special key, and to make any sense of the data, you need to have access to that key. Only once the information is encrypted is it sent onto the banks. Even if it’s intercepted, without that cypher key, the data is useless.
At this point, encryption is (nearly) universal. (If you know for certain that you don’t have a terminal capable of encryption, it’s time to go shopping!) Credit card processing equipment typically relies on end-to-end (E2E) encryption, meaning the data itself is encoded, and not just protected by a layer of encrypted code (as is common in eCommerce). A subset of E2E encryption is point-to-point (P2P) encryption, which works slightly differently but still has the same overall effect.
Tokenization: Tokenization really came into popularity with the rise of mobile payments such as Apple Pay, but it’s also used for eCommerce. This technology ensures that the merchant never actually has access to a card or bank account number. Instead, the merchant receives a token — a string of randomly generated numbers that stand in as a substitute for the account number. The actual data is stored elsewhere in a secure vault.
Tokenization is a powerful way to reduce a merchant’s risk and protect consumer data — because even if there is a breach at a merchant location, the information obtained is useless.
EMV: Here’s a fun fact: the black magnetic stripes on the back of credit cards are, more or less, the same technology that enables cassette tapes. While it’s perfectly functional, it’s also decades out of date.
That’s a major reason why EMV (the “chip” card) is replacing magstripe technology. EMV is the MP3 to magstripe tech’s cassette tape. It’s far more advanced — and like the MP3, everyone else around the world is already on board with the technology.
EMV uses a microchip rather than the magstripe. It contains a lot more information and the checks the chip can run (ensuring the card is real and valid) are far more advanced. EMV is not the same as encryption or tokenization, but it is complementary to them.
Together, experts agree that these three technologies are our best shot to protect consumer data in the payment space. However, adoption of this trifecta is far from universal.
How Can a mPOS System or Piece of Hardware be Compromised?
If you really want to know more about all the ways that payment systems can be compromised, the PCI Security Standards Council has a useful handout. It’s worth pointing out that it dates to 2014, but the council hasn’t put out anything more recent, and since magstripe technology isn’t exactly evolving, the core information is still relevant. Second, it mostly applies to traditional terminals and POS systems, not mPOS. However, it does have a lot of information and visuals, and has a lot of good advice for how merchants can improve their security and protect themselves.
Now, if you want to know about mPOS security and don’t mind asking Google the kind of questions that might raise a few eyebrows (which is one of my favorite things to do), you can find some interesting information.
The biggest threat to mPOS is a lack of encryption. No encryption means the data can be read by other mobile apps. That data can then be saved and reused later to process larger transactions without the customer’s knowledge, which is essentially a crude form of skimming.
Square had this problem when it first launched its mobile credit card reader. The device didn’t perform any sort of encryption initially, meaning the scammers found ways to exploit the data. It wasn’t until PayPal announced its own device back in 2012, one that had built-in encryption, that Square felt compelled to make a change to its own hardware.
That wasn’t the last time Square got in trouble, either… Researchers in 2015 found a couple more exploits: 1) that old, unencrypted card readers could still work with the (at the time) most recent version of the Square app, and 2) the encryption on the current reader could be bypassed by breaking open the case, thus turning the reader into a skimmer. The first issue has since been addressed. And Square claims that damaged readers — or those whose encryption is broken — do not work with Square’s app.
Intuit seems to have had the same problems with encryption that Square had initially. However, they also appear to have been rectified. PayPal Here has used encryption since day 1, and while a couple of exploits of PayPal’s security system have been exposed, neither relates to or affects PayPal Here in any way. There’s also no indication that Spark Pay by Capital One has had any sort of breach or security issue.
That said, Square’s confirmed that its devices won’t work with the app if you break the encryption. And PayPal’s readers have the same feature. This shouldn’t be surprising to you — mPOS companies don’t want people cracking open their hardware and playing with it.
The second issue: The smartphones and tablets running the apps are inherently vulnerable. Any device could be compromised — some are just bigger targets than others. Malware for phones is a thing (just go look up HummingBad), and malware can do anything from hijacking your phone to mining it for sensitive data. You should exercise caution when clicking links or downloading apps to your phone or tablet.
Third: Credit card fraud isn’t just about stealing card numbers. Once a card has been compromised, the parties behind it are going to be looking for a way to spend the funds they now have access to. Accidentally swiping a cloned or stolen card potentially leaves you, the merchant, on the hook, and that’s a dangerous spot to be.
Mobile POS App/Hardware Security Features
Now that we’ve got that out of the way…just what are the leading mPOS providers doing for security? I took a look at 4 major mPOS players — Square, PayPal Here, Intuit/QuickBooks GoPayment, and Spark Pay — and compared them. Specifically, I looked at both the security measures used in the entire payments process and the security of the hardware itself.
There was a pretty clear common thread:
All four companies are PCI-DSS compliant.
That means you don’t have to do anything to make yourself compliant. You also don’t have to pay for PCI certification or compliance fees, which are fairly common for holders of traditional merchant accounts. There are no pesky self-assessments involved, either.
Part of the reason for that is all four companies encrypt their transactions. This shouldn’t surprise you — I did say encryption was nearly universal. With it, merchants are never actually handling or storing the credit card data, which is part of why these mPOS apps can give you PCI compliance without you ever having to lift a finger.
The only noteworthy difference in security is that Square tokenizes data when it reaches the servers, which is not something the other mobile providers offer (or at least, not something they disclose).
So What Can You Do to Protect Yourself and Your Business?
mPOS apps aren’t invulnerable to data breaches. As Square has shown, it’s had vulnerabilities in the past — it’s not hard to imagine someone will find another way eventually. Unfortunately, it’s just an effect of the times we live in.
That’s not to say you should be feeling all “doom and gloom” about the security of your chosen mPOS providers! Mobile providers are now taking all the right measures to ensure their transactions are secure, complying with the strictest industry standards.
They also work hard to put as little of the burden on you as possible! But if you want to ensure your payment processing is as secure as it can be, here are some things to keep in mind:
Upgrade to EMV. No seriously. I really mean it this time. If you haven’t yet, get yourself an EMV reader. You might not be in a high-risk business for card fraud, but that doesn’t mean you’re immune to risk altogether. (If you’re using Spark Pay and don’t have the terminal, Capital One should have you covered for liability until they release an EMV reader.) While you’re at it, it wouldn’t hurt to get a reader that supports NFC so you can accept mobile payments. (You can check out an in-depth comparison of mobile hardware options right here.)
Swipe or dip transactions wherever possible. Keyed transactions cost you more, for starters, because they’re processed as Card not Present. There’s an inherently higher risk of fraud or chargebacks. (For example, a card could be damaged specifically to encourage manual entry for the purpose of filing a chargeback later.) It’s a small risk for most merchants, but a good practice nonetheless.
Check IDs on high-value transactions and get signatures on transactions. This is pretty basic, but it’s a good reminder that little things like this do matter. Most of the time, signatures will be required for transactions over $25, but you can typically disable this feature for small transactions if you want. It’ll make the transaction faster, but take away some of the security.
Update Passwords and User Accounts: You still change your passwords regularly, right? While you’re at it, don’t forget to remove user accounts when you have staff turnover. While someone can’t access credit card data just by logging into your dashboard, there’s plenty of other damage that can be wrought.
Keep an eye on your hardware. While it’s (unfortunately) fairly easy to install a skimmer on a terminal, I’ve not seen any cases of skimmers being installed directly on an mPOS reader (yeah, that was one of those eyebrow-raising questions). The devices are usually tinkered with directly. But that doesn’t mean someone couldn’t switch your reader out for another one if you put it somewhere easy to access. So keep your hardware somewhere secure when not in use and inspect it regularly.
Be smart about your phone or tablet. Again, this should be fairly obvious: Don’t click random links from your phone (especially not ones from suspicious messages). Make sure you download any apps (mPOS or otherwise) from your device’s default marketplace (that is, iTunes or Google Play). Check that the publisher is correct before you download an app and steer clear of anything that looks suspicious.