Mobile Card Readers Are Convenient, But Are They PCI Compliant?

Lately I’ve seen a lot of commercials for mobile card readers that allow merchants to process card payments from anywhere. With the increased use of smartphones and tablets, this may be the future for accepting payment for services, especially for small businesses. But as I sit and watch these commercials, I wonder: are these mobile card readers PCI compliant?

According to the PCI Security Standards Council, 80% of all security breaches occur within small businesses. These statistics show the importance of PCI compliance for small business owners, who are the most likely to use mobile card readers.

How do mobile card readers work?

Usually the mobile card reader plugs into the headphone jack of your mobile phone or tablet. You’ll need to download the payment processing app that goes along with the card reader. When you swipe a credit card, the reader sends the card data to the app, which acts as a network gateway to process the payment against your merchant bank account. The app is usually free and can have extra features such as the ability to print or email receipts.

What safety precautions do mobile card readers have?

There are many mobile card readers out there and it is important to know what safety precautions they have in place. Here are some things to consider.

Most mobile card readers claim that they provide encryption. That is good, but it is important to know where the encryption happens. If the encryption is done in software, the card data is usually sent from the reader to the app and only encrypted there. In order to be PCI compliant, the encryption needs to be “end to end,” which means it must happen in the reader itself, before the card data reaches the app. With encryption starting at the card reader, your device never “sees” the card information in the clear. Many card reader apps also use SSL certificates to protect the data while it is transferred over the network.

Another important point is that, in order to be PCI compliant, sensitive card information cannot be stored on your smartphone or tablet. In most cases, your mobile device acts only as a gateway between the card reader and the merchant account. One card reader company stated that if you were in an area with spotty Internet coverage, they would store the swiped information and send it later when the connection was better. That is a red flag. More research would be necessary to make sure that they hold to PCI standards.
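To make the difference between reader-side and app-side encryption concrete, here is an added example that is not part of the original post or any vendor’s software. It simulates a reader that either encrypts the swipe before handing it to the app or passes it through as cleartext, an app that (as many do) writes what it receives to a debug log, and a simple Luhn-based PAN detector of the kind a merchant or assessor can run over app logs and local storage to check whether card data is landing on the device. The key, nonce, track data and the HMAC-SHA256 counter-mode cipher are all constructed stand-ins for the reader’s hardware crypto, not a real reader’s design.

```python
import hashlib
import hmac
import re

# Constructed sample: the well-known Visa test PAN 4111 1111 1111 1111 (Luhn-valid)
# in track-2 form. It is a test number, not a real card.
SAMPLE_TRACK2 = "4111111111111111=2512101"

# Hypothetical reader/gateway shared key and per-swipe nonce. A real reader
# derives per-swipe keys in hardware; these constants only illustrate the flow.
READER_KEY = b"example-reader-key-not-for-production"
SWIPE_NONCE = b"swipe-0001"

# A 13-19 digit run not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Cleartext-PAN detector: Luhn-valid 13-19 digit runs found in text."""
    return [m for m in PAN_RE.findall(text) if luhn_ok(m)]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for the reader's hardware cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


class Reader:
    """The swipe hardware. With encrypt_in_reader=True it emits only ciphertext."""

    def __init__(self, encrypt_in_reader: bool):
        self.encrypt_in_reader = encrypt_in_reader

    def swipe(self, track2: str) -> bytes:
        raw = track2.encode()
        return xor_crypt(READER_KEY, SWIPE_NONCE, raw) if self.encrypt_in_reader else raw


class App:
    """The phone app: logs what it receives, and encrypts only if the reader did not."""

    def __init__(self, reader: Reader):
        self.reader = reader
        self.debug_log = []

    def process(self, track2: str) -> bytes:
        payload = self.reader.swipe(track2)
        # Logging the raw payload is exactly how cleartext PANs end up on the device.
        self.debug_log.append("received payload: " + payload.decode("latin-1"))
        if not self.reader.encrypt_in_reader:
            payload = xor_crypt(READER_KEY, SWIPE_NONCE, payload)  # app-side encryption
        return payload


def gateway_decrypt(payload: bytes) -> str:
    """The processor's side: it holds the key and recovers the track data."""
    return xor_crypt(READER_KEY, SWIPE_NONCE, payload).decode("latin-1")


def run(encrypt_in_reader: bool) -> dict:
    """Run one swipe and report what leaked into the app's log and whether the gateway still works."""
    app = App(Reader(encrypt_in_reader))
    to_gateway = app.process(SAMPLE_TRACK2)
    return {
        "pans_in_app_log": find_pans("\n".join(app.debug_log)),
        "gateway_recovers_track": gateway_decrypt(to_gateway) == SAMPLE_TRACK2,
    }


if __name__ == "__main__":
    print("app-side encryption:   ", run(False))
    print("reader-side encryption:", run(True))
```

In both configurations the gateway recovers the track data and the payment would succeed, which is why a vendor’s claim of “encryption” alone tells you nothing. Only with reader-side encryption does the PAN detector come back empty on the app’s log; with app-side encryption the cleartext PAN is on the device, and anything that captures the app’s memory, logs or a store-and-forward queue captures the card.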

Another aspect of PCI compliance is restricting access to a need-to-know basis. Most apps for mobile card readers are password-protected and require a PIN to open. Some log out after a period of inactivity and even provide a way to lock down or delete the account in case your device is lost or stolen. It is also important to know that the people running the app are following PCI standards as well.

Not being PCI compliant can have serious consequences, such as hefty fines and restrictions on accepting card payments. These complications could be devastating to small business owners, so PCI compliance must be a priority when accepting card payments, no matter the venue. As far as I could tell, most mobile card readers are working hard at providing physical and network security, secure apps, organizational security and third-party SSL certificates, all to support PCI compliance and keep sensitive payment card information safe. However, you should not take this at face value. It is extremely important to do your research before purchasing a mobile card reader, to ensure the vendor has the security measures in place to help you meet your PCI compliance goals.
