By Pascale Juan, I Love Velvet
As the payments industry moves at lightning speed and technology changes rapidly, it can be a challenge to keep pace with the security payments and standards of the mobile payments industry. In addition, one of the most frustrating areas of mobile security is the challenge of navigating global security requirements. As a global brand, using mobile point-of-sale (MPOS) requires compliance with the differing security certifications and methods in various countries.
When considering global security requirements for MPOS hardware, the most obvious difference in preferred security standard lies between the U.S. and Europe – the biggest difference of which is the use of “chip and pin” technology. Chip and pin is the colloquial name for the rollout of the EMV smart card payment system for credit, debit and ATM cards, and has become extremely popular overseas as a payment method. (While “Chip” refers to the computer chip embedded in the smartcard, the “Pin” represents the personal ID number assigned for use by the customer.)
When it comes to payment, the popularity of “chip and pin” abroad highlights one of the bigger cultural differences between the U.S. and Europe. While U.S. consumers are content to hand over their credit card at a restaurant, this practice is unheard of in Europe. Instead, a reader is typically brought to the guest and they then enter their credit card pin code. It’s a subtle difference that many American companies have yet to realize, making it difficult for U.S. brands when they expand internationally. In fact, European customers will often chase down associates who take their credit cards for processing!
The other concern for global mobile payment security is EMV certification (EMV stands for Euro Mastercard Visa), a global security certification for chip-based debit and credit cards. Unlike in the U.S., when using a MPOS system in Europe, most European banks and brands will immediately ask for EMV certification. Notably, there are two types of certification: EMV 1 and EMV 2, each of which pertain to the different dollar amounts of transactions that each level supports. Because chip and pin cards are slated to roll out in the U.S. within the next few years, chain stores considering MPOS technology must look for systems that are EMV certification compliant.
In the U.S., retailers have always been more concerned with the Payment Card Industry Data Security Standard (PCI DSS) certification. Designed to prevent credit card fraud, PCI DSS is an industry-wide security certification for major debit, credit, prepaid, ATM and POS cards. As such, all MPOS hardware in the U.S. has typically been tailored to meet the PCI DSS standard. Perhaps a signal of what’s to come, the standards were recently updated to include ‘chip and pin’ terminology. While this is a step towards creating a truly global security standard, for global brands, it will be critical to be aware of both changes to and requirements for the PCI DSS standard, as well as EMV standards.
It’s important to note that some technologies that have gained popularity in recent years with U.S. retailers — including Square — are not chip and pin enabled. Square, which uses a simple dongle, could not support this type of payment, and adding a key pad would violate security standards. So while the allure of a quick and easy solution for MPOS is understandable, the cost of failing to adhere to global security standards — or worse, the leak of customer payment details — is much higher. As such, MPOS should have chip and pin enabled and go a step further with EMV 1, EMV 2 and PCI DSS certification.
The next level of global security certification for MPOS is encryption. It’s a basic level of security, but important nonetheless. The potential landmine issue here is making sure that both the MPOS device (terminal or reader) and the associated software is encrypted. Many retailers assume that if the device is protected, the software must be too, which isn’t always the case. Since MPOS systems often involve software that is rich with customer or store details (i.e CRM software or inventory management), both the device and software should be equally protected.
Further, provisions should be made to ensure that store associates only have access to the CRM program or inventory program if they are connected to the companies’ Visual Private Network (VPN). And, if a store associate tries to remove a device from the store, administrators must ably and remotely block the device via an online portal. Devices should also be assigned “store numbers”, where, for example, a mobile reader or iPad terminal can only be used in Store A, and if you bring the device to Store B, it will essentially become a paperweight.
In addition, the highest level of encryption is via a Secure Access Model (SAM) chip. These can be inserted into mobile POS readers, providing extra levels of encryption. SAM technology can be used for cryptographic computation and secure authentication against smart cards or contactless cards, heightening the security of each transaction. “Master keys” for the card are held by the bank issuing the credit card, making it impossible for an in-store associate to access the payment details. Some of our customers have even designed custom SAM chips for their network.
Lastly, regardless of which country you operate in, the most critical piece of security standards globally requires that no information is ever saved on a mobile POS device. The risk of losing a device or having a device stolen by a customer or store associate is simply too great in brick-and-mortar stores. If a store associate walks away with a device, then they shouldn’t walk away with all of your customer’s credit card details as well. Nothing should ever be stored on the device during a credit card swipe, and on the flip side, store associates shouldn’t be able to use the device to swipe credit cards at home. By implementing sensors within the POS device, retailers can ensure that even if an iPad, Android device or iTouch terminal is cracked open, the device will wipe itself and require a firmware re-installation.
It may seem like a lengthy list of ‘must haves’ when it comes to implementing global security standards for a store’s new MPOS system, but the risks associated with a customer’s payment or personal details are far too great. Companies who are truly forward-looking will act now to make sure their MPOS standards are up to code not just in their headquartered country, but also globally.
Pascale Juan is the COO of I Love Velvet.