BYOD and Smartphones as POS Terminals Don’t Mix!
February 28, 2013
- Retailers should resist the urge to let employees use their own smartphones or tablets as point-of-sale terminals for credit card transactions
- Mobile malware is growing fast, and retailers are a prime target for cybercrime
Here’s a really terrible idea: retailers allowing employees to use their personal smartphones or tablets to process credit card transactions on behalf of their employers. This caught my eye recently after the PCI Security Standards Council released its “PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users” document, which does not recommend that activity as a best practice. Now there’s an understatement. Just because there’s an app for that doesn’t mean it’s a good idea to allow just any smartphone or tablet to act as a point-of-sale (POS) device in the retail world. The PCI Security Standards Council rightly pointed out to merchants that they carry end-to-end responsibility for the mobile app used to process payments, for the back-end processes, and for the security of a device that, in this case, they would not even own.
Retailers need to look beyond the obvious cost reduction and sales productivity opportunities such a practice offers and take into account the security protections that must be built into using a smartphone or tablet as a POS terminal. At a minimum, those protections should include encrypting the credit card information as it enters the device, ensuring that the device is protected by an anti-malware program, and requiring proper authentication before the device can be used for a business transaction. Above all else, the merchant needs to ensure that the device has not been jailbroken. The cost of putting those protections in place could reduce or even eliminate the benefits of applying BYOD to a retail environment. And a breach that gave cybercriminals access to a large number of customers’ credit card details could obviously cost the retailer huge sums of money.

Interestingly, at the same time the new recommendations came out, PCI DSS compliance management services provider Trustwave declared that retailers are now the top target for cybercriminals. In its recently released 2013 Global Security Report, Trustwave found that retailers made up the largest percentage of the breach investigations it conducted in 2012: they accounted for 45% of those investigations, compared to 24% for food and beverage and 9% for hospitality. Trustwave’s report also cited a dramatic rise in mobile malware, with a 400% increase in the number of mobile malware samples it gathered.
Employees using their personal smartphones and tablets for work may be inevitable in many enterprises, but that shouldn’t extend to swiping credit cards on behalf of a retail employer. Do you agree?