How to Make Your Mobile Device PCI Compliant

Posted by ebellbiz , 14 December 2012 · 1,153 views

In order to improve the user experience, many businesses are opting to turn tablets and smartphones into POS terminals. Having a more mobile POS (point of sale) system allows businesses to simplify the checkout process for customers. When it comes to credit card processing systems, there are some regulations in place to protect cardholder data that you can’t ignore just because you are on a mobile device. Data security is important for both you and the customers. If you’re using a mobile device when processing payments, make sure you’re PCI compliant. Here’s how to get started.
The PCI Data Security Standard (PCI DSS) requires merchants to protect cardholder information. No matter where the information is located, it is the business’s job to make sure the cardholder is protected.

Off-the-shelf Mobile Payment Acceptance Solutions
Using a validated and properly implemented P2PE (Point-to-Point Encryption) solution greatly reduces the risk that someone could obtain and use cardholder data. Validated solution providers will have a list of approved card readers that have been tested to work securely with their solution, and most will provide you with one once you’ve signed up for their service. The provider is responsible for ensuring that any reader used with their solution has been validated as compliant with the appropriate PCI SSC security requirements, including the Secure Reading and Exchange of Data (SRED). SRED ensures that the cardholder’s account data is protected at the point where it is accepted.

Building Your Own Mobile Acceptance Solution
If you plan to build your own credit card payment acceptance solution, you’ll need additional encryption technology beyond the basics of your mobile device.
  • Use an approved POI (Point of Interaction) device. Your POI is the approved PIN entry device (PED) or approved secure card reader (SCR) that is used to capture and encrypt cardholder data.
  • Comply with the PCI Data Security Standard. Using a validated P2PE solution for processing mobile payments may lessen the requirements for your annual merchant compliance with the PCI DSS.

Best Practices
If you plan to use a mobile device as your POS terminal, start by following guidelines provided by the PCI SSC. Additional steps toward protecting cardholder data include encryption and using approved devices. Some important things to keep in mind: don’t store card data on your mobile device, and be sure to lock it when it’s not in use.
  • If you plan to develop your own payment acceptance application, use industry-recognized secure coding practices.
  • Have a policy in place for resolving problems that arise when a device is lost or stolen. Make sure you can remotely disable the device and the application so you can protect the cardholder’s information.
  • Businesses are strongly advised to use mPOS solutions that utilize P2PE in accordance with the PCI Point-to-Point Encryption Solution Requirements.
Accepting credit cards on a mobile device is easy. However, getting the system up and running isn’t. Make sure you pay attention to PCI standards and are taking the necessary steps to protect cardholder information. Security breaches can cost you and your customers, so it is important to do what you can to reduce the risks.

Copyright © 2012 Business Circuit
All Rights Reserved.