Views appear mixed on whether PCI compliance matters with mobile payment dongles, but one independent sales organization says adherence to the data-security standard is a no-brainer.
"Given our Level 1 PCI-compliance status, we feel we can't put into the market a device or mechanism that is not fully PCI-compliant," says Michael Long, chairman and CEO of Payment Data Systems Inc. of San Antonio. "That maintains our standard of excellence as it relates to security."
Other ISOs may brush aside the significance, or they may be unsure.
Part of the confusion may be traced to the fact that there is no mobile-reader PCI requirement, notes Pete Bartolik, a spokesperson for VeriFone Systems Inc. VeriFone's Sail mobile reader encrypts sensitive card data with the company's VeriShield Protect system.
Just over a year ago, VeriFone's CEO, Doug Bergeron, called out Square Inc. for its lack of encryption.
"It's our understanding that Square is now shipping encrypting card readers, according to media reports we've seen," Bartolik said in a June 22 email. "There's no indication they've made any efforts to swap out the million or so unencrypted readers they sent out previously."
In an email seeking a response to Bartolik’s comments, Square spokesperson Khobi Brooklyn said Square is PCI Level 1 compliant. “Our card reader is fully encrypted, with credit card information encrypted at the moment of swipe,” she wrote. “Security is one of our biggest priorities. All information by our users has been encrypted, and our software and hardware meet–and in most cases exceed–all PCI-compliant regulations as well.”
Companies are taking different approaches in how they market their mobile card readers. Whereas PowerPay is touting its 24/7 customer support as a market differentiator, Payment Data is emphasizing security.
In either case, ISOs and companies like VeriFone view their products as necessary to compete with market newcomers–in particular Square, which this month said more than 2 million consumers and small merchants use its dongle to accept payments.
And Square itself, facing increasing competition from bigger rivals, is adding features to its small plastic card reader to make it a more fleshed-out product for merchants.
Indeed, Payment Data Systems, which plans to launch a product called iRemotePay by September, considers it necessary to offer a mobile card reader to "maintain our competitive advantage," Long said in an interview. "Encrypting also provides a distinguishing factor."
On June 22, Payment Data announced the inclusion of the Encrypt SSP9000 hardware security module from Futurex with its iRemotePay mobile application.
IRemotePay will support Apple Inc.'s iPhone, iPad and iPod Touch devices to process swiped card purchases. Merchants also may use the iRemotePay software to process checks via the automated clearinghouse system by manually entering the magnetic ink character recognition information from the drafts, Long says.
The software can also log cash purchases and keep that information in the transaction database, he adds.
During the payment process, iRemote's reader, manufactured by ID Tech, immediately encrypts the swiped or keyed-in information, which the Encrypt SSP9000 module decrypts at Payment Data's data center, Long says.
Unlike Square, which primarily targets micro-merchants, Payment Data will focus on organizations with large sales forces or outreach efforts where mobile-payment acceptance is beneficial. Such companies include utility or insurance providers or church organizations that often accept payments away from their brick-and-mortar locations, Long says.
Payment Data plans to provide its device for free, but it will assess an initial $50 set-up charge plus a $25 minimum monthly fee. The discount rate on card transactions will be between 2.2% and 2.3% of the sale, Long says.
Though Square and others offering similar mobile-payment services do not charge standard monthly or set-up fees, Payment Data says its pricing is appealing to merchants with higher sales volumes.
"At the end of the day, if they do the math it's a better deal," Long says.
By comparison, Square's discount rate is 2.75% of the sale. Intuit Inc.'s basic GoPayment mobile-reader service has no monthly transaction fees, and the rate for swiped transactions is 2.7%. Intuit also has a monthly payment option that costs $12.95 a month, with swiped transactions at 1.6%. VeriFone's Sail reader comes with a flat 2.7% rate, but merchants with more than $1,300 in monthly sales can pay $9.95 per month to receive a reduced rate of 1.95%.
Payment Data does not intend to provide 24/7 customer service to most users, but it will provide it if the client requests it, Long says. Call staff will be on duty to handle calls at all times, but it won't be a call center where everyone has access, he adds.
The ISO's customers will "also have my number," Long says. "It's not that I can do a lot, but I can reach a lot of people."