PayThink

The mobile point of sale wave presents a distinct fraud risk

Register now

As more mobile point of sale devices come into use, security and fraud experts caution that these tools carry their own set of data safety and payment fraud concerns, in addition to the challenges that all business face when accepting with card payments.

Any merchant who uses mPOS or is considering it needs to be aware of what those risks are and how to reduce them.

One of the most obvious but overlooked risks with mobile point of sale systems is the risk of physical theft or loss.
Despite advances in anti-theft technology, smartphones are still an appealing target for thieves looking to resell them for a couple of hundred dollars apiece, even without the added temptation of access to a merchant payment account.

Whether your business owns its own mPOS devices or has a bring-your-own-device policy for employees, make sure that every device used for mPOS can be remotely locked or wiped to deny thieves access to your data. A recent report found that only 56 percent of employees at many companies can remotely wipe sensitive data from their devices.

Malware on an employee’s smartphone or tablet puts your payment data at risk of exposure and corruption. Incredibly, more than 40 percent of companies with BYOD policies say they don’t know if those devices are infected with malware. One solution is to require that employees use the security apps of your choice on personal devices they use for payments.

Hacking over open wireless networks is a factor in many device hijacking and account takeover attacks against individuals. Such attacks can impact your business if an employee’s device is hacked while your payment processing app is installed.

To guard against this type of intrusion, discourage your team from using unsecured WiFi networks; make sure the payment service you use includes point-to-point encryption (P2PE) from the point of swipe or chip-card insertion to the data center; and set up a VPN for employees to use if they access other company services from their mobile devices.

These steps can also help protect your transaction data and account information from remote code execution and man-in-the-middle attacks enabled by vulnerabilities in Bluetooth and mobile apps. In 2018, researchers were able to find a way to manipulate the value of magstripe transactions processed on mobile devices and to access card readers’ operating systems.

By exploiting these weaknesses, the researchers said hackers could collect enough data to clone customer cards for CNP fraud. The companies whose devices were tested said they were working on fixes. However, because security experts (and criminals) are always finding new vulnerabilities that can be exploited, make sure every mPOS device, yours and your employees’, is updated and patched whenever problems are announced.

All these mPOS security steps should be layered on top of the other anti-fraud and data-protection processes your company uses. As with dedicated POS terminals, any mPOS system you use should be PCI and EMV compliant to meet payment security standards and protect you from liability for card fraud. By taking precautions to protect your mPOS devices, your business can safely sell at more locations for a comparatively low cost while keeping your customer and company data safe.

For reprint and licensing requests for this article, click here.