The growth of mobile POS and preventing fraud
Mobile point-of-sale (mPOS) devices are having a moment, with analysts predicting that the yearly number of mobile POS transactions will triple by 2023. Among the reasons: Prices are dropping for wireless POS units and plug-in card readers, and some POS vendors are expanding their product lines to offer mPOS technology. Cost-conscious small businesses, SMBs that sell at temporary or mobile locations, and brick-and-mortar merchants all stand to benefit from mPOS adoption—as long as they understand how to protect their data on these comparatively new systems.
How merchants are using mPOS tools
Some companies use dedicated mPOS terminals that can print receipts for customers, but the typical mobile point-of-sale setup is a smartphone or tablet with a payment-processing app and a card reader that plugs into the audio jack. This tech is ideal for small retailers and food vendors who sell at different locations like fairs, food truck courts, and farmers’ markets. It’s also helpful for service providers like HVAC repair technicians who can process payments on the spot at clients’ homes and offices without having to phone in a credit card number or mail an invoice.
In physical stores, mPOS units can work as additions to a traditional POS terminal or replace it entirely, which is the case with some small businesses that use a tablet-and-reader setup instead of a dedicated POS terminal. Larger retailers with existing POS infrastructure (recently updated for the 2017 EMV liability shift in the US) have been slower than mobile and small businesses to adopt mPOS technology. But now, larger merchants are driving growth in mPOS, which is expected to top 27 million devices by 2020. By untethering in-store payments from the checkout counter and allowing customers to pay anywhere in the store whenever they’re ready, retailers can reclaim floor space and increase sales, as women’s fashion chain Lilly Pulitzer has reported since it added mPOS capability for its In The Pink stores.
As more mPOS devices come into use, security and fraud experts caution that these tools carry their own set of data-safety and payment-fraud concerns, in addition to the challenges that all businesses face when accepting card payments. Any merchant who uses mPOS or is considering it needs to be aware of what those risks are and how to reduce them.
Security and fraud considerations
One of the most obvious but overlooked risks with mobile point-of-sale systems is the risk of physical theft or loss. Despite advances in anti-theft technology, smartphones are still an appealing target for thieves looking to resell them for a couple of hundred dollars apiece, even without the added temptation of access to a merchant payment account. Whether your business owns its own mPOS devices or lets employees bring their own devices (BYOD), make sure that every device used for mPOS can be remotely locked or wiped to deny thieves access to your data. A recent report found that only 56% of employees at many companies can remotely wipe sensitive data from their devices.
Malware on an employee’s smartphone or tablet puts your payment data at risk of exposure and corruption. Incredibly, more than 40 percent of companies with BYOD policies say they don’t know if those devices are infected with malware. One solution is to require that employees use the security apps of your choice on personal devices they use for payments.
Hacking over open wireless networks is a factor in many device hijacking and account takeover attacks against individuals. Such attacks can impact your business if an employee’s device is hacked while your payment processing app is installed. To guard against this type of intrusion, discourage your team from using unsecured WiFi networks; make sure the payment service you use includes point-to-point encryption (P2PE) from the point of swipe or chip-card insertion to the data center; and set up a VPN for employees to use if they access other company services from their mobile devices.
These steps can also help protect your transaction data and account information from remote code execution and man-in-the-middle attacks enabled by vulnerabilities in Bluetooth and mobile apps. In 2018, researchers found a way to manipulate the value of magstripe transactions processed on mobile devices and to access card readers’ operating systems. By exploiting these weaknesses, the researchers said hackers could collect enough data to clone customer cards for card-not-present (CNP) fraud. The companies whose devices were tested said they were working on fixes. However, because security experts (and criminals) are always finding new vulnerabilities that can be exploited, make sure every mPOS device, yours and your employees’, is updated and patched whenever problems are announced.
All these mPOS security steps should be layered on top of the other anti-fraud and data-protection processes your company uses. As with dedicated POS terminals, any mPOS system you use should be PCI and EMV compliant to meet payment security standards and protect you from liability for card fraud. By taking precautions to protect your mPOS devices, your business can safely sell at more locations for a comparatively low cost while keeping your customer and company data safe.
Source: Mobile Payments Today