This story is the third in a statewide series about cyber security and small businesses, supported by the Michigan Small Business Development Center. Read the rest of the series here.
If you have a credit card, you've seen them. The small, white squares attached to cell phones. The nifty, user-friendly apps on iPads that allow you to tip (or not) after paying for your coffee. The easy, one-step payment systems that even send you a receipt via email.
This mobile payment software allows small business owners and start-ups to conveniently collect their customers' payment information on the go or at their brick-and-mortar locations. But how can they ensure that credit card information is secure? What risks are associated with a convenience that collects sensitive information with the tap of a fingertip? As the use of mobile payment software continues to rise, small business owners in particular take advantage of this unique payment process, all while paying attention to the risks associated with credit card information being sent into the aether.
"You have this really powerful computer in your pocket now," says Alex Linebrink, founder of Passage, a Detroit-based platform for powering ticketing and payments online and at-the-door for specialty events. Utilizing mobile payment software before events such as festivals and concerts, Linebrink has years of experience managing the risks of processing his customers' payment information. Looking back at the development of credit cards, Linebrink notes, "Credit cards were really never made for public transactions."
When credit cards were first developed, they were stored at department stores, not carried around in back pockets, and certainly not floating around online. That's why, he continues, we're "really behind" the rest of the world and are only now implementing security protocols like chip-embedded cards and biometrics (fingerprints). Thus, one of the most important security measures that Linebrink takes is credit card number encryption.
"We're never storing credit card numbers," says Linebrink. By using mobile payment software that encrypts at the hardware level, meaning the number is converted into a cipher or code before it is sent into the data port, or terminal, through which the data travels online, Linebrink ensures his users' information is secure. Much mobile payment software encrypts only at the software level, meaning the number is hidden only once it reaches the software on the device, which leaves a gap in which the credit card number could be accessed and stolen.
John Hey, chief operating officer of Trivalent Group, a Grandville-based business-to-business technology firm, agrees. "Employing a tool/system that utilizes immediate encryption is a must," he says. "Requiring a signature and perhaps even a second or third form of 'authentication' will help avoid potential fraudulent transactions." These multiple levels of encryption and authentication aid the small business owner in ensuring that the financial information they're collecting is secure.
Linebrink also advises that employees of small businesses have specifically designated permissions to handle the device on which mobile payments are processed. Pick an app that allows you to create individual users, and "make sure those roles are set up properly," he says. "Nobody should have access to aspects of the software that they don't need. The fewer logins you have with access to crucial customer info, the fewer potential points of failure exist," says Linebrink.
For example, Linebrink creates special employee accounts on his Passage platform for ticket redemption and sales that allow the employee only to scan tickets, thus preventing any risk associated with payment information.
Also, when choosing mobile payment software, small business owners should consider those with Payment Card Industry Data Security Standards (PCI-DSS) certification, adds Linebrink. The standard certification for the payments industry (founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc.), the Wakefield, Massachusetts-based PCI-DSS provides training and certification for businesses seeking compliance with its security standards. "This is an absolute 'must-have,'" says Linebrink. "If [businesses] follow great safety practices with the card-holder data they handle, they'll be certified."
North American Bancard CIO Jim Parkinson agrees, speaking for the company's successful mobile payment app, PayAnywhere. "Security should be a priority for any business that accepts payment cards," he says. "PayAnywhere is PCI compliant and gives merchants the ability to track and record transactions and encrypt data." This tracking of transactions is another feature of highly useful mobile payment software, adds Linebrink.
In addition to choosing secure, trusted software, small business owners should also consider the network through which their customers' payment information is traveling. "Another area of vulnerability is if the merchant is using public Wi-Fi for their connectivity and transactions," says Hey. Even if other measures are taken to ensure security, the network itself can become a risk. With an unlocked, public network, hackers could be trolling connected devices, hunting for sensitive information. Thus, small business owners should be careful about which networks they utilize when they're on the go, collecting payments on their mobile device.
"[A] cellular network is almost always inherently more secure than a public Wi-Fi," says Hey. If one must utilize public Wi-Fi, Hey notes that bigger, more populated cities and events are probably riskier than, say, small town fairs. "In denser population centers you have more 'talent' (used loosely), more potential targets and more areas of vulnerability," he says.
With all of these vulnerable areas, tips, and tricks, small business owners could surely feel their heads begin to spin when deciding on a mobile payment software and how best to use it. However, a quick read of the software's features (and a chat with a few other small business owners) should reveal the best fit for them. When it comes down to it, awareness is key. "So much of security risk comes from behavior and lack of education and awareness as much or more than any technical shortcomings," says Hey. "My advice is stick with known, trusted solutions."
This story is a part of a statewide series about cyber security and small businesses edited by Lauren Fay Carlson. Support for this series is provided by the Small Business Development Center, which has just launched a free online security assessment tool and resources at www.SmallBusinessBigThreat.com to help small businesses measure their cyber security preparedness.