Most of us have heard of BYOB, a popular acronym for Bring Your Own Bottle. The big new thing in the credit card processing arena appears to be BYOD – Bring Your Own Device.
Bringing your own smart phone, tablet or other mobile device into the part of your business that accepts credit and debit cards for payments sounds like a good way to extend your card processing capabilities into a delivery or service vehicle or even a busy checkout line. But there are a number of pitfalls to this low-cost strategy.
Far too many, in my opinion, to adopt BYOD blindly.
As all merchants should know, protecting card data is a requirement not only of the card brands (Visa/MasterCard) but also of state and federal law. The penalties for a data breach are so significant that at Michigan Retailers Association we automatically provide $100,000 in data breach insurance to each merchant using our system for processing their transactions.
But with the pervasive use of smart phones and the development of smart phone merchant processing solutions by vendors (including MRA), more and more businesses are seeing opportunities to extend the ability to “swipe” a card (and benefit from the lower rates of face-to-face transactions) and get out from behind their current fixed, in-store, credit card terminal. They do that by downloading an app from the web that turns a smart phone into a credit card processing device.
If your processor has a smart phone solution that you think would benefit your business, you should develop a procedure that spells out who may use this solution and where and when it can be used. The PCI Security Council has just released standards for mobile phone merchant processing. If you are currently using or planning to deploy a smart phone solution, it is critical that you review these standards and make sure your policies and procedures meet the minimum they require. The standards can be downloaded from the PCI Council’s website (https://www.pcisecuritystandards.org/documents).
Most of the standards discussed in that document relate to controlling the data or the device. If you allow BYOD in your business, you are, in effect, allowing the sales person, service person or delivery driver to load your credit card terminal onto their mobile device. Even if you presume that this is okay for the workday, what happens when they leave for the day? What happens on their day off? What happens if they are no longer employed by your business? What happens if they lose their phone? And don’t tell you?
To repeat, a BYOD situation creates too many opportunities to compromise your customers’ card data. And compromising your customers’ data should be avoided at all costs.
With the evolution of this industry, the need for a low-cost smart phone solution is starting to be filled. At least one terminal service provider has developed a smart phone (data only) solution that is designed to scale up and down as your business needs change and evolve. This solution is provided without the usual cost from the cellular networks or the typical two-year contract for a cell phone.
You, as the “owner” of the merchant account, need to make sure that you look before you jump into this new payment space.
If you have any questions about this or any other merchant processing issue, please don’t hesitate to contact us here at Michigan Retailers Association. It’s always better with an expert to help guide you through the process.
John Mayleben, CPP, is Retailers Processing Network senior vice president, technology and product development, and a national expert on electronic payment processing. He was the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association.