PCI Free Blog

Not All Accessories are Created Equally

A new type of processing service company is blazing new trails in making credit card processing widely available. This opens up a whole new world of payment options to those who previously could only be paid in cash or by check. There are millions of honest, hardworking, law-abiding people out there trying to make a fast buck in our ever-changing economy, and companies like Square Up make it possible for the non-business owner to take credit cards without the full underwriting required for the type of account that is set up for a retail business. Unfortunately, the device that Square Up provides for its wireless service is not PCI compliant. This comes from an industry giant in the manufacture of POS (point of sale) equipment, in what it called “An Open Letter to the Industry and Consumers.” In the letter, the manufacturer states that the mobile MSR (magnetic stripe reader), provided free of charge by Square, does not meet PCI DSS (Payment Card Industry Data Security Standard) requirements for devices that transmit over an open, public network such as the mobile broadband network.
The reason it is not compliant is that it does not meet the data encryption standard required by the PCI SSC (Payment Card Industry Security Standards Council), whose membership consists of IT security and network management professionals as well as credit card processing industry professionals. PCI DSS Requirement 4 says: encrypt transmission of cardholder data across open, public networks. The Square Up device does not use encryption and decryption software, and, according to the POS equipment manufacturer: “In less than an hour, any reasonably skilled programmer can write an application that will ‘skim’ or steal a consumer’s financial and personal information right off the card utilizing an easily obtained Square MSR. How do we know? We did it. Tested on sample Square card readers with our own personal credit cards, we wrote an application in less than an hour that did exactly this.”
More to follow in next week’s blog. If your business isn’t PCI compliant yet, you are doing yourself a disservice. See our home page for information on how your business can become PCI compliant for free!

This entry was posted in PCI Compliance, PCI DSS and PA-DSS, Point-Of-Sale Equipment, Wireless Technology Security.