If you read this blog regularly you have heard me mention an entrepreneurial processing service company called Square Up. I have to applaud their innovation and see the benefit of making credit card payments available to anyone with a bank account and a smart phone. The problem with comes with their handy dandy portable card reader device. The PCI DSS (payment card industry data security standard) dictates that to be PCI compliant data sent over an open public network like the internet must be encrypted. This is found under PCI DSS Requirement 4: Encrypt transmission of cardholder data across open, public networks.
Encryption is a security method that translates the data into a set of alternate, unrelated characters while it’s being transmitted. If the data is intercepted, as it easily can be with store bought radio monitoring equipment and a little electronics savvy, it is useless without the proper decryption key. There are of course many levels or layers of encryption, and as hackers continue to defeat the latest encryption standards, the standard for true data security is constantly being upgraded. The Square card reader device does not encrypt cardholder data to the standard set by the PCI DSS.
If you use this non-compliant device, you are putting your customers’ sensitive authentication data at risk. This in turn puts your business at risk. A recent article in Digital Transactions magazine predicts that with the propitious rise in wireless technology usage for electronic payments, that hackers and other cyber criminals will be having a field day with all of the opportunities to intercept exploitable data. The article refers to Square as having “passed out boatloads of card readers for smart phones that transmitted card holder data in the clear.”
I still don’t know why the PCI SSC (payment card industry security standards council) hasn’t put the kibosh on the distribution of these devices, but they may just put the onus on the user to not use a device that’s not PCI compliant. The goals set forth in the PCI DSS are your road map towards protecting your and your customers’ data security. See our home page for information on how your company can be PCI compliant for absolutely free.