Posted by John Kindervag on April 7, 2010
Even though the iPad is barely birthed, there is already a push to provide payment applications for the device. It's time to pull the emergency brake on this trend. Are these applications PA-DSS certified? Do they have swipe devices with crypto hardware built in? Has the PIN Entry Device been rigorously tested, and does it meet all the PIN Transaction Security guidelines? There are so many things consumers should know about the security of these new methods of payment *before* they allow their credit card to be captured by an iPad or iPhone. Is the card's Primary Account Number (PAN) encrypted at the moment it is swiped by the device? Does the device establish an encrypted tunnel to transport the transaction to the payment gateway? Does the iPad store the PAN? Is that storage encrypted or unencrypted? Does the processor support a tokenization scheme to keep the iPad out of PCI scope? Is the payment app the only thing running on the iPad?
To use an iPad as a POS device, the only application allowed is the payment app. No iTunes, no Facebook, no games. Read the regulations. How will iPad payment vendors try to get around PCI Requirement 2.2.1, "Implement only one primary function per server"? This requirement was designed precisely to keep merchants from using the same system for payment applications and any other purpose. A POS device must be a single-purpose device. Limit the iPad to having only the payment application installed, and nothing else, and then we will talk.
Too many questions and no answers. Taking credit cards for use by your business is not a right. It is an obligation. An obligation to your customers to protect their data. An obligation to your acquiring bank to play by their rules.
Until these new types of payment companies can demonstrate that they are compliant with industry standards and their names show up on the PCI SSC website, consumers would be foolish to allow their card information to be captured by one of these applications.