Posted by John Kindervag on February 8, 2010
Question: Do I really want someone with an iPhone taking my credit card info?
Enormous buzz lately about all of the new players trying to turn iPhones and other mobile devices into credit card swipe terminals. Very scary. Just because someone can create a website does not mean they understand payments.
So many questions:
- Does the solution use a cryptographically enabled swipe reader?
- Does the solution encrypt credit card information at the moment it is swiped?
- Does the solution store any track data?
- Does the solution encrypt all sessions back to the payment gateway?
- Will it support tokenization?
- Is the solution PCI PTS certified?
- Is the solution PCI PA-DSS certified?
That's just for starters. Now add in questions about the security of the 3G network and proper WiFi configuration and security, and you could be creating the perfect recipe for massive credit card breaches. These things are designed to "democratize" the taking of credit cards by the little guys, but should payments really be democratized?
There's no constitutional right to take credit cards. Taking credit cards to fuel your business is a responsibility. It's our data you're playing with!
Very few merchants — especially the smaller ones — understand, or even care about, security.