A few of our small business customers have asked us about Payment Card Industry (PCI) compliance requirements for merchants who accept payment via a combination of a smartphone application with additional hardware. These are the magnetic stripe credit card readers, such as Square, which connect to the iPhone, iPad or Android via the headphone jack.
How do you figure out which PCI requirements apply to you?
To determine what PCI requirements apply to your business if you use these readers, you should start the PCI compliance process just as any other company would.
You need to determine what exposure you have to payment card data and what data you are storing, if anything. This will determine what is in scope for PCI compliance and which requirements apply to you.
The process we examined is simple: you swipe a customer's payment card with the plug-in reader, and the card information is encrypted on your phone. The payment card data remains encrypted until it gets to the payment processor. From that point, you never see the number again. The customer gets a receipt via an email. If there is a dispute, you will have to contact the processor.
What now? Which SAQ is the right one?
You know how the card data arrives and where it goes, but which Self-Assessment Questionnaire (SAQ) should you complete? Take a look at the PCI DSS Self-Assessment Guide for the answer. On the last page, there is a flowchart that guides you towards a specific SAQ. Because the mag stripe readers connected to a phone are basically standalone terminals, you might think that SAQ B is appropriate. However, the device uses a payment application that processes transactions via the data/Internet portion of the phone, so your payment method would fall into SAQ C.
It is perfectly acceptable to answer N/A to questions in the SAQ if they do not apply to you. If you can answer all the questions yes or N/A, and you submit the completed SAQ to the company that is taking your payments, you are validated PCI compliant! When you are entrusting so much to the payment card processor, you must make sure you are performing your due diligence. The requirement in the Self-Assessment instruction guide that the POS vendor provide secure support becomes most critical, since the processor has all of the exposure. They need to be processing credit cards in a PCI-compliant manner at a minimum, and preferably be validated as PCI compliant by a Qualified Security Assessor.
While most merchants aren't using mag stripe credit card readers with smartphones in their normal retail environment, these configurations are rapidly gaining traction with independent, small vendors, as well as with merchants that may wish to accept payment cards in 'outside the box' settings (for example, trade shows, consumer expos, or special events).
If you're thinking about using this payment option, it's important to establish usage policies that take security into consideration. And just as you would with other payment processing options, you need to educate employees on the potential risks.