When businesses use mobile devices for payments, they have to make sure the devices they use are secure. Otherwise, they put themselves at risk. The following steps apply to all of the hardware used for card reader payments.
Keep people from physically accessing the device
When a mobile device is not in use, its owner is responsible for storing it safely. It should go into a safe or locked cabinet, or otherwise be secured in the building where it is used.
Prevent analytic and deductive methods of accessing the device
- Use device security measures, such as complex passwords and multi-level verification.
- Restrict such access to authorized users
- If the device does not have built-in vendor verification, vendors using the device should always have users verify themselves with personal identification numbers or other methods. It is a good idea to have the device lock out and require reauthorization after a set idle period.
- If possible, full disk encryption should be employed on any mobile devices used for payment. It can help keep people from bypassing the reader's security.
Whenever businesses use devices such as computers and card readers, they have to protect against malware. The primary defense against malware is anti-malware software.
- Make sure that all antivirus and antispyware software comes from an authentic vendor and is the latest version.
- Working around the security software installed on the device disables its protection, so do not tamper with it.
- Do not install unnecessary software.
Card reader providers should:
- Have updates when necessary, communicate those updates to their users and make them readily available
- Make it impossible for the application to run on devices that have installed unapproved firmware
- Provide instruction on how and when to do updates
- Update users of any vulnerabilities that arise. They should also tell users how to fix these concerns and update them regularly as new solutions are found.
Monitor the current security status of the mobile devices
- Scan all mobile devices frequently with the security software to find security issues, such as insecure apps or apps that have access to payment information.
- The device should have a visible indicator, such as an icon, that shows whether the device is currently safe to use. If that indicator is absent, vendors should not use the application under any circumstances.
- Jailbreaking or rooting a device opens it up to malware. Do not do this with mobile devices that are used for payment applications, and do not run payment solutions on mobile devices that are already rooted or jailbroken, as they can be compromised more easily than a device that still has its native security controls. Also, disable USB debugging on the device.
- Use mobile devices bought directly from the manufacturer for payment solutions rather than second-hand devices or devices bought through a third-party vendor.
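As an added example (not part of the original guidance), here is how a payment application could implement the checks above on its own: refuse to run, and drive the "safe to use" indicator, when USB debugging is on, the firmware carries test-key signatures, or a root binary is present. It assumes an Android app written in Java; the su paths and the test-keys build tag are common heuristics, not an exhaustive integrity test.

```java
import android.content.Context;
import android.os.Build;
import android.provider.Settings;
import java.io.File;

/** Pre-launch device integrity checks for a payment app (added example, Android assumed). */
public final class DeviceIntegrityCheck {

    // Common locations of the "su" binary left behind by rooting tools (heuristic, not exhaustive).
    private static final String[] SU_PATHS = {
        "/system/bin/su", "/system/xbin/su", "/sbin/su",
        "/system/sd/xbin/su", "/data/local/xbin/su", "/data/local/bin/su"
    };

    private DeviceIntegrityCheck() {}

    /** True if USB debugging (adb) is switched on in the device's global settings. */
    public static boolean isUsbDebuggingEnabled(Context ctx) {
        return Settings.Global.getInt(ctx.getContentResolver(),
                Settings.Global.ADB_ENABLED, 0) == 1;
    }

    /** True if the firmware was signed with test keys, which is typical of custom (unapproved) builds. */
    public static boolean hasTestKeysBuild() {
        String tags = Build.TAGS;
        return tags != null && tags.contains("test-keys");
    }

    /** True if a "su" binary exists at any of the usual locations (a rooting indicator). */
    public static boolean hasSuBinary() {
        for (String path : SU_PATHS) {
            if (new File(path).exists()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Single pass/fail verdict: the app shows it as the "safe to use" indicator and
     * refuses to process payments when it is false. Any single indicator fails the check.
     */
    public static boolean isSafeForPayment(Context ctx) {
        return !isUsbDebuggingEnabled(ctx) && !hasTestKeysBuild() && !hasSuBinary();
    }
}
```

Run `isSafeForPayment` before every payment session, not only at install time, since a device can be rooted or have debugging enabled after the app was first approved.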
Keep only information required for the primary function of payment solutions
If a device has communication capabilities that the card reader does not need, disable them.
Record all device information to deter theft and aid recovery
Record all of the information about the device and its applications. This includes:
- The device model number
- Serial numbers
- Operating system