Are mobile card readers safe for small businesses?

Cybercriminals target mPOS devices, but there are ways to protect your business

John Egan
Personal Finance Writer
Writes trendy stories about credit cards.

Are mobile card readers safe for small businesses?

From a 12-person jewelry boutique to a six-person handyman service, small businesses can keep up with the big boys these days when it comes to accepting electronic payments. 

Mobile point-of-sale (mPOS) devices equipped with payment technology from companies such as Square and PayPal enable small businesses to handle credit card and debit card transactions in a speedy, convenient fashion.

But in terms of security, at what cost do speed and convenience come? And, most importantly, how can small businesses head off security problems with these mPOS devices before they wreak havoc?

Study shows mPOS devices are vulnerable to fraud, theft  

Research recently conducted by cybersecurity company Positive Technologies unveiled flaws in mPOS devices that could trigger fraud and theft. 

In a news release, Leigh-Anne Galloway and Tim Yunusov, two researchers at Positive Technologies, said they found vulnerabilities in mPOS devices that could let “malicious merchants” change the amount charged and force the use of insecure payment methods, such as credit and debit cards with magnetic stripes. Furthermore, flaws in the devices could allow customer data, such as PINs, to be swiped.

The payment apps included in Galloway and Yunusov’s review were iZettle, PayPal, Square and SumUp. In the case of Square, the vulnerabilities cropped up only in devices that were operating with third-party software from a company called Miura. 

The researchers looked at mPOS devices in the U.S. and Europe, and emphasized that only a minority of the devices were susceptible to security breaches.

“Currently, there are very few checks on merchants before they can start using an mPOS device, and less scrupulous individuals can, therefore, essentially steal money from people with relative ease if they have the technical know-how,” Galloway warned in the news release. “As such, providers of readers need to make sure security is very high and is built into the development process from the very beginning.”

See related: How to accept credit cards at your next garage sale

Major payment app makers say they’re on it 

Security expert Robert Siciliano, CEO of Safr.me, said all payment apps experience vulnerabilities after they’re released because developers are still trying to get rid of software bugs. This typically happens when a company is rushing to market with an app, he said, and puts more emphasis on sales and marketing rather than on security.

PaymentsSource.com reported that iZettle, PayPal, Square and SumUp said they’d fixed the vulnerabilities highlighted by Positive Technologies and had “minimized” any threats.

CreditCards.com reached out to the two biggest payment technology providers among those four – PayPal and Square – to learn more about how they bolster the security of mobile payments.

A representative of PayPal said the company wouldn’t provide information beyond this statement: “The safety and security of our customers’ accounts, data and money is PayPal’s highest priority. We maintain sophisticated practices designed to protect our customer’s data.”

However, the PayPal representative did point us to a webpage about security for PayPal business accounts. Included in PayPal’s security protocol are temporary restrictions that sometimes are placed on accounts to protect buyers and sellers from possibly nefarious activity.

For its part, Square provided no statement and simply directed us to its webpage regarding security. On there, Square says it encrypts payment information and closely monitors transactions to help prevent fraud, among other security measures. As a precaution, Square prohibits storage of card numbers, magnetic stripe data and security codes on its mobile payment devices.

See related: How to get an EIN as a small-business owner 

How do small business owners feel about mPOS security?  

CreditCards.com reached out to a handful of small business owners to gauge their concerns about mPOS security. 

By and large, the small business owners who responded said they weren’t worried about potential mPOS flaws and hadn’t run into any security problems.

David Klein, owner of powered-candy retailer CandyManKitchens.com and inventor of Jelly Belly candies, said he uses Square for mobile transactions and trusts the company to “always be on top of security.” Klein said he hadn’t encountered any problems with Square, other than the occasional flagging of a transaction as possibly being fraudulent.

In a different vein, Lucas Horton, owner of Valeria Custom Jewelry, said he doesn’t have “a ton of confidence” in payment apps – he uses both Square and PayPal – but hasn’t been victimized by any security flaws.

Regardless of whether you’re more trusting or more skeptical, your small business still must shore up its defenses against cybercrooks seeking to infiltrate your payment apps. 

So, how do you do that? We pulled together advice from PayPal, Square, Positive Technologies and others.

See related: Post EMV: How retailers can avoid paying for fraud 

How to protect your business when using mobile card readers

1. Assess the risks.

Before you start using any mPOS device, weigh the risks. Is the brand reputable when it comes to payment security? Research the company online to find out.

“While the market for most of these products is currently not very mature, the popularity is growing, so it is imperative that security is made a priority,” said Yunusov, one of the Positive Technologies researchers.

One of the items to look for is whether the provider of an mPOS app pairs multifactor authentication with substantial password requirements, along with how strong its security firewalls are, said Louis Scialabba, director of carrier solutions marketing at Radware, a provider of web security technology.

On its website, PayPal says use of its optional “security key” is strongly recommended. The key involves two-step authentication that sends a one-time PIN that’s coupled with your password for each account login.

“While large retailers are coming to grips with the notion that customer experience includes security, [small businesses] need to also weigh how a breach can impact customer loyalty,” Scialabba said. “The time it takes to securely process a payment may be worth the wait in the long run.”

In evaluating security, Prakash Ranganathan, assistant professor of electrical engineering at the University of North Dakota and director of cybersecurity programs, noted that hackers are finding a “lucrative target” in cheap card readers that attach to smartphones or tablets because it’s fairly easy to exploit their vulnerabilities. Therefore, it’s best to invest in higher-quality, more costly card readers. 

"While large retailers are coming to grips with the notion that customer experience includes security, [small businesses] need to also weigh how a breach can impact customer loyalty."

2. Do the updates.

You know those update alerts you receive from software providers? Sure, they may be annoying, but they’re also important. Experts recommend performing software updates when you’re notified about them – and not putting off the updates – to ensure your mobile payment system is armed to defend against the latest cyberattacks. 

3. Practice good management of passwords.

Other than creating complicated passwords (with uppercase letters, lowercase letters and different characters, for instance) and never using the same password for different accounts, Siciliano suggests being mindful of who within your business has access to account passwords.

Meanwhile, Ranganathan recommends changing passwords frequently – every 60 to 90 days.

4. Swipe instead of manually entering numbers.

PayPal recommends that if faced with manually entering numbers when using a mobile payment app versus swiping or dipping a card, you should swipe or dip. Why? Because transactions via magnetic stripe or EMV chip offer built-in security features that aren’t available with manually entered transactions.

5. Get creative.

Aaron Weast, founder of Drink Shrub, a startup that produces vinegar- and coconut-water-based soft drinks, said that in order to help prevent security breaches with mobile payment apps, his business has set up separate bank accounts tied to the apps that aren’t the company’s main bank accounts.

Therefore, if an account connected to a payment app gets hacked, “we have only a small amount of exposure,” Weast said.

“Other than that, we trust the vendors to handle this – it’s well beyond our expertise,” he added. “If and when we get hacked, we will likely change providers if they’re unwilling to resolve the issue and refund any lost money.”


Join the discussion
We encourage an active and insightful conversation among our users. Please help us keep our community civil and respectful. For your safety, do not disclose confidential or personal information such as bank account numbers or social security numbers. Anything you post may be disclosed, published, transmitted or reused.

If you are commenting using a Facebook account, your profile information may be displayed with your comment depending on your privacy settings. By leaving the 'Post to Facebook' box selected, your comment will be published to your Facebook profile in addition to the space below.

The editorial content on CreditCards.com is not sponsored by any bank or credit card issuer. The journalists in the editorial department are separate from the company's business operations. The comments posted below are not provided, reviewed or approved by any company mentioned in our editorial content. Additionally, any companies mentioned in the content do not assume responsibility to ensure that all posts and/or questions are answered.




Weekly newsletter
Get the latest news, advice, articles and tips delivered to your inbox. It's FREE.


Updated: 11-16-2018