Announcement

Collapse
No announcement yet.

Taking Credit Cards

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • #16
    Re: Taking Credit Cards

    Bank of America money in my account by 12:00 a.m.

    Comment


    • #17
      Re: Taking Credit Cards

      Bill I just wanted to do a quick follow up on your comments.

      Originally posted by OkieBill View Post

      1. I did not ask "IF" it could be done I was asking for real world examples of where Square and its security have been compromised in the real world as it has been in operation for 2 years.
      Here is a link to a group that created a Trojan that listens and looks for Credit Card transactions on the Droid Platform. You wanted to know if it has been done. Yes, it has, as a security protocol test.

      Android Trojan captures credit card details | thinq_


      Originally posted by OkieBill View Post
      2. The hardware level encryption of your current system is just as vulnerable to brute force attack as software encryption albeit one will take significantly longer then the other..
      As of 2010, the POS terminals only hold data until they are settled, then the data is dumped. It is part of the PCI compliance act. To date there has been no reported hack for transmitted data from terminal to processor.

      I am an agreement with you the actual terminal can be hacked as stand alone item, until its settled. So in this case if your running around with a portable unit for a week and then settle on Friday afternoon, yeah all the information stored on that card reader could be hacked. Our policy in our company is simple. The portable units are locked in a safe, and only pulled out when we know a customer is going to pay with a credit card. When that card reader comes back, its settled and locked up again. The other issue with a stand alone POS is the ability to credit back money on a debit card for example. Our units are password protected for that feature and only myself and my office manager have the ability to access that part of the machine. Again the machine would have to be stolen from a truck during the day, which would give us the opportunity to notify everyone in a pretty short period of time. Also since only one person at a time is issued these machines, we have a control in effect that would let us know exactly who was in charge of a unit if some type of fraud occurred during a shift.

      To take it one step further, POS systems, for example software based sales systems in a restaurant have been hacked, and thats a software hack. The issues is the terminal based card swipe is integrated into the POS system and designed to retain customer information, for marketing purposes. Now thats a potential breach, and there are countless articles on the net on compromised POS integrated software packages.

      Bill I will make one suggestion that may make you re-think the use of Square. As of 2010, (merchants like you, me and others) must be PCI compliant with regards to credit card use if you want the protection of the industry. As of current Dongle operated credit card systems, Square being one of them, is not.

      Here is the latest list of compliant Credit Card Processors put out by VISA, for using there service.. Square is not listed.

      http://usa.visa.com/download/merchan...plications.pdf

      Also for your review is a Q&A on PCI compliance that you may find of interest.

      PCI Compliance Guide Frequently Asked Questions

      For yucks, while writing this response I contacted Intuit, as they have just started a Dongle card processing service. Since we are a QuickBooks Pro user and have an unlimited tech support account I figured I would see what they have to say about it. At first the Rep said they were compliant. When I pointed out that they were not, they said "no", we are compliant under the name Intuit. I told them I was looking at the list and the only compliance under Intuit dealt with the QuickBooks software packages and not the Dongle. They put me on hold came back on and said that they were not complaint, but that they used the same encryption that the standalone POS units use. (That I knew was B.S.) so I questioned them on that and they turned me over to a supervisor. When she supervisor came on, she said that they were not PCI compliant. Did not use the same encryption technology. So I asked this question.

      "If we use your Dongle, and the smart phone is hacked and our customers data is compromised, used in fraud, is Intuit going to absorb any potential financial responsibility that we may incur, because the dongle is not PCI compliant?"

      She put me on hold for about ten minutes and said, "No we would not be responsible for any losses that may occur because the Droid or other smart phone platforms is open source."

      Bill here lies the problem. If your customers information is hacked from you, and it is determined that you are not using a PCI compliant card service, you can be held legally responsible for the losses,legal fees etc. Even though your customer is protected by federal law up to $50.00 on the card, the card service company, Visa, MasterCard, AE, etc... can come after you for the lost money.

      The logical solution to this problem would be to turn it over to your insurance company and let them absorb the loss. Unfortunately, (at least with our policy, and that's with Hartford) those losses will not be supported by the policy if we are not following the PCI compliance guidelines. I highly recommend that anyone that reads this blog take the time to check with there insurance carrier, underwriter, broker and ask this simple question.

      "If my customers credit card information is stolen from our card service system and we are not PCI Industry Compliant, are we protected from potential losses, ie refunding any potential lost money back to the Credit Card processor?"

      Bill my policy says no. I had a couple of other merchants I know ask the same question with there policy holders and the answer for them was also no.

      So in my earlier story about my personal $15,000.00 fraud charge. Legally as the customer I would only be held responsible for $50.00 of charges. If I was a merchant using a dongle and the customers information was hacked out of the phone, and $15,000.00 was fraudulently charged, the processor, ie Visa could come after me for that loss and without the protection of my liability insurance policy I would have to cut them a check, or file BK.

      I believe in Smart Phone Technology and its future. However in the case of Dongle based credit card processing I believe this one statement says it all.

      "Great in Theory, Bad in Practice"

      It probably explains why Square is scrambling to come up with a different Dongle that is PCI Compliant.

      Hope this info helps someone.

      Comment


      • #18
        Re: Taking Credit Cards

        I am gonna try the Square app, I am only taking plastic from big plants that getting a check from is a paperwork nightmare.

        Comment

        Working...
        X