This is page 2 of:
Google And Apple Can Reach Into Mobile Devices, Even If You’re Using Them For POS
Unfortunately, both those vendors’ licenses reserve the right to reach in, either to push operating system upgrades or remove problem software. And if retailers can’t completely control what’s on the devices, who has access to them, how they’ll be set up and when they’ll be changed, there’s no way for a QSA to be sure a device is secure for handling payment card information. And these fears certainly also extend to mobile units that might happen to never be used for tendering purposes.
After all, mobile devices are much easier to steal or tamper with than dedicated POS devices, and those are already a perpetual security headache. A payment-card reader that’s been tampered with is a bad enough risk, but at least those devices can literally be nailed down.
Not so with a mobile POS device. A dedicated thief with a netbook and a little privacy could steal an unattended POS smartphone or tablet, install malware and return the device in minutes without even leaving the store and with no obvious signs of tampering with the device. Short of the ability to lock down that phone or tablet, how can a QSA seriously agree that this is a secure way of processing a payment card?
The problem for retailers with reach-ins doesn’t stop with payments. True, IT departments now have decades of experience with automated software updates for everything from PCs to HVAC systems. But mobile is very new and—as with every new platform—developers don’t know which rules they can bend. (The one thing you know for sure is that they will break rules to make the devices do what’s needed.)
That means there’s a much higher chance that an unexpected update will break existing software as soon as it arrives, or worse, create subtle issues that won’t become obvious until they generate major problems. That’s why IT does regression testing on new software before it goes into production — which can’t happen if Apple or Google makes changes without warning.
Still, because on-the-spot checkout is a prime reason many retailers are looking at in-store mobile devices, mobile POS is the place where reach-ins have the potential to be a deal killer.
It shouldn’t be. Apple and Google should be the most retailer-friendly phone vendors imaginable. Apple runs a chain of stores; Google offers an online checkout system. If any smartphone or tablet maker is going to understand the need of retailers to lock down devices and exempt them from reach-in, it should be these guys.
Of course, that’s no guarantee they will understand. Apple and Google have brands to protect. Are they ready to let retailers completely control the devices, even if that means critical bugs can’t be fixed? Will retailers have to sign away the right to sue over faulty handheld products, in exchange for the ability to completely control them as POS devices?
Maybe the response should be special hardened versions of Android and i-devices that can be locked down. But that’s likely to jack up the price per device, and those hardened versions will always trail the current consumer smartphones in terms of capabilities.
It’s an ugly tradeoff for retailers. Simply cutting a deal to allow locked-down devices would be a lot more attractive.
Still, Google and Apple’s ability to spike rogue apps isn’t all bad news for retailers. Suppose a retailer’s own app is cracked by thieves and injected with malware, then submitted to the App Store or Android Marketplace. Suppose it slipped through the phone vendor’s vetting process, and hundreds of thousands of your customers downloaded it to use before the malware was discovered.
Just about then, the ability to reach into all those phones and kill bad apps would start to sound very attractive indeed.
March 9th, 2011 at 3:02 pm
This, IMHO, is a very big deal potentially. The trade-off is indeed ugly and there is a chance that using a general purpose mobile device for payments will always be a risky bet, both PCI-wise and common security sense-wise.
March 9th, 2011 at 3:13 pm
You do realize that Google’s reach only extends to apps that are installed via Google’s own Android Market? If you’ve used another market, installed an app downloaded from the net, or created your own, Google would have no way of knowing that you have it installed on your device.