Evan Schuman's StorefrontBacktalk

These mobile payment systems add an additional layer of complexity to the PCI DSS arena—and it’s one that most retailers have not yet explored. The promise of technologies like Square is that they free the retailer from dedicated POS devices and from the store itself. That means a single individual at a road-side stand, far removed from anything, can become an outlet store.

This is as true for a big-box retailer as it is for the guy who sells tube socks at the flea market. The technology is designed to be used by both the sophisticated and the unsophisticated user. Just swipe and you are done.

Although the Square device may be secure, and PCI-DSS compliant, it resides in an environment that is anything but. Mobile phones, particularly smartphones, are mini computers without firewalls, authentication devices, password protection schemes, monitoring software, antivirus or anti-malware programs, access controls or other rudimentary security protocols.

When you attach a payment system to that device, you inherit all of the vulnerabilities of the device itself. Software and “hacks” are available today that will allow hackers to invade the smartphone, monitor and control what is going on (e.g., take over the camera, microphone, phone, applications, GPS, etc.) and essentially “own” the device. Because the device has a persistent Internet connection, it can be used to transmit information back at any time. If I “own” the device, I “own” the POS terminal.

Moreover, mobile devices are, well, mobile. They can be put down and unmonitored. They can be lost or misplaced. These devices also run a host of other applications, from GPS mapping to birds that are apparently very angry. A developer in the former Soviet Union could (and many have) develop a game or app that is intended to have one functionality but, in reality, is designed to corrupt the smartphone or other applications.

Despite precautions to prevent such conduct, the development of such software and its exploitation is inevitable. And this is true even if the device attached to the smartphone is PCI-DSS compliant.

Just as attaching a secure POS device to an insecure network destroys the security of the POS device, attaching a secure payment device to an insecure mobile device or platform can destroy the security of that secure device.

What is worse, it is neither the manufacturer of the POS application, the smartphone, the network provider, the payment processor, the issuing bank nor the receiving bank that would likely be on the hook for the damages resulting from such attacks. No, it would generally be the retailer that used the technology. Thus, the guy making 50 cents each from sales of tube socks could be liable for the 15,079,942-ruble (US $5,000) flat-screen TV purchased in Belarus by the hackers who attacked the iPhone at the Yonkers raceway flea market.

There is great promise in mobile technology that leverages existing infrastructure. There is gold in them thar hills. But before you go to mine that gold, remember your safety harness. After all, if anyone gets burned online, it will be the retailer.

If you disagree with me, I’ll see you in court, buddy. If you agree with me, however, I would love to hear from you.