
Colleagues,

Our Alumni Affairs office is interested in using an iPad as a mobile presentation tool with our Alumni at both on campus and off campus events. This isn't all that new or different, but then the individual presentation will be followed-up with an appeal for money. They propose that they then use an iPad and a credit card reader to swipe the credit card on the spot. Something like this:

Has anyone had any experience with the security and logistics of just such a transaction on the iPad or iPod touch?

Gary Roberts
Alfred University

**********
Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/groups/.

Comments

We have used Square. It works OK. It seems to translate the data on the mag strip into sound and the iPhone/iPad picks up the sound and translates correctly. So far no issues have arisen. PayPal also offers similar service but no experience with them.

Chip

Chip Eckardt
CIO
University of Wisconsin-Eau Claire
105 Garfield Ave.
Eau Claire, WI 54701
Phone 715-836-4636 ext. 362381
eckardpp@uwec.edu

I know Apple does this for purchases at Apple stores on iPhones. Not sure about iPads...

Dr. Robert Paterson
Vice President, Information Technology, Planning & Research
Molloy College
Rockville Centre, NY 11571
516-678-5000 ex 6443

Gary,

We took over operations at a local country club this summer (dining and drink sales).  The location was not close enough to extend campus network access and this was a trial arrangement so catering did not want to invest in a new POS.  Enter Square - We are using this on three iPads and folks love signing their name with their finger and receiving a receipt by email.  We are on the local cable provider for internet access.  This was a reliable, convenient and very cost effective solution for our needs.  If they were close enough to extend our network we would have suggested iPads using the Verizon (or ATT) broadband so this credit card traffic would be going over our campus network (one less thing to worry about).

Curtis

Any concerns about PCI compliance if you’re using wifi on the iPad/iPhone over your network?

Bobby

Bobby L. Flack, MBA, CCP
Chief Information Officer
16300 Old Emmitsburg Road
Emmitsburg, Maryland  21727
(301) 447-3705
Faith  ~  Discovery  ~  Leadership  ~  Community

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Curtis White
Sent: Monday, August 13, 2012 11:21 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Credit Card Swiping On The iPad

Gary,

We took over operations at a local country club this summer (dining and drink sales).  The location was not close enough to extend campus network access and this was a trial arrangement so catering did not want to invest in a new POS.  Enter Square - We are using this on three iPads and folks love signing their name with their finger and receiving a receipt by email.  We are on the local cable provider for internet access.  This was a reliable, convenient and very cost effective solution for our needs.  If they were close enough to extend our network we would have suggested iPads using the Verizon (or ATT) broadband so this credit card traffic would be going over our campus network (one less thing to worry about).

Curtis

There were rumblings that due to Square not encrypting the data within the device (end to end encryption) during a swipe that it was not PCI compliant. This may have changed, but I'm not aware of it and I didn't find anything on Square's webpage regarding this. I would also be concerned with what network is used to transmit the data from the device to Square. If you use your general WiFi network (even if encrypted) you may find that you bring your entire WiFi network into scope for PCI audits. Using a cellular connection in the device may help with this, but you should consult with your QSA to be sure.

As far as security concerns there are always concerns wired or wireless.  You really just need to take your normal precautions for the network security.  Take a layered approach and do as much as you can to minimize your exposure and risk.  For wireless make sure the encryption is the highest it can be.  Never an open network.  Then a plus is if you are using a third party for the sales via an https site.  This way PCI compliance does not necessarily fall on your network.  But if you have to host it internally then normal PCI compliance steps should be followed.

Joey Rego
Network Security Administrator
Lynn University
Information Technology
3601 North Military Trail
Boca Raton, Fla. 33431-5598
Phone: 561-237-7982
Fax: 561-237-7115
E-mail: jrego@lynn.edu
Web: http://www.lynn.edu
Help: http://itsupport.lynn.edu

From: The EDUCAUSE CIO Constituent Group Listserv [mailto:CIO@LISTSERV.EDUCAUSE.EDU] On Behalf Of Flack, Bobby L.
Sent: Monday, August 13, 2012 11:40 AM
To: CIO@LISTSERV.EDUCAUSE.EDU
Subject: Re: [CIO] Credit Card Swiping On The iPad

Any concerns about PCI compliance if you’re using wifi on the iPad/iPhone over your network?

Bobby


Message from jmorales@purduecal.edu

The network will still be in the PCI scope.  That transmission will end up on your wired network before reaching final destination.


Joe Morales
Director of Technological Infrastructure Services
Information Services
Purdue University Calumet
219-989-2356



Obviously check with your QSA for their interpretation of PCI DSS impact and scope, but Square and several other solutions are Visa PCI DSS Validated Entities (Service Providers) - so typically a QSA is going to validate the Service Provider is still listed and you can effectively push most of the compliance requirement over to the Service Provider. Essentially as soon as it hits the swipe the security is the responsibility of the Service Provider. I'd argue (with my QSA) that the network is not in scope, because the institution has no control over the information as soon as it hits the swipe, so the network it transits is irrelevant….but I've met & managed enough QSAs to know their interpretation will vary widely. It sounds like an entertaining conversation at least.

The other challenge I see with the solution is merchant card processing – the actual acquiring bank. Several of the solutions out there require you to process the cards through them instead of your existing acquirer. So, pile a business discussion on top of the technical, compliance, and security analysis.

Robert Rudloff
AVC, UTS-Service Assurance
University of Denver
Office: (303) 871-4030
Mobile: (303) 590-8770

From: Joe Morales
Date: Monday, August 13, 2012 1:05 PM
Subject: Re: Credit Card Swiping On The iPad

The network will still be in the PCI scope. That transmission will end up on your wired network before reaching final destination.

Joe Morales
Director of Technological Infrastructure Services
Information Services
Purdue University Calumet
219-989-2356

I am not our expert here and I know nothing about the company Square, but we are taking a hard look at such encrypting swipe technologies.  It is my understanding that very recent changes in PCI guidelines open the possibility that using encrypting swipe devices would remove the intervening network from the scope of PCI.  

As suggested earlier, be sure to check with your QSA.

Rick
Associate Provost for Technology & Information Systems
Wake Forest University


