More than a fifth of small and mid-sized businesses use mobile devices to accept payments, almost twice the rate of mobile acceptance two years ago, but all too few of those businesses are concerned about payment security, according to new findings from ControlScan Inc.
According to the survey of 6,186 randomly selected businesses that are customers of eight payment-processor clients of ControlScan, 21% had adopted mobile payments at the point of sale. That compares with 17% using mobile devices for card-present sales in a similar ControlScan survey in April 2013 and only 10% in July 2012. Another 4% of this year’s respondents were in the process of implementing mobile POS payments when queried. The businesses, three-fourths of which had 10 or fewer employees, were polled by Internet in June and July.
“We have seen the number of small businesses using mobile devices nearly double,” Joan Herbig, chief executive of ControlScan, an Alpharetta, Ga.-based payments-security services firm, tells Digital Transactions News.
That finding is no surprise given all the attention to mobile payments by prominent startups such as Square Inc. as well as independent sales organizations, tech specialists and big merchant acquirers. Square quickly came to dominate mobile-payment services for new merchants and small businesses when it burst onto the scene in 2010, but all the new competition apparently has eroded its market share even though the company is still reporting strong growth. Some 28% of ControlScan’s respondents reporting using Square services in 2014, down from 45% in 2012.
“It may have been Square was the only game in town; today we’re seeing processors and ISOs bringing their own solutions to the marketplace,” says Herbig.
Indeed, 59% of respondents get their processing services from “other.” Six percent of respondents reported using PayPal Inc.’s PayPal Here service while 4% use North American Bancard’s PayAnywhere and 1% each use Roam Data Inc.’s RoamPay, ID Tech’s iMag, and ShopKeep POS.
Besides having to choose their mobile-payments processor, small businesses must deploy card-accepting hardware, either purpose-built terminals or personal devices adapted for mobile payments. Devices from Apple Inc., which recently introduced its Apple Pay service, dominate among ControlScan’s respondents, who could select all choices that apply. Many are using more than one type. Some 55% use Apple’s iPhone and 40% use Apple’s iPad tablet. Thirty-four percent use a smart phone running Google Inc.’s Android mobile operating system.
After that, there’s a big drop-off in device popularity. Only 11% of respondents reported using an Android tablet, followed by 3% for tablets running Microsoft Corp.’s Windows system, and 2% each for BlackBerry Ltd.’s smart phones and Windows phones. Seven percent of respondents reported using “other.”
A full 33% of respondents said they have always used a mobile-based POS system, while 20% said they had or would replace a traditional system with one based entirely on mobile devices. Forty-seven percent said mobile devices supplement the traditional POS systems they use.
Security concerns, meanwhile, are evident from survey responses. Employees provide their own devices in 40% of cases while employers supply 60%. The PCI Security Standards Council, which updates the Payment Card Industry data-security standard (PCI) and its related standards, has noted that off-the-shelf mobile devices may not have incorporated generally accepted information-security standards.
Plus, there’s a large element of personal usage of the mobile devices small businesses deploy for payments. The clear preference among security executives is for dedicated payments equipment, but a full 78% of ControlScan’s respondents answered yes when asked if the mobile devices used for accepting credit card payments also are used “for other tasks such as checking and sending email, surfing the Web, etc.?”
“The nature of these mobile devices provides some barriers to PCI compliance,” says Steve Robb, ControlScan senior vice president.
The sizable share of Android devices handling small-business mobile payments also raises some security issues, according to Robb. In contrast to Apple’s “walled garden” of mobile apps that run only on Apple devices, Android is an open platform used by a number of mobile-device manufacturers, and Apple’s apps tend to be vetted more stringently than Android’s. “That growth in Android—that’s some cause for concern,” he says.
Other research has established that most payment card data breaches happen at small businesses but rarely get headlines. Some 63% of ControlScan’s respondents reported being “not at all concerned” about the data they were transmitting via a mobile device. Only 10% said they were very concerned while 27% said they were somewhat concerned.
The findings represent an opening for ISOs and acquirers to educate their small-business clientele about payments security—and to showcase their services, according to Herbig. “Use this as an opportunity to promote your mobile-security solutions,” she says.