Using Mobile Pay Devices (Like Square) to Accept Payments – Internal Control and Security Considerations

One of the great things about mobile payment technologies is that they allow anyone to become a “merchant” and accept payments by credit or debit card anywhere there is an internet connection.  For those not familiar with this technology, common versions of it allow a user to insert a device into his/her smart phone or tablet (typically into the headphone jack) that serves as a debit/credit card reader.  Together with its accompanying app, the device allows the user to accept payments by debit/credit card with a simple swipe of the card.  Two of the most well-known providers of this technology are Square and PayPal.

Nonprofit organizations are discovering the flexibility and mobility of such payment systems and are using them with increasing frequency.  With fewer people carrying cash or checkbooks, collecting money from people often requires the ability to accept card payments.  Mobile payment devices and apps are particularly convenient for collecting money for event admissions, concessions, and similar activities.

When considering the use of mobile payment methods, nonprofit organizations often have questions about the internal control and security considerations.

Since we are an accounting firm, folks might expect that our response would be to recommend that organizations either employ extensive controls over such payment methods or avoid them altogether due to the inherent risks.  But such an approach is not practical.  It would be like recommending that the concession stand operators at a high school football game provide detailed receipts (in duplicate) for all buyers of hot dogs and sodas. It’s not going to happen.  So, we look at the issue realistically.

First, we believe that nonprofit organizations should use mobile payment systems only in limited circumstances. In order to maintain reasonable internal controls over incoming electronic payments, mobile payment methods should be used only where they are truly one of the few practical payment options. For example, an organization that accepts general contributions should not use mobile payment methods as the means for accepting them on a regular or wide-scale basis. There are far more robust systems with appropriate security and internal controls available for the primary and major transactions of nonprofit organizations. But mobile payment systems may be appropriate for collecting admission fees to remote events (where a kiosk or box office is not practicable), for concessions at remote locations (where use of a regular payment terminal is not practicable), and for similar activities.

Now, let’s look at risk issues.  The primary risk associated with using mobile payment methods is similar to the risk associated with accepting cash (currency) payments – the risk that the payments don’t make it to the organization.  That is, the risk that someone misappropriates the payments.  With mobile payment technology, a very simple way that someone could misappropriate funds would be to configure the payment app to direct the funds collected to his/her personal bank account.  The person may appear to be collecting funds like everyone else.  How can an organization address and reduce the risk that someone might do such a thing?  Here are some ideas:

  • Only allow official organization devices (e.g., smart phones, tablets, and other payment devices) to be used.
  • Mark or brand the devices in a way that will make it very noticeable if anyone were to use an unauthorized device.
  • Control access to the organization’s account with the app provider, making sure that nobody in the organization’s accounting department and nobody who will actually be using the devices has access to the account. Do not allow unauthorized persons to change account settings in the app (restrict access to passwords).
  • Post a very conspicuous notice at the event for payers to see, stating that their charges will show in their debit/credit card accounts as “XXXXX” (indicating the name that will show up on their account statement if the official, authorized payment system is used). Note, however, that it may be possible for wily perpetrators to set up an unauthorized account with the same or a similar name to that of the authorized account.
  • Employ metrics independent of the payment devices that can be used to evaluate whether the amount of payments received is commensurate with the activity.  Have you ever been told by a vendor that they can’t give you a soda cup because they have to account for every one that is missing?  That’s the idea.  For event admissions, use admission tickets or a physical count as a mechanism to test the reasonableness of the revenue received.  For concessions, count the inventory of items before and after the event and compare consumption to revenue for reasonableness.  Follow up on any significant variances found when performing such analyses.
  • Keep an eye on things.  There is no substitute for eyeball-based oversight and supervision.

In summary, mobile payment devices can be a wonderfully helpful way to collect funds at remote events in an increasingly cashless society. Used sensibly, they can be a great help to nonprofit organizations. Organizations that use mobile payment devices and systems should do so prudently. Prudence dictates that mobile payment devices be used only when they are truly needed; more robust systems should be used where possible. Employing reasonable controls and oversight measures like those described above can help keep the use of mobile payment devices reasonably safe.

This publication is for general informational and educational purposes only, and does not constitute legal, accounting, tax, financial, or other professional advice. It is not a substitute for professional advice. For permission to reprint, please contact us.  © 2024 Batts Morrison Wales & Lee, P.A.  All rights reserved.