Mobile Payments Face the PCI Treatment


The concept of mobile payment has grown over the past couple of years, and with it the need for decent levels of security.

Last month the PCI council announced the development of a new standard for software-based PIN entry on commercial off-the-shelf (COTS) devices. The concept behind this was to permit secure PIN-based applications and card readers to work with a mobile device, utilizing a back-end system for transaction monitoring and processing.

This week Infosecurity attended a presentation by MyPinPad featuring speakers from across payment security and retail technology. The theme was based around the fact that it's been 12 years since the roll-out of Chip and PIN, and how the development of mobile-enabled payments has enabled more merchants to offer payments in instances where only cash or cheques would have been accepted in the past.

Jeremy King, international director of the Payment Card Industry Security Standards Council (PCI SSC), said that in instances such as local social clubs or outdoor festivals, those vendors offering mobile payments saw the most business. Therefore there was a need to determine a secure and practical solution to enable mobile payments, and the first draft of its new standard was published in January.

This could take most of 2018 to come to light, however: King admitted that the validation program documentation is expected in Q2, and that it would be the end of 2018 before any approved solutions are released for merchants to use.

The concept that the PCI SSC has developed works around encrypting data so that it is never in plain text, using an application on the phone from which the data is sent to a back-end system and then to a processor, which will see it as a standard chip and PIN transaction.

King admitted that the “hard work” is in securing the PIN and mobile device so that it is one simultaneous secure process. However, when questioned about updates to the PCI-certified applications, he did clarify that any application updates would not affect the overall operating system.

Also presenting was Gary Munro, senior consultant at Consult Hyperion, who said that the enablement of mobile point of sale (POS) functionality had brought cost and capability issues down, as well as the problem of unpatched payment terminals; in the past, a payment terminal would be deployed and never updated.

This, he claimed, would resolve the problem of unpatched vulnerabilities, and being application-based, could see flaws fixed in a rapidly changing threat landscape. 

Much like the problem with low-grade Internet of Things (IoT) devices, the commercial devices in mobile payments have seen costs reduced but, at the same time, the quality of the software and the build has diminished.

The PCI guidance will provide a set of principles, requirements and an evaluation methodology for a mobile payment-acceptance solution where the PIN Cardholder Verification Method (CVM) entry is performed on a COTS device in a merchant attended environment.

Will this provide some reassurance to an audience that has been delivered into a world of mobile-enabled payments? Potentially yes, but also the sight of regulation will inject a much needed dose of security into the technology.
