PCI Council releases mobile payments security guidance for merchants

Juniper Research predicts mobile transactions will hit $1.3 trillion worldwide by 2015, four times what it is today

In the era of Square and NFC, the time is certainly ripe for a dedicated look at the issue. Juniper Research predicts mobile transactions will hit $1.3 trillion worldwide by 2015, four times what it is today, as more and more businesses turn to consumer electronic handheld devices (e.g., smartphones and tablets) for payment acceptance. Because these devices are not solely used as point-of-sale (PoS) tools but also to carry out other functions, they introduce new security risks. By design, almost any mobile application could access account data stored in or passing through the mobile device, Juniper noted.

The new guidance for merchants focuses on these scenarios and specifically the payment software that operates on these devices. The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users leverages industry best practices to educate merchants on what is needed to isolate and prevent card data from exposure.

“Even with rapid adoption of mobile technology in payments, security still tops concerns for merchants. It comes down to the basic element of trust,” said Troy Leach, CTO at the PCI Security Standards Council, in a statement. “Consumers want to have confidence that their information is protected – whether at their favorite restaurant, shopping online or making a purchase using a mobile device in lieu of a traditional PoS.”

Until mobile hardware and software implementations can meet the stringent PCI guidelines, Leach noted, one of the best options for merchants is the use of a PCI-validated point-to-point encryption (PCI P2PE) solution, which the Council outlines in a fact sheet.

“It is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes,” Leach said. “Which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions.”

The PCI Mobile Payment Acceptance Security Guidelines recognize payment security as a shared responsibility, and outline the unique, complex and evolving mobile environment that underscores the need for all parties in the payment chain to work together to ensure mobile acceptance solutions are deployed securely.

To that end, the guidance is organized around three key areas and objectives: security of a payment transaction, of the mobile device itself, and of the payment acceptance solution.

When it comes to mobile payment transactions, merchants must consider the account data entering the device, account data residing in the device and account data leaving the device. As far as the smartphone or tablet, the guidance provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance. PCI also offers guidance for the different components of the payment acceptance solution, including the hardware, software, the use of the payment acceptance solution and the relationship with the customer.

A glossary of terms, chart to help determine responsibility for each best practice, checklist for choosing a mobile solution provider, and further detail on additional risks associated with mobile devices are included as appendices.

“When considering mobile payment acceptance, merchants need to go in with their eyes open,” Leach said. “And that’s what the intent of this guidance is, to help merchants understand the risks so that together with developers and device vendors they can safely implement a solution that will enable mobile commerce to flourish.”

Leach added that in 2013, the Council will continue to collaborate with industry subject matter experts and other standards bodies to explore how card data security can be addressed in an evolving mobile acceptance environment, and whether additional guidance or requirements should be developed.
