PCI explains how merchants can securely accept mobile payments

At a Glance: Mobile Payment Acceptance Security provides merchants with recommendations on partnering with a point-to-point encryption (P2PE) provider to securely accept payments and meet their PCI Data Security Standard (DSS) compliance obligations.

The fact sheet “talks about secure card readers or approved PED devices that can be connected to a smartphone or tablet that will encrypt a payment card as it is being swiped and then use either the phone or the tablet as a transport device to send it to the processor encrypted, so it can be processed, approved, and sent back to the phone in a point-to-point encrypted manner”, Bob Russo, general manager of PCI SSC, told Infosecurity.

Using smartphones and tablets as point-of-sale terminals to accept payments in place of traditional hardware terminals offers merchants flexibility. As mobile technology continues to change, the council said it will continue to work with the industry to ensure data security remains at the forefront of mobile evolution.

The fact sheet is the product of the council’s Mobile Working Group and is the result of input from merchants, vendors, and organizations involved in the mobile payment acceptance industry.

The document distills complex technology and security terminology into practical guidance that helps merchants understand their responsibilities under PCI DSS and how those responsibilities carry over to mobile payment acceptance; leverage the benefits of the council’s recently published P2PE standard and program; and choose a mobile payment acceptance product that complements the merchant’s PCI DSS responsibilities, for example, a P2PE provider.

The fact sheet also draws on recent updates made to the PIN Transaction Security (PTS) requirements at the end of 2011, creating the foundation for data security in mobile payment acceptance.

“We have been getting questions from the merchants and banking community asking, ‘What are you doing about mobile? We don’t see the word mobile in any of these standards.’ This paper is the first in a series of papers that the council will be releasing this year that demonstrates how our standards apply for mobile transactions and can protect customer cardholder data by using these two standards in partnership”, Troy Leach, chief technology officer at PCI SSC, told Infosecurity.

Using this resource to guide them in how PTS and P2PE standards work together, merchants can better understand how to use external plug-in devices with smartphones or tablets to accept payment cards by first encrypting and securing the data at the point that the account data are captured. The smartphone or tablet has no ability to decrypt the data, thus simplifying PCI DSS scope for the merchant, the council explained.
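The scope-reduction argument above rests on one property: account data are encrypted inside the reader, the phone only relays opaque bytes, and only the processor holds a decryption key. The following Go program is an added illustration of that model, not code from the PCI SSC fact sheet or from any P2PE vendor. It assumes a single static AES-256-GCM key shared between reader and processor (a constructed 32-byte value; real readers use a key-management scheme such as DUKPT), a constructed test PAN, and three hypothetical types, Reader, Phone and Processor, that stand in for the real parties. The ExposesPAN check is the question a merchant or assessor would ask of the payload the phone carries.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Reader models a PTS-approved card reader that encrypts at the point of capture.
// It is the only party on the merchant side that holds a key.
type Reader struct{ aead cipher.AEAD }

// Phone models the merchant's smartphone or tablet: a transport hop with no key.
type Phone struct{ relayed [][]byte }

// Processor models the P2PE decryption environment at the acquirer/processor.
type Processor struct{ aead cipher.AEAD }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// NewParties provisions a reader and processor sharing one key (hypothetical static-key model).
func NewParties(key []byte) (Reader, Processor, error) {
	a1, err := newAEAD(key)
	if err != nil {
		return Reader{}, Processor{}, err
	}
	a2, _ := newAEAD(key)
	return Reader{aead: a1}, Processor{aead: a2}, nil
}

// Swipe encrypts the captured account data and returns nonce || ciphertext || tag.
// This blob is everything the phone will ever see.
func (r Reader) Swipe(accountData string) ([]byte, error) {
	nonce := make([]byte, r.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return r.aead.Seal(nonce, nonce, []byte(accountData), nil), nil
}

// Forward is the phone's only role: pass the blob on unchanged.
func (p *Phone) Forward(blob []byte) []byte {
	p.relayed = append(p.relayed, blob)
	return blob
}

// Decrypt recovers the account data; any modification in transit fails the GCM tag check.
func (pr Processor) Decrypt(blob []byte) (string, error) {
	ns := pr.aead.NonceSize()
	if len(blob) < ns+pr.aead.Overhead() {
		return "", errors.New("blob too short to be a valid P2PE payload")
	}
	pt, err := pr.aead.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// ExposesPAN answers the scope question: does the payload on the phone contain the PAN in the clear?
func ExposesPAN(blob []byte, pan string) bool {
	return bytes.Contains(blob, []byte(pan))
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed key, for illustration only
	pan := "4111111111111111"             // constructed test PAN
	reader, processor, err := NewParties(key)
	if err != nil {
		panic(err)
	}
	blob, _ := reader.Swipe(pan)
	phone := &Phone{}
	onWire := phone.Forward(blob)
	fmt.Println("phone payload exposes PAN:", ExposesPAN(onWire, pan))
	got, err := processor.Decrypt(onWire)
	fmt.Println("processor recovered PAN:", got == pan, "err:", err)
}
```

Because the phone never holds a key, its compromise yields only ciphertext; and because GCM authenticates the payload, a byte altered on the phone or in transit is rejected by the processor rather than decrypted to garbage.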
