PCI offers wireless credit card guidance for SMBs

The PCI SSC has issued its best practices for mobile payment acceptance security guidelines

The group has issued its best practices for mobile payment acceptance security guidelines, which offer software developers and mobile device manufacturers guidance on designing appropriate security controls to provide solutions for merchants to accept mobile payments securely.

“The local pizza place knows how to make a great pepperoni pie, but they don’t know how to install a wireless mobile payments processing application securely,” said Bob Russo, general manager at PCI SSC, speaking to Infosecurity. “That’s why we’ve started a listing on our website of approved VARs to help them through the process.”

Part of the problem in that segment of the market is also that mobile computing, m-commerce and mobile malware – and the intersection of them – are still in their infancy compared with the wired web, and existing platforms limit users’ ability to ensure the security of transactions, said Nicholas Percoco, senior vice president at Trustwave SpiderLabs, speaking at the most recent PCI SSC annual meeting. Rootkits, jailbreaking vulnerabilities and SSL man-in-the-middle attacks are only a few of the vectors.

“It is important that a best practice guide be developed, by the industry, to educate mobile app developers on methods of securing commerce transactions and risks of not doing so,” said Percoco.

Offering guidance for mobile payment developers has been a recent focus for the council. “Applications are going to market so quickly – anyone can design their own app today that can be used to accept payments tomorrow,” said PCI SSC CTO Troy Leach in his presentation to PCI CM attendees. “It’s our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we’ll start to see the market drive more secure options for merchants to protect their customers’ data.”

To that end, PCI SSC has issued a document that organizes the mobile payment-acceptance security guidance into two categories: best practices to secure the payment transaction itself, which addresses cardholder data as it is entered, stored and processed using mobile devices; and guidelines for securing the supporting environment, which addresses security measures essential to the integrity of the broader mobile application platform environment.

In 2013, the council plans to explore how card data security can be addressed in an evolving mobile acceptance environment, and whether additional guidance or requirements must be developed.

The council formed an industry taskforce in 2010 as part of a dedicated effort to address mobile payment acceptance security. Since then, it has released guidance on how merchants can apply its current standards to mobile payment acceptance – by addressing mobile applications with the Payment Application Data Security Standard (PA-DSS), and leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to accept payments on mobile devices more securely.
