The Payment Card Industry Security Standards Council Feb. 14 released guidance for merchants on protecting payment card data when they use mobile devices to accept payments.
The council is a global forum that develops payment card security standards, including the Payment Card Industry Data Security Standard (PCI DSS). The self-regulatory PCI DSS requires companies handling card transactions to maintain certain data security measures or face fines and/or the cut-off of their ability to process cards.
“Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes,” Troy Leach, the council's chief technology officer, said in the council's Feb. 14 statement. “Which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions.”
According to a study by Juniper Research Ltd, mobile transactions will reach $1.3 trillion around the world by 2015, four times today's amount, the council said. But mobile devices also introduce new security risks. “By design, almost any mobile application could access account data stored in or passing through the mobile device,” the council explained.
The guide applies to “payment-acceptance applications that operate on any consumer electronic handheld device (e.g., smartphone, tablet, or PDA) that is not solely dedicated to payment-acceptance transaction processing and where the electronic handheld device has access to clear-text data.”
Besides providing an overview of the mobile payments space, the council said the guidelines identify the three primary security risks inherent in mobile payment transactions: (1) “account data entering the device”; (2) “account data residing in the device”; and (3) “account data leaving the device.”
The document recommends measures for ensuring the security of mobile devices used for the acceptance of payments and offers guidance on securing the components of the payment acceptance solution, such as hardware and software, the council explained.
The guide does not recommend bring your own device (BYOD) as a best practice because it does not give the merchant control over the device's configuration and content.
Until merchants can meet the new mobile payment guidelines, they should use “a PCI-validated, Point-to-Point Encryption (PCI P2PE) solution” as detailed in a May 2012 fact sheet, according to the council.
The latest document “goes hand-in-hand” with the council's September 2012 mobile payment acceptance security guidelines for mobile app developers and device vendors, the council said.
On Feb. 7 the council published guidelines for securing customer payment card data in cloud computing environments (12 PVLR 237, 2/11/13). On Jan. 30, the council issued guidelines on satisfying PCI DSS requirements in e-commerce environments and guidelines on preventing the compromise of payment card data at ATMs (12 PVLR 190, 2/4/13).
The February 2013 document “PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users” is available at https://www.pcisecuritystandards.org/documents/Mobile_Payment_Security_Guidelines_Merchants_v1.pdf.
The September 2012 document “PCI Mobile Payment Acceptance Security Guidelines for Developers” is available at https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf.