The Payment Card Industry Security Standards Council Feb. 14 released guidance
for merchants on protecting payment card data when they use mobile devices to

The council is a global forum that develops payment card security standards,
including the Payment Card Industry Data Security Standard (PCI DSS). The
self-regulatory PCI DSS requires companies handling card transactions to
maintain certain data security measures or face fines and/or the cut-off of
their ability to process cards.

“Currently, it is challenging to demonstrate a high level of confidence in
the security of sensitive financial data in devices that were designed for other
consumer purposes,” Troy Leach, the council's chief technology officer, said in
the council's Feb. 14 statement. “Which is why we encourage merchants to
consider encrypting cardholder data securely prior to using mobile devices to

According to a study by Juniper Research Ltd, mobile transactions will reach
$1.3 trillion around the world by 2015--four times today's amount--the council
said. But mobile devices also introduce new security risks. “By design, almost
any mobile application could access account data stored in or passing through
the mobile device,” the council explained.

The guide applies to “payment-acceptance applications that operate on any
consumer electronic handheld device (e.g., smartphone, tablet, or PDA) that is
not solely dedicated to payment-acceptance transaction processing and where the
electronic handheld device has access to clear-text data.”

Besides providing an overview of the mobile payments space, the council said
the guidelines identify the three primary security risks inherent in mobile
payment transactions: (1) “account data entering the device”; (2) “account data
residing in the device”; and (3) “account data leaving the device.”

The document recommends measures for ensuring the security of mobile devices
used for the acceptance of payments and offers guidance on securing the
components of the payment acceptance solution, such as hardware and software,
the council explained.

The guide does not recommend bring your own device (BYOD) as a best practice
because it does not give the merchant control over the device's configuration

Until merchants can meet the new mobile payment guidelines, they should use
“a PCI-validated, Point-to-Point Encryption (PCI P2PE) solution” as detailed in
a May 2012 fact sheet, according to the council.

The latest document “goes hand-in-hand” with the council's September 2012 mobile
payment acceptance security guidelines for mobile app developers and device
vendors, the council said.

On Feb. 7 the council published guidelines
for securing customer payment card data in cloud computing environments (12 PVLR
237, 2/11/13). On Jan. 30, the council issued guidelines
on satisfying PCI DSS requirements in e-commerce environments and guidelines
on preventing the compromise of payment card data at ATMs (12 PVLR 190,

The February 2013 document “PCI Mobile Payment Acceptance Security Guidelines
for Merchants as End-Users” is available at https://www.pcisecuritystandards.org/documents/Mobile_Payment_Security_Guidelines_Merchants_v1.pdf.

The September 2012 document “PCI Mobile Payment Acceptance Security
Guidelines for Developers” is available at https://www.pcisecuritystandards.org/documents/Mobile%20Payment%20Security%20Guidelines%20v1%200.pdf.