New PCI Security Standards Council Guide Offers Best Practices for Mobile Payments

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

The Payment Card Industry Security Standards Council Feb. 14 released guidance for merchants on protecting payment card data when they use mobile devices to accept payments.

The council is a global forum that develops payment card security standards, including the Payment Card Industry Data Security Standard (PCI DSS). The self-regulatory PCI DSS requires companies handling card transactions to maintain certain data security measures or face fines and/or the cut-off of their ability to process cards.

“Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes,” Troy Leach, the council's chief technology officer, said in the council's Feb. 14 statement. “Which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions.”

According to a study by Juniper Research Ltd, mobile transactions will reach $1.3 trillion around the world by 2015--four times today's amount--the council said. But mobile devices also introduce new security risks. “By design, almost any mobile application could access account data stored in or passing through the mobile device,” the council explained.

BYOD Not Recommended

The guide applies to “payment-acceptance applications that operate on any consumer electronic handheld device (e.g., smartphone, tablet, or PDA) that is not solely dedicated to payment-acceptance transaction processing and where the electronic handheld device has access to clear-text data.”

Besides providing an overview of the mobile payments space, the council said the guidelines identify the three primary security risks inherent in mobile payment transactions: (1) “account data entering the device”; (2) “account data residing in the device”; and (3) “account data leaving the device.”

The document recommends measures for ensuring the security of mobile devices used for the acceptance of payments and offers guidance on securing the components of the payment acceptance solution, such as hardware and software, the council explained.

The guide does not recommend bring your own device (BYOD) as a best practice because it does not give the merchant control over the device's configuration and content.

Until merchants can meet the new mobile payment guidelines, they should use “a PCI-validated, Point-to-Point Encryption (PCI P2PE) solution” as detailed in a May 2012 fact sheet, according to the council.

The latest document “goes hand-in-hand” with the council's September 2012 mobile payment acceptance security guidelines for mobile app developers and device vendors, the council said.

On Feb. 7 the council published guidelines for securing customer payment card data in cloud computing environments (12 PVLR 237, 2/11/13). On Jan. 30, the council issued guidelines on satisfying PCI DSS requirements in e-commerce environments and guidelines on preventing the compromise of payment card data at ATMs (12 PVLR 190, 2/4/13).

The February 2013 document “PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users” is available at

The September 2012 document “PCI Mobile Payment Acceptance Security Guidelines for Developers” is available at

Request Bloomberg Law: Privacy & Data Security