PCI Issues New Security Guidelines For Mobile Payments

The Payment Card Industry Security Standards Council (PCI SSC) recently issued guidelines for mobile payment acceptance security. The “PCI Mobile Payment Acceptance Security Guidelines” provide smart phone manufacturers and mobile app developers’ best practices on security controls to help facilitate consumer mobile payment transactions. The PCI SSC oversees the Payment Card Industry data-security standards (PCI DSS), which include standards for secure payments software and PIN-based transaction devices. The Council previously published related guidelines such as the application of data standards to mobile payment acceptance using the Payment Application Data Security Standard (PA-DSS), leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to secure payments on smart phones. The latest guidelines are intended to address software security problems that have started to creep into the plethora of new programs and apps designed to process payments on smart phones.

The three main objectives delineated in the guidelines include:

  1. Protect sensitive account data from being intercepted when entered into a mobile device used for payment processing. Viable protection options include encryption or establishing a secure path between the data entry mechanism (i.e., the keypad) and the mobile unit that stores memory.
  2. Prevent sensitive account data from being compromised while stored inside the mobile device. The guidelines recommend a strategy that allows for: secure distribution of account data; secure access to and storage of account data; controls over account data while in use and; prevention of unintentional data disclosures. Account data should be temporarily stored in a secured environment before processing and authorization and should not be accessible to third parties. If data is stored on the mobile device after authentication, data should be rendered unreadable or encrypted. Other means to prevent unauthorized access are the implementation of design features such as secure lock screens and time-sensitive sessions requiring logins. Server-side control options include an access control list, the ability to monitor system events and distinguish normal from abnormal events and the ability to report abnormal events that may indicate a system breach or data leak (e.g., encryption key changes, invalid login attempts and app updates).
  3. Protect sensitive account data during transmission out of the mobile device, usually through encryption. One way to do so is to prevent unauthorized logical device access by implementing design features that prevent unauthorized access, including secure lock screens and time-sensitive sessions requiring logins.

Another security measure identified in the guidelines is the remote disablement of stolen or lost devices, which will become a significant feature over time as tablet computers are increasingly used by merchants in lieu of the more conventional point-of-sale (POS) terminals in retail store and restaurants. As merchants increase their usage of mobile devices in the POS process, the potential for those devices to go missing will correspondingly increase but, unlike a standard POS terminal at a fixed check-out location, a missing mobile device may not be detected for hours, which greatly enhances the potential damage since that mobile device can then be used as a skimmer if a thief is able to access the credit and debit card numbers entered from past sales.

Some in the industry have criticized the guidelines as being too summary in nature and thin on substance, but that is the reality when offering general guidelines. Specific security solutions will be dependent upon the particular software, app and/or mobile device in use.