02-15-13 | Blog Post
The PCI SSC (Payment Card Industry Security Standards Council) is looking alive this year, rolling out supplemental guides to help clarify a number of evolving PCI technical issues, including:
The PCI Mobile Payment Security Recommendations targeted at application developers were initially released last September, but another version was released just yesterday by the council specifically for merchants as end-users. Read more in PCI Mobile Payment Security Recommendations Released by PCI SSC.
Mobile payments, via smartphones and tablets, are increasing in popularity in the retail industry and quickly outpacing the use of traditional point-of-sale systems (POS). Why mobile payments? Faster checkouts and efficiency benefit both consumers and businesses, whereas transaction fees can also be lower with mobile payment companies vs. credit card companies.
According to CFO.com, a Deloitte study found that 58 percent of smartphone consumers check and compare prices while shopping, making their mobile device an integral part of expediting the decision-making process. Mobile payments fulfill the final step, making it a seamless transition to wrapping the buying cycle.
The PCI SSC recognizes the proliferation of mobile payments and the unique security risks they introduce to merchants. While they detail the specific requirements for securing data with mobile payment applications, they also provided a list of best practices, with a matrix that indicates who is responsible for what.
Appendix B defines two entities responsible for securing cardholder data during the mobile payment process – Merchant as an End User (M) is any entity that uses a mobile payment acceptance solution; and the Mobile Payment Acceptance Solution Provider (SP) is any entity that integrates components of the mobile payment acceptance solution, and is responsible for the back-end administration of the solution.
| Best Practice | M | SP |
| Prevent account data from being intercepted when entered into a mobile device. | X | X |
| Prevent account data from compromise while processed or stored within the mobile device. | X | X |
| Prevent account data from interception upon transmission out of the mobile device. | X | |
| Prevent unauthorized physical device access. | X | |
| Protect mobile device from malware. | X | X |
| Ensure the device is in a secure state. | X | |
| Disable unnecessary device functions. | X | X |
| Detect loss or theft. | X | X |
| Ensure the secure disposal of the device. | X | |
| Implement secure solutions. | X | X |
| Ensure the secure use of the payment-acceptance solution. | X | |
| Prefer online transactions. | X | |
| Prevent unauthorized use. | X | |
| Inspect system logs and reports. | X | X |
| Ensure that customers can validate the merchant / transaction. | X | |
| Issue secure receipts | X |
Part of the mobile payment acceptance solution, aside from the application itself, lies in the data hosting solution. Infrastructure as a Service (IaaS) (provider of servers, storage, network and virtual machines in the case of a PCI cloud hosting solution) is another component of the entire mobile payment solution that must also meet PCI DSS compliance.
A PCI compliant hosting provider should have achieved an attestation of compliance across their entire hosting solution, including infrastructure, policies and procedures, staff training, contractual requirements and technical security services. Check for documentation of compliance, and ensure they are aware of their responsibilities and services that fulfill each PCI requirement. Read Four Ways to Gain Transparency with PCI Hosting Providers for tips.
Interested in learning more about mobile device and application security? Read our Mobile Security white paper for a guide on mobile security risks, malware, compliance, and how to successfully implement BYOD (Bring Your Own Device) in the workplace.
References:
PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users (PDF)
