PCI Mobile Payment Security Recommendations Released by PCI SSC

The PCI SSC (Payment Card Industry Security Standards Council) just released a document addressing mobile device (smartphone, tablet or PDA) payments, PCI Mobile Payment Acceptance Security Guidelines, version 1.0. Three major risks associated with mobile payment transactions include:

1. Account data entering the device
2. Account data residing in the device
3. Account data leaving the device

One objective includes the prevention of account data being intercepted while it’s being transmitted into a mobile device. In order to do so, the PCI SSC recommends that account data is encrypted before it reaches a mobile device, which can be achieved by validating a PCI P2PE (Point-to-Point Encryption) solution, seen below, from the PCI SSC’s Accepting Mobile Payments with a Smartphone or Tablet At-a-Glance mobile payment acceptance security document.

Encrypted data flows from either an approved PED (pin entry device) or an approved secure card reader to the mobile device, then to a P2PE solution provider.

The second objective involves preventing account data from being compromised while in processing or while it’s stored within the mobile device. These general guidelines recommend a strategy is devised for:

• Secure distribution of account data
• Secure access to and storage of account data
• Controls over account data while in use
• Prevention of unintentional ‘data leakage’

The PCI SSC recommends that account data storage should be temporarily stored in a secured storage environment before processing and authorization. If data is stored on the mobile device after authentication, data should be rendered unreadable or encrypted by the PCI DSS standard 3.5 to limit application, personnel and process access to the keys.

The third objective is to prevent account data from interception upon transmission out of the mobile device. One way to do so is to prevent unauthorized logical device access by implementing design features that prevent unauthorized access, including secure lock screens and time-sensitive sessions requiring logins.

Another method includes creating server-side controls and reporting unauthorized access; controls include:

• An access control list
• Ability to monitor system events and distinguish normal from abnormal events
• Ability to report abnormal events that may indicate a system breach or data leak, including encryption key changes, invalid login attempts, app updates and more

File integrity monitoring (FIM) is one way to watch a system’s critical files and ensure any changes are sent as alerts to administrators. Preventing the escalation of privileges is another control that can protect cardholder data by ensuring only trusted individuals can control security settings on the device.

Other controls that can help prevent data from falling into the wrong hands while being transmitted from the device include:

• Enable the ability to remotely disable payment applications
• Use GPS or other location apps/technology to detect theft or loss, and require re-authentication of the user/device
• Ensure any supporting systems are compliant with PCI DSS
• Prefer online transactions whenever the mobile payment-acceptance app on the host is inaccessible in order to prevent offline transactions/storage of transactions
• All mobile payment apps should conform to secure coding, engineering and testing as required by the Payment Application Data Security Standard (PA-DSS)
• Protect against known vulnerabilities by evaluating updates, checking the source, and applying updates in a timely manner
• Protect against unauthorized applications on the mobile device
• Protect devices from malware
• Protect devices from unauthorized attachments
• Document device implementation and use
• Support secure merchant receipts – mask the PAN (Payment Account Number) and never use email or SMS to send PAN or SAD (Sensitive Account Data)
• Provide an indication of secure state, similar to an active SSL session in a browser

Find out more about PCI-secure networks for mobile devices in our PCI Compliant Hosting white paper.

References:
PCI Mobile Payment Acceptance Security Guidelines (PDF)
Accepting Mobile Payments with a Smartphone (PDF)