The PCI SSC (Payment Card Industry Security Standards Council) just released a document addressing mobile device (smartphone, tablet or PDA) payments, PCI Mobile Payment Acceptance Security Guidelines, version 1.0. Three major risks associated with mobile payment transactions include:
One objective is to prevent account data from being intercepted while it is being entered into or transmitted to a mobile device. To achieve this, the PCI SSC recommends that account data be encrypted before it reaches the mobile device, which can be done with a validated PCI P2PE (Point-to-Point Encryption) solution, as described below and illustrated in the PCI SSC’s Accepting Mobile Payments with a Smartphone or Tablet At-a-Glance document.
Encrypted data flows from either an approved PED (PIN entry device) or an approved secure card reader to the mobile device, and from there to the P2PE solution provider.
The second objective is to prevent account data from being compromised while it is processed or stored on the mobile device. The guidelines recommend devising a strategy for:
The PCI SSC recommends that account data be stored only temporarily, in a secured storage environment, before processing and authorization. If data is stored on the mobile device after authentication, it should be rendered unreadable or encrypted, with access to the encryption keys restricted to the applications, personnel and processes that need them, as PCI DSS Requirement 3.5 requires.
The third objective is to prevent account data from being intercepted as it is transmitted out of the mobile device. One way to do so is to prevent unauthorized logical access to the device through design features such as secure lock screens and time-limited sessions that require the user to log in again.
Another method is to implement server-side controls and report unauthorized access; such controls include:
File integrity monitoring (FIM) watches a system’s critical files and alerts administrators to any change. Preventing privilege escalation is another control that protects cardholder data by ensuring that only trusted individuals can change security settings on the device.
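To make the FIM control concrete, here is a small added example (not from the PCI SSC guidelines or any vendor product) that baselines the SHA-256 hashes of watched files, re-scans, and reports added, removed and modified files; the watched suffixes and the constructed sample directory are assumptions for illustration.

```python
"""Minimal file integrity monitor: baseline critical files, re-scan, report drift."""
import hashlib
import tempfile
from pathlib import Path

# Hypothetical watch list: file suffixes treated as "critical" in this example.
WATCHED_SUFFIXES = {".conf", ".json", ".pem"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each watched file (path relative to root) to its SHA-256 hash."""
    return {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in WATCHED_SUFFIXES
    }


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify drift since the baseline; any non-empty list should raise an alert."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(k for k in common if baseline[k] != current[k]),
    }


def demo() -> dict[str, list[str]]:
    """Run the monitor on a constructed directory and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.conf").write_text("tls=required\n")       # constructed sample
        (root / "keys.pem").write_text("CONSTRUCTED PLACEHOLDER\n")
        (root / "notes.txt").write_text("not watched\n")       # suffix not in watch list
        baseline = snapshot(root)
        # Simulate tampering: config edited, key file deleted, new config dropped in.
        (root / "app.conf").write_text("tls=optional\n")
        (root / "keys.pem").unlink()
        (root / "extra.json").write_text("{}\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be stored outside the monitored device and the report forwarded to the administrators' alerting channel rather than printed.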
Other controls that help keep data out of the wrong hands while it is transmitted from the device include: