New PCI Guidance for Mobile Payments Highlights Risks for Acquirers, Merchants
New merchant guidance from the Payment Card Industry Security Standards Council addresses card data protection for mobile devices used to accept payments, an area that poses increasing risks.
Banking institutions, as card issuers and acquirers, should use the guidance when assisting merchants with end-to-end mobile transaction security, says Steve Kenneally, who works in the Center for Regulatory Compliance at the American Bankers Association.
"Shining a spotlight on the need to improve payment security is always a great idea," he says. "Providing specific recommendations on how to achieve a higher level of security is even better."
As payments acquirers, banking institutions work with merchants to ensure the payment environment is secure, Kenneally says. "We expect the PCI guidelines to become one more tool that acquirers can use to increase merchant security," he adds.
Among mobile security considerations addressed in the PCI Council's new guidance are:
- Risks associated with account data entry on mobile devices, account data residing or stored on the devices and account data transmitted through mobile devices;
- Steps merchants should follow to ensure the physical and transactional security of mobile devices used for payment acceptance; and
- Guidelines for components involved in payment acceptance, such as hardware, software, the use of payment acceptance solutions and customer relationship considerations.
Mobile for Payment Acceptance
"The PCI guidelines recognize that some of the qualities that make mobile acceptance so attractive to merchants also make it attractive to fraudsters," Kenneally says. "The applications are simple to obtain, easy to use and, by definition, are easy to transport. It may be easier just to steal a merchant's phone or tablet, rather than hacking into the system. You can't say that about a gas pump or checkout line at the supermarket."
Unlike point-of-sale terminals, mobile devices are not dedicated to payments, and that makes them more difficult to secure, Kenneally says.
"Merchants that have a history of conventional processing of card transactions should be aware of the need to secure card data and their devices," he says.
As merchants migrate to mobile acquiring, banking institutions must make it clear that they expect them to maintain the same financial security standards they would in conventional payments environments, he adds.
Understanding the Risks
The guidance aims to educate merchants about the risks that need to be considered to ensure card data is secure when transactions are conducted on smart phones and tablets, the council says. By design, almost any mobile application could access account data stored in or passing through the mobile device, says Troy Leach, chief technology officer of the council.
"It is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes," Leach says. "We encourage merchants to consider encrypting cardholder data prior to using mobile devices to process transactions."
The guidance also addresses risks merchants must consider when working with mobile platform developers and device vendors - two factors that are often overlooked, says Shirley Inscoe, a financial fraud analyst with consultancy Aite.
"There are issues that must be addressed to properly secure the channel," she says. "These include hardware, software and transactional security requirements. Encrypting the transaction itself is not adequate if unencrypted data resides on the hardware or in applications on the device."
Inscoe stresses that encrypting card data prior to transmitting it ensures data is protected during the transaction as well as when and if it's stored on the mobile device.
More for Banks
While banking institutions are not directly affected by this new guidance, they are responsible, as acquirers, for ensuring merchants are taking steps to comply, Inscoe says.
"Acquirers are responsible for the merchants they sponsor and typically have contractual language in place requiring merchants to comply with the PCI DSS [Data Security Standard]," she says. "Acquirers communicate with their merchants and help them understand the importance of the security standards and require their merchants to comply. If the merchants need assistance in identifying third parties to assist them in achieving compliance, the acquirer is responsible for helping them identify the tools they need, as well as third parties who can assist them."
Kenneally says acquirers should pay close attention to the guidance and take steps to assist merchants that are new to mobile payments processing.
"Protecting your device is one thing, but protecting the information as it flows in and out is vital," Kenneally says. "The key thing is to effectively communicate this urgency to the merchants to the degree that they actually act on it. Merchant acquirers do this now, and these guidelines should help them in letting merchants know their role in securing consumer data.
"Their responsibility to protect the data begins when they plug their dongle into the earphone jack, but doesn't end until they take the right steps to protect consumer data."