New PCI Guidance for Mobile Payments

Highlights Risks for Acquirers, Merchants

By Tracy Kitten, February 18, 2013.

New merchant guidance from the Payment Card Industry Security Standards Council addresses card data protection for mobile devices used to accept payments, an area that poses increasing risks.

Banking institutions, as card issuers and acquirers, should use the guidance when assisting merchants with end-to-end mobile transaction security, says Steve Kenneally, who works in the Center for Regulatory Compliance at the American Bankers Association.

"Shining a spotlight on the need to improve payment security is always a great idea," he says. "Providing specific recommendations on how to achieve a higher level of security is even better."

As payments acquirers, banking institutions work with merchants to ensure the payment environment is secure, Kenneally says. "We expect the PCI guidelines to become one more tool that acquirers can use to increase merchant security," he adds.

Among mobile security considerations addressed in the PCI Council's new guidance are:

  • Risks associated with account data entry on mobile devices, account data residing or stored on the devices and account data transmitted through mobile devices;
  • Steps merchants should follow to ensure the physical and transactional security of mobile devices used for payment acceptance; and
  • Guidelines for components involved in payment acceptance, such as hardware, software, the use of payment acceptance solutions and customer relationship considerations.

Mobile for Payment Acceptance

"The PCI guidelines recognize that some of the qualities that make mobile acceptance so attractive to merchants also make it attractive to fraudsters," Kenneally says. "The applications are simple to obtain, easy to use and, by definition, are easy to transport. It may be easier just to steal a merchant's phone or tablet, rather than hacking into the system. You can't say that about a gas pump or checkout line at the supermarket."

Unlike point-of-sale terminals, mobile devices are not dedicated to payments, and that makes them more difficult to secure, Kenneally says.

"Merchants that have a history of conventional processing of card transactions should be aware of the need to secure card data and their devices," he says.

As merchants migrate to mobile acquiring, banking institutions must make it clear that they expect them to maintain the same financial security standards they would in conventional payments environments, he adds.

Understanding the Risks

The guidance aims to educate merchants about the risks that need to be considered to ensure card data is secure when transactions are conducted on smart phones and tablets, the council says. By design, almost any mobile application could access account data stored in or passing through the mobile device, says Troy Leach, chief technology officer of the council.

"It is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes," Leach says. "We encourage merchants to consider encrypting cardholder data prior to using mobile devices to process transactions."

The guidance also addresses risks merchants must consider when working with mobile platform developers and device vendors - two factors that are often overlooked, says Shirley Inscoe, a financial fraud analyst with consultancy Aite.

"There are issues that must be addressed to properly secure the channel," she says. "These include hardware, software and transactional security requirements. Encrypting the transaction itself is not adequate if unencrypted data resides on the hardware or in applications on the device."

Inscoe stresses that encrypting card data prior to transmitting it ensures data is protected during the transaction as well as when and if it's stored on the mobile device.

More for Banks

While banking institutions are not directly affected by this new guidance, they are responsible, as acquirers, for ensuring merchants are taking steps to comply, Inscoe says.

Follow Tracy Kitten on Twitter: @FraudBlogger
