The Payment Card Industry Security Standards Council, which provides oversight and guidance on payment card data protection, recently released its best practices for mobile payment acceptance security. The new guidelines are intended to offer developers of mobile apps and manufacturers of mobile devices some guidance on security controls to provide solutions for merchants to accept mobile payments securely, the group said.

The PCI Mobile Payment Acceptance Security Guidelines are the product of the council's efforts over the past two years to deal with the topic of mobile payment acceptance security. The council has already released guidelines that address how to apply current data standards to mobile payment acceptance using the Payment Application Data Security Standard (PA-DSS), and how to leverage the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to secure payments on mobile devices.

The current guidelines separate mobile payment acceptance security guidance into two broad categories. The first category, best practices to secure transactions on mobile devices, covers cardholder data as it is entered, stored and processed through a mobile device. The second category, the supporting environment, looks at measures necessary to secure the mobile application platform environment. Among the recommendations in the guidelines are:

  • Isolate sensitive functions and data in trusted environments
  • Implement secure coding best practices
  • Eliminate unnecessary third-party access and privilege escalation
  • Create the ability to remotely disable payment applications
  • Create server-side controls and report unauthorized access

"Applications are going to market so quickly — anyone can design their own app today that can be used to accept payments tomorrow," said PCI SSC Chief Technology Officer, Troy Leach. "It's our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we'll start to see the market drive more secure options for merchants to protect their customers' data."

The PCI Council said it will release additional guidelines for merchants to help them leverage mobile payment acceptance securely. Those best practices will be released in 2013. The council said it will continue to work with industry subject matter experts to determine how data security can be addressed in the rapidly changing mobile acceptance environment, and whether more guidance and requirements are needed.

The PCI Mobile Payment Security Guidelines are available at the PCI website.
