The Payment Card Industry Security Standards Council has issued additional guidance for merchants looking to integrate mobile devices into their payment acceptance processes. While the publication bears the rather unwieldy title "PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users," it provides some common-sense direction that merchants can use when addressing the potential data risks associated with using mobile devices to accept payments.
Founded in 2006, the PCI SSC is made up of members of the payment industry including banks, merchants and the major payment card brands such as MasterCard, Visa and American Express. PCI SSC is the industry group tasked with developing and maintaining standards to protect cardholder data. It qualifies the assessors who evaluate merchants' data security measures; enforcement of the standard, including denying a merchant the ability to accept cards, is carried out by the card brands and acquiring banks rather than by the Council itself.
This new publication is the latest in a series of guidelines, fact sheets and documents produced by the PCI SSC aimed at dealing with the rapidly changing world of mobile payments. These guidelines, however, do not change the PCI Data Security Standard (PCI DSS) itself, the standard with which merchants must comply in order to accept payment cards. Instead, they provide best practices merchants should follow when implementing mobile acceptance solutions.
Securing the insecure
According to the PCI SSC, the core issue with using mobile devices to accept payments is that smartphones and tablets were not designed to be point-of-sale tools. Mobile devices may offer improvements in convenience and customer service, but they also run a multitude of other applications that can access data stored on the device, leaving that data potentially exposed.
"Even with rapid adoption of mobile technology in payments, security still tops concerns for merchants. It comes down to the basic element of trust. Consumers want to have confidence that their information is protected - whether at their favorite restaurant, shopping online or making a purchase using a mobile device in lieu of a traditional POS," said PCI CTO Troy Leach in announcing the guidelines. "Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes."
The 27-page booklet is written with the merchant audience in mind and is organized into three sections covering the key areas merchants need to address when evaluating a mobile solution. The first looks at the risks associated with data entering, residing on and leaving a mobile device. The second covers securing the mobile device itself. The third addresses the components of the payment acceptance solution, including the hardware, the software, the use of a payment acceptance solution and the relationship with the customer.
"PCI is providing a usable checklist," said David W. Schropfer, head of mobile commerce with market research and advisory firm the Luciano Group. "It's a resource any merchant, large or small, can use to begin to evaluate options for mobile payment acceptance." He added that it's not a technical document; it seems to be written with the intention of giving broad, general guidance to merchants.
The new guidelines are meant to go with recommendations the PCI SSC published last year addressing how mobile app developers and device vendors can design security controls into their mobile payment acceptance solutions, the organization said.
"When considering mobile payment acceptance, merchants need to go in with their eyes open," Leach said. "And that’s what the intent of this guidance is, to help merchants understand the risks so that together with developers and device vendors they can safely implement a solution that will enable mobile commerce to flourish."
The changing payment landscape
However helpful the document's intentions, the fact that the PCI SSC has not actually changed the security standard itself to cover mobile payments after more than two years of study and evaluation may indicate that the group faces a payment landscape changing too rapidly for its data security standard to keep up.
"PCI is showing a weakness in its area of expertise, which may arguably stop at the end of the 'wire,'" Schropfer said. "In other words, the security of a truly mobile device like a consumer smartphone that relies on over the air [OTA] transmissions for all of its functionality has long been the domain of other agencies, most notably the GSMA. PCI may not be able to offer better security standards for mobile devices than the GSMA, which may be why the new PCI document described consumer mobile phones as a generally unmanageable security threat."
Schropfer said mobile security, especially as it relates to the use and transmission of credentials, is a very different arena from traditional payment security, and may be something PCI isn't equipped to police.
"The question becomes is PCI really the best organization to write the manual for the security of credentials stored and used in a mobile device?" he said.
The PCI SSC said that during 2013 it will continue to collaborate with industry experts and other standards bodies to look at data security regarding mobile acceptance and determine if it needs to develop additional guidance or requirements.
The new guidelines, along with other documents produced by the PCI SSC relating to mobile payment acceptance, can be found at the PCI's official site.