Sept. 18, 2012
The Payment Card Industry Security Standards Council, which provides oversight and guidance on payment card data protection, recently released its best practices for mobile payment acceptance security. The new guidelines are intended to offer developers of mobile apps and manufacturers of mobile devices some guidance on security controls to provide solutions for merchants to accept mobile payments securely, the group said.
The PCI Mobile Payment Acceptance Security Guidelines are the product of the council's efforts over the past two years to deal with the topic of mobile payment acceptance security. The council has released guidelines already that address how to apply current data standards to mobile payment acceptance using the Payment Application Data Security Standard (PA-DSS), as well as leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to secure payments on mobile devices.
The current guidelines separate mobile payment acceptance security guidance into two broad categories. The first category, best practices to secure transactions on mobile devices, covers cardholder data as it is entered, stored and processed on a mobile device. The second category, on the supporting environment, looks at the measures necessary to secure the mobile application platform environment. Among the recommendations in the guidelines are:
- Isolate sensitive functions and data in trusted environments
- Implement secure coding best practices
- Eliminate unnecessary third-party access and privilege escalation
- Create the ability to remotely disable payment applications
- Create server-side controls and report unauthorized access
"Applications are going to market so quickly — anyone can design their own app today that can be used to accept payments tomorrow," said PCI SSC Chief Technology Officer, Troy Leach. "It's our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we'll start to see the market drive more secure options for merchants to protect their customers' data."
The PCI Council said it will release additional guidelines for merchants to help them leverage mobile payment acceptance securely. Those best practices will be released in 2013. The council said it will continue to work with industry subject matter experts to determine how data security can be addressed in the rapidly changing mobile acceptance environment, and whether more guidance and requirements are needed.
The PCI Mobile Payment Security Guidelines are available at the PCI website.