On May 16, 2012, the PCI Security Standards Council (PCI Council) provided guidance to merchants as an initial step in identifying measures that can be taken to facilitate secure acceptance of payments using mobile devices such as smartphones or tablets at the point-of-sale. In particular, the PCI Council’s guidance is intended to provide merchants with actionable recommendations on accepting payments via mobile devices in a manner that comports with the PCI Data Security Standard (PCI DSS), which requires merchants to protect cardholder data (whether such information is printed, processed, transmitted or stored). The PCI Council reasoned that taking additional measures for securing mobile payments is important because there are limited security safeguards on current mobile devices for payment acceptance, responsibilities for security in the mobile ecosystem span multiple players (e.g., financial institutions, payment brands, mobile network operators, handset manufacturers, etc.), protecting cardholder data is required under the PCI DSS, and securing mobile acceptance supports consumer confidence.
The PCI Council determined that securing account data at the point of capture is a meaningful way to actively control the risks associated with mobile payments. As such, the guidance provides specific recommendations on point of capture security measures for: (i) merchants that utilize an off-the-shelf payment acceptance solution, and (ii) merchants that build their own mobile acceptance solution. If a merchant utilizes an off-the-shelf solution, the PCI Council recommends that the merchant use a validated and properly implemented Point-to-Point Encryption (P2PE) solution. The PCI Council explained that using a validated P2PE solution will significantly reduce the risk that a malicious person could intercept and use cardholder data.
Alternatively, if a merchant chooses to build its own solution, the PCI Council recommends that the solution require additional encryption technology (beyond that provided in a mobile device), including an approved “point of interaction” (POI) device (i.e., a PIN entry device or secure card reader) to capture and encrypt cardholder data for a transaction. The PCI Council noted that a list of validated P2PE solutions and approved POI devices will be available on the PCI Council’s website as and when they are approved.
According to the PCI Council, a merchant’s use of a validated P2PE solution for processing mobile payments may lessen the requirements associated with its annual PCI DSS compliance, which will likely reduce the costs associated with compliance. Nevertheless, the PCI Council cautioned that merchants will still be required to comply with the PCI DSS, contractual obligations with third-party vendors (including the P2PE solution provider) and any other applicable laws, rules, regulations or guidance.