The September 2012 release of the Mobile Payment Acceptance Security Guidelines for Developers (the “Guidelines”) by the Payment Card Industry Security Standards Council (“PCI SSC”) should be of interest to providers of mobile payments services or applications. Although the Guidelines are directed to payment acceptance applications that reside on mobile devices (i.e., that are used by merchants to accept payment), they clearly indicate the PCI SSC’s approach to integrating mobile payments with the existing PCI Data Security Standard (“PCI DSS”) and the PCI Payment Application Data Security Standard.
The Guidelines are intended to help payment application developers and consumer electronic handheld device manufacturers design appropriate security controls within their software and hardware products. We’ve summarized a few important points below (bear in mind the measures are directed at mobile devices in the hands of merchants as payment acceptance devices – not consumers).
- Data should be encrypted prior to entry into the mobile device and upon exit from the mobile device, e.g., if transmitted to and from a card reader by a wireless connection.
- Account data should only be processed in the “trusted execution environment”; as is the case for all payment systems under PCI DSS, sensitive authentication data should not be retained after authorization.
- Each device should be protected by one or more secure lock screens (face unlock, password, PIN or pattern) – not by a slide lock.
- Controls should be included to prevent escalation of privileges, e.g., by “rooting” or “jail-breaking” the device.
- There should be an ability to disable the payment application remotely in a way that does not interfere with the other applications on the device.
Incidentally, the Guidelines include a useful Glossary of Terms that is helpful in decoding the jargon surrounding mobile payments generally.
Integration of mobile payments into the existing payment infrastructure and standards is gathering steam, and the standards applicable to mobile payments will be in flux for some time. For this reason, all players contracting in this area need to allow for change and the advent of new standards within the agreements they enter into for mobile payment arrangements.