New Mobile Payments Standards Issued by PCI
Two facts about mobile payments: Just about nobody has actually made a mobile payment just yet, but a massive, multi-billion industry is betting big that mobile payments via smartphones will in fact take off soon.
A step in that direction: the PCI Security Standards Council now has issued its PCI Mobile Payments Acceptance Security Guidelines. a dense, 20-page document designed to bring safety and security to the emerging sector.
PCI is a global forum founded by leading credit card brands: American Express, Discover, JCB, MasterCard and Visa. The organization does not itself enforce compliance – it says that is up to the individual card issuers and their merchant networks. But its pronouncements carry weight in financial services.
The current document focuses on two issues: how best to secure mobile payments transactions and how to secure the apps used for mobile payments.
Early on, the guidelines offer this self explanation: “The purpose of this document is to educate stakeholders responsible for the architecture, design and development of mobile apps and their associated environment within a mobile device that merchants might use for payment acceptance. Developers and manufacturers can use these guidelines to help them design appropriate security controls within their software and hardware products. These controls can then be applied to mobile payment-acceptance environments, thus supporting the deployment of more-secure solutions.”
The document continued: “Any risk that exists on a standard desktop or laptop computer may also exist on a mobile device. In addition, mobile devices may have a broader set of functionalities than standard desktop and laptop computers, resulting in more security vulnerabilities.” In that latter regard, the document pointed to removable mobile media (SIM cards for instance) as creating unique risks.
PCI indicated it had multiple primary objectives in drafting the document.
Objective 1: Prevent account data from being intercepted when entered into a mobile device.
Objective 2: Prevent account data from compromise while processed or stored within the mobile device.
Objective 3: Prevent account data from interception upon transmission out of the mobile device.
PCI in turn discussed in the document a variety of ways to achieve its objectives.
A primary focus of the PCI report, said the organization, is sharply upping awareness among application developers of risks and solutions.
“Applications are going to market so quickly – anyone can design their own app today that can be used to accept payments tomorrow,” said PCI SSC Chief Technology Officer Troy Leach in a recent presentation and cited by PCI in a press release.
“It’s our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we’ll start to see the market drive more-secure options for merchants to protect their customers’ data” Leach said.
The takeaway from the document is that, although mobile payments bring significant new risks, work is occurring to anticipate and resolve those risks before the mobile payments channel matures.