SecurityWeek


Embracing Mobile Payments? You Might Not Be Compliant

“There’s an app for that” has become a mantra of the modern-day smartphone carrier. Most businesses are deploying mobile apps as a convenient accompaniment to their web services, and almost every major service a customer uses can be performed from a smartphone: banks let us make monetary transactions through an app, and retailers like Amazon or Starbucks let you simply hold up your phone for a scan to pay for your coffee. Most recently, Google and PayPal have announced mobile “wallets” that will literally let you skip the step of opening your wallet and handing over plastic to pay a merchant.

But there is vagueness around the safety of consumers’ credit card numbers when they are transmitted through mobile applications. A website that has been adapted for a mobile platform is presumably safer than an actual mobile application, and the PCI DSS Council currently considers the latter not compliant. If your business is working on a payment app to make transactions easier or more convenient for customers, you must consider this before deploying the app to the iPhone, Android, Blackberry or other marketplace.

The PCI SSC issued a short but concise statement this summer, with the middle section pretty much summing it up:

“Until such time that it has completed a comprehensive examination of the mobile communications device and mobile payment application landscape, the Council will not approve or list mobile payment applications used by merchants to accept and process payment for goods and services as validated PA-DSS applications unless all requirements can be satisfied as stated.”

Why The Hold Up?

It feels like the driver education instructor is stepping on his brake just as we’re getting the feel of the road, doesn’t it? But there is sound reason for the slowdown, and the PCI Council is rightfully exploring the landscape before letting companies blast through. Just a few weeks out of the gate, users of the Google wallet are already reporting hackers being able to port the app on unsecured networks and devices. One of the major problems has to do with the devices themselves. An application can achieve PA-DSS compliance, but in order to be PCI DSS compliant, the device on which the application is used must also be deemed compliant. Smartphones and tablets are still being reviewed and approved as safe environments.

Second, the mobile applications and the platforms they are built on make PA-DSS compliance difficult because of a rapidly evolving threat landscape. Traditional threats such as keyloggers and data sniffers are still very dangerous, as they can log everything you enter into your mobile device. New threats are becoming more sophisticated and elusive than ever before. For instance, it is possible today to build a very low-cost cellular interception device that essentially acts as a cell tower. Any mobile phone close to this device will automatically connect to it, allowing the malicious rogue cell site operator to intercept, in the clear, any phone calls or data that would normally be encrypted.

Finally, another concern is the security of the operating systems that run on the mobile devices. By June, between one percent and five percent of Android users (the number varies by country) had been infected by mobile malware, according to Kevin Mahaffey, co-founder and CTO of San Francisco-based Lookout Security. Google’s Android, Apple’s iOS and Blackberry must all continue to address security issues. One young technology, NFC (Near Field Communication), is being utilized by Google. NFC is a wireless technology that operates much the same as the proximity cards used with access control systems, and developers using NFC will need to add their own security measures. Undoubtedly, the PCI SSC will continue to research and build upon its recommendations.

Watching The Clock

Merchants are eager for a fix, although it will be a temporary one as the technology changes. The PCI Council initially said that a ruling on mobile payments, with approved devices and guidelines, won’t be ready until April of 2012. But in the interim, it has released temporary fixes and suggestions. For example, merchants who deploy encryption-friendly sleds that encrypt card data at one end of the transaction and decrypt it at the other are fine. So if a retailer simply swipes a credit card into a peripheral device that plugs into the phone, and the phone only transmits the encrypted data, the merchant should be in compliance. These kinds of interim band-aids, while not ideal, should help merchants who care about compliance get by until a concrete set of standards is released.


It might be a long road until security standards for mobile payments are fully baked. But with today’s heightened state of cyber attacks and their tragic effects on businesses and consumers, it really can’t hurt to take our time and make sure it’s done right.

Related Reading: Social, Economic & Technological Forces Propel Mobile Payments

Related Reading: Visa Releases Best Practices for Mobile Payment Acceptance
