At its North America Community Meeting on Thursday, the PCI Security Standards Council (PCI SSC), the standards body that oversees the Payment Card Industry Data Security Standard (PCI DSS), released best practices for mobile payment acceptance security.
The PCI Mobile Payment Acceptance Security Guidelines offer software developers and mobile device manufacturers guidance on designing appropriate security controls to provide solutions for merchants to accept mobile payments securely, the organization explained.
The guidance was put together to support the need for more secure development practices for mobile payment acceptance solutions.
“It is important that a best practice guide be developed, by the industry, to educate mobile app developers on methods of securing commerce transactions and risks of not doing so,” said Nicholas J. Percoco, senior vice president, Trustwave SpiderLabs.
To prove his point, at a presentation at the PCI Community Meeting in Orlando, Percoco demonstrated some of the top attacks that threaten the security of payments over mobile acceptance devices, including malware and rootkits, jailbreaking vulnerabilities and SSL-man-in-the-middle attacks.
The Council formed a taskforce in 2010 to address mobile payment acceptance security. Since then, the Council has released guidance on how merchants can apply its current standards to mobile payment acceptance – by addressing mobile applications with the Payment Application Data Security Standard (PA-DSS), and leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to accept payments on mobile devices more securely.
The document organizes the mobile payment-acceptance security guidance into two categories: best practices to secure the payment transaction itself, which addresses cardholder data as it is entered, stored and processed using mobile devices;
Key recommendations include:
• Isolate sensitive functions and data in trusted environments
• Implement secure coding best practices
• Eliminate unnecessary third-party access and privilege escalation
• Create the ability to remotely disable payment applications
• Create server-side controls and report unauthorized access
“Applications are going to market so quickly – anyone can design their own app today that can be used to accept payments tomorrow,” said PCI SSC Chief Technology Officer Troy Leach in his presentation to meeting attendees. “It’s our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we’ll start to see the market drive more secure options for merchants to protect their customers’ data.”
Moving forward, the Council plans to release further guidance in 2013 for merchants to help them leverage mobile payment acceptance securely, while continuing to collaborate with industry subject matter experts to explore how card data security can be addressed.