'Tis The Season of E-commerce: How to Safeguard Against Mobile Payment Vulnerabilities

While There are Numerous Options on How to Protect Mobile Payments, Attaining Impermeable Protection is Non-Negotiable.

As e-commerce ramps up again in advance of the holiday season, businesses need to take mobile payment security seriously. You might be launching an app that makes online shopping easier for consumers, or simply expecting more customers to make purchases from a mobile device. With the growth of mobile payment technology, we will certainly see more and more security issues arise. Old standbys like key loggers and data sniffers are still prevalent, since they can record just about anything entered into a mobile device, but compromises of mobile security continue to evolve and multiply. You had better believe that hackers are anticipating a surge in mobile holiday shopping and creating new ways to get at that data.

Compliance Requirements for Accepting Mobile Payments

The PCI Security Standards Council published a fact sheet earlier this year giving businesses guidelines for making mobile payments more secure, and e-commerce businesses would be wise to adopt these guidelines and adapt to this heightened need for security immediately. Here is a look at three ways to protect your customers' information when accepting mobile payments.

Degrees of separation: Personal information and phones don't mix

To fully protect the personal information your customers enter for mobile payments, their data needs to get as far away from their phones as possible the instant it is entered. Whether you are the IT administrator or the CIO counting on IT professionals to implement these safeguards, make sure that personal information is handled by Web services served from your own server, preferably tokenized by your payment gateway. For optimal security, your Web services should be housed on a different server than your database server, with layers of security between the two. Ideally, your database should live in a different security zone than your Web server, without direct access to the Internet and with stateful packet inspection firewalls in between. Auditing database queries and alerting on unusual or out-of-the-ordinary ones helps as well.
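To make the last point concrete, here is an added example (not code from the original article or from FireHost) of the kind of query auditing described above: it reads a constructed database query log, normalizes each statement into a fingerprint, and alerts on statements the payment application is not expected to issue, bulk reads of the tokenized payments table, and queries from non-application accounts. The log format, the allow-list of expected statement shapes, and the row threshold are all assumptions.

```python
import re

# Constructed sample query log; the line format "<ts> user=<u> db=<d> rows=<n> sql=<stmt>" is assumed.
SAMPLE_LOG = """\
2012-11-20T10:01:02Z user=app db=orders rows=1 sql=SELECT id, status FROM orders WHERE id = 8812
2012-11-20T10:01:05Z user=app db=orders rows=1 sql=INSERT INTO payments (order_id, token, last4) VALUES (8812, 'tok_4f9a', '4242')
2012-11-20T10:02:11Z user=app db=orders rows=50000 sql=SELECT token, last4 FROM payments
2012-11-20T10:03:40Z user=dba db=orders rows=3 sql=SELECT * FROM payments WHERE order_id = 8813 OR 1=1
"""

# Allow-list of statement shapes the application legitimately issues (constructed; in practice
# this would be derived from the application's prepared statements).
EXPECTED = {
    "select id, status from orders where id = ?",
    "insert into payments (order_id, token, last4) values (?, ?, ?)",
}
SENSITIVE_TABLES = {"payments"}   # tables holding payment tokens / card references
ROW_THRESHOLD = 1000              # assumed: no single app query should touch this many rows
APP_USER = "app"                  # assumed: the only account the Web tier should use

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) rows=(?P<rows>\d+) sql=(?P<sql>.*)$")


def fingerprint(sql):
    """Normalize a statement: lowercase, replace string and numeric literals with '?', collapse spaces."""
    s = sql.strip().lower()
    s = re.sub(r"'(?:[^']|'')*'", "?", s)   # quoted string literals
    s = re.sub(r"\b\d+\b", "?", s)          # bare numeric literals (leaves identifiers like last4 alone)
    return re.sub(r"\s+", " ", s)


def audit(log_text):
    """Return a list of (timestamp, user, reasons, fingerprint) for every query worth alerting on."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real auditor would count these too
        fp = fingerprint(m["sql"])
        rows = int(m["rows"])
        reasons = []
        if fp not in EXPECTED:
            reasons.append("unexpected statement shape")
        if rows >= ROW_THRESHOLD and any(t in fp for t in SENSITIVE_TABLES):
            reasons.append(f"bulk read of sensitive table ({rows} rows)")
        if m["user"] != APP_USER:
            reasons.append(f"non-application user {m['user']}")
        if reasons:
            alerts.append((m["ts"], m["user"], reasons, fp))
    return alerts
```

Running `audit(SAMPLE_LOG)` flags the 50,000-row dump of the payments table and the DBA's `OR 1=1` query, while the two routine application statements pass silently.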

Security in layers

Mobile payments are especially exposed to attacks that interfere with SSL and Web responses, which makes encryption and multiple layers of security essential. IT administrators, or the IT team you outsource your security to, should look into memory isolation, certificates, and sandboxing as just a few of the necessary precautions for securing mobile payments. Memory isolation goes a long way toward creating boundaries between programs: it partitions memory to prevent loss of information and keeps each program's memory contained and uncontaminated by others. Certificates, such as an SSL certificate, provide encryption and identity validation, which boosts customers' confidence in making mobile purchases from your business. Sandboxing is another important tool because it segments running programs, separating their data and code from one another; it protects servers and their data from potentially destructive changes and from code that has yet to be tested. These are all important methods, but the strongest layer of all in mobile payment security is encryption. Use strong encryption ciphers and utilize SSLv3 or TLS1.0 for secure transport. In other words, make encryption one of your highest priorities, period.

Understand the power of Point-to-Point Encryption

Point-to-Point Encryption (P2PE) solutions are an area of security that should not be overlooked. Not only does the PCI Security Standards Council recommend partnering with a provider of a validated solution, but it is also a fairly simple step with far-reaching effect. Direct your IT administrators to look into P2PE solutions, which encrypt cardholder information before it ever reaches the mobile device, so the risk of data interception is severely reduced. If you partner with a P2PE solution provider, you will often receive additional guidance on ways to improve security, along with a list of Points of Interaction (POI) that work safely with mobile devices and the P2PE solution. This is just one more way to ensure data is secure, but it is one that comes highly recommended for good reason.

It might seem daunting just to keep up with the new attacks and techniques coming out, such as the SSL attacks BEAST and CRIME. Who has time to anticipate a whole new crop of attacks? Well, we need to find the time. If you do not have the resources in-house, then outsource it. You had better believe that hackers are concocting a whole mass of attacks based on consumers using their phones to shop this holiday season. In the mobile payment space, it is of the utmost importance to integrate security into every aspect of your software development lifecycle. Although there are numerous options when it comes to the "how" of protecting mobile payments, attaining impermeable protection is non-negotiable. To be a trusted vendor that accepts mobile payments, you must consider security your highest priority.

Chris Hinkley is a Senior Security Engineer at FireHost, where he maintains and configures network security devices and develops policies and procedures to secure customer servers and websites. Hinkley has been with FireHost since the company's inception. In his various roles within the organization, he has serviced hundreds of customer servers, both Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.