Visa Releases Best Practices for Mobile Payment Acceptance

For mobile payments to reach a critical mass, they must work everywhere, every time. With that in mind, Visa released a set of mobile acceptance best practices this week for merchants, developers and device manufacturers who are using consumer mobile devices to process card payments. Visa's best practices call for important security considerations such as encryption and tokenization of cardholder data, and are designed to foster a better understanding of merchant and service provider responsibilities for securing cardholder data when a mobile phone is used as an acceptance device instead of a traditional terminal.

Mobile technology is enabling a growing number of small and medium-sized merchants to accept payments using mobile devices. As retailers harness the power of mobile technology to accept payments and grow their businesses, the industry must also build in adequate controls and security measures to maintain stakeholder trust in electronic payments.

“Mobile devices that can facilitate acceptance of payments are an important advancement in payments that must balance the promise of an enhanced consumer and retailer shopping experience with enhanced security measures to protect sensitive cardholder information,” said Eduardo Perez, head of global payment system risk, Visa Inc.

Because mobile devices and acceptance attachments today are not designed to the same security requirements as traditional payment terminals, and merchants do not control the security of the network environments to which their acceptance devices connect wirelessly, there are important security considerations above and beyond those for traditional acceptance solutions.

These best practices are intended for two distinct audiences – mobile acceptance application and software solution providers as well as merchants who use these solutions. Among the best practices guidance:

Best Practices for Vendors

Design and implement secure mobile payment acceptance solutions.

1. Provide payment acceptance applications and any associated updates in a secure manner with a known chain of trust.

2. Develop mobile payment acceptance applications based on secure coding guidelines.

3. Protect encryption keys that secure account data against disclosure and misuse in accordance with industry-accepted standards.

Ensure the secure use of mobile payment acceptance solutions

1. Provide the ability to disable the mobile payment acceptance solution.

2. Provide functionality to track use and key activities within the mobile payment acceptance solution.

Limit exposure of account data that could be used to commit fraud.

1. Provide the ability to encrypt all public transmission of account data.

2. Ensure that account data electronically read from a payment card is protected against fraudulent use by unauthorized applications in a consumer mobile device.

3. Provide the ability to truncate or tokenize the Primary Account Number (PAN) after authorization to facilitate cardholder identification by the merchant.

4. Protect stored PAN data and/or sensitive authentication data.
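
An added example, not part of Visa's guidance or the original article: one way a solution's backend could truncate and tokenize a PAN after authorization so the merchant can still identify the cardholder. The first-six/last-four truncation format, the TokenVault class, the token layout and the sample PAN are assumptions made for illustration.

```python
import secrets

# Constructed sample: a widely used Luhn-valid test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Return True if pan is 12-19 ASCII digits and passes the Luhn checksum."""
    if not (pan.isascii() and pan.isdigit()) or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep the first six and last four digits (assumed format), mask the rest."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical server-side vault; a real one encrypts the stored PANs."""

    def __init__(self):
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        """Return a random token for pan; the same PAN maps to the same token."""
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan not in self._token_by_pan:
            # Random, so the token cannot be reversed to the PAN without the vault.
            self._token_by_pan[pan] = f"tok_{secrets.token_hex(12)}_{pan[-4:]}"
        return self._token_by_pan[pan]


def post_authorization_record(pan: str, vault: TokenVault) -> dict:
    """What the merchant-facing record keeps once authorization has completed."""
    return {"display": truncate_pan(pan), "token": vault.tokenize(pan)}
```

The merchant-facing record holds only the masked display value and the token; the full PAN stays inside the vault.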


Best Practices for Merchants

Ensure the secure use of mobile payment acceptance solutions.

1. Only use mobile payment acceptance solutions as originally intended by an acquiring bank and solution provider.

Limit the exposure of account data that may be used to commit fraud.

1. Limit access to the mobile payment acceptance solution.

2. Immediately report the loss or theft of a consumer mobile device and/or hardware accessory.

Prevent software attacks on consumer mobile devices.

1. Install software only from trusted sources.

2. Protect the consumer mobile device from malware.

These best practices are the first version to support the growth of emerging mobile acceptance solutions and will be updated and refined based on industry feedback. Beyond the best practices, vendors, merchants and acquirers should also follow requirements for magnetic stripe, chip and contactless acceptance, and should adhere to the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).
