‘Tis The Season of E-commerce: How to Safeguard Against Mobile Payment Vulnerabilities

While There are Numerous Options on How to Protect Mobile Payments, Attaining Impermeable Protection is Non-Negotiable.

As e-commerce ramps up again in advance of the holiday season, businesses need to take mobile payments security seriously. You might be launching an app that makes online shopping easier for consumers, or just expecting more customers to make purchases using a mobile device. Certainly, as mobile payment technology grows, we will see more and more security issues arise. Old hacking standbys like key loggers and data sniffers are still prevalent, as they can record just about anything entered into a mobile device, but compromises in mobile security continue to evolve and multiply. You had better believe hackers are anticipating a surge in mobile holiday shopping and creating new ways to obtain data.

Compliance Requirements for Accepting Mobile Payments

The PCI Security Standards Council published a fact sheet earlier this year to give businesses guidelines to follow in order to make mobile payments more secure, and e-commerce businesses would be wise to adopt these guidelines and adapt to this heightened need for security immediately. Here’s a look at three ways to protect your customers’ information when accepting mobile payments.

Degrees of separation: Personal information and phones don’t mix

In order to fully protect the personal information your customers enter for mobile payments, their data needs to get as far away from their phones as possible the instant it is entered. Whether you are an IT administrator or a CIO counting on IT professionals to implement these safeguards, be sure that personal information is kept in Web services that run on your server, preferably tokenized by your payment gateway. For optimal security, your Web services should be housed on a different server than your database server, with layers of security between the two. Ideally, your database should live in a different security zone than your Web server, without direct access to the Internet and with stateful packet inspection firewalls in between. Query auditing, with alerting on unusual queries, helps as well.
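As an added example (not part of the article), here is a small query-audit monitor in Python that implements the last point above: it parses a constructed database audit log and alerts on statements against the cardholder tables that do not match the application's known statement shapes, or that come from any principal other than the Web-services host. The log format, table names, database user and addresses are all assumptions.

```python
import re

# Constructed sample of a database audit log (one statement per line); not from the article.
AUDIT_LOG = """\
2012-11-20T10:01:02Z user=app_svc src=10.0.2.15 query=SELECT token, last4 FROM payment_tokens WHERE customer_id = 4411
2012-11-20T10:01:05Z user=app_svc src=10.0.2.15 query=INSERT INTO orders (customer_id, token, amount) VALUES (4411, 'tok_7f3a', 59.99)
2012-11-20T10:02:11Z user=app_svc src=10.0.2.15 query=SELECT token, last4 FROM payment_tokens WHERE customer_id = 9021
2012-11-20T10:03:40Z user=app_svc src=10.0.2.15 query=SELECT * FROM payment_tokens
2012-11-20T10:04:02Z user=root src=203.0.113.9 query=SELECT token, last4 FROM payment_tokens WHERE customer_id = 12
2012-11-20T10:04:30Z user=app_svc src=10.0.2.15 query=SELECT token, last4 FROM payment_tokens WHERE customer_id = 1 OR 1=1
"""

# Hypothetical environment: only the Web-services host, as the application's DB user, may touch these tables.
SENSITIVE_TABLES = {"payment_tokens", "orders"}
ALLOWED_PRINCIPALS = {("app_svc", "10.0.2.15")}
# Shapes of the statements the application is known to issue (literals replaced by ?).
KNOWN_SHAPES = {
    "select token, last4 from payment_tokens where customer_id = ?",
    "insert into orders (customer_id, token, amount) values (?, ?, ?)",
}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) query=(?P<query>.*)$")
LITERAL_RE = re.compile(r"'(?:[^']|'')*'|\b\d+(?:\.\d+)?\b")      # quoted strings and numbers
TABLE_RE = re.compile(r"\b(?:from|into|update|join)\s+([a-z_][a-z0-9_]*)")

def statement_shape(query: str) -> str:
    """Replace literals with ? and normalise case/whitespace so only the statement's shape remains."""
    return re.sub(r"\s+", " ", LITERAL_RE.sub("?", query)).strip().lower()

def audit_queries(log_text: str) -> list[dict]:
    """Return one alert per audit line that is out of the ordinary for the payment database."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; in production this itself deserves an alert
        shape = statement_shape(m["query"])
        tables = set(TABLE_RE.findall(shape))
        if (m["user"], m["src"]) not in ALLOWED_PRINCIPALS:
            alerts.append({"ts": m["ts"], "reason": "unexpected principal", "query": m["query"]})
        elif tables & SENSITIVE_TABLES and shape not in KNOWN_SHAPES:
            alerts.append({"ts": m["ts"], "reason": "unknown statement shape", "query": m["query"]})
    return alerts

if __name__ == "__main__":
    for a in audit_queries(AUDIT_LOG):
        print(a["ts"], a["reason"], "-", a["query"])
```

Run against the sample log, the monitor flags the table-wide dump, the query from an unexpected user and address, and the statement whose shape was altered by an injected clause.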

Security in layers

Mobile payments are especially vulnerable to attacks that manipulate SSL and Web responses, which makes encryption and multiple layers of security key. IT administrators, or the IT team you outsource your security to, should look into memory isolation, certificates, and sandboxing as just a few of the precautions necessary to secure mobile payments. Memory isolation goes a long way toward creating boundaries for programs: it partitions memory to prevent loss of information and keeps each program’s memory contained and uncontaminated by other programs. Certificates, such as an SSL certificate, provide encryption and identity validation, which boosts customers’ confidence in making mobile purchases from your business. Sandboxing is another important tool because it segments running programs, separating their data and code from one another; it protects servers and their data from potentially destructive changes and from code that has yet to be tested. These are all important methods, but the strongest layer of all in mobile payment security is encryption. Use strong encryption ciphers, and use SSLv3 or TLS 1.0 for secure transport. In other words, make encryption one of your highest priorities, period.


Understand the power of Point-to-Point Encryption

Point-to-Point Encryption (P2PE) solutions are an area of security that should not be overlooked. Not only does the PCI Security Standards Council recommend partnering with a provider of a validated solution, but it is also a fairly simple step with far-reaching effect. Direct your IT administrators to look into P2PE solutions, which encrypt cardholder information before it ever reaches the mobile device, so the risk of data interception is greatly reduced. If you are paired with a provider of P2PE solutions, you will often receive additional guidance on ways to improve security, along with a list of Points of Interaction (POI) that function safely with mobile devices and the P2PE solution. This is just one more way to ensure data is secure, but it is one that comes highly recommended for good reason.

It might seem daunting just to keep up with the new attacks and techniques coming out, such as the SSL attacks BEAST and CRIME. Who has time to anticipate a whole new crop of attacks? Well, we need to find the time. If you don’t have the resources in-house, then outsource it. You had better believe that hackers are concocting a whole mass of attacks based on consumers using their phones to shop this holiday season. In the mobile payment space, it is of utmost importance to integrate security into every aspect of your software development lifecycle. Although there are numerous options when it comes to the ‘how’ of protecting mobile payments, attaining impermeable protection is non-negotiable. To be a trusted vendor that accepts mobile payments, you must consider security your highest priority.
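As an added example (not from the article), the following Python code uses the standard ssl module to build the kind of client transport context the "Security in layers" section calls for, and to audit any context against that policy; it also covers the BEAST and CRIME attacks named just above. The article names SSLv3 or TLS 1.0 as the floor; SSLv3 has since been retired (RFC 7568) and TLS 1.0 and 1.1 deprecated (RFC 8996), so the hardened context here starts at TLS 1.2. The cipher list and the weak "legacy" context are assumptions chosen to illustrate the audit.

```python
import ssl

# Cipher-name fragments that indicate a suite with no place in a payment channel (assumed policy).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP")

def build_payment_tls_context() -> ssl.SSLContext:
    """Client context for talking to a payment gateway: strong ciphers, identity validation, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # rules out SSLv3/TLS 1.0, and with them BEAST-style CBC issues
    ctx.options |= ssl.OP_NO_COMPRESSION           # TLS-level compression is what CRIME exploits
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES")  # AEAD, forward-secret suites only
    ctx.check_hostname = True                      # the certificate must match the gateway's hostname
    ctx.verify_mode = ssl.CERT_REQUIRED            # identity validation, not just encryption
    ctx.load_default_certs()
    return ctx

def build_legacy_tls_context() -> ssl.SSLContext:
    """An 'it connects, so it works' context (assumed weak settings) that the audit should reject."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # minimum version left at the library default
    ctx.check_hostname = False                     # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE                # accepts any certificate: no identity validation at all
    return ctx

def audit_tls_context(ctx: ssl.SSLContext) -> list[str]:
    """Return policy findings for a context; an empty list means it meets the policy."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum protocol version below TLS 1.2")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression not disabled (CRIME)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode is not CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname checking disabled")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak ciphers enabled: " + ", ".join(weak))
    return findings

if __name__ == "__main__":
    for name, ctx in (("hardened", build_payment_tls_context()), ("legacy", build_legacy_tls_context())):
        print(name, audit_tls_context(ctx) or ["meets policy"])
```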
