Mobile payments prompt response from PCI DSS Council

Robert Westervelt

The growing use of smartphones and technologies that turn them into payment devices has prompted the Payment Card Industry Security Standards Council (PCI SSC) to start a mobile task force to study the issue. 

Apple, Google and other mobile device makers are reportedly readying near field communications (NFC) or short-range wireless technologies that could turn a smartphone into a virtual wallet. The technology is drawing interest from data security experts who say it could put credit card data at risk. Bob Russo, general manager of the PCI SSC, said an internal team is investigating technologies for securing mobile payment systems.

"We're trying to dissect the mobile area now because there are just so many unknowns out there and so many different devices that don't have any security we can see," Russo said in an interview with SearchSecurity.com. "You look at a mobile phone and you look at a cash register and cash registers are much more mature. Even though cash registers have applications running on them that may not be secure, there are technologies available that make them more secure."

The PCI SSC has no plans to update PCI DSS 2.0 until 2013, but the organization is planning to issue guidance on emerging technologies over the next several years. Last October, the council issued guidance on end-to-end encryption. A guidance document offering best practices on tokenization technologies and securing payment data in virtual environments will be released later this year, Russo said.

The use of mobile devices to buy goods and services has skyrocketed, mostly due to the success of Apple's iPhone and smartphones running Google's Android platform. But few best practices exist to protect credit card data flowing in and out of mobile environments. Security experts are already pointing out dozens of mobile application vulnerabilities. There is also growing evidence that cybercriminals are setting their sights on mobile platforms. Google recently removed nearly 60 applications from its official marketplace for containing the dangerous DroidDream malware.

"The app store owners are responsible for policing their infrastructures," said Don Bailey, a mobile security expert and researcher at iSEC Partners. "Mobile devices at this stage of the game are almost inherently vulnerable to application-level attacks. All up and down the spectrum there are issues of developing and deploying on a device like this."

Bailey said that for now, the consumer needs to be aware of the risks in using and storing sensitive data on a mobile device. The NFC system, he said, will make mobile malware a more attractive option for cybercriminals. "The mobile device was a place where interesting data may be stored, but now you're almost guaranteed that a user is going to have interesting data on their phone," Bailey said.

Merchants can reference guidance documents to gain data security best practices, but the standard itself won't change to address mobile issues -- at least not now. Russo wouldn't rule out changes in version 3.0 of PCI DSS -- due out in 2013 -- to address certain emerging payment technologies and processes. The revised document may also recommend new security technologies to better protect credit card data. The PCI SSC hosts special interest groups (SIGs) made up of about 700 participating organizations. In addition to technology vendors, security consultants and merchants are invited to participate in the SIGs, which examine the use of emerging technologies for payment processes. Russo said the Council could get outside help in investigating mobile payments or set up a SIG to determine a set of best practices around mobile payment technologies.

"The merchants are the ones that are driving us to give guidance on these kinds of things," Russo said. "Whether or not they'll work their way into the standard remains to be seen and I don't want to discount that."

But critics of the PCI standards say one of the unintended consequences of the standard has been to turn security technology spending by enterprises into compliance checklist spending. Joshua Corman, director of enterprise security research at the 451 Group, said PCI DSS has had a hard time keeping up with emerging technologies.

"The technology landscape and adversary landscape change so frequently and the standard hasn't really substantively changed in a few years," Corman said. "A lot of the people in the research side are concerned it might not be setting the bar high enough and were disappointed to see very few changes last year and no outlook for substantive changes for a few more years."

Proponents of PCI say the standards have improved data security by forcing merchants to deploy security technologies or risk being denied the ability to accept credit cards. For example, PCI 6.6 fostered adoption of Web application firewalls and also encouraged merchants to conduct code reviews of Internet-facing payment applications. Compliance often helps stimulate innovation in certain markets, said noted security expert Paul Judge, chief research officer and vice president of Campbell, Calif.-based Barracuda Networks Inc. To compete, security vendors often have to improve the effectiveness of their products, boost the ease of use of their tools or reduce their prices.

"You stimulate a market and the vendors in that market crank up competition," Judge said. "Everyone benefits from vast improvements over a short amount of time, so it's very different than a market that just sits there stagnated."