Merchants accepting mobile payments with a smartphone or tablet are being urged to use validated hardware that supports encryption, according to a new document issued today by the PCI Security Standards
Using a validated and properly implemented P2PE solution greatly
reduces the risk that a malicious person could intercept and use cardholder data.
PCI Security Standards Council LLC
Merchants can accept payments using mobile devices by buying technology from a point-to-point (P2P) encryption provider to meet the spirit of the Payment Card Industry Data Security Standard (PCI DSS), according to the new guidance document, Mobile Payment Acceptance Security (.pdf)
Security researchers have raised concern about the security of early versions of hardware designed to let merchants accept payments via their smartphone or tablet devices. San Francisco-based Square Inc. began selling a card reader for use on iPhones, iPads and Android devices in 2010. Since then, other providers, including VeriFone, PayPal and SalesVu, sell smartphone-compatible payment devices to merchants.
The document, created by the PCI Council’s Mobile Working Group, offers what the PCI Council calls “practical guidance,” to merchants. It draws on recent updates made to the PIN Transaction Security (PTS) Requirements at the end of 2011.
A validated PIN entry device or approved secure card reader must be used to safely capture and encrypt cardholder data, according to the two-page document. “Mobile devices are not necessarily designed to be secure input or storage devices for cardholder data,” the PCI Council said in its document.
A validated card reader encrypts the data before it enters the mobile device. Providers of the card reader will be responsible for getting the devices certified through the PCI SSC’s new P2P encryption validation requirements. Once the council determines it meets the minimum requirements for security, it will be approved as a validated device and listed on the PCI Council’s website.
“In 2012, validated point-to-point encryption (P2PE) solutions will be listed on the PCI Council Security Standards Council (PCI SSC) website,” the council said in its document. “If you choose to accept mobile payments, these solutions may help you in your responsibilities under PCI DSS.”
The PCI Council is also urging merchants to work closely with their acquiring bank or payment brand to ensure PCI DSS validation. The PCI Council said it plans to publish best practices for securing mobile transactions later this year.
Emerging payment options:
The PCI Council said last year that it was starting a task force to study the security of mobile payment systems. The “fact sheet” does not outline emerging payment systems, such as Near Field Communications (NFC) or short-range wireless technologies that could turn a smartphone into a virtual wallet.
Technologies are already emerging and some of them are being driven by the credit card brands. Visa unveiled a “one-stop” mobile payment kiosk in February. It is similar to Google Wallet and can be used by mobile devices that support NFC technology. Mobile carriers are also developing a mobile payment system. AT&T, T-Mobile and Verizon Wireless are set to begin testing the ISIS payment system, which also uses NFC.