Continuing its slow march toward comprehensive security requirements for mobile payments, the PCI Security Standards Council on Thursday released a set of best practices for developers of software for mobile devices. The guidelines follow by four months the guidance about mobile payments that the Council released for small merchants.
The Wakefield, Mass.-based PCI Council administers the Payment Card Industry data-security standard and its affiliated standards for secure payments software and PIN-based transaction devices. Thursday’s release came during the Council’s annual North American meeting in Orlando, Fla., with security assessors, merchants, processors, and vendors as it prepares to update the main PCI standard next year.
The Council has started to approve hardware for mobile payments such as card readers that plug into smart phones or tablet computers. But it has yet to begin widespread approval of software for mobile payments, and exactly when that might happen isn’t clear. The Council does plan to release more guidance for merchants next year and continue taking input from the payments industry about the complex task of protecting cardholder data when payments originate from mobile devices.
Council General Manager Bob Russo notes that his organization has been working on mobile-payment software standards for about two years. “Unfortunately it’s that complicated,” he tells Digital Transactions News. “We’ve got to get it right, and get it right the first time.”
Troy Leach, the Council’s chief technology officer, adds that developing software standards was “like Charlie Brown with a football,” meaning that every time the Council got close to what it felt was a solid body of guidance, a new data breach would force it to re-examine its work.
A demonstration at the Orlando meeting, which has about 1,000 attendees, showed the vulnerability of payment transactions on mobile devices to a variety of attacks that can add data-harvesting software, so-called malware, to a device, or compromise a device’s built-in protections.
The new guidelines are aimed at correcting software vulnerabilities as app developers crank out seemingly countless new programs for processing payments on smart phones and tablet computers. According to Leach, the guidance covers everything concerning the payment transaction itself, including the isolation of clear-text data, server-side controls that would indicate abnormal payment behavior from a mobile device, access protection that thwarts the installation of rogue third-party apps, and remote disablement of missing devices.
That last point is becoming increasingly important as tablet computers such as Apple Inc.’s iPad take the place of more conventional point-of-sale terminals in some stores and restaurants. A regular system, notes Leach, usually is bolted to the counter. “If it’s missing in the morning, you know it’s missing,” he says. In contrast, a missing tablet or payment-processing smart phone might compromise dozens of credit or debit cards before it’s detected. “It goes from a mobile point-of-sale acceptance device to a skimmer,” says Leach.
A link to the mobile-app guidelines can be found here.
While the PCI Council deals with secure payments from mobile devices, MasterCard is turning its attention to beefing up security at ATMs as the U.S. prepares for so-called EMV chip cards to replace fraud-prone magnetic-stripe cards. All of the major networks, beginning with Visa Inc. in mid-2011, have announced plans to nudge U.S. merchants, card issuers, and processors toward chip cards.
MasterCard this week disclosed what it calls a “liability shift hierarchy” that will take effect in October 2016 for U.S. ATM transactions. Essentially, the hierarchy sets rules on assigning liability in fraudulent transactions to the non-EMV party involved. The shift will apply to all transactions originating from MasterCard-branded products.
“As other markets have migrated to EMV, we have seen fraud shift to the least secure channel,” Mike Weitzman, group executive of U.S. Markets for MasterCard, said in a statement. “By establishing this liability shift, we’re advancing efforts to prevent and reduce fraud. At the same time…we’re providing our issuers, acquirers, and ISOs flexibility and sufficient time to manage their ATM technology decisions.”