The PCI Security Standards Council on Thursday released yet another set of data-protection guidelines for mobile payments, this one aimed at merchants using smart phones and tablet computers to accept credit and debit cards. Although it touches on many points, the guidance especially focuses on the software running on the devices.
In issuing the guidance, however, the PCI Council gave no indication of whether or when it would actually begin certifying the card-accepting software applications developed by technology companies and merchant processors for mobile devices as compliant with the Payment Application data-security standard (PA-DSS). The Wakefield, Mass.-based Council administers that standard, along with the main Payment Card Industry data-security standard (PCI) and another standard governing PIN-entry devices known as the PIN Transaction Security (PTS) requirements. Payments executives have been expecting that mobile-application certifications would resume after the Council froze them in November 2010, but the Council instead has opted to issue guidance as mobile payments rapidly evolve.
The lack of software certifications leaves mobile-payments providers in something of a security limbo, because PCI and its two related standards govern everything else in card payments. Merchants and processors are supposed to meet the main PCI standard, the software applications they use for point-of-sale and online payments are supposed to meet the PA-DSS, and card-accepting terminals and related hardware are supposed to comply with PTS.
But mobile payments are a different animal. In contrast with the purpose-built POS terminals and software most merchants use, mobile merchants very often accept cards by using iPhones, Android smart phones, and tablet computers that weren’t built with payments in mind. Yet millions of small businesses and even individuals, served by everyone from hot startups such as Square Inc. to Intuit Inc. and Groupon Inc. to various independent sales organizations, now use their smart phones or iPads to take card payments, often with magnetic-stripe readers that plug into the device’s audio jack. The new guidelines acknowledge that difference.
“As these devices are not solely used as point-of-sale tools but also to carry out other functions, they introduce new security risks,” the Council said in a news release. “By design, almost any mobile application could access account data stored in or passing through the mobile device.”
Later in the release, chief technology officer Troy Leach said: “Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes, which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions.”
The Council did not respond to Digital Transactions News’ requests for comment. The release is vague about what the Council’s next move will be. “In 2013 the Council will continue to collaborate with industry subject-matter experts and other standards bodies to explore how card data security can be addressed in an evolving mobile-acceptance environment, and whether additional guidance or requirements must be developed,” it says.
The 27-page document, dubbed “PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users,” strikes Bruce Shirey, senior vice president of business development at Houston-based merchant processor eProcessing Network, as providing “common-sense stuff” addressing data encryption and other security topics familiar in the merchant-acquiring industry.
The guidelines specifically cover payment card account data entering the mobile device, account data residing in the device, and data leaving the device. The paper also provides recommendations for merchants regarding the physical and logical security of card-accepting mobile devices in addition to guidance for hardware, software, the use of a payment-acceptance solution, and customer relationships.
The new document follows the guidelines the Council released last September for mobile-app developers. Earlier in 2012 the Council issued a brief “fact sheet” for merchants using smart phones to accept cards.
Shirey speculates that the Council’s hold on mobile-software certifications may be the result of difficulty in keeping up with the industry’s rapid technological evolution. “The apps are coming out so fast,” he says. “I think it snuck up on them and they weren’t prepared for it.”