Payments Security Group Leans on Mobile Developers to Protect Data and Access

The rapid growth of mobile payment technology can add new functionality almost overnight, but it also creates complications for security strategists. Those complications worry the authorities enough to have drawn Congressional attention and a new guidance statement from the Payment Card Industry Security Standards Council (PCI).

The PCI Mobile Payment Acceptance Security Guidelines aim to suggest appropriate security controls for the software developers and mobile device manufacturers that are creating mobile payment solutions. PCI manages the Payment Card Industry Data Security Standard (PCI DSS) that’s used as a security badge of sorts by merchants and tech providers in the electronic payments space.

Citing research from data breach and malware security experts at Trustwave SpiderLabs, PCI says mobile computing, commerce and malware are still in their infancy, and that existing platforms limit users’ ability to ensure the security of transactions conducted on mobile technology. Mobile payment app development increasingly takes place in an open source environment, in which parts of the application are freely shared among different developers. That speeds the growth of new apps, but it can also complicate security strategies such as access and data controls.

“Is the application going through a secure review? We’re working in a fast evolving space. Mobile applications are being updated three to four times per week in some cases. You have to worry about secure lifecycles,” says Troy Leach, chief technology officer of the PCI Security Standards Council. The Council was formed in 2006 by American Express (AXP), Discover Financial Services (DFS), MasterCard (MA), Visa (V) and the Japan Credit Bureau, though it operates independently of these companies.

At a PCI community meeting, Trustwave SpiderLabs demonstrated the top attacks that threaten payments over mobile acceptance devices, such as malware, rootkits (software that allows unauthorized privileged access), jailbreaking (hacking that allows smartphone programs and access to be altered) and man-in-the-middle attacks (attacks that allow messages between devices to be intercepted). “Are application designers aware of these security responsibilities?” Leach says.

PCI has been gradually addressing mobile payment acceptance, the use of a mobile device to execute a payment at the point of sale, since 2010. It has previously encouraged the use of PIN transaction security technology from vendors that have completed a security guidance questionnaire. It has also endorsed point-to-point encryption: encrypting payment card data as it enters the merchant environment, and replacing the card data with a “token” number to shield it from crooks as the encrypted data moves between the merchant and the financial institution.

The new mobile guidance for developers is divided into two categories: best practices to secure the transaction (protecting card data as it’s entered, stored and processed using mobile devices); and guidelines for securing the broader mobile application platform environment.

The Council recommends isolating sensitive functions and data in trusted environments; implementing secure coding (architecting with security protocols in mind, and managing access privileges during development so that an attacker has less opportunity to later execute code in a more sensitive, higher-privileged area); eliminating unnecessary third-party access and privilege escalation; providing the ability to remotely disable payment applications; and creating server-side controls and reporting unauthorized access.

Much of the guidance deals with the access external parties may have to card or consumer data as it moves between the payment app, the merchant and the financial institution. “How does the payment card data leave the mobile device?” Leach says. “Is there the ability to put data into its own space, one that eliminates exposure of that data to third parties?”

The guidance also leans toward layered or dual authentication of transactions in different channels, which Leach says is important in fostering comfort in security among and between merchants and developers.

PCI, which in the past has been criticized for being slow to adapt to changing payments tech, is scheduled to develop and release mobile payment guidance for merchants over the next couple of months.

Bob Russo, general manager of PCI, says the Council has been accumulating feedback on mobile, including the input from more than 1,000 people at its recent North America meeting. “We realize there is an appetite for this. We have lots of people asking about mobile and sharing experiences with mobile,” says Russo, who added the Council will be further discussing guidance at its European meeting in October and is scheduled to release its mobile payments guidance for merchants in the first quarter of 2013. “The impetus is everybody wants mobile…it’s a complex issue,” Russo says.
