Will Devices for Mobile Payments Pass PCI Test?

Mobile phones are becoming the Swiss Army knives of banking — mobility seems to present an almost infinite number of ways to extend financial services.

Consider merchant acquisition. The opportunities for banks to offer on their own, or partner with providers, devices that attach to smartphones are so great that even the folks who are charged with producing security protocols for mobile payments are impressed.

"This provides a whole new payment channel for acquiring banks, not only for existing customers and existing merchants, but to reach a new portfolio of merchants that didn't have access before this," says Troy Leach, the PCI Security Standards Council's chief technology officer.

That's not to say there aren't potential security risks — and exposures — for institutions that offer or plan to offer technology that lets merchants accept payments via attachments to smartphones. The PCI Council is weighing in on the issue by releasing its first set of guidance for mobile payment acceptance security. The guidance is an initial step in vetting the technology that's designed to execute mobile phone-enabled payments, a channel that's previously existed on the periphery of PCI's vetting work.

The new guidance is designed to help merchants and merchant acquiring banks understand their responsibilities under PCI and how these responsibilities translate to mobile payment acceptance, and to eventually choose a provider that complies with PCI's standards for payments encryption. "If you were to use one of these newfangled devices that fits on to a cellphone or iPad to start accepting credit cards, that's what we're looking at," says Bob Russo, the general manager of the PCI Council.

Banks have an important stake in securing these transactions. "The acquiring banks have relationships and contracts with merchants to ensure they are in fact in PCI compliance, so the banks would obviously be on the list of people who want to make sure the merchants are using something that's PCI compliant and not exposing any data," Russo says.

The council's assessors will vet products and develop a list of solutions that have encrypted the transactions at the point of swipe, which is designed to prevent sensitive customer information from being transmitted openly during processing. As with all transaction types vetted by the PCI Council, removing this information reduces the merchant's exposure, or scope, to PCI compliance vetting, which reduces expense, a long-standing goal of merchant acquirers when pitching new payment solutions to merchants.

"It's a phased approach that uses different pieces from the other standards that we have, we want to make sure there are point-to-point encryption standards to make sure there are validated solutions," Russo says.

The mobile acceptance standards evolved out of an early set of requirements for point-to-point encryption solutions published in late 2011. They generally cover hardware-based encryption and decryption through secure cryptographic devices that keep customer data from being exposed during transaction processing. That same approach will be taken to vet payments that are executed using a smartphone, tablet or other device as the payment terminal. Russo says the timing to produce a list of vetted solutions will be in the next few months.

The use of payment devices, commonly called dongles, to allow merchants or fundraisers to take payments, is becoming increasingly popular. A number of companies such as Square and Intuit GoPayment are pitching the devices for use by contractors or fundraisers. Some of the startups have expressed an interest in partnering with banks, which would allow banks to reach more businesses with digital payments solutions, but would expose a venue of payment that the PCI Council has not fully vetted yet for security.

In an e-mail Tuesday, Square said it was PCI-DSS Level 1 compliant. It also said its card reader is fully encrypted, with credit card information encrypted at the moment of swipe. Intuit did not return calls seeking comment on the new guidance by Tuesday evening. Russo didn't address specific vendors or products. He did say some secure card readers have gone through PCI assessments, but most of those are point of sale devices or automated teller machines that encrypt payments at the point of swipe. He said that most of the new startup technology has not been vetted. "Most of the [mobile acceptance] devices that people have been talking about have not been listed, as they have not been approved yet," Russo says.
