PCI Council Releases Guidance on Mobile Payment Security | Practical Law


The Payment Card Industry Security Standards Council (PCI SSC) published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users. The guidelines highlight the factors and risks that merchants should address to protect card data when using mobile devices to accept payments.


Practical Law Legal Update 7-524-2321 (Approx. 3 pages)


by PLC Intellectual Property & Technology
Published on 19 Feb 2013
USA (National/Federal)
On February 14, 2013, the Payment Card Industry Security Standards Council (PCI SSC) released the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users to address the increasing use of mobile devices, such as smartphones and tablets, as point-of-sale tools. The guidance highlights that mobile payment applications typically do not provide the same level of data security as a payment card used in a traditional retail store. In particular, because of differences in how mobile platforms are designed, almost any application on the device could access account data stored in or passing through it. Although these guidelines are not mandatory, they aim to:
  • Address and educate merchants on the new security risks and payment software associated with mobile payments.
  • Provide best practices and guidelines on preventing card data exposure.
The guidance focuses on the following key areas and objectives:
  • Objectives and guidance for the three main risks associated with the security of a payment transaction:
    • account data entering a mobile device;
    • account data residing on the mobile device; and
    • account data leaving the mobile device.
  • Guidelines for securing the mobile device, including measures to help:
    • prevent unauthorized physical device access;
    • prevent unauthorized logical device access;
    • protect the mobile device from malware;
    • ensure the mobile device is in a secure state;
    • disable unnecessary device functions;
    • detect loss or theft; and
    • ensure the secure disposal of old devices.
  • Guidelines for securing the payment acceptance solution, including:
    • the software;
    • the hardware;
    • the use of the payment acceptance solution; and
    • the relationship with the customer.
The guidance also includes appendices containing:
  • A glossary of terms.
  • A chart to help determine responsibility for each best practice.
  • A checklist for choosing a mobile solution provider.
  • Further detail on additional risks associated with mobile devices.
The guidance emphasizes that, until mobile hardware and software implementations can meet these guidelines, merchants should consider using a PCI-validated Point-to-Point Encryption (PCI P2PE) solution, as outlined in the Accepting Mobile Payments with a Smartphone or Tablet fact sheet.
The new guidelines complement recommendations the PCI SSC published in September 2012 for mobile app developers and device vendors on designing appropriate security controls that provide secure mobile payment acceptance solutions for merchants (for more on these recommendations, see Legal Update, PCI Security Standards Council Issues Best Practices Guidelines for Mobile Software Developers).