The PCI Security Standards Council's (PCI-SSC) Emerging Technologies group recently issued guidance addressing security standards for mobile payment applications on consumer handheld devices. The new guidelines apply specifically to payment applications installed on consumer devices (such as smartphones, PDAs, and tablets) not solely dedicated to payment acceptance transaction processing in instances where non-encrypted transaction and account data is present on the device. The guidelines are intended to raise awareness of secure payment acceptance principles and coding practices among developers, and to monitor emergent security threats inherent in mobile payment applications.
The guidelines identified the following risk reduction objectives for developers:
- Individual payment transactions risks: - preventing interception of account data entered into, stored on, and transmitted from a device
- Mobile platform and supporting environment risks and controls: - preventing and detecting unauthorized device access (using PIN-based access, secure passwords, screen locking, logging of access attempts) - preventing escalation of application control privileges in case a device is rooted or "jail-broken” - enabling remote disablement of payment applications and detecting theft or loss of the device - hardening of supporting systems such as card readers and other peripherals to prevent unauthorized application access - establishing a preference for online transactions over cached, stored, or offline transactions - utilizing secure industry standards when coding, engineering, and testing applications - enabling automated patching of applications against known threats - protecting devices from installation of unauthorized applications, malware, and unsecure attachments - creating proper documentation for installation and use of mobile payment applications - supporting secure merchant receipts; and - indicating to consumers when an application is in a secure state (analogous to SSL “lock” indication in web browsers)
At present, PCI-SSC is not considering mobile payment acceptance applications installed on consumer devices for Payment Application Data Security Standard (PA-DSS) validation, but emphasizes that developers should design such applications according to the PA-DSS standard until appropriate standards can be developed. The full guidelines are available for download from the PCI Security Standard Council web site here. For more information on mobile payment security standards, readers are encouraged to visit the PCI Document Library and the Payment Law Advisor Privacy and Data Security Resources page.