The PCI Security Standards Council recently issued security guidelines for merchants who accept mobile payments. The guidelines apply to payment acceptance applications that operate on any consumer electronic handheld device (a) that is not solely dedicated to payment transaction processing, and (b) where the device has access to clear-text transaction data (customer names, card numbers, and transaction information). The guidance would therefore apply to accepting payments using smartphones, tablets, PDAs and any other device that is technically capable of performing operations other than payment transactions (even if such operations are blocked or disabled). The guidelines do not replace any of the existing PCI DSS certification requirements, but assist merchants with:

  • identifying the primary risks inherent with payment transactions on mobile devices (entering, storing and transmitting account data)
  • understanding and deploying methods for physically and logically securing mobile devices
  • securing the back-end hardware and software that enables mobile payment solutions, and
  • evaluating mobile payment solution providers from the perspective of transaction security

The PCI guidance follows on the heels of the FDIC’s report on mobile payment risks, and the Federal Reserve Bank of Boston’s whitepaper on mobile payment security.

The full text of the guidelines can be found here.