New PCI Guidance for Mobile Payments
The PCI Security Standards Council released new guidance addressing day-to-day protection of payment-accepting mobile devices. The American Bankers Association’s Steve Kenneally says banks, card issuers, and acquirers should use the guidance when helping merchants with end-to-end mobile transaction security. The guidance covers mobile security considerations such as risks associated with account data entered on mobile devices, account data residing or stored on the devices, and account data transmitted through mobile devices; strategies for retailers to ensure the physical and transactional security of mobile devices used for payment acceptance; and guidelines for the elements involved in payment acceptance, including hardware, software, use of payment acceptance solutions, and customer relationship considerations. “Merchants that have a history of conventional processing of card transactions should be aware of the need to secure card data and their devices,” notes Kenneally. PCI Council CTO Troy Leach recommends that merchants consider encrypting cardholder data before using mobile devices for transaction processing, while consultant Shirley Inscoe says the guidance also covers risks worth considering when merchants work with mobile platform developers and device vendors. “Encrypting the transaction itself is not adequate if unencrypted data resides on the hardware or in applications on the device,” she warns.
From “New PCI Guidance for Mobile Payments”
BankInfoSecurity.com (02/18/13) Kitten, Tracy