22 September 2012

Visa Europe Mobile Security Best Practices

Further to my last post about the PCI SSC's guidance on developing mobile applications that accept payments, Visa Europe has also published updated guidance concerning mobile payment acceptance solutions.

Partial view of the security best practice advice within Visa Europe's document 'Mobile Payment Acceptance Solutions' version 2, September 2012

Mobile Payment Acceptance Solutions, version 2, September 2012, includes guidance for payment solution developers (in-house or on behalf of another organisation), and for merchants, acquirers and payment service providers (PSPs) using Mobile Payment Acceptance Solutions. Developers, merchants and acquirers must follow all Visa requirements for magnetic stripe, chip and contactless acceptance (where supported) as well as the guidance in this document. Visa Europe also states that mobile payment solutions should adhere to the principles set out in the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA-DSS).

Additionally the guidance document provides three security goals each for vendors, merchants and acquirers/PSPs:

  • Mobile Payment Acceptance Solution Vendors
    • Design and implement secure Mobile Payment Acceptance Solutions
    • Ensure the secure use of Mobile Payment Acceptance Solutions
    • Limit exposure of account data that could be used to commit fraud
  • Merchants
    • Ensure the secure use of Mobile Payment Acceptance Solutions
    • Limit the exposure of account data that may be used to commit fraud
    • Prevent software attacks on Consumer Mobile Devices
  • Acquirers & Payment Service Providers (PSPs)
    • Design and deploy robust Mobile Payment Acceptance Solutions
    • Design and implement appropriate controls when on-boarding merchants
    • Ensure proper monitoring of Mobile Payment Acceptance Solutions

Best practices are then defined for each security goal. There is some overlap, and some merchants might also be considered vendors (if they develop their own payment applications), and some might also conceivably be PSPs.

Posted on: 22 September 2012 at 19:42 hrs
