Applications that accept payments and are installed on consumer mobile devices that are not used exclusively for a single payment application, such as smart phones, tablets and PDAs, have been excluded from the PCI SSC's validation programme for the Payment Application Data Security Standard (PA-DSS). These types of mobile payment acceptance applications are known as Category 3: payment applications operating on any consumer electronic handheld device that is not solely dedicated to payment acceptance for transaction processing.
The Mobile Payment Acceptance FAQs, published in June 2011, recommended that Category 3 applications intended for use in the cardholder data environment be developed using PA-DSS as a baseline for the protection of payment card data and in support of PCI DSS compliance, until appropriate advice, guidance and/or standards are developed to ensure that such applications are capable of supporting a merchant's PCI DSS compliance. On Friday the PCI SSC published new guidance for developers.
PCI Mobile Payment Acceptance Security Guidelines v1.0 (September 2012) first describes three objectives, with guidance for each, covering payment transactions within the application:
- Prevent account data from being intercepted when entered into a mobile device
- Prevent account data from compromise while processed or stored within the mobile device
- Prevent account data from interception upon transmission out of the mobile device
Secondly, it gives guidance on 15 risks and controls in the supporting environment (the mobile platform and associated applications):
- Prevent unauthorized logical-device access
- Create server-side controls and report unauthorized access
- Prevent escalation of privileges
- Create the ability to remotely disable payment application
- Detect theft or loss
- Harden supporting systems
- Prefer online transactions
- Conform to secure coding, engineering, and testing
- Protect against known vulnerabilities
- Protect the mobile device from unauthorized applications
- Protect the mobile device from malware
- Protect the mobile device from unauthorized attachments
- Create instructional materials for implementation and use
- Support secure merchant receipts
- Provide an indication of a secure state
Recognising that no one party has sole responsibility for the security of Category 3 applications, a table in Appendix B of the guidance suggests responsibilities for the 18 practices (the 3 objectives plus the 15 environmental controls). The responsibilities are assigned to device manufacturers (e.g. Apple, Huawei, Motorola, Nokia, Samsung), operating system developers (e.g. Apple, Google, Microsoft), application developers (e.g. you?), and merchants as end-users or payment acceptance service providers.
The guidance also provides a list of ten additional sources of information to support it. Further advice and standards on mobile payments are expected from the PCI SSC in 2013.
In the next post, I will discuss some related updated guidance from Visa.
Posted on: 18 September 2012 at 23:30 hrs