Last week the Payment Card Industry Security Standards Council (PCI SSC) released an important document on best-practices for mobile payment security. Merchants have been rapidly adopting mobile devices—tablets, smartphones, notebooks, and other consumer gadgetry—as point-of-sale (POS) systems instead of using proprietary solutions. The trend will continue with experts predicting a $1 trillion mobile payment market by 2017. Unfortunately, this new breed of mobile software and hardware is not yet up to PCI-DSS compliance, so the PCI folks came up with a series of guidelines to help merchants and service providers reduce security risks.
For the IT savvy, PCI’s best-practices for mobile will be second nature. Non-tech savvy merchants, though, may mistakenly assume that off-the-shelf payment solutions based around IOS or Android will provide the same level of security and trust as purpose-built environments. That’s not the case. In 2011, PCI SSC agreed not to certify mobile payments until the appropriate standards are developed.
So what can merchants do in the mean time? One of the most important measures they can take is to use approved scanners and readers that encrypt the PAN or credit card information at the point of interaction, so even if the mobile device acting as a reader/scanner is stolen, the personal transaction data won’t be compromised.
In any case, the new guidelines are a good starting point for those looking to secure their systems and reduce the risks of a breach. I’ve listed some of the key points below:
Secure the device
Simply put: make sure the mobile device is in a physically secured location when not in use. As a consumer-level gadget, it’s more open to hacking threats, and one of the easiest is for unauthorized users to get actual access to the device and install malware.
Employ a PIN, pattern, or password that authorized users must enter to gain device access. Enforce re-authentication after a period of time.
Scan for malware
A key thing for merchants and vendors to remember is that a general purpose mobile computer can run more than just payment software. The PCI SSC guidelines not only recommend that merchants remove non-essential applications, but that they also install anti-malware and anti-virus software, as well as keeping it all up to date!
Prefer online transactions
Don’t store transactions on the mobile device for later transmission. This opens a potential security hole if the device is hacked or stolen.
Monitor logs and reports
Even if a merchant has taken all the steps in the guidelines, it’s still critical to detect for intrusions or other hacking exploits by scanning logs for unusual activity. This would typically be the responsibility of a service provider doing the back-end transaction processing. Merchants should make sure to ask their processors for activity reports or even, if available, real-time alerts.