Skip to content

PCI SECURITY STANDARDS COUNCIL RELEASES GUIDANCE FOR MERCHANTS ON MOBILE PAYMENT ACCEPTANCE SECURITY

February 14, 2013

— Merchant education tool aimed at driving demand for secure mobile payment
acceptance options —

WAKEFIELD, Mass., February 14, 2013 — Today the PCI Security Standards Council (PCI
SSC), an open, global forum for the development of payment card security standards published
the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users. The
guidance educates merchants on the factors and risks that need to be addressed in order to
protect card data when using mobile devices, such as smart phones and tablets, to accept
payments.
Juniper Research predicts mobile transactions will hit $1.3 trillion worldwide by 2015, four times
what it is today, as more and more businesses turn to consumer electronic handheld devices
(eg; smart phones, tablets or PDAs) for payment acceptance. As these devices are not solely
used as point of sale tools but also to carry out other functions, they introduce new security
risks. By design, almost any mobile application could access account data stored in or passing
through the mobile device.
The new guidance for merchants focuses on these scenarios and specifically the payment
software that operates on these devices. The PCI Mobile Payment Acceptance Security
Guidelines for Merchants as End-Users leverages industry best practices to educate merchants
on what is needed to isolate and prevent card data from exposure.
―Even with rapid adoption of mobile technology in payments, security still tops concerns for
merchants. It comes down to the basic element of trust. Consumers want to have confidence
that their information is protected – whether at their favorite restaurant, shopping online or
making a purchase using a mobile device in lieu of a traditional POS. Currently, it is challenging
to demonstrate a high level of confidence in the security of sensitive financial data in devices
that were designed for other consumer purposes. Which is why we encourage merchants to
consider encrypting cardholder data securely prior to using mobile devices to process
transactions, said Troy Leach, chief technology officer, PCI Security Standards Council. The guidance goes hand-in-hand with recommendations the Council published in September
2012 for mobile app developers and device vendors on designing appropriate security controls
that provide secure mobile payment acceptance solutions for merchants.
Added Leach, ―When considering mobile payment acceptance, merchants need to go in with
their eyes open. And that’s what the intent of this guidance is, to help merchants understand the
risks so that together with developers and device vendors they can safely implement a solution
that will enable mobile commerce to flourish.
The PCI Mobile Payment Acceptance Security Guidelines recognize payment security as a
shared responsibility. By providing a high level introduction and overview of the mobile
payments space and the security risks of mobile devices, the document outlines the unique,
complex and evolving mobile environment that underscores the need for all parties in the
payment chain to work together to ensure mobile acceptance solutions are deployed securely.
The guidance is organized around the following key areas and objectives:

  • Objectives and Guidance for the Security of a Payment Transaction – addresses

the three main risks associated with mobile payment transactions: account data
entering the device, account data residing in the device, and account data leaving the
device

  • Guidelines for Securing the Mobile Device – provides recommended measures for 

merchants regarding the physical and logical security of mobile devices used for
payment acceptance

  •  Guidelines for Securing the Payment Acceptance Solution – provides guidance 

for the different components of the payment acceptance solution; including the
hardware, software, the use of the payment acceptance solution, and the relationship
with the customer

A glossary of terms, chart to help determine responsibility for each best practice, checklist for
choosing a mobile solution provider, and further detail on additional risks associated with mobile
devices are included as appendices.
The document underscores that until mobile hardware and software implementations can meet
these guidelines, the best options for merchants is the use of a PCI-validated, Point-to-Point
Encryption (PCI P2PE) solution, as outlined in the Accepting Mobile Payments with a
Smartphone or Tablet fact sheet.
Merchants can download both the PCI Mobile Payment Acceptance Security Guidelines for
Merchants as End-Users and the Accepting Mobile Payments with a Smartphone or Tablet fact sheet from the PCI SSC website:
https://www.pcisecuritystandards.org/security_standards/documents.php.

Contact Tina for more information @ 888.413.9186

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: