The Payment Card Industry Security Standards Council is recommending the use of point-to-point encryption technology for the growing number of businesses accepting credit card payments using a credit card reader connected to their mobile device. But Bob Russo, general manager of the PCI SSC, insists the PCI Council is not endorsing the technology for mobile payment acceptance.
We want to make sure whatever data is going into that phone is going in encrypted.
Bob Russo, general manager, PCI SSC
“We’re not endorsing specific technology here other than to say, ‘If you are going to swipe your cards on a dongle, they need to be encrypted,’” said Russo in an interview with SearchSecurity.com. “That’s a recommendation; if you are going to be taking [cards] through a mobile phone or through a tablet, then certainly we want to make sure whatever data is going into that phone is going in encrypted.”
The PCI Council has made it clear that it would back off endorsing specific products within PCI DSS. In 2008, it was forced to issue a supplement clarifying PCI DSS requirement 6.6, which addresses protecting Web applications from attack. The standard requires code vulnerability reviews at least annually, or the installation of a Web application firewall (WAF). The requirement caused sales of WAFs to surge since merchants saw a cost savings in installing a WAF rather than conducting an annual review. The clarification recommended merchants do both to ensure compliance, but indicated a code review and proper WAF implementation would not be feasible for some merchants. It warned merchants against installing a WAF without properly configuring or monitoring it.
The two-page mobile payment acceptance report (.pdf) was issued May 16 and called for P2P encryption hardware – PCI Council-certified card readers – to ensure encryption at the point of capture. The recommendations are aimed at small businesses, including individuals, who plan to use card readers with their mobile device, Russo said. The document points merchants to the PCI point-to-point encryption report, which is serving as the basis for its encryption program. The PCI Council said it would release a list of certified P2P encryption hardware.
Listen to the PCI SSC interview
In this interview, Bob Russo, general manager of the PCI SSC discusses the state of the PCI special interest groups (SIGs), the latest PCI mobile report and addresses why no Mobile SIG exists.
“We’re opening up now a whole new area of merchant that we never had before,” Russo said, referring to credit card acceptance for bake sales, garage sales and other events where credit cards have never been accepted in the past. “We’ve got acquirers that are looking at adding hundreds of thousands of merchants.”
The PCI Council issued a statement last year on mobile payment acceptance applications (.pdf). The statement included a checklist to determine which mobile payment acceptance applications are eligible (.pdf) to be certified under its Payment Application Data Security Standard (PA DSS. A best practices document for securing mobile payment transactions is due out later this year.
PCI groups prep cloud, eCommerce, risk guidance
The PCI Council announced this week it will begin accepting proposals for the 2013 areas of study beginning on June 1. The PCI Council currently has three volunteer Special Interest Groups (SIGs) studying cloud computing, eCommerce applications and risk assessments. The groups are readying guidance documents due out later this year.
The Cloud SIG is examining the various cloud architecture models to come up with recommendations for securing payment data and reducing scope. The guidance will also address how to maintain and validate various cloud technologies against PCI DSS. The council issued a report last year on protecting payment data in virtualized systems. It warned that a public cloud, multitenant environment is challenging to validate PCI compliance because “physical isolation between tenants is not practical.” The group is expected to address the virtual components in scope for a PCI DSS assessment. Its report is due out in October.
The eCommerce SIG is examining common eCommerce payment application implementations to come up with recommendations on how to mitigate the risk of stolen credit card data, Russo said. The focus is also on the roles and responsibilities of both the merchant and its eCommerce service provider. Currently, some companies are integrating Web application payment function with a third-party payment processor to eliminate card storage and reduce PCI DSS scope. The group is scheduled to release a report in August.
“Basically this is addressing the challenges of operating in an online environment securely,” Russo said.
The Risk Assessment SIG is addressing questions about how to appropriately carry out and document an annual risk assessment. The group is addressing how to assess the impact of third parties such as business partners or hosting environments. Russo said the group has completed a first draft of its work developing a standard methodology for categorizing and recording assets and ways to evaluate them against threats and vulnerabilities. “This is from feedback from people having to deal with the PCI requirement 12.1.2,” Russo said. A report is also scheduled to be released in August.
Russo explained the approach the PCI Council is taking with mobile security, further explained recent guidance for mobile payment acceptance, and why no Special Interest Group is researching mobile security issues:
Last year I interviewed you about mobile, and you mentioned a mobile task force was going to be started.
Bob Russo: We just put out a mobile document. We’re opening up now a whole new area of merchant that we never had before. We’ve got acquirers that are looking at adding hundreds of thousands of merchants. People who have cookie businesses out of their kitchens and whatnot, and all of a sudden they are now able to take credit cards when they go to a flea market every weekend to sell their cookies. This is a document explaining to them the types of things they need to be looking for if they plan on taking credit cards.
I think that document almost endorsed point-to-point encryption. I know the PCI Council endorsed technologies in the past like Web application firewalls (WAFs) within PCI DSS, but after that drove up sales of WAFs, I thought the PCI Council was hesitant in endorsing specific kinds of technologies. Is that not the case?
Russo: It is the case. We’re not really endorsing a specific technology here, other than to say that, “If you are going to be swiping cards on a dongle they need to be encrypted.”
The document recommended point-to-point encryption and the certified hardware under the point-to-point encryption program.
Russo: Yes. That’s a recommendation. If you are going to be taking something through a mobile phone or through a tablet, then certainly we want to make sure whatever data is going into that phone is going in encrypted.
Mobile has been an issue for a number of years. Why has there not been a Special Interest Group for mobile? Is there a specific reason?
Russo: There are a lot of inherent security issues with mobile. From a convenience factor, people have wanted it and consumers certainly want it. But I think merchants have been somewhat cautious when it comes to mobile only because of the fact that it is so insecure. If it were an easy thing to do, you would probably see some sort of mobile security standard out there already by a myriad of people, not just the council. It’s just not an easy area to deal with. There are a lot of different factors from the devices themselves that are, to a certain extent, inherently insecure all the way up to protecting these cards.
With near field communications (NFC) technology, PayPal and Google have mobile payment technology, telecommunications providers are driving their technologies, and the card brands are rolling out a mobile payment solution themselves. Does that make it difficult for the PCI Council to properly address security of their products? It’s confusing because they’re the ones enforcing PCI DSS.
Russo: I have to go back to the old mantra: If you are storing, processing or transmitting credit card data, regardless of who you are, you are going to need to worry about security and dealing with these standards. Whether that’s an acquirer, a new vendor that is out there or whomever, if they are getting into the business they are going to have to be worried about security and therefore complying with our standard. Nobody gets a pass.