The PCI Security Standards Council has issued a new report aimed at software developers and device manufacturers advising them to create mobile applications that support encryption and other capabilities that protect credit card transactions.
The PCI Mobile Payment Acceptance Security Guidelines urge developers to support encryption of data being processed and stored on the device and to protect that data when it is transmitted. They recommend that mobile application developers password-protect the application. According to the report, mobile apps that accept payments should also contain functionality to detect and alert on brute force attacks, invalid login attempts and cryptographic key changes.
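As an illustration of the detection functionality the guidelines call for, here is an added example (not code from the PCI Council or the guidance document) that scans application event records for the three conditions named above: it logs every invalid login attempt, raises a brute-force alert when a device accumulates a threshold of failures inside a sliding time window, and raises an alert on any cryptographic key change. The event format, the threshold of five failures in five minutes, and the sample records are all constructed assumptions for the example.

```python
"""Detect invalid logins, brute-force bursts and key changes in app event logs.

Added example illustrating the controls described in the PCI mobile payment
guidance; the event format and thresholds below are assumptions, not values
taken from the guidelines.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, device_id, event_type).
# Device "pos-01" shows a burst of failed logins; "pos-02" shows two spread-out
# failures, a successful login, and then a cryptographic key change.
SAMPLE_EVENTS = [
    ("2012-01-01T09:00:00", "pos-01", "login_failure"),
    ("2012-01-01T09:00:10", "pos-01", "login_failure"),
    ("2012-01-01T09:00:20", "pos-01", "login_failure"),
    ("2012-01-01T09:00:30", "pos-01", "login_failure"),
    ("2012-01-01T09:00:40", "pos-01", "login_failure"),
    ("2012-01-01T09:00:50", "pos-01", "login_failure"),
    ("2012-01-01T09:05:00", "pos-02", "login_failure"),
    ("2012-01-01T09:12:00", "pos-02", "login_failure"),
    ("2012-01-01T09:13:00", "pos-02", "login_success"),
    ("2012-01-01T09:20:00", "pos-02", "key_change"),
]


def detect_alerts(events, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alert dicts derived from the event stream.

    - every "login_failure" produces a low-severity "invalid_login" alert;
    - `threshold` or more failures on one device within `window` produce a
      single high-severity "brute_force" alert for that burst;
    - every "key_change" produces a high-severity "key_change" alert.
    A "login_success" resets the failure window for that device.
    """
    parsed = sorted(
        (datetime.fromisoformat(ts), device, kind) for ts, device, kind in events
    )
    recent_failures = defaultdict(deque)  # device -> timestamps of recent failures
    in_burst = set()                      # devices already alerted for the current burst
    alerts = []

    for ts, device, kind in parsed:
        if kind == "login_failure":
            alerts.append({"severity": "low", "type": "invalid_login",
                           "device": device, "time": ts})
            failures = recent_failures[device]
            failures.append(ts)
            # Drop failures that fell out of the sliding window.
            while ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold and device not in in_burst:
                alerts.append({"severity": "high", "type": "brute_force",
                               "device": device, "time": ts,
                               "attempts": len(failures)})
                in_burst.add(device)
        elif kind == "login_success":
            # A valid login ends the current burst for this device.
            recent_failures[device].clear()
            in_burst.discard(device)
        elif kind == "key_change":
            alerts.append({"severity": "high", "type": "key_change",
                           "device": device, "time": ts})
    return alerts


def summarize(alerts):
    """Count alerts by type, e.g. {"invalid_login": 8, "brute_force": 1, ...}."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["type"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_alerts(SAMPLE_EVENTS):
        print(alert["time"].isoformat(), alert["severity"], alert["type"], alert["device"])
```

Running the example produces eight low-severity invalid-login records, one brute-force alert for pos-01 at its fifth failure, and one key-change alert for pos-02; the two spaced-out failures on pos-02 never reach the threshold, and the successful login clears them.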
The document is meant to be the foundation for a series of guidance documents on securing mobile payment transactions, said Troy Leach, CTO of the PCI SSC. Security industry frameworks and models for mobile application development are still in their early stages, Leach said.
"Every time we tried to frame some requirement a new exploit or attack was detected or new technologies for security were discovered," Leach said. "The market is rapidly evolving and we're able to apply security in new ways."
The PCI Council is racing to keep up with the huge adoption of smartphones, which is transforming how businesses accept and transmit payments. The Council formed an industry taskforce in 2010 to address mobile payment acceptance security. The Payment Card Industry Data Security Standard (PCI DSS) was last updated in 2010, and no major update is expected when the document is revised at the end of 2013.
The report was released Thursday at the PCI Council's North America Community Meeting. In addition, the document requires that applications support being disabled remotely in the event of a compromise and that appropriate server-side controls are in place.
In May, guidelines urged merchants to use validated hardware that supports encryption to accept mobile payments. The mobile payment movement is being embraced largely by small and midsized transient businesses, although some retailers, including Apple, are adopting mobile payment acceptance in their stores. Smartphone-compatible payment devices are provided by a variety of vendors, including San Francisco-based Square Inc., VeriFone, PayPal and SalesVu.
The PCI Council relied on a variety of organizations including experts from the Open Web Application Security Project (OWASP) to help create the guidance document that addresses mobile applications. The organization's volunteers have been producing documents outlining common mobile application vulnerabilities, mobile controls and design principles.
Leach said the combination of multiple mobile platforms, various smartphone manufacturers and carriers makes creating highly secure mobile payment acceptance applications extremely difficult. He likened the state of mobile application development to Web application security seven or eight years ago, when the lack of best practices and supporting documentation made it difficult for software developers to understand their responsibility to protect sensitive data.
"We've identified the problems and have a collective agreement as to what priorities to address," Leach said.