The 2015 Mobile Payment Security Study from ISACA was released with some unsettling findings. Do you think the shortcomings of mobile payment security need to be addressed by the PCI council? Are there other mobile payment regulations or standards that enterprises should be aware of?
Mobile payments are rapidly rising in popularity and major smartphone manufacturers now include payment technology in their devices as a matter of routine. With retailers rolling out new technology nationwide, expect to see a rapid uptick in the adoption of mobile payment systems. In fact, many organizations will likely deploy mobile payment technology as part of the equipment upgrades required to support Chip-and-PIN payments.
That said, I believe the 2015 Mobile Payment Security Study report released by ISACA is a little alarmist because it takes some basic questions about the state of mobile payment security and draws the conclusion that current security approaches are inadequate. For example, the study trumpets the fact that 87% of information security professionals surveyed expect to see an increase in mobile payment security breaches. I didn't participate in the survey, but I would have answered this question affirmatively also -- but not because the technology is insecure. It's a new technology that's rapidly rolling out and there have not been any high-profile mobile payment security breaches to date. The first incident to occur will be an increase on its own.
The major mobile payment providers are responsibly implementing security technology in their products. Consider, for example, the use of tokenization in Apple Pay. This is the right approach and greatly reduces the likelihood of a breach. I don't feel that additional regulation is needed. The current PCI DSS standards on mobile payment security more than adequately safeguard payment card information, and there's no reason to believe that mobile payment systems are not implementing those standards properly.
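To illustrate why the tokenization cited in the answer above limits what a merchant-side breach can expose, here is an added example that is not from the original answer or from any payment provider's code: a simplified provider-side token vault that issues random, merchant-bound tokens, so that tokens exfiltrated from one merchant neither reveal the card number nor resolve for anyone else. The vault class, merchant ids, order ids and the sample PAN are all constructed for this illustration.

```python
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample card number (a well-known test PAN, not a real account).
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Provider-side token vault: the only component that ever holds the real PAN."""

    def __init__(self) -> None:
        # token -> (PAN, merchant the token is bound to)
        self._entries: Dict[str, Tuple[str, str]] = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Issue a random, merchant-bound token; only the last four digits are kept."""
        body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
        token = body + pan[-4:]
        self._entries[token] = (pan, merchant_id)
        return token

    def detokenize(self, token: str, merchant_id: str) -> Optional[str]:
        """Resolve a token to its PAN only for the merchant it was issued to."""
        entry = self._entries.get(token)
        if entry is None or entry[1] != merchant_id:
            return None
        return entry[0]


def merchant_breach_exposure(vault: TokenVault, merchant_db: Dict[str, str],
                             other_merchant: str) -> Dict[str, int]:
    """Model a leak of a merchant's stored tokens: count how many of them resolve to a
    PAN when presented under a different merchant id (the attacker's vantage point)."""
    resolved = sum(1 for tok in merchant_db.values()
                   if vault.detokenize(tok, other_merchant) is not None)
    return {"tokens_leaked": len(merchant_db), "pans_recoverable": resolved}


def demo() -> Dict[str, int]:
    """Merchant A stores only tokens; a copy of its database yields no usable PANs."""
    vault = TokenVault()
    merchant_db = {"order-1001": vault.tokenize(SAMPLE_PAN, "merchant-A")}
    return merchant_breach_exposure(vault, merchant_db, "merchant-B")


if __name__ == "__main__":
    print(demo())
```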
Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)