
Is mobile payment security regulated enough by PCI DSS?

PCI DSS is pretty specific about security, but does it do enough for mobile payment security? Expert Mike Chapple explains why he says yes.

The 2015 Mobile Payment Security Study from ISACA was released with some unsettling findings. Do you think the shortcomings of mobile payment security need to be addressed by the PCI council? Are there other mobile payment regulations or standards that enterprises should be aware of?

Mobile payments are rapidly rising in popularity and major smartphone manufacturers now include payment technology in their devices as a matter of routine. With retailers rolling out new technology nationwide, expect to see a rapid uptick in the adoption of mobile payment systems. In fact, many organizations will likely deploy mobile payment technology as part of the equipment upgrades required to support Chip-and-PIN payments.

That said, I believe the 2015 Mobile Payment Security Study report released by ISACA is a little alarmist because it takes some basic questions about the state of mobile payment security and draws the conclusion that current security approaches are inadequate. For example, the study trumpets the fact that 87% of information security professionals surveyed expect to see an increase in mobile payment security breaches. I didn't participate in the survey, but I would have answered this question affirmatively as well -- not because the technology is insecure, but because it's a new technology that's rapidly rolling out and there have not been any high-profile mobile payment security breaches to date. Since the current count is zero, the first incident to occur will be an increase on its own.

The major mobile payment providers are responsibly implementing security technology in their products. Consider, for example, the use of tokenization in Apple Pay: the merchant never receives the primary account number (PAN), only a substitute value that is useless to an attacker outside the payment network. This is the right approach and greatly reduces the likelihood of a breach. I don't feel that additional regulation is needed. The current PCI DSS standards on mobile payment security more than adequately safeguard payment card information, and there's no reason to believe that mobile payment systems are not implementing those standards properly.
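To make the tokenization argument concrete, here is an added example (not from the article, and not Apple's or any payment network's actual implementation) of a simplified token vault model. The vault, standing in for the trusted issuer or network side, maps a card PAN to a randomly generated token; the merchant stores only the token, so a dump of the merchant's records contains nothing that can be turned back into a card number. The `TokenVault`, `Merchant` and `pan_exposed` names, the decision to preserve the last four digits for receipt display, and the test card number are all assumptions made for this illustration.

```python
"""Simplified model of payment-card tokenization (added illustration, not a real scheme)."""
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digits of `pan` pass the Luhn check (basic input validation)."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 13 or len(digits) > 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Trusted side (issuer/network in a real scheme): the only place PANs are stored.

    Tokens are random, not derived from the PAN, so possession of a token
    reveals nothing about the card number without access to this mapping.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        pan = "".join(c for c in pan if c.isdigit())
        if pan in self._token_by_pan:          # same card -> same token
            return self._token_by_pan[pan]
        while True:
            # Assumption for this example: random leading digits, last four kept
            # so a receipt can still show "ending in 1111".
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the PAN."""
        return self._pan_by_token[token]


class Merchant:
    """Merchant system: sees and stores tokens only, never the PAN."""

    def __init__(self) -> None:
        self.records: list[dict] = []

    def record_sale(self, token: str, amount: float) -> None:
        self.records.append({"token": token, "amount": amount})


def pan_exposed(records: list[dict], pan: str) -> bool:
    """Would a dump of these records reveal the card number? (breach-impact check)"""
    pan = "".join(c for c in pan if c.isdigit())
    return any(pan in str(r.get("token", "")) for r in records)


def demo() -> tuple[str, str, list[dict]]:
    """Run one tokenized sale and return (normalized PAN, token, merchant records)."""
    vault = TokenVault()
    merchant = Merchant()
    pan = "4111 1111 1111 1111"   # constructed: a well-known Visa-format test number
    token = vault.tokenize(pan)
    merchant.record_sale(token, 42.00)
    return vault.detokenize(token), token, merchant.records


if __name__ == "__main__":
    real_pan, tok, dump = demo()
    print("token stored by merchant:", tok)
    print("PAN recoverable from merchant dump?", pan_exposed(dump, real_pan))
```

The point the example makes is the one the answer relies on: a compromise of the merchant's records yields tokens that are worthless without the vault, which is why tokenization shrinks both the breach likelihood and the PCI DSS scope of the systems that handle them.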

This was last published in February 2016
