PCI Security Standards Council Issues Guidance for Mobile Payment Industry

The council's guidance on best practices is meant to improve security as the market for mobile payment solutions balloons.

The PCI Security Standards Council (PCI SSC) is unveiling a set of best practices for mobile payment acceptance security.

The standards, announced Sept. 13, follow predictions by analysts that the global mobile payment market will continue to grow. According to Gartner, worldwide mobile payment transaction values will surpass $171.5 billion in 2012, a roughly 62 percent increase from the $105.9 billion in 2011. The firm also predicts the number of mobile payment users will reach 212.2 million by the end of the year, up from 160.5 million in 2011.

"The trend in mobile payments is to utilize consumer grade devices for operations that were historically performed by hardened hardware terminals," Nicholas J. Percoco, senior vice president at Trustwave's SpiderLabs, told eWEEK. "The challenges are broad and many but some of the top issues revolve around management/control over the device, the integrity of the payment applications, and the security of the payment process."

The best practices were announced at the PCI SSC's North America Community Meeting. Dubbed the PCI Mobile Payment Acceptance Security Guidelines, the best practices are meant to offer software developers and mobile device manufacturers guidance on how to include security controls in solutions for merchants to accept mobile payments safely. The guidelines are focused on securing the payment transactions as well as the broader mobile application platform environment.

Recommendations include:

• Isolate sensitive functions and data in trusted environments

• Implement secure coding best practices

• Eliminate unnecessary third-party access and privilege escalation

• Create the ability to remotely disable payment applications

• Create server-side controls and report unauthorized access

According to the guidance, developers should ensure that a trusted path exists between the data-entry mechanism (e.g., manual key entry or entry via a card reader) and the mobile device so that account data cannot be intercepted by an unauthorized party. This can be accomplished using a trusted execution environment that restricts access between the mechanism receiving account data and secured memory located inside the device. As an alternative, account data can be encrypted appropriately before it is entered into the mobile device.
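The second alternative in that paragraph, encrypting account data before it ever enters the mobile device, is easy to see in code. The following Go program is an added example written for this article; it is not code from the PCI SSC guidelines or from any vendor the article mentions. It models a card reader that encrypts the account data with AES-GCM under a key shared only with the payment server (the key value, reader identifier and card number are all constructed test values), hands the opaque blob to the phone, and shows that the phone can neither read the card number nor alter the blob without the server noticing.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed demo key shared by the card reader and the payment server.
// In a real deployment this key lives in the reader's secure hardware and on
// the server; it is never present on the consumer-grade mobile device.
var readerServerKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256

// EncryptAtReader models the card reader: account data is encrypted before
// it is handed to the phone. The reader ID is bound as associated data so the
// server can verify which reader produced the blob. Output: nonce || ct || tag.
func EncryptAtReader(key, accountData []byte, readerID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, accountData, []byte(readerID))...), nil
}

// DecryptAtServer models the payment server, the only other holder of the key.
// Any change to the blob or a mismatched reader ID fails authentication.
func DecryptAtServer(key, blob []byte, readerID string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(readerID))
}

// PhoneCanReadPAN models what the mobile app can observe: it only relays the
// blob, so the account number must not appear anywhere in it.
func PhoneCanReadPAN(blob []byte, pan string) bool {
	return bytes.Contains(blob, []byte(pan))
}

// FlipLastByte returns a copy of the blob with its last byte altered, modelling
// a modification made on the (untrusted) mobile device.
func FlipLastByte(blob []byte) []byte {
	out := append([]byte(nil), blob...)
	out[len(out)-1] ^= 0x01
	return out
}

func main() {
	pan := "4111111111111111" // constructed test card number
	blob, err := EncryptAtReader(readerServerKey, []byte(pan), "READER-01")
	if err != nil {
		panic(err)
	}
	fmt.Printf("phone sees PAN in blob: %v\n", PhoneCanReadPAN(blob, pan))
	clear, err := DecryptAtServer(readerServerKey, blob, "READER-01")
	fmt.Printf("server recovered %q, err=%v\n", clear, err)
	_, err = DecryptAtServer(readerServerKey, FlipLastByte(blob), "READER-01")
	fmt.Printf("server accepts tampered blob: %v\n", err == nil)
}
```

The point of the design is that the mobile app is outside the trust boundary: it carries ciphertext it cannot open, and the authentication tag lets the server reject anything the device changed. A compromised phone in this model still cannot harvest account data in transit.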

"Applications are going to market so quickly; anyone can design their own app today that can be used to accept payments tomorrow," PCI SSC CTO Troy Leach said in a statement. "It's our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we'll start to see the market drive more secure options for merchants to protect their customers' data."

In the short term, security will probably not hurt the adoption of mobile payment technologies because many small businesses are not aware of the current risks, said Percoco.

"Long-term, as criminals begin to focus more on capitalizing on the flaw in current mobile solutions, there could be impacts to organizations successfully utilizing mobile as a payment platform," he said. "PCI SSC rolled out their best practice guide as a step in the right direction for educating the mobile payment application development community."