The Green Sheet Online Edition
June 11, 2012 • Issue 12:06:01
PCI SSC issues mobile help, calls for SIG topics
The PCI Security Standards Council (PCI SSC) recently issued mobile payment security guidance and called for topic suggestions for its special interest groups (SIGs). Its two-page fact sheet, At a Glance: Mobile Payment Acceptance Security, was created by the council's Mobile Working Group with input from merchants, vendors and mobile payment organizations.
The document was released to help merchants understand their Payment Card Industry (PCI) Data Security Standard (DSS) responsibilities, benefit from the council's point-to-point encryption (P2PE) standard and choose a mobile payment solution that meets their needs. The fact sheet also has information on updates made to the council's PIN Transaction Security (PTS) Requirements.
Giving merchants a hand
Tony Leach, PCI SSC Chief Technology Officer, said, "With this fact sheet we hope to help merchants understand how these standards work and the options that are available to them for accepting mobile payments in a secure and PCI DSS compliant manner." The recommendations for merchants include partnering with a validated P2PE solution provider, using an approved PIN entry device or approved secure card reader, and complying with the PCI DSS.
David Abouchar, Senior Director of Product Management and Development for PCI compliance and security solutions provider ControlScan, said the fact sheet arrived at a "great time" when merchants are feeling the need to meet consumer mobile payment demands. "Until the industry finds a way to harden the security of mobile devices themselves, point-to-point encryption provides a viable way for merchants to accept mobile payments without fear of card data being compromised at the mobile device level," he said.
Greg Anderson, Senior Vice President, Product Development, at POS security provider Phoenix Managed Networks, added, "I think it is great that the PCI Security Standards Council continues to provide guidance to merchants regarding new acceptance technologies. It is incumbent upon the SSC to inform, educate and communicate the security risks of mobile payments and recommended technology options such as P2PE that can be implemented to minimize merchants' risk."
Topics for special interest groups needed
Bob Russo, PCI SSC General Manager, is asking for new topics for the council's Special Interest Group (SIG) projects. He also said the council created an enhanced web form this year to allow topic submissions online. As of June 1, 2012, submissions are being accepted at www.pcisecuritystandards.org/get_involved/special_interest_groups.php. The submission period will close July 31.
Russo stated council SIGs are wrapping up work on e-commerce and risk management, two topics suggested in 2011. The final discussion papers will be ready in August. A third SIG report on cloud computing is expected in October.
The PCI SSC also is granting an additional 30 days for proposals this year to allow more time for SIG proposers to be notified and prepare for the council's upcoming Community Meetings, where a short list of proposed SIG topics will be discussed and voted on. Topics under consideration will be listed on the PCI SSC website.
"This year was the year of technology," Russo said when asked what topics he expects to see on the 2012 to 2013 list. "Actually it was the year of mobile. We saw the introduction of EMV, and we may see a desire for additional information on EMV even though we did have an EMV SIG a couple of years ago. I also think point-to-point encryption is a possible topic."
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.