The Green Sheet Online Edition
July 14, 2014 • Issue 14:07:01
Stop looking for a PCI mobile standard
Blaming the PCI Security Standards Council (PCI SSC) for the industry's confusion over mobile security has been the craze since the Payment Card Industry Data Security Standard (PCI DSS) 3.0 was released in 2014. "They forgot to include mobile in 3.0!" people rage. The truth is the council left it out on purpose.
We can't let mobile lower the bar
Merchants want cheap and secure in the same bite. They want to turn a $300 tablet device into a highly secure POS terminal – and use that same cheap piece of equipment as a multipurpose asset in their personal lives.
Most current mobile devices are mini computers that were never designed for secure processing. No matter how many mobile requirements the PCI SSC could add to the standard, the platform itself may never be capable of being secured well enough to process customer payments.
The council can't provide guidance on something that is inherently vulnerable, especially if the argument is, "But everyone is doing it!" By constantly asking for mobile PCI DSS requirements, acquirers, ISOs and merchants are asking the PCI SSC to accept an insecure processing practice. Why would the council lower the bar for mobile to squeak under? The PCI SSC won't add mobile PCI requirements until mobile devices are a worthy platform.
Mobile device manufacturers: 'Why should we care?'
The problem is phone manufacturers have no real motivation to make mobile devices a worthy platform. Even if the payment card industry's voice were heard among the noise, merchants aren't the main consumers of mobile devices. The general public is.
One piece of technology could be added to a personal smartphone to entice the PCI SSC to create a mobile requirement. A mobile device would need to incorporate secure element technology – for example, incorporating two chips in a single phone: one chip would run only payment processing, and the other chip would run all the apps, text messages, Internet browsing, etc.
If phone manufacturers were somehow persuaded to add secure element technologies into a smartphone, the PCI SSC could then address mobile payments through regulating the technology's attributes, communication and version.
Now, tell me the motivation for phone manufacturers to add new hardware to an already successful product. How much profit could they generate by adding a secure chip to new phones? Out of the 1.5 billion smartphones in the world, how many people actually use theirs for mobile processing? Securing hardware just isn't financially rewarding for phone manufacturers.
What to do with current mobile devices
It looks like we're on our own to secure mobile transactions, at least for the foreseeable future. Luckily, the council hasn't left us in the dark. The PCI Mobile Payment Acceptance Security Guidelines, which the PCI SSC wrote for merchants in 2013, outline best practices for bringing some semblance of security to current mobile devices.
The following are two models the PCI SSC suggested to adequately secure a mobile device.
- Device is dedicated to the payment function: This tablet or smartphone is a purpose-driven device, dedicated exclusively to the store. That means it shouldn't be taken home at the end of the work day. It can't be used for anything but processing credit cards: no browsing the Internet, taking phone calls, texting or using any apps except the payment-processing app.
- Device uses encrypt-at-swipe technologies: If your merchants want to use a device personally and maintain the ability to securely take credit cards on that device, ask them to use encrypt-at-swipe payment processing technology and eliminate or minimize manually entered transactions. Most encrypt-at-swipe technologies are very secure and use strong algorithms to secure data before it reaches the device. Encrypt-at-swipe is as close as they will get to cheap and secure in the same solution.
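The encrypt-at-swipe model above rests on one trust boundary: the reader head encrypts the track before the phone or tablet ever touches it, so the app only relays an opaque blob and the processor alone can decrypt. The following is an added illustration of that boundary, not code from this column, from the PCI SSC or from any reader vendor. It uses an HMAC-SHA256 keystream plus an HMAC tag as a stand-in for the proprietary or DUKPT-based ciphers real readers use, a constructed reader key, and a constructed track with the well-known test PAN 4111111111111111; the function and variable names are the author's own.

```python
import hashlib
import hmac
import secrets

# Constructed sample key. In a real encrypt-at-swipe deployment this key is
# injected into the reader's hardware and held at the processor's decryption
# host; the mobile app never has it.
READER_KEY = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
)

# Constructed track-2-style sample: test PAN, expiry, service code.
SAMPLE_PAN = "4111111111111111"
SAMPLE_TRACK = b";4111111111111111=25121010000000000000?"


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in for the reader's real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def reader_encrypt(key: bytes, track_data: bytes) -> dict:
    """Runs inside the reader head. Encrypts and authenticates the track
    before anything is handed to the mobile device."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(key, nonce, len(track_data))
    ciphertext = bytes(a ^ b for a, b in zip(track_data, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def app_forward(blob: dict) -> dict:
    """Everything the phone app handles: an opaque blob it relays unchanged.
    No key, no plaintext, nothing to display or log beyond these fields."""
    return {k: blob[k] for k in ("nonce", "ciphertext", "tag")}


def processor_decrypt(key: bytes, blob: dict) -> bytes:
    """Runs at the processor. Rejects anything altered in transit, then
    recovers the track data."""
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    tag = bytes.fromhex(blob["tag"])
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch: blob was altered")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def pan_visible_to_app(blob: dict, pan: str) -> bool:
    """True if the PAN digits appear, raw or as hex-encoded ASCII, anywhere
    in what the app relays. Expected to be False for an encrypting reader."""
    visible = " ".join(app_forward(blob).values())
    return pan in visible or pan.encode().hex() in visible


if __name__ == "__main__":
    blob = reader_encrypt(READER_KEY, SAMPLE_TRACK)
    print("app sees PAN:", pan_visible_to_app(blob, SAMPLE_PAN))
    print("processor recovers track:",
          processor_decrypt(READER_KEY, app_forward(blob)) == SAMPLE_TRACK)
```

The point for the merchant conversation is in `app_forward`: the phone's scope is a pass-through for ciphertext, which is why a personally used device can still carry swipes while manually keyed transactions, which put the PAN on the device's keyboard and screen, are the ones to eliminate or minimize.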
The conversation you must have with merchants
Mobile processing is much too convenient to slow down anytime soon. If acquirers and ISOs are determined to provide mobile solutions, it is their responsibility to educate merchants, ensure the security of the solutions and ensure that merchants know the risk they're taking upon themselves.
When speaking at a Treasury Institute for Higher Education conference, Bob Russo, General Manager of the PCI SSC, explained that if acquirers want to say it's OK for a merchant to use mobile, the acquirer and merchant should assume the risk. It's completely up to the merchant and the acquirer, not the council.
At this point, allowing a merchant to mark a business as PCI compliant becomes a business decision between the merchant and Qualified Security Assessor, or the merchant and the acquiring bank. Is there a standard for mobile? No. Should that stop you from allowing your merchants to process via mobile devices? Well, that's entirely up to you.
Gary Glover (CISSP, CISA, QSA, PA-QSA) is the Director of Security Assessment at SecurityMetrics. Gary has worked in the IT security industry as a QSA for over nine years. For more information about SecurityMetrics, visit www.securitymetrics.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.