Mobile Processing and Security

The characteristics of mobile devices introduce challenges in securing that environment. General-purpose mobile devices are built with a goal of being easy for the consumer to use. They do not typically provide the level of data security you would expect when using a payment card at a traditional retail store. Because of this design, almost any mobile application could access account data stored in or passing through the mobile device. This makes it harder for merchants to demonstrate adherence to the PCI Data Security Standard.

The same PCI principles for secure coding best practices and protection of account data apply to mobile, but the people doing the coding are often different. Developers writing applications for mobile devices may not be the same developers who were trained to code web applications or traditional POS applications. As such, they may not be aware of their responsibility to build security into the development process, with quality assurance for the security controls that others will rely on.

Users of those applications, such as a new merchant, may be unaware of their responsibilities for safely accepting payment cards. The more secure the solution is before it enters the market, the less risk there is to the merchant accepting payments on mobile devices.

Security is about the people, processes, and technology. As you will see, this also holds true for mobile payment acceptance.

Processes

The business owner might use the mobile device both for accepting account data and for personal use. In that case, can the two activities be segregated? What if the mobile device is owned by an individual and not the employer? This raises process challenges for protecting the mobile device against malware and for other patch management as part of company procedure, because these processes may be seen as invading the privacy of the device owner.

Similarly, applications may be downloaded for personal use, and an enterprise may be unable to prevent or monitor mobile activity that leads to unauthorized access to the account data. These are just some examples of the process challenges introduced by mobile devices that previously may not have been an issue for merchants using traditional, trusted POS terminals.

Technology

Can the technology help detect fraudulent use of mobile devices? Can it also be designed to detect and respond to tampering with the application or the mobile device? As the technology matures, solutions will emerge that give merchants confidence that they are securing their customers' data and preventing attacks against the powerful tool they hold in their hand.

By following these guidelines, merchants can implement a mobile payment-acceptance solution safely and enable mobile commerce to flourish. The guidance that follows is intended to reduce security risks on mobile devices that would otherwise fall short of compliance.

BYOD: Bring Your Own Device

There is one scenario this document does not discuss, and that is BYOD (bring your own device). This is the scenario where an employee brings a device to work that the employee (who is not the merchant) owns and controls. Because BYOD does not give the merchant control over the content and configuration of the device, it is not recommended as a best practice.

Mobile Security Risk

Any risk that exists on a standard desktop or laptop computer may also exist on a mobile device. In addition, mobile devices may have a broader set of functionality than standard desktop and laptop computers, which results in a larger attack surface. Along with the standard communication methods of traditional desktop and laptop computers, mobile devices may also include multiple cellular technologies (e.g., CDMA and GSM), GPS, Bluetooth, infrared (IR), and near-field communication (NFC) capabilities. Risk is further increased by removable media (e.g., SIM card and SD card), the internal debug and test interfaces used by the manufacturer, embedded sensors (e.g., tilt or motion sensors, thermal sensors, pressure sensors, and light sensors), and biometric readers. Furthermore, vendor- and network-operator-level logging and debugging configurations may introduce additional risks.

An inherent risk with mobile devices is the fact that they are mobile. Wireless connectivity allows a mobile device to be removed from the merchant's location, which is usually assumed to be safe, and taken to a location that is convenient for the customer. This can benefit the merchant, but it also creates many security risks. One risk to the merchant is how easily a criminal can steal such a terminal, modify it, and return it without anyone realizing it was gone. Since the mobile device has no fixed location, keeping track of it, a clear merchant responsibility, becomes more challenging. Remember, merchants are the first line of defense against POS fraud and are responsible for executing the vast majority of controls suggested or required by the PCI SSC.

For further information on mobile security and how to protect yourself, please contact SmartPay Merchant Services. If other processors do not inform you on how to protect yourself, are they really interested in helping you?

The security objectives for a mobile payment-acceptance solution are to:

• Prevent account data from being intercepted when entered into a mobile device.
• Prevent account data from compromise while processed or stored within the mobile device.
• Prevent account data from interception upon transmission out of the mobile device.
• Protect the mobile device from malware.
• Prevent unauthorized physical device access.
• Prevent unauthorized logical device access.
• Ensure the mobile device is in a secure state (no jailbreaking or rooting).
• Inspect system logs and reports.
