RBTE 2015: Secure mobile payments to maintain trust

It's official. There are now more mobile devices worldwide than there are people. According to the GSMA tracker, there are around 7.4 billion mobile devices versus 7.2 billion people noted by the World Population Clock. 

And it’s not just the increasing numbers of mobile and internet-enabled devices that’s significant. It’s what these devices can do. Who’d have thought 10 or even 15 years ago that we’d be using our phones to wake us up in the morning, take high-resolution photos or navigate our way around foreign cities?

The m-present and m-future

Mobile devices offer huge opportunities for us to interact, react and transact. Just add an 'm-' for a new customer proposition or business model. Think: m-commerce, m-couponing, m-loyalty and so on. I’m looking forward to RBTE to see even more new uses for mobile devices. 

Whilst considering the opportunities, let’s also consider the risks. Most importantly, let’s consider security, which is our focus at the PCI Security Standards Council, and in this case specifically the delivery of secure mobile payments.

The key challenge around securing sensitive payment data with mobile devices is that, fundamentally, the mobile device itself is not secure. Mobile phones and tablets are designed for consumer use, not necessarily for card payment acceptance. Thus building and maintaining trust in this new way of paying, in order to unlock its potential, is a critical task for the council and the wider payments industry. So, we’d encourage anyone deploying mobile payment acceptance devices to consider security. The council has a list of approved secure card readers and MPoS PIN acceptance devices on its PIN Transaction Security (PTS) listing; these enable both magnetic-stripe and chip card transactions.

Securing sensitive payment information

What's in scope? Well, if the mobile device is used for accepting payment, it's in scope of the Payment Card Industry Data Security Standard (PCI DSS), and if it uses a card and PIN then it is also in scope of the PCI PTS standard. This makes logical sense; after all, counter-top and unattended card acceptance devices in shops, stations or car parks have to comply with PCI PTS.

If the mobile device is used for making payment, either as a card or as a mobile wallet, it's not currently within the scope of PCI DSS or the focus of the council. However, other standards and protocols administered by other bodies (e.g. EMV) may apply.

The PCI Council originally published guidelines and best practices on mobile payment acceptance in 2012-13 and revised these in the summer of 2014. Guidelines for developers and merchants as end-users can be found on our website, along with a factsheet on accepting mobile payments with a smartphone or tablet. As mobile acceptance is still evolving, it's somewhat premature for new PCI Standards.

Let's talk technical

There are already a number of approved mobile acceptance solutions on the market. These tend to involve an application (app) loaded onto the mobile device, which acts as the till system, with additional hardware accessories to capture card and PIN data securely.

First, the hardware accessory, also known as a PIN entry device (PED) or secure card reader (SCR), must be approved to safely capture and encrypt cardholder data before it is sent to the mobile device. Second, all sensitive data must remain encrypted from the moment it is captured until it reaches the secure environment of the acquirer or processor. This is where the council's point-to-point encryption (P2PE) programme comes in, enabling mobile acceptance solutions to be validated and listed as an approved P2PE solution.
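As an added illustration (example code, not the PCI Council's or any listed solution's), the Go model below follows the flow the two paragraphs above describe: the approved reader seals the cardholder data, the till app on the phone only relays an opaque blob, and only the acquirer's environment can open it. The key, the reader serial and the "AMT=...;DATA=" message framing are assumptions made for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo key and hypothetical serial: only the SCR and the acquirer's HSM hold the key.
var acquirerKey = bytes.Repeat([]byte{0x42}, 32)
const readerSerial = "SCR-DEMO-0001" // bound to each ciphertext as authenticated data

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // the fixed 32-byte demo key cannot trigger this
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// scrEncrypt models the approved reader: cardholder data is AES-256-GCM sealed before it leaves the reader.
func scrEncrypt(key, cardData []byte) ([]byte, error) {
	gcm := mustGCM(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, cardData, []byte(readerSerial))...), nil
}

// appForward models the till app on the untrusted phone: it adds the amount and relays the blob; it holds no key.
func appForward(blob []byte, amountPence int) []byte {
	return append([]byte(fmt.Sprintf("AMT=%d;DATA=", amountPence)), blob...)
}

// acquirerDecrypt runs in the acquirer's secure environment; the GCM tag rejects anything altered on the phone.
func acquirerDecrypt(key, msg []byte) ([]byte, error) {
	gcm := mustGCM(key)
	i := bytes.Index(msg, []byte("DATA="))
	if n, s := gcm.NonceSize(), i+5; i >= 0 && len(msg) >= s+n {
		return gcm.Open(nil, msg[s:s+n], msg[s+n:], []byte(readerSerial))
	}
	return nil, fmt.Errorf("malformed message")
}
```

Because the app never holds the key, a compromised phone can at most drop or corrupt a transaction, and corruption is caught by the tag check at the acquirer.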

In summary

It's an exciting time for mobile payments, with new opportunities but also new risks. The environment is complex and still evolving, but we'd advise anyone deploying or thinking of deploying a mobile acceptance solution to consider security carefully.

The best way to do that is to download the guidance on our website as to how the PCI Standards apply. Work closely with your card acquirer, processor and card scheme as they may have particular requirements, too. 

Looking forward, the PCI Council is evaluating the security of environments that create tokens for mobile platforms, conducting mobile surveys, and engaging with all stakeholders from manufacturing to software development to financial services that may want to adopt new forms of accepting payment data. We will continue to promote the education and training of developers and implementers of this technology and provide a community where all these finance and technology leaders can come together to better define the role of security in this exciting new environment.

Visitors to RBTE 2015, which is taking place this week on 10-11 March at London's Olympia, can hear more from Jeremy King. He participates in a panel discussion called 'Improving The Customer Experience And Security Of Mobile Payments', at 11:25, in Theatre B.
