Three Mobile Security Must Haves Before PCI DSS 3.0
Whether it’s customers visiting an eCommerce site via their smartphone, or cashiers using a mobile device to accept payments, chances are mCommerce has played a big role in how retail transactions are carried out today.
However, despite the ubiquity, mobile devices also present a whole new array of security risks for both businesses and shoppers alike. Mobile devices are often built with convenience for the consumer in mind, and this can pose an issue for merchants trying to comply with the rules and regulations handed down by the PCI Security Standards Council.
With these new mobile challenges in mind, the council is preparing to release the next version of the Payment Card Industry Data Security Standard (PCI DSS), version 3.0, in November 2013. With 3.0 only a few months away, now is the time for merchants to make sure they are following all of the current guidelines for mobile payment systems.
Mobile Security Policies
While businesses cannot control unforeseen threats on the consumer end, creating and enforcing stricter policies on the merchant-side can help avoid certain vulnerabilities. Below are some key mobile PCI compliance procedures to consider:
- Never store credit card data locally on the mobile device. Any data left unattended on the device, even if encrypted, is at risk.
- Avoid payment solutions that have customers enter a PIN on the mobile device's own touchscreen; PIN entry belongs on a PCI PTS-approved reader or PIN pad, not on a consumer phone or tablet.
- If possible, implement full-disk encryption on all mobile POS systems.
- Keep the operating system and the payment application on mobile POS devices patched; a vendor's security fix protects nothing until it is actually installed.
Mobile payments encompass a wide variety of options, such as NFC (Near Field Communication), eWallets, and mobile POS systems. Increasingly, small-to-medium-sized merchants are turning to mobile POS solutions in order to streamline checkout.
However, along with the added convenience, there are many potential pitfalls that come from using mobile devices to accept payments. So, before ditching the cash register, make sure your business follows these rules:
- Know where each mobile POS device is at all times, and regulate who has access to the payment application.
- Always change vendor defaults before a device goes live: wireless encryption keys, passwords, and SNMP community strings all ship with well-known default values that are the first thing an attacker tries.
- Use a Point-to-Point Encryption (P2PE) solution so that cardholder data is encrypted inside the approved card reader before it ever reaches the mobile device, and stays encrypted until it is decrypted in the processor's secure environment; the phone or tablet itself only ever handles ciphertext.
- Restrict the mobile POS device's network use to the payment application. A device that is accepting payments should not also be browsing the open Internet, reading email, or joined to public Wi-Fi.
Secure Mobile Websites/Apps
Aside from the other forms of mobile payments mentioned above, perhaps the most common mobile shopping scenario is when consumers buy items directly on their smartphone or tablet. When customers access your site from a mobile website or native app, many of the same security risks and vulnerabilities still apply.
As more shoppers trade in desktops in favor of mobile devices, merchants must adjust their security practices so that the mobile site and app meet the same PCI DSS requirements as the desktop site.
- All information shared between the end user and the merchant must travel over TLS (HTTPS with a valid certificate), on every page, not just the checkout or login page.
- Build web pages and account-access modules so that nothing a passive Wi-Fi sniffer can read ever crosses a plaintext hop: serve account and checkout pages only over HTTPS, redirect plain-HTTP requests to HTTPS, and mark session cookies Secure so the browser never sends them over an unencrypted connection.
- Never store user passwords locally in the native mobile app, and require customers to re-enter their credentials every time by default.
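The following is an added example, not code from the original article or from McAfee SECURE: a small offline audit of the HTTP response headers a mobile site returns, checking the points in the list above (plain HTTP must redirect to HTTPS, HTTPS must be pinned with HSTS, and session cookies must carry Secure and HttpOnly). The `Response` class, the one-year HSTS minimum and the sample responses are all constructed for this illustration; `includeSubDomains` is checked as an additional hardening measure that the article does not mention.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption for this check: treat an HSTS lifetime under one year as too short.
MIN_HSTS_AGE = 31536000  # seconds


@dataclass
class Response:
    """A captured HTTP response: status code plus an ordered header list.
    Headers are kept as (name, value) pairs because Set-Cookie may repeat."""
    status: int
    headers: List[Tuple[str, str]]

    def get(self, name: str) -> List[str]:
        return [v for k, v in self.headers if k.lower() == name.lower()]


def check_http_redirect(http_resp: Response) -> List[str]:
    """The plain-HTTP endpoint must not serve content; it should bounce to https://."""
    if http_resp.status not in (301, 302, 307, 308):
        return [f"http: status {http_resp.status} served over plaintext instead of redirecting"]
    location = http_resp.get("Location")
    if not location or not location[0].lower().startswith("https://"):
        return ["http: redirect does not point to an https:// URL"]
    return []


def check_hsts(https_resp: Response) -> List[str]:
    """HSTS tells the browser to upgrade future http:// links itself, closing the
    window in which a sniffer on open Wi-Fi could see the first plaintext request."""
    hsts = https_resp.get("Strict-Transport-Security")
    if not hsts:
        return ["https: no Strict-Transport-Security header"]
    findings = []
    m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.IGNORECASE)
    if not m or int(m.group(1)) < MIN_HSTS_AGE:
        findings.append(f"https: HSTS max-age missing or below {MIN_HSTS_AGE}s")
    if "includesubdomains" not in hsts[0].lower():
        findings.append("https: HSTS lacks includeSubDomains")
    return findings


def check_cookies(https_resp: Response) -> List[str]:
    """A cookie set without Secure is sent in the clear on the next http:// request
    the browser makes, which is exactly what a passive Wi-Fi sniffer waits for.
    HttpOnly keeps injected script from reading the session token."""
    findings = []
    for raw in https_resp.get("Set-Cookie"):
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: missing Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: missing HttpOnly flag")
    return findings


def audit(http_resp: Response, https_resp: Response) -> List[str]:
    """Run all checks; an empty list means the site passed."""
    return check_http_redirect(http_resp) + check_hsts(https_resp) + check_cookies(https_resp)


# Constructed sample responses (not captured from any real site).
WEAK_HTTP = Response(200, [("Content-Type", "text/html")])
WEAK_HTTPS = Response(200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
])
FIXED_HTTP = Response(301, [("Location", "https://shop.example/")])
FIXED_HTTPS = Response(200, [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
])

if __name__ == "__main__":
    for label, pair in (("weak", (WEAK_HTTP, WEAK_HTTPS)), ("fixed", (FIXED_HTTP, FIXED_HTTPS))):
        print(label, audit(*pair) or "OK")
```

To use it against a live site, capture the response headers for the http:// and https:// versions of the login or checkout page (a browser's network panel or `curl -i` will do) and feed them into `Response`; the checks are deliberately pure so they can also run in a CI job against recorded headers.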
Mobile payment security is going to be a much bigger priority in the months and years to come, and merchants must ensure that all solutions are deployed securely today.
Be sure to follow us on Twitter at @McAfeeSECURE for the latest in eCommerce news and events.