New mobile security standard looks beyond smartphones
Security wasn't easy years ago, but it became way more complicated when the iPhone sparked the consumer smartphone craze just over 10 years ago.
The Accredited Standards Committee X9 has been working on establishing wireless and mobile security guidelines ever since, starting with an overall wireless standard and expanding it to address wireless ATMs and point-of-sale terminals.
Now, stressing a need to address security in mobile payments and banking, ASC X9 has introduced a new standard — essentially part three of its wireless safety efforts, focusing on the management and security of mobile commerce implementations.
The new standard, called ASC X9.112-3, is designed to help companies or financial institutions assess their mobile apps, providing a baseline of security requirements for that process. In a similar vein, the standard also provides mobile device manufacturers or app developers a set of requirements to build against.
Finally, for financial services providers managing mobile apps after deployment, the standard helps define the operations of the app and what safety controls should be engaged at all times.
"Just because I have security controls in a product doesn't mean that someone has turned it on or I am using it properly," said Jeff Stapleton, chairman of the X9 F-4 working group that produced the standard. "If I build you a house and hand you the keys, I don't know for sure whether you are locking your front door or not. It's the same thing here."
The standard emphasizes the need for a full set of methods and tools, from encryption to tokenization, to protect data in transit and at rest. X9 identifies those requirements without specifying how to apply them, because every company or retailer has a different network or process.
"It says the data shall be encrypted for confidentiality using an X9 algorithm, and then when the company digs deeper, they are probably going to be using the Advanced Encryption Standard," Stapleton said.
The new standard covers security for all mobile payments, from P2P to payments at point-of-sale terminals, including use of credit, debit or gift cards, or electronic funds transfers. It also covers mobile banking, bill management and card portfolio management done through mobile devices.
It also addresses newer technologies like mobile browsers, apps and various channels such as cellular, wireless, Near Field Communication, radio frequency identification, Bluetooth, text and video messaging.
"In general, I think the movement toward standards in mobile commerce is a good thing," said Julie Conroy, research director and fraud expert with Boston-based Aite Group.
"Right now we have chaos at the edges of the payment ecosystem with the wide variety of mobile devices and operating systems in use," Conroy added, citing the "relatively insecure" Alexa ecosystem as an example.
"Standards will be important in reining in this chaos to create a common baseline for what is considered to be a secure mobile operating environment," she said. "This is critically important, since mobile is not only seeing increased use as a transactional channel, but often the mobile device itself is increasingly used to authenticate customers across all channels of interaction."
While it is not likely that major companies like Apple, Google or Samsung have overlooked a major gap in their mobile security, it does happen on occasion.
But it is more likely to occur with "all of the other people out there trying to provide services," said Steve Stevens, executive director of ASC X9.
"This standard provides the baseline to do audits on what you have and a guide to developing something new," Stevens said. "This puts everything in writing as a way to check and make sure about aspects you have in your mobile service. It will reveal shortcomings of your product."
ASC X9 has long worked toward establishing a tokenization process for stored data, emphasizing the need for data protection in various links along a payment chain.
At this point, the X9 standard provides the guidance for data at rest, while the tokenization specification of EMVCo, the standards body operated by the card networks, applies to data in transit.
More recently, ASC X9 and the Payment Card Industry Security Standards Council agreed to work together to create one unified PIN security standard for payments stakeholders.
Such collaboration could be beneficial for merchants seeking to simplify the compliance process and eliminate the separate PIN security standards.
ASC X9 is directed by the American National Standards Institute to develop standards for use in the U.S., but its standards are applicable to global markets. Through its work, standards such as ISO 12812, the framework for mobile financial services, can eventually become international standards.
"We have historically seen a bit of tension between X9 efforts and those of the payment networks and EMVCo," Aite's Conroy said. "I don’t expect this topic (of the new standard) to be any different."
While some areas of security strive for "neutral ground," there are others where the standard will be perceived to be a competitive enabler or barrier, depending on what side of the table you’re on, Conroy added.
That said, Visa, Mastercard, American Express and the PCI Security Standards Council are members of X9 and have input into standards development.
Given the way the card brands operate, there may always be some differences in how compliance requirements are linked to standards.
"The card brands are very interested in standards and very active in X9, but there is always a huge difference in what a standard says and what the operating rules of a card brand are," X9's Stapleton said. "Even with PCI standards, they write the standards, but once it is written, the card brands actually run the compliance programs."
Generally, the card brand operating rules and how they apply to those standards will also differ, at least slightly. "One brand might say you have to do something to comply within 30 days, and another might say 60 days," Stapleton said.
Regardless of compliance rules and differing versions of standards, companies always have a motivating factor to ensure their mobile security.
"If you are at least trying to adhere to a minimum of a national standards body like X9, you can build your case that you are doing your best to provide security," X9's Stevens said. "If you are not doing that, you are leaving yourself open to lawsuits and other things showing you are not trying to provide basic security."