Each time the Payment Card Industry Security Standards Council felt it was ready to establish a written-in-stone requirement for securing mobile payments, the technology — and the fraud committed against it — changed.
"We felt like Charlie Brown with the football" in trying to keep up with the rapid changes, says Troy Leach, chief technology officer for the PCI council.
The council opted for the next best thing in announcing the PCI Mobile Payment Acceptance Security Guidelines for software developers and mobile device manufacturers today during its North American Community Meeting in Orlando, Fla.
"Setting guidelines, rather than requirements, at this time was an appropriate way to go because this is an awareness campaign as much as anything," Leach says.
The guidelines for compliant security measures when receiving or temporarily storing card data in a mobile device, or transmitting data to the cloud, are essential because of so many new players in the payments industry, Leach says.
"We are seeing a significant group of application developers who have never been involved in payments, as well as many new merchants who had never accepted credit cards prior to being able to do so with a mobile device," Leach says.
The council plans to "drive those best practices for security and compliance" to those creating mobile-pay technology, while also providing merchants with a document listing qualified application developers, he says.
Key facets of the guidelines include isolating sensitive functions and data in trusted environments; best practices for implementing secure coding; eliminating unnecessary third-party access and privileges; creating the ability to remotely disable payment applications; and creating server-side controls and reporting unauthorized access.
The guidelines cover the key issues in broad strokes, so even if technology undergoes dramatic changes in the coming year, the PCI document will still apply, Leach says.
"We understand that technology is constantly evolving and changing," Leach says. "The rapid change highlights why we have had a cautious approach in listing on our website developers of mobile devices and card readers [approved by PCI]."
In illustrating the need for security guidance on the mobile front, Nicholas J. Percoco, senior vice president of security experts at Trustwave SpiderLabs, demonstrated to conference attendees how fraudsters launch attacks on mobile-payment acceptance devices.
Percoco described the use of malware, rootkits and other tools for fraud, as well as explaining vulnerabilities in "jailbroken" phones, or phones that have been modified by the user to run software other than the apps approved for sale on the Apple or Google app stores.
The council formed an industry task force in late 2010 to address the topic of mobile payment acceptance. Since then, PCI has released guidance on how merchants can leverage PIN transaction security and advanced encryption standards to accept payments on mobile devices more securely.