New Standards for Accepting Payments with Mobile Devices

Mobile device security is a big topic these days.  As people are using their mobile devices more frequently for work-related purposes, then security for these devices has come to the forefront of the minds of many security experts.  One part of mobile device security that has also seen recent attention is using mobile devices as payment tools.  Commercial off-the-shelf (COTS) devices, such as tablets and smartphones, are in for some new regulations.  Recently, the Payment Card Industry Security Standards Council (PCI SSC) proposed a new standard for software-based PIN entry on COTS devices.

The reason for this new security standard has been explained by Aite Group’s senior analyst, Ron Van Wezel, in the statement, “Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency.  MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere.  However, some small merchants in markets that require EMV chip-and-PIN (personal identification number) acceptance may have found the costs of investing in hardware prohibitive.”

The main security principles are simply explained below:

  • Protection from threats during the payment process on the tablet or smartphone
  • Identifying a single PIN from other data accounts
  • On the COTS device, the ability to ensure integrity and security of the PIN entry application at all times
  • By using a PCI approved Secure Card Reader for PIN (SCRP), providing protection of the PIN and the data of the account

As our society becomes more mobile and uses their mobile devices more frequently as payment tools, then it is necessary that we work to provide a safe environment for all transactions.  The Chief Technology Officer (CTO) of PCI SSC, Troy Leach, sums this methodology up quite expertly in this statement, “This standard will give mobile payment solution providers and application developers a baseline of security requirements for how to enter PIN into a COTS device, as well as methods to test that security is working, even as updates to the mobile devices and applications occur frequently.  This will result in secure solutions that are independently tested to demonstrate PIN is isolated from the EMV data and will provide continuous protection, through ongoing monitoring and other controls.”