Today the Official Merchant Services Blog will examine the PCI Security Standards Council’s most recent guidelines, and their slow crawl towards comprehensive security requirements for mobile devices.
On Thursday, the PCI Security Standards Council released a set of best practices aimed at developers of payment-acceptance software for mobile devices. These guidelines come four months after the Council released guidance on mobile payments for small businesses.
The PCI Council, based in Wakefield, Massachusetts, administers the Payment Card Industry Data Security Standard (PCI DSS) and the affiliated standards for payment application software (PA-DSS) and PIN transaction security devices (PTS). The guidelines were released on Thursday during the Council’s annual North American meeting in Orlando, Florida, after the Council had hinted in early September that a PCI clarification was coming. Present at the gathering were security assessors, merchants, processors and vendors, all preparing for the update of the main PCI standard next year.
The Council announced that it is starting to approve hardware for mobile payments, such as card readers that plug into smartphones or tablet computers. It has not yet taken on the approval of software for mobile payments, nor has it made clear when that will happen. It has, however, announced that more guidance for merchants will come next year, and that it will continue to take input from the payments industry on the serious task of protecting cardholder data when payments originate from mobile devices.
Preventing software vulnerabilities is the most important aim of the Council’s new guidelines, as app developers crank out new programs for processing payments on smartphones and tablets every day. The guidance covers topics ranging from securing the payment transaction itself to access protection and remote disablement of a lost or stolen device.
The last point is arguably the most important aspect of any mobile PCI security program. Since mobile payment terminals are, true to their name, mobile, the chance of someone walking off with your credit card terminal is a real and growing risk. The same applies to any tablets acting as POS systems in a store. An unlucky shopkeeper may open up in the morning only to find part of his or her POS system missing, and any cardholder data stored on it compromised. Remote disablement limits the damage, but it is a backstop rather than a substitute: a device that never stores cardholder data in the first place has far less to lose. This is what the PCI Security Standards Council seeks to avoid.