By Sushila Nair, Product Manager, BT Counterpane
Last month, the PCI Security Standards Council released its first guidelines on mobile payment acceptance applications since announcing in November that it had finished the product review cycle. The guidelines define which mobile applications can be evaluated under the Payment Application Data Security Standard (PA-DSS).
However, the Council is still not including applications written for consumer handsets. I find this really interesting, since at every trade show I have attended recently, vendors seem to have embraced them. Currently, the Council is focused on dedicated payment devices and PTS devices, which may include consumer handsets such as tablets and smartphones, but the devices must be locked down so that they perform no other functions. Once the Council has developed further guidance for these devices, it says it will then turn its attention to consumer-handset mobile payment devices.
Yet card companies have demonstrated support for wallet-style applications on smartphones. MasterCard recently announced its Google Wallet partnership and the release in July of new mobile applications that will enable users with global vcards to make purchases using their mobile devices.
So it seems that smartphones are secure enough to make payments but not secure enough to receive payments.
Near-field chip technology, which is already built into some phones, enables a smartphone to make a purchase simply by swiping the phone near a specific type of terminal, which picks up the card details over the air and completes the sale.
The argument may be that the risk is lower when a device transmits a single card's worth of data, whereas a device that processes millions of card payments is a more lucrative target and, therefore, more at risk.
In the words of the Council, "[m]obile computing is complex and introduces a number of risks to the payments environment". The Council has determined that, at the moment, the major risk is the environment in which the application operates. How can one determine whether a smartphone with apps loaded onto it from numerous sources is really secure?
While we grapple with this issue, perhaps it is best that the Council sits back and gathers the right expertise, since I am not convinced that right at this moment we have the expertise or the technology in place to turn smartphones into secure enterprise payment acceptance devices.
Meanwhile, merchants can celebrate that the Council is again validating payment applications for mobile devices and restricting validation to those that are controlled in the same way that we would manage any high-risk device.