This article was also featured in The Green Sheet.
Blaming the PCI Council for the industry’s confusion over mobile security has been fashionable since the PCI DSS 3.0 standard was released earlier this year. “They forgot to include mobile in 3.0!” people rage. The truth is, they left it out on purpose.
Businesses want cheap and secure in the same bite. They want to turn a $300 tablet into a highly secure POS terminal, and use that same cheap piece of equipment as a multi-purpose asset in their personal lives.
Most current mobile devices are general-purpose mini computers that were never designed for secure payment processing. No matter how many mobile requirements the PCI Council added to the standard, the platform itself may simply not be capable of being secured well enough to process customer payments.
The Council can’t provide guidance on something that is inherently vulnerable, especially when the argument for it is, ‘but everyone is doing it!’ By constantly asking for mobile PCI DSS requirements, acquirers, ISOs, and merchants are asking the Council to sanction an insecure processing practice. Why would the PCI Council lower the bar so that mobile can squeak under it? They won’t add mobile PCI requirements until mobile devices are a worthy platform.
The problem is, there’s no real motivation for phone manufacturers to make mobile devices a worthy platform. Even if the payment card industry’s voice was heard among the noise, merchants aren’t the main consumers of mobile devices. The general public is.
One piece of technology could be added to a personal smartphone to entice the PCI Council to create a mobile requirement: a secure element. In practice that means two chips in a single phone, one dedicated solely to payment processing and isolated from the other, which runs everything else (the apps, text messages, Internet browsing, etc.).
If phone manufacturers were somehow persuaded to add secure element technologies into a smartphone, the PCI Council could then address mobile through regulating the technology’s attributes, communication, and version.
Now, tell me the motivation for phone manufacturers to add new hardware to an already successful product. How much profit could they generate by adding a secure chip to new phones? Out of the 1.5 billion smartphones in the world, how many people actually use theirs for mobile processing?
Securing hardware just isn’t financially rewarding for phone manufacturers.
Looks like we’re on our own to secure mobile transactions. At least, for the foreseeable future.
Luckily, the Council hasn’t left us in the dark. In the PCI Mobile Payment Acceptance Security Guidelines it wrote for merchants in 2013, the Council outlines some solid best practices that bring some semblance of security to current mobile devices.
The following are two models that the PCI Council has suggested to adequately secure a mobile device.
Mobile processing is much too convenient to slow down anytime soon. If businesses are determined to provide mobile solutions, it is their responsibility to educate themselves, ensure the security of the solution, and know the risk they’re taking upon themselves.
When speaking at a Treasury Institute for Higher Education conference, Bob Russo, General Manager of the PCI SSC, explained that if acquirers want to say it’s OK for a merchant to use mobile, the acquirer and merchant should be the ones to assume the risk. It’s completely up to the merchant and the acquirer, not the Council.
At this point, allowing a merchant to mark their business as PCI compliant becomes a business decision between the merchant and their Qualified Security Assessor (QSA), or between the merchant and the acquiring bank.