Businesses that want to make use of consumer-grade smartphones and tablets as a point-of-sale device to process payment cards are being advised to only do so when appropriate encryption controls and other security measures are in place.
The PCI Security Standards Council has issued a 27-page recommendations document (within its "PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users") to address situations where merchants want to plug payment-card processing equipment into smartphones or tablets rather than use traditional terminals at checkout stations. The council emphasises that merchants are responsible for the mobile app, the back-end processes and the security of the device. The council also stresses that "Bring Your Own Device" (BYOD), where an employee brings a mobile device to use at work, is "not recommended as a best practice."
The council's guidance starts with the premise that mobile devices used by merchants for card processing will be multi-purpose and not solely dedicated to payment acceptance for transaction processing. It also starts from the premise that consumer-grade mobile devices are not particularly secure. And because these mobile devices will be taken to any number of places, the chances of them being stolen, lost or tampered with are considerable. The council wants merchants to make sure any mobile device used for card processing has an encrypting PIN pad and that the secure card reader used for account data entry is approved. "If you swipe the card, make sure it's going into that device encrypted," says Bob Russo, the council's general manager.
The council would like to see security controls, such as anti-virus, authentication and security scanning, applied to mobile devices used for payment processing. It wants to see equipment providers be required to communicate about vulnerabilities and make sure security updates are made. And in a clear allusion to Apple iOS equipment, the guidelines note that merchants that "deliberately subvert the native security controls of a mobile device by 'jailbreaking' or 'rooting' the device increase the risk of malware infection. Payment solutions should not be installed or used on any mobile device that is rooted or 'jailbroken,'" the council's document states.
The document notes that until mobile hardware and software implementations meet the guidelines, merchants should stick to the use of PCI-validated point-to-point encryption as outlined in another document, "Accepting Mobile Payments with a Smartphone or Tablet."
The rapid changes taking place to utilise consumer-grade mobile devices for card processing are also posing security challenges, Russo says. "It's an evolutionary period," he adds, noting that the council will have more to say on this topic in the future. The council anticipates aligning its technical recommendations with certain mobile guidelines now in draft stage at the National Institute of Standards and Technology (NIST). That draft document is NIST 800-164, "Guidelines for Hardware-Rooted Security in Mobile Devices".