New PCI Compliance Guidelines Issued for Mobile Payments
The latest prediction for the U.S. mobile payments industry is that growth will explode from $12.8 billion in 2012 to $90 billion in 2017, and much of that expansion is anticipated to come from among small businesses. In preparation for the seemingly inevitable, the Payment Card Industry Security Standards Council (PCI SSC) has announced new PCI compliance guidelines for merchants who accept payment via mobile devices not designed primarily as point-of-sale tools, including smartphones and tablets.
In its February 2013 release of the new data security guidelines, the PCI SSC underscores the fact that the uniqueness of mobile devices creates challenges in securing the mobile payments environment. “General-purpose mobile devices are often built with a goal of being easy to use by the consumer. These devices do not typically provide the same level of data security you would expect when using a payment card at a traditional retail store,” it states. “Due to the design, almost any mobile application could access account data stored in or passing through the mobile device. This poses a challenge for merchants to demonstrate adherence to the PCI Data Security Standard.”
The Council adds that the trust factor is even more significant for mobile payments because the environment is fragmented across device manufacturers, developers of operating systems, app designers, network carriers and various protocols used to connect them all. “Payment security has always been a shared responsibility,” it says. “Ensuring mobile acceptance solutions are deployed securely requires that all parties in the payment chain work together in this effort.”
The PCI DSS document focuses on guidance for merchants that plan to accept payments with a mobile device that is not solely dedicated to payment-acceptance transaction processing, such as a smartphone, tablet or PDA. It offers two scenarios:
- The solution provider is responsible for the mobile app and for all the back-end processes, owns the device and provides it to the merchant.
- The solution provider is responsible for the mobile app and the back-end processes, and the merchant is the device owner.
It’s important to note that the document does not discuss the BYOD (bring your own device) scenario, which involves a merchant’s employee using a device that they own and control at work. The PCI SSC does not recommend this practice for mobile payment processing.
The document also identifies three main risks associated with mobile payment transactions — account data entering the device, account data residing in the device and account data leaving the device — and offers three sound objectives to address them:
- Prevent account data from being intercepted when entered into a mobile device.
- Prevent account data from compromise while processed or stored within the mobile device.
- Prevent account data from interception upon transmission out of the mobile device.
As the PCI SSC notes, keeping all credit card processing secure is the responsibility of all parties involved — merchant services providers, merchants, and financial institutions. This is an area where you should work closely with your credit card processor to help ensure that there are no data breaches.
When you establish a merchant account with a reputable processor like Merchant Express®, you can expect their assistance in achieving and maintaining PCI compliance regardless of the processing solution(s) you choose for your small business needs. Talk to one of our representatives today about your options and the importance of complying with PCI DSS.
