PCI Security Standards Council issues mobile guidance
WAKEFIELD, Mass. (9/19/12)--As credit unions prepare for a predicted explosion in the mobile payments markets by developing their own mobile apps--amid member concerns about the security of mobile transactions--the PCI Security Standards Council (PCI SSC) last week released best practices for mobile payment acceptance security.

PCI SSC is the standards body that oversees the Payment Card Industry Data Security Standard (PCI DSS). PCI is the standard that the major credit card companies--Visa, MasterCard, Discovery and American Express--use to make consumers' credit and debit card payments secure.

The PCI Mobile Payment Acceptance Security Guidelines offer software developers and mobile device manufacturers guidance on designing appropriate security controls so merchants can accept mobile payments securely, the organization explained.

At a presentation to the industry in Orlando, Fla., Nicholas J. Percoco, senior vice president, Trustwave SpiderLabs, demonstrated some of the top attacks that threaten the security of payments over mobile acceptance devices.

The document released by PCI organizes the mobile payment-acceptance security guidance into two categories: best practices to secure the payment transaction itself, which address cardholder data as it is entered, stored and processed using mobile devices; and guidelines for securing the supporting environments, which address security measures essential to the integrity of the broader mobile application platform environment.

Among the recommendations:

  • Isolate sensitive functions and data in trusted environments;
  • Implement secure coding best practices;
  • Eliminate unnecessary third-party access and privilege escalation;
  • Create the ability to remotely disable payment applications; and
  • Create server-side controls and report unauthorized access.

"Applications are going to market so quickly--anyone can design their own app today that can be used to accept payments tomorrow," said PCI SSC Chief Technology Officer Troy Leach in his presentation to meeting attendees. "It's our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we'll start to see the market drive more secure options for merchants to protect their customers' data."

The council plans to release further guidance in 2013 to help merchants leverage mobile payment acceptance securely, while continuing to collaborate with industry subject matter experts to explore how card data security can be addressed.