Privacy & Information Security Law Blog

On September 13, 2012, the PCI Security Standards Council (“PCI SSC”) issued new guidelines entitled “PCI Mobile Payment Acceptance Security Guidelines” (the “Guidelines”), which outline best practices for mobile payment acceptance security. As we reported in May, the PCI SSC Mobile Working Group published its “At a Glance: Mobile Payment Acceptance Security” fact sheet, detailing how merchants can more securely accept payments on mobile devices.

The Guidelines set forth guidance for securing the actual payment transaction and preserving the integrity of the broader mobile application platform environment. The Guidelines provide a number of recommendations intended to address the main risks associated with mobile payment transactions, including account data entering the device, account data residing in the device, and account data leaving the device. These recommendations include:

• Ensuring account data is appropriately encrypted before it enters the mobile device (e.g., via a validated PCI Point-to-Point Encryption (“P2PE”) solution);
• Ensuring a trusted path exists between the data entry mechanism and that mobile device to help prevent unauthorized parties from intercepting the data;
• Ensuring that account data is only processed within a “trusted execution environment” and adopting a data-leakage prevention methodology based on industry best practices; and
• Encrypting data in accordance with the Payment Card Industry Data Security Standard (“PCI DSS”) prior to transmitting the data outside of the trusted execution environment.

With respect to securing the mobile platform and application environment, the PCI SSC advises merchants to implement a number of security measures, including developing server-side controls and reporting unauthorized access attempts; implementing controls to prevent the escalation of device privileges; supporting a mechanism that permits the payment application to be disabled by the merchant or solution provider; developing a process for detecting and reporting device theft or loss; conforming mobile payment-acceptance applications to secure coding, engineering and testing conventions; and protecting against vulnerabilities through patch management and anti-malware products.

As we reported earlier this month, the Federal Trade Commission issued guidelines for mobile app developers. In addition, last month the National Telecommunications and Information Administration of the U.S. Department of Commerce initiated a multistakeholder process to develop guidance for transparency in the mobile environment.