Companies are always looking to make things more convenient for their customers. They are now leveraging mobile technologies to retain customers, gain a competitive edge, increase profit and expand their customer base. Extending a business model to include mobile technology is typically decided at the executive level, and typically without input from a security strategist. In the excitement of expanding the business, leaders are often left scratching their heads or making decisions without taking security into consideration. Recently, I have heard a lot of buzz about accepting payments using mobile devices, such as smartphones and tablets. While mobile payments are a natural evolution in our fast-paced society, which desires convenience and instant gratification, here are a few things to consider when implementing them.
Who is processing the cards? Who may gain access to the sensitive financial data?
On the mobile device, are you actually processing the card, or just passing the credit card information along for another entity to process? Is data being stored on the mobile device, or only entered there? Are you willing to risk Payment Card Industry (PCI) noncompliance? You need these answers during design, especially if you are already PCI Data Security Standard (DSS) compliant.
Adding a new way of processing cards alters your PCI cardholder data environment (CDE) and could impact your compliance. Additionally, it would require a review of that portion of your CDE to ensure compliance. It won’t necessarily make you noncompliant, provided due diligence is performed and the security of cardholder data is protected. Accepting the risk of protecting cardholder data in a mobile application, or transferring that risk, is a decision that needs to be made early in the process. Often transferring the risk is the most efficient choice from a business perspective. If you do not have the infrastructure or the knowledge internally, budgetary constraints may be a factor in your decision. Transferring the risk to a company that maintains mobile sites professionally may make sense. Using a third-party payment processor that is already PCI compliant significantly limits your PCI scope. If you choose to process cardholder data internally, then design and implementation should include a PCI strategy. If your team lacks this expertise, consider hiring a PCI Qualified Security Assessor (QSA). Designing the approach correctly will likely save money in the long run and improve compliance.
What device is being used to process mobile payments, and how is it transmitting the data?
If your business model requires processing credit card transactions remotely, such as processing payments at a trade show, accepting donations from alumni at a sports event, or a youth organization wanting to accept registration payments, it is important to review the mobile application’s security posture. There are many hardware and software options on the market today, including card readers and applications that can be installed on your mobile device. What device best suits your organization’s credit card processing needs while maintaining security and compliance? If it is a company device, ensure as a minimum that the operating system is up to date and that a software firewall and antivirus are installed and up to date. If it is a personal mobile device, the same minimum requirements should be agreed upon before accepting payments. Another consideration is how the data is transmitted. If it is transmitted via cellular technology, then verify with your QSA that it is secure. If it is over a wireless network, understand who owns the network and whether the network is secure. You also need to know which protocol protects the data in transit (e.g., SSL, SSH). One way to add defense in depth is to invest in a card reader that attaches to your device and encrypts the cardholder data at the swipe. Assuming you have proper encryption key management, this significantly limits risk, PCI scope, and compliance issues.
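The questions above about whether card data is only entered on the device or actually stored there, and about keeping plaintext cardholder data off the device, can be checked rather than assumed. The following is an added example, not code from the original post or from any PCI SSC publication: a small audit script that scans a dump of a mobile app’s local logs and preferences for full primary account numbers (PANs), using the Luhn check digit to avoid flagging invoice numbers and timestamps, and reports each hit masked to the first six and last four digits (the most PCI DSS requirement 3.3 permits to be displayed). The sample storage contents are constructed for this example; the card number in it is the well-known Visa test PAN, not a real account.

```python
import re

# Constructed sample of an app's local log/preferences as pulled from a
# merchant's mobile device. The card number is the well-known Visa test
# PAN, not a real account; the rest is invented for this example.
SAMPLE_STORAGE = """\
2013-01-15 10:02:11 INFO  payment submitted for order 44812
2013-01-15 10:02:11 DEBUG request body: {"pan":"4111111111111111","exp":"0315","amount":"25.00"}
prefs.last_customer_id=2048
2013-01-15 10:02:12 INFO  processor reply: approved, ref 9f83a2
2013-01-15 10:02:12 INFO  receipt shows 411111******1111
invoice 1234567890123 printed
"""

# 13 to 19 digits, optionally separated by single spaces or dashes
# (the lengths PANs actually come in; longer runs are not PANs).
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test
    that payment card numbers must satisfy."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        digit = int(char)
        if index % 2 == 1:          # every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Scan text line by line and return (line_number, pan) for every
    Luhn-valid candidate, with separators stripped."""
    findings = []
    for line_number, line in enumerate(text.splitlines(), start=1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append((line_number, digits))
    return findings


def mask_pan(pan: str) -> str:
    """Mask a PAN to first six and last four digits, the most that
    PCI DSS requirement 3.3 allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_storage(text: str) -> list:
    """Build report lines for every full PAN found. Only the masked value
    is included so the report itself does not leak card data."""
    return [
        f"line {line_number}: full PAN stored on device ({mask_pan(pan)})"
        for line_number, pan in find_pans(text)
    ]


if __name__ == "__main__":
    for finding in audit_storage(SAMPLE_STORAGE) or ["no full PAN found"]:
        print(finding)
```

Run against the constructed sample, the script flags only the debug line that logged the raw request body; the already-masked receipt line, the invoice number (which fails the Luhn check) and the timestamps are left alone. A debug log like that one is exactly what turns a device from "card entered here" into "card stored here" and pulls it into PCI scope, which is why reviewing what the app writes to local storage belongs in the design review.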
Considering building your own mobile app?
In September 2012, the PCI Security Standards Council (SSC) released guidance for developers of mobile payment applications. These guidelines include suggestions for secure coding practices and for monitoring emerging threats. If you choose to develop an application, ensure it is done in compliance with PCI DSS or the Payment Application Data Security Standard (PA-DSS). The primary difference is where the cardholder data is processed. If you choose to outsource this process, PCI DSS still makes it your responsibility to verify your service provider’s compliance. The PCI SSC plans to release further guidance for merchants in 2013, after collaborating with subject matter experts and industry professionals to address data security in an evolving environment.
Tricky but navigable
We are in an age of unprecedented data breaches, rising 37% in a single year according to a Symantec/Ponemon study. Hackers are changing tactics, for example building counterfeit apps based on popular apps and configuring them to deploy malware; customers are demanding convenience, and competitors are looking for ways to gain an advantage. Credit card data is a valuable target. Mobile payment technology gives hackers another avenue and, if not secured, an invitation to steal your data. If secure practices and compliance aren’t considered during design and implementation, companies make themselves vulnerable to a data breach and, more importantly, to loss of customer confidence and business reputation.