Mobile devices were never designed for secure payment processing.

Gary Glover, Director of Security Assessments
By: Gary Glover
This article was also featured in The Green Sheet.

Blaming the PCI Council for the industry’s confusion over mobile security has been the craze since the PCI DSS 3.0 standard was released earlier this year. “They forgot to include mobile in 3.0!” people rage. The truth is, they left it out on purpose.

SEE ALSO: PCI 3.0 What You Need to Know

We can’t let mobile lower the bar

Businesses want cheap and secure in the same bite. They want to turn a $300 tablet into a highly secure POS terminal, and use that same cheap piece of equipment as a multi-purpose asset in their personal lives.

Most current mobile devices are mini computers that were never designed for secure processing. No matter how many mobile requirements the PCI Council could add to the standard, the platform itself may never be secure enough to process customer payments.

The Council can’t provide guidance on something that is inherently vulnerable, especially if the argument is, ‘but everyone is doing it!’ By constantly asking for mobile PCI DSS requirements, acquirers, ISOs, and merchants are asking the Council to accept an insecure processing practice. Why would the PCI Council lower the bar for mobile to squeak under? They won’t add mobile PCI requirements until mobile devices are a worthy platform.

Mobile device manufacturers: ‘Why should we care?’

The problem is, there’s no real motivation for phone manufacturers to make mobile devices a worthy platform. Even if the payment card industry’s voice was heard among the noise, merchants aren’t the main consumers of mobile devices. The general public is.

One piece of technology could be added to a personal smartphone to entice the PCI Council to create a mobile requirement: a secure element. In practice that means two chips in a single phone, one that runs only the payment processing and a second that runs everything else (apps, text messages, Internet browsing, and so on), so a compromise of the general-purpose side does not expose the payment side.

If phone manufacturers were somehow persuaded to add secure element technologies into a smartphone, the PCI Council could then address mobile through regulating the technology’s attributes, communication, and version.

Now, tell me the motivation for phone manufacturers to add new hardware to an already successful product. How much profit could they generate by adding a secure chip to new phones? Out of the 1.5 billion smartphones in the world, how many people actually use theirs for mobile processing? Securing hardware just isn’t financially rewarding for phone manufacturers.

What to do with current mobile devices

Looks like we’re on our own to secure mobile transactions. At least, for the foreseeable future.

Luckily, the Council hasn’t left us in the dark. In the PCI Mobile Payment Acceptance Security Guidelines they wrote for merchants in 2013, the Council outlines some great best practices that bring some semblance of security to current mobile devices.

The following are two models that the PCI Council has suggested to adequately secure a mobile device.
  • Device is dedicated to the payment function.
    This tablet or smartphone is a purpose driven device, dedicated to the store. That means it shouldn’t be taken home at the end of the night to watch Netflix. The device can’t be used for any other purpose than processing credit cards. It can’t browse the Internet, take phone calls, text, or use any apps except the payment-processing app.
  • Device uses encrypt-at-swipe technologies. If your merchants want to use a device personally AND keep the ability to take credit cards securely, have them use an encrypt-at-swipe (encrypting card reader) solution and eliminate or minimize manually keyed transactions. With these readers the card data is encrypted inside the reader, under a key the phone or tablet never holds, so the device only relays ciphertext to the processor. The encryption itself is strong; the weak points move to the reader’s key management and to anything keyed in by hand on the device’s own screen, which the reader cannot protect. Encrypt-at-swipe is as close as they will get to cheap and secure in the same solution.
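To make the encrypt-at-swipe model concrete, here is an added simulation of the three parties involved (reader, phone app, processor). It is example code written for this page, not the PCI Council’s guidance or any vendor’s product. The base derivation key (BDK), the reader serial number and the track data are constructed values, and per-reader key derivation with HMAC is a simplified stand-in for the DUKPT scheme real readers use; the point it demonstrates is that the phone handles only ciphertext, cannot find the PAN in what it relays, and that the processor rejects any tampering with the blob or its header.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed base derivation key (hypothetical value). In a real deployment it
// lives in the processor's HSM and is injected into readers at a key-injection
// facility; the mobile device never holds it.
var bdk = []byte("example-bdk-32-bytes-long-value!")

// Constructed sample Track 1 data using the well-known 4111... test PAN.
const SampleTrack = "%B4111111111111111^DOE/JANE^2512101?"
const SamplePAN = "4111111111111111"

// deriveReaderKey is a simplified stand-in for DUKPT: each reader gets a unique
// AES-256 key derived from the BDK and its serial, so a key pulled out of one
// reader does not unlock another reader's traffic.
func deriveReaderKey(bdk []byte, serial string) []byte {
	mac := hmac.New(sha256.New, bdk)
	mac.Write([]byte("reader-key:" + serial))
	return mac.Sum(nil)
}

// Blob is what the reader hands to the phone (over USB, audio jack or Bluetooth).
type Blob struct {
	Serial     string
	Counter    uint32
	Nonce      []byte
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

// Reader models the encrypting card reader, the only merchant-side component
// that ever holds a key.
type Reader struct {
	Serial  string
	key     []byte
	counter uint32
}

func NewReader(serial string) *Reader {
	return &Reader{Serial: serial, key: deriveReaderKey(bdk, serial)}
}

// header is sent in the clear and bound into the ciphertext as associated data,
// so the serial or transaction counter cannot be swapped without detection.
func header(serial string, counter uint32) []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, counter)
	return append([]byte(serial), b...)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Swipe encrypts the track data inside the reader before it reaches the phone.
func (r *Reader) Swipe(track string) (Blob, error) {
	r.counter++
	gcm, err := newGCM(r.key)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nil, nonce, []byte(track), header(r.Serial, r.counter))
	return Blob{Serial: r.Serial, Counter: r.counter, Nonce: nonce, Ciphertext: ct}, nil
}

// Serialize is the wire form the phone app forwards to the processor; it is
// everything the app ever sees.
func Serialize(b Blob) []byte {
	out := header(b.Serial, b.Counter)
	out = append(out, b.Nonce...)
	return append(out, b.Ciphertext...)
}

// DeviceSeesPAN reports whether the PAN is present in the bytes the phone handles.
func DeviceSeesPAN(wire []byte, pan string) bool {
	return bytes.Contains(wire, []byte(pan))
}

// ProcessorDecrypt runs at the processor, which holds the BDK and re-derives the
// reader key from the serial carried in the blob header.
func ProcessorDecrypt(b Blob) (string, error) {
	gcm, err := newGCM(deriveReaderKey(bdk, b.Serial))
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, b.Nonce, b.Ciphertext, header(b.Serial, b.Counter))
	if err != nil {
		return "", errors.New("decline: ciphertext or header tampered")
	}
	return string(pt), nil
}

func main() {
	reader := NewReader("RDR-0001")
	blob, _ := reader.Swipe(SampleTrack)
	fmt.Println("phone sees PAN:", DeviceSeesPAN(Serialize(blob), SamplePAN))
	track, err := ProcessorDecrypt(blob)
	fmt.Println("processor recovered:", track, err)
	blob.Serial = "RDR-0002" // swap the header to another reader
	_, err = ProcessorDecrypt(blob)
	fmt.Println("after header swap:", err)
}
```

A manually keyed transaction has no equivalent of `Swipe`: the PAN is typed on the device’s own keyboard and sits in the app’s memory in the clear, which is why the guidance above pushes merchants to minimize keyed entry.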

Think about this

Mobile processing is much too convenient to slow down anytime soon. If businesses are determined to provide mobile solutions, it is their responsibility to educate themselves, ensure the security of the solution, and know the risk they’re taking upon themselves.

When speaking at a Treasury Institute for Higher Education conference, Bob Russo, General Manager of the PCI SSC, explained that if acquirers want to say it’s ok for a merchant to use mobile, the acquirer and merchant should be the ones to assume the risk. It’s completely up to the merchant and the acquirer, not the Council.

At this point, allowing a merchant to mark their business as PCI compliant becomes a business decision between the merchant and Qualified Security Assessor (QSA), or the merchant and the acquiring bank.


Gary Glover (CISSP, CISA, QSA, PA-QSA) is Director of Security Assessment at SecurityMetrics with over 10 years of PCI audit experience and 25 years of Star Wars quoting skills. May the Force be with you as you visit his other blog posts.