PCI Council releases mobile appdev guidance
Security standards body releases mobile software best practices, highlighting the need for more secure development

At its North America Community Meeting late last week, the PCI Security Standards Council (PCI SSC) released best practices for mobile payment acceptance security.
The PCI Mobile Payment Acceptance Security Guidelines are designed to offer software developers and mobile device manufacturers guidance on designing appropriate security controls to provide software for merchants to accept mobile payments securely.
Mobile attacks yet to reach maturity
The guidance supports the need for more secure development practices for mobile payment acceptance solutions. According to Trustwave SpiderLabs, a security research team that specialises in data breach investigations and malware analysis, mobile computing, mobile commerce and mobile malware are all still in their infancy, and existing platforms limit users' ability to ensure the security of transactions conducted on mobile technology.
At a presentation during the PCI Community Meeting in Orlando, Nicholas J. Percoco, Trustwave SpiderLabs senior vice president, demonstrated some of the top attacks that threaten the security of payments over mobile acceptance devices, including malware and rootkits, jailbreaking vulnerabilities and SSL-man-in-the-middle attacks.
“It is important that a best practice guide be developed, by the industry, to educate mobile app developers on methods of securing commerce transactions and risks of not doing so,” said Percoco.
Building on work of taskforce
The Council formed an industry taskforce in 2010 as part of a dedicated effort to address mobile payment acceptance security. Since then, the Council has released guidance on how merchants can apply its current standards to mobile payment acceptance – by addressing mobile applications with the Payment Application Data Security Standard (PA-DSS), and leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to accept payments on mobile devices more securely.
The guidance for developers is the next piece of the Council’s work in this area. The document organises the mobile payment acceptance security guidance into two categories: best practices to secure the payment transaction itself, which addresses cardholder data as it is entered, stored and processed using mobile devices; and guidelines for securing the supporting environment, which addresses security measures essential to the integrity of the broader mobile application platform environment.
Key recommendations include:
Isolate sensitive functions and data in trusted environments
Implement secure coding best practices
Eliminate unnecessary third-party access and privilege escalation
Create the ability to remotely disable payment applications
Create server-side controls and report unauthorised access
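The last two recommendations are easiest to see in code. The following is an added illustration, not code from the PCI SSC guidance or from any vendor: a hypothetical acceptance server that issues each device a short-lived, HMAC-signed permission ticket, checks that ticket server-side on every transaction, lets an operator revoke a device remotely, and records every refused attempt for reporting. Device IDs, the key and the 300-second ticket lifetime are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret for this example only; in a real deployment the
# signing key lives solely on the acceptance server (HSM or KMS), never in the app.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


class AcceptanceServer:
    """Hypothetical payment acceptance server that gates every transaction."""

    def __init__(self, key=SERVER_KEY, ticket_ttl=300):
        self.key = key
        self.ticket_ttl = ticket_ttl   # seconds a ticket stays valid before the app must re-check in
        self.disabled = set()          # device IDs an operator has remotely disabled
        self.audit = []                # refused / unauthorised attempts, for reporting

    def _sign(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def _report(self, event, device_id, now):
        self.audit.append({"event": event, "device": device_id, "t": now})

    def disable_device(self, device_id):
        """Remote kill switch: revoke payment acceptance for one device."""
        self.disabled.add(device_id)

    def issue_ticket(self, device_id, now=None):
        """Hand the app a short-lived, signed permission to accept payments, or refuse."""
        now = time.time() if now is None else now
        if device_id in self.disabled:
            self._report("ticket_refused_disabled", device_id, now)
            return None
        claims = {"device": device_id, "exp": now + self.ticket_ttl}
        payload = json.dumps(claims, sort_keys=True).encode()
        return base64.urlsafe_b64encode(payload).decode() + "." + self._sign(payload)

    def authorise_transaction(self, device_id, ticket, amount_cents, now=None):
        """Server-side decision for one transaction. Returns (ok, reason).

        The app never decides for itself; a disabled, expired or tampered
        ticket is rejected here and the attempt is logged.
        """
        now = time.time() if now is None else now
        try:
            body_b64, sig = ticket.split(".", 1)
            payload = base64.urlsafe_b64decode(body_b64.encode())
        except (ValueError, AttributeError):
            self._report("malformed_ticket", device_id, now)
            return False, "malformed_ticket"
        # Constant-time comparison so an attacker cannot forge a ticket byte by byte.
        if not hmac.compare_digest(self._sign(payload), sig):
            self._report("bad_signature", device_id, now)
            return False, "bad_signature"
        claims = json.loads(payload)
        if claims["device"] != device_id:
            self._report("device_mismatch", device_id, now)
            return False, "device_mismatch"
        if now > claims["exp"]:
            self._report("ticket_expired", device_id, now)
            return False, "ticket_expired"
        if device_id in self.disabled:
            self._report("device_disabled", device_id, now)
            return False, "device_disabled"
        if amount_cents <= 0:
            self._report("bad_amount", device_id, now)
            return False, "bad_amount"
        return True, "approved"


if __name__ == "__main__":
    srv = AcceptanceServer()
    ticket = srv.issue_ticket("pos-001", now=1000.0)
    print(srv.authorise_transaction("pos-001", ticket, 1999, now=1010.0))
    srv.disable_device("pos-001")          # operator pulls the remote kill switch
    print(srv.authorise_transaction("pos-001", ticket, 1999, now=1010.0))
    print(srv.audit)
```

The design point is that the ticket lifetime bounds how long a compromised or stolen device can keep accepting cards after it is disabled: the app must return to the server for a fresh ticket, and the server's refusal is itself an audit event that can be reported on.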
Rapid speed to market
“Applications are going to market so quickly – anyone can design their own app today that can be used to accept payments tomorrow,” said Troy Leach, PCI SSC chief technology officer, in his presentation to the meeting’s attendees. “It’s our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we’ll start to see the market drive more secure options for merchants to protect their customers’ data.”
The Council said it plans to release further guidance in 2013 to help merchants use mobile payment acceptance securely, while continuing to collaborate with industry subject matter experts to explore how card data security can be addressed in an evolving mobile acceptance environment, and whether additional guidance or requirements need to be developed.