As more people start adopting mobile payment processing to buy or sell goods and services, concerns will be raised over transaction security. The PCI Council, a consortium of card companies including American Express, Discover, JCB, MasterCard, and Visa, has recently issued guidelines on how to make mobile payments more secure. The PCI Mobile Payments Acceptance Security Guidelines spell out specific steps to ensure that mobile transactions are more secure and that apps don’t share data unnecessarily with third parties. Since any risk already known on the desktop also applies to mobile devices, the guidelines don’t need to list new threats; they only need to address the solutions that are specific to the mobile platform.
New PCI Guidelines on Mobile Payments Acceptance
Preventing Data Interception When Entered Into a Mobile Device
Keyloggers and other malicious programs exploit users at the device level by recording keystrokes. On mobile devices, the keystrokes could be captured and sent to third-party companies for malicious purposes. If user data is stolen, fraudulent charges could make online transactions unsafe and unappealing for users. Chargebacks could also become an expensive part of doing business online for merchants.
Preventing Data From Being Compromised While Being Processed or Stored Within the Mobile Device
Encryption is always a concern when dealing with credit card information. Unencrypted credit card numbers are an invitation for crooks. Developing stronger encryption and adhering to best practices would mitigate this kind of threat. Secure connections are also an important part of the puzzle. Users must be able to trust that it’s safe to send data over a WiFi, 3G, or the new 4G LTE network.
Preventing Data Interception Upon Transmission Out of the Mobile Device
PCI compliance includes making network connections more secure. Part of this responsibility falls on mobile carriers. However, users can do their part to ensure they are delivering their data over a secure network. One way is to use a VPN, or “virtual private network.” A VPN creates a private network connection over a public network: the two endpoints exchange traffic through an encrypted tunnel that other machines on the public network cannot read or join.
Other Security Recommendations
The PCI guidelines also make other recommendations for enhanced security. For example, developers and merchants should isolate sensitive user data and functions in trusted environments. Developers should also eliminate any unnecessary third-party access and privilege escalation, and always follow secure coding and best practices. Users should be able to remotely disable payment applications, and developers need to create server-side controls and report unauthorized access to user data.
These measures are not necessarily new for desktop applications, but they are not universally implemented for mobile transactions. Because the market for mobile transactions is still growing, many small business owners aren’t fully aware of the risks. Neither are users, for the most part. With the recent guidelines, the PCI Security Standards Council hopes to avert a disaster before it ever has a chance to manifest. If you are interested in getting set up with a mobile payments platform that is fully PCI compliant, contact us at SwitchPay today.