The PCI SSC released the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users Information Supplement today.
These guidelines educate merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments.
The new guidance for merchants focuses on these scenarios and specifically the payment software that operates on these devices. The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users leverages industry best practices to educate merchants on what is needed to isolate and prevent card data from exposure.
The guidance is organized around the following key areas and objectives:
• Objectives and Guidance for the Security of a Payment Transaction - addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device
• Guidelines for Securing the Mobile Device – provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance
• Guidelines for Securing the Payment Acceptance Solution – provides guidance for the different components of the payment acceptance solution; including the hardware, software, the use of the payment acceptance solution, and the relationship with the customer
A glossary of terms, chart to help determine responsibility for each best practice, checklist for choosing a mobile solution provider, and further detail on additional risks associated with mobile devices are included as appendices.
The document underscores that until mobile hardware and software implementations can meet these guidelines, the best options for merchants is the use of a PCI-validated, Point-to-Point Encryption (PCI P2PE) solution, as outlined in the Accepting Mobile Payments with a Smartphone or Tablet fact sheet
The guidelines can be found here - https://www.pcisecuritystandards.org/documents/Mobile_Payment_Security_Guidelines_Merchants_v1.pdf
For more details please visit www.pcisecuritystandards.org.
THESE ARE PCI SSC GUIDELINES. PLEASE DIRECT ANY QUESTIONS TO THE PCI SSC DIRECTLY.