E-Guide UNDERSTANDING PCI MOBILE PAYMENT PROCESSING SECURITY GUIDELINES

Transcription

1 E-Guide UNDERSTANDING PCI MOBILE PAYMENT PROCESSING SECURITY GUIDELINES

2 I n this E-Guide, Mike Chapple; a Search- Security.com expert discusses the new PCI Mobile Payment Acceptance Security Guidelines and how has become a part of our everyday lives and will continue to do so. PAGE 2 OF 10

3 UNDERSTANDING PCI MOBILE PAYMENT PROCESSING SECURITY GUIDELINES Mike Chapple, Enterprise Compliance The past few years have seen the rapid growth of credit card payment processing services among merchants. It's no longer uncommon to see a taxicab or restaurant that brings an iphone to a customer, equipped with a small credit card reader, accepting a payment without the need for the traditional, bulky, hard-wired register systems or a dedicated wireless credit card terminal. Mobile payment processing is a revolution for retailers, but a disaster for compliance. Until now, merchants that process payments using mobile devices did not have clear guidance regarding the compliance of these devices with the Payment Card Industry Data Security Standard (PCI DSS) and were left in a strange limbo where they might find themselves approached by the same banks that demand they maintain PCI compliance, offering to sell them products that might not be PCI-compliant. Fortunately, merchants, acquirers and everyone involved with PCI DSS compliance have more guidance to work with. In this tip, we take a look at the details of the recently released PCI Mobile PAGE 3 OF 10

4 Payment Acceptance Security Guidelines. This collection of best practices, released by the PCI Security Standards Council (SSC) in February 2013, describes the SSC's interpretation of how PCI DSS affects security and educates merchants on the risk factors of using mobile devices to accept credit card payments. SCOPE OF THE GUIDANCE The new guidance is meant to provide advice on how to handle situations where payment applications are running on, to quote from the guidance, "any consumer electronic handheld device (e.g., smartphone, tablet, or PDA) that is not solely dedicated to payment acceptance transaction processing and where the electronic handheld device has access to clear-text data." What does that mean? This guidance applies to situations where users accept credit cards on iphones, ipads, Android devices and other mobile platforms that are not dedicated to payment card processing. There are two important topics that aren't given much consideration (if any) within the scope of these. First, while many organizations are adopting bring your own device (BYOD) strategies for mobile computing, the PCI SSC is quite leery of BYOD PAGE 4 OF 10

5 in the, saying, "Since the BYOD scenario does not provide the merchant with control over the content and configuration of the device, it is not recommended as a best practice." So what does that mean? Is BYOD mobile payment processing allowed or not? The SSC seems to leave it up to oftensubjective QSAs to decide whether such a scenario would be PCI-compliant, meaning merchants are left to their own devices (perhaps both literally and figuratively) when determining their compliance posture. Second, the do not cover cases where a consumer is inputting a credit card number into his or her own device/application. For example, if you offer a mobile website or app that allows consumers to purchase products online using their own mobile devices, these do not apply. The parts of the ecosystem that the merchant controls (the mobile app, website and back-end systems, in most cases) are certainly subject to the normal PCI DSS requirements, but the consumer is responsible for maintaining the security of the mobile device itself. The only apply when the merchant is using a device at the point of sale. So what do the cover? They cover technologies like Square's mobile card reader and PayPal's PayPal Here reader, which are rapidly being adopted in retail environments. PAGE 5 OF 10

6 BEST PRACTICES FOR MOBILE PAYMENT ACCEPTANCE Any organization considering the adoption of a acceptance platform or already using this technology should read the carefully. They contain security best practices covering three major categories: transaction security, device security and application security. The contain three basic objectives for securing transactions: Prevent account data from being intercepted when entered into a mobile device; prevent account data from compromise while processed or stored within the mobile device; and prevent account data from interception upon transmission out of the mobile device. These objectives have shared responsibility between the merchant and the service provider. The service provider can ensure that the technology itself protects against these attacks, such as requiring the use of strong encryption for transmission of payment card transactions. However, the merchant must also take steps to ensure that the product is used in a manner consistent with secure operation, such as limiting device access to authorized users. Merchants bear a significant burden of responsibility when it comes to securing the mobile devices themselves. The contain six specific recommendations in this realm. While each is important in its own right, the PAGE 6 OF 10

7 most significant is the physical and logical security of mobile devices used for payment acceptance. Merchants must ensure that they have adequate controls in place to protect against theft or unauthorized access to devices used for s. Merchants must be certain that devices are securely stored when not in use by locking them in a cabinet, securing them to a wall or counter or placing them under constant surveillance. While this may limit the mobility of the device, it also guards against unwanted mobility -- namely, a device walking out the door in the hands of a stranger! Additionally, the application or device must be configured with strong authentication, such as a password or multifactor authentication. Other recommendations include: protecting the device from malware; ensuring the mobile device isn't "jailbroken"; disabling unnecessary device functions; installing device tracking software for use in case of loss or theft; and ensuring the secure disposal of old devices. For large enterprises, these may be fairly standard mobile device security processes, but smaller organizations will likely need to make a concerted effort to put these processes in place. The exact division of responsibility between the merchant and payment processing service provider will vary depending upon the specifics of the device types, software and services in use. For example, if the service provider owns PAGE 7 OF 10

8 and manages the mobile devices on behalf of the merchant, the merchant will have little room to alter the configuration of device functions, but will still bear the burden of protecting against loss, theft and unauthorized access. Controls in the final category, application security, also place responsibilities on both the merchant and service provider. These include: merchants implementing only those secure services that meet PCI DSS requirements; service providers ensuring merchants have clear instructions for the secure operation of the application; merchants avoiding offline transactions or authorizations; merchants preventing unauthorized usage of devices; and merchants reviewing logs for suspicious activity. Working through the mobile device can be a significant undertaking. As with the PCI standard itself, each of the major control areas is subdivided into up to seven specific control objectives, and those objectives may have multiple for merchants to follow. This all adds up to a 23-page document detailing a complex control environment for acceptance. Given this complexity, an organization should only adopt processing if there is a compelling business case for the technology -- this is not the area in which to experiment using a "gee whiz" solution. If the business case is justified, an organization's first step should be to sit down with the mobile PAGE 8 OF 10

9 payment and read through them line by line, just as you would the PCI DSS itself. Highlight the sections where it's unclear whether your technology or processes would be deemed compliant, and use that marked-up copy of the document to develop a list of action items for remediation. While the offer quite a few best practices, merchants should be relieved to find that they are mostly common-sense interpretations of the PCI DSS standards. Merchants using mobile devices for payment processing today likely won't need to implement radical changes in order to ensure PCI DSS compliance, if they've been applying a common-sense interpretation of PCI DSS all along. Those considering processing implementations in the future will find the documents a helpful resource. Without question, any merchant using or considering use of a application should review the in their entirety. MIKE CHAPPLE, Ph.D., CISA, CISSP, is an IT security manager with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor forinformation Securitymagazine and the author of several information security titles, includingcissp: Certified Information Systems Security Professional Study GuideandInformation Security Illuminated. PAGE 9 OF 10

10 FREE RESOURCES FOR TECHNOLOGY PROFESSIONALS TechTarget publishes targeted technology media that address your need for information and resources for researching products, developing strategy and making cost-effective purchase decisions. Our network of technology-specific Web sites gives you access to industry experts, independent content and analysis and the Web s largest library of vendor-provided white papers, webcasts, podcasts, videos, virtual trade shows, research reports and more drawing on the rich R&D resources of technology providers to address market trends, challenges and solutions. Our live events and virtual seminars give you access to vendor neutral, expert commentary and advice on the issues and challenges you face daily. Our social community IT Knowledge Exchange allows you to share real world information in real time with peers and experts. WHAT MAKES TECHTARGET UNIQUE? TechTarget is squarely focused on the enterprise IT space. Our team of editors and network of industry experts provide the richest, most relevant content to IT professionals and management. We leverage the immediacy of the Web, the networking and face-to-face opportunities of events and virtual events, and the ability to interact with peers all to create compelling and actionable information for enterprise IT professionals across all industries and markets. PAGE 10 OF 10