February 14, 2013, 4:03 PM — Businesses that want to use consumer-grade smartphones and tablets as point-of-sale devices to process payment cards are being advised to do so only when appropriate encryption controls and other security measures are in place.
The PCI Security Standards Council has issued a 27-page recommendations document, the "PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users," to address situations where merchants want to plug payment-card processing equipment into smartphones or tablets rather than use traditional terminals at checkout stations. The council emphasizes that merchants are responsible for the mobile app, the back-end processes and the security of the device. The council also stresses that "Bring Your Own Device" (BYOD), where an employee brings a personal mobile device to use at work, is "not recommended as a best practice."
The council's guidance starts from the premise that mobile devices used by merchants for card processing will be multi-purpose rather than dedicated solely to payment acceptance. It also assumes that consumer-grade mobile devices are not particularly secure. And because these devices will be carried to any number of places, the chances of their being stolen, lost or tampered with are considerable. The council wants merchants to make sure any mobile device used for card processing has an encrypting PIN pad and that the secure card reader used for account data entry is approved. "If you swipe the card, make sure it's going into that device encrypted," says Bob Russo, the council's general manager.
The council would like to see security controls, such as anti-virus, authentication and security scanning, applied to mobile devices used for payment processing. It wants equipment providers to be required to communicate about vulnerabilities and to make sure security updates are issued. And in a clear allusion to Apple iOS equipment, the guidelines note that merchants that "deliberately subvert the native security controls of a mobile device by 'jailbreaking' or 'rooting' the device increase the risk of malware infection. Payment solutions should not be installed or used on any mobile device that is rooted or 'jailbroken,'" the council's document states.