While not providing the full guidance that many in the mobile payment space hope for, the Payment Card Industry Security Standards Council (PCI SSC) continues to make progress toward defining complete security standards for mobile point-of-sale devices.
In mid-October, and seemingly to little fanfare, the PCI SSC released version 3.1 of the security standard that covers hardware for accepting credit cards, the PCI PIN Transaction Security (PIN PTS) program. For the first time, the new version includes the protection of account data on mobile devices that do not accept PINs.
According to PCI GM Bob Russo, the new guidance means that card acceptance devices can now be PTS-tested and approved, making them eligible to deploy point-to-point encryption (P2PE) technology.
P2PE is a technology that secures data from the moment it is swiped all the way through the payment process and potentially reduces a merchant's PCI compliance obligations.
"Additionally, the requirements have been updated to address secure (encrypting) card readers (SCR), further facilitating the deployment of P2PE technology and the use of open platforms, such as mobile phones, to accept payments," Russo said.
The upshot of this development is that merchants who want to use a mag-stripe reader (MSR), or an MSR plug-in, can ensure these devices have been tested and approved to encrypt card data on the reader itself, before it reaches the mobile device, Russo said.
"What this potentially allows for is for a secure card reader to be developed and submitted against the requirements that encrypts prior to input and transmission on the device," Russo explained.
In an earlier press release on the change to the PTS standard, Russo said, "We know how eager the market is to implement P2PE. By releasing these updated requirements now, merchants using any type of card acceptance device will have the ability to encrypt data at the point of interaction and ensure its protection."
"Additionally, we’ve opened the standard up to address mobile devices — another area of great interest to our stakeholders," Russo said in the earlier statement.
The new guidance does not cover mobile POS solutions on mobile devices that are not dedicated to processing payment transactions. That would include solutions for small businesses like those sold by Square or Intuit. According to PCI, additional guidance will be forthcoming that covers that category.
The PCI SSC was founded in 2006 by companies in the payment industry to develop and administer the data security standard that merchants and payment service providers must comply with to accept payment cards. It comprises more than 600 participating organizations around the world, including merchants, processors and payment vendors.
For background on PCI and mobile devices, please see: "PCI issues new guidance for mobile payment apps" and "Council takes wait-and-see approach to mobile payments."