The PCI Security Standards Council constantly has to keep up with the evolution of both payment fraud risk and payment technology. Mobile payments – from transaction origination to acceptance – are transforming how account holders and merchants interact. It is a complex domain. Software-based remote mobile payments are common. Square has rapidly expanded the mobile payment acceptance footprint. Customers of Square-accepting merchants can use Card Case to put payments “on their tab” without presenting a payment card. NFC proximity payments are on the horizon, along with EMV smartcards to replace the magstripe payment card.
So, mobile has moved up in the PCI SSC’s priority list. And that’s a good thing. While start-ups and established entities will push and stretch mobile payments business and security models, the industry will need security fences around it, even while more than a few highly mobile horses are out loose on the security prairie. Eventually, they will be corralled by the PCI standards.
Because of its increasing adoption and anticipated growth, mobile is a growing concern. Inevitably, the council will have to address security risks for payments, says PCI SSC General Manager Bob Russo.
“The adoption of mobile is running rampant, and when it comes to using personal mobile devices, people have not thought about all of the security,” Russo says. “We have a task force looking at this, and in 2011 we issued some guidance. This year we will be issuing some best practices.”
Mobile payments have the potential to transform the industry. “But with that potential are increased risks and increased vulnerabilities,” Mitchell says. “We want security to remain at the center of the payments evolution,” which means organizations have to address mobile risks proactively.
Addressing the security concerns surrounding mobile and other emerging payment options with risk in mind is a given. For the council, mobile security requires a deeper review of the security advantages provided by the Europay, MasterCard, Visa (EMV) standard. How can EMV improve the security of mobile payments? The PCI SSC aims to find out.