In an online Op-Ed in SC Magazine UK, David Froud, Global Director of Practice Development at Trustwave, suggests the recent guidance on mobile payment security from the Payment Card Industry Security Standards Council will need to keep pace with market demands for evolving mobile technology. Froud identifies a “shift away from the credit card paradigm,” and points to Visa’s recent moves to incentivize EMV compliance through the Technology Innovation Program and secure more of the payment process through Point-to-Point Encryption as indicators of this shift.
…[N]ear field communication (NFC) and mobile payments (m-payments) have…opened the door for not only a more risk-based approach to PCI DSS, but for a total shift away from the credit card paradigm. Everyone from smartcard vendors, to mobile network operators (MNOs), to payment service providers (PSPs) and existing payments networks all want their piece of the pie. Combine this with the launch of services such as Google Wallet, the EU’s imminent approval of a mobile payment hub, and the raft of new handsets featuring NFC, and the question of how to protect the consumer from a security standpoint is brought into sharp focus.
Due to the nature of mobile devices today, any threat that exists for a computer will exist for a mobile device, resulting in a vastly increased exposure to data theft.
If m-payments are to take off as forecasted, the development focus needs to change so that security is ultimately part of the initial requirements analysis and that the use of customers data is either minimised, adequately encrypted or (preferably) both. This oversight needs to be addressed on two levels:
- With the PCI SSC leading the charge with a series of best practice guidelines and enforcing regulations (something that would be difficult to do and achieve).
- By educating and training developers on fundamental secure coding principles.
Ultimately, Froud echoes what seems to be the prevailing attitude among payment security experts, (and how Mercator concluded a recent report on Mobile Payment Security), when he says:
Currently there are few, if any, standard measurements for benchmarking application security during development. With the exception of the new, and granted, somewhat immature PCI SSC mobile recommendations, these will struggle to keep up with the developments in technology and security threats. The industry needs to come together to ensure that security is at the forefront of the development process with recommendations on topics such as outsourcing and controls to ensure that the authentication for transactions is secure.
Click here to read more from SC Magazine.