The 2014 holiday season is upon us and with it, the forecast of billions in retail sales. There are high expectations not only for record breaking retail revenues but also increased use of mobile payment solutions by consumers making holiday purchases – both online and at retail locations. The release of new mobile payment alternatives is at the forefront of expectations.
PCI DSS validation
The endorsement of these mobile technologies by many industry leaders would lead most to believe that these solutions are secure and have been validated by the applicable Payment Card Industry (PCI) or Payment Application (PA) Data Security Standards. But have they really been validated against PCI Data Security Standard (DSS)? More importantly are they secure?
Are the new payment technologies any more secure than older technologies?
Most security professionals will tell you that “compliance does not equal security” and that compliance standards such as PCI are a bare minimum or baseline set of standards that should be a starting point for any decent security program. New mobile payment systems/applications must be validated against the PCI DSS as an important first step towards security.
A rush to market
With these new payment technologies being promoted so heavily, how can we know if they are secure or not? Have they been independently tested, or are we left to rely solely on vendor claims?
I started asking myself some of these questions after a former client asked my opinion on what the PCI security standard states about mobile point of sale systems. He emailed me and said, "I am especially interested in category three mobile devices where a mobile app is taking a credit card. I can't seem to find any guidance from the PCI council or Qualified Security Assessors anywhere."
The short answer is that he was right: the PCI Council has not released any kind of standard specifically for mobile payment systems. However, they have not been completely silent on the subject either. One of the Council’s concerns is that because the technology is evolving so quickly, any standard they produce could be obsolete before it was ever released. You can find items such as the following on their website:
- Mobile Payment-Acceptance Applications and PA-DSS FAQs
- PCI PTS POI Modular Security Requirements, Version 3.1 (Category 1)
- PCI Payment Application Data Security Standard (PA-DSS), Version 2.0 (Category 2)
- Accepting Mobile Payments with a Smartphone or Tablet (Category 3, Scenario 1)
If you look through these documents, you will see a common mantra: "Use approved technologies, P2PE required." None of these offerings, to the best of my knowledge, has been approved in any authoritative way by being measured against any of the existing standards – particularly the PCI DSS.
So are the new payment technologies any more secure than older technologies? The fact is that they are generally less secure. New technologies are often rushed to production because of market forces and very often are not submitted to thorough security testing prior to release. Once hackers (good and bad) start to focus their attention on the new technologies, vulnerabilities are discovered. Often the vulnerabilities are not even directly associated with the technology itself but with the implementation of the technology. Attacking a flawed implementation rather than the underlying technology is a very common method of exploitation, and new technologies are just as susceptible to this kind of misuse and misapplication as old ones.
Old apps, new apps
The mobile apps that I have seen over the past couple of years seem to fall into one of three categories:
- An app loaded on the mobile device that allows for a card swipe – most often used by taxi drivers
- An app that allows the user to enter payment data that the app would submit for authorization – a true mobile POS app
- An app that takes the same payment data but just passes the data through an existing "conventional" web-based payment application. In this case, the mobile app would just reformat the conventional page in a format that fits the mobile screen – almost like a wrapper around the existing e-commerce/payment application
And with technology evolving so quickly, now there is a fourth category:
- Alternative mobile payment technologies employing tokenization to process the payment without transmitting payment card data
So how are these solutions being endorsed by the PCI community for consumer use?
I believe many QSAs, attempting to do the right thing, look to the Payment Application Data Security Standard (PA-DSS) for answers. In most cases, PA-DSS would not apply, but many QSAs think, "Well, it’s an app, so it must be subject to PA-DSS." That is not necessarily true, because the qualifying requirements for PA-DSS have a couple of significant loopholes. The first is that if the app is homegrown and only used by the company that built it (in-house), then PA-DSS does not apply. The second is that even if the in-house app was contracted for and developed by a third party, as long as it's only used by the one client it is considered "bespoke" and PA-DSS does not apply. And finally, if the application is available using a SaaS model, then PA-DSS does not apply. These provisos actually disqualify most e-commerce applications from being subject to PA-DSS.
The best course of action is to apply the PCI DSS requirements to the payment app, and treat the mobile device as part of the services offered and part of the cardholder data environment (CDE). If you think of the mobile device as a typical, physical POS device – like one you’d find in a retail store – and then realize there are hundreds or thousands of them walking around and not owned by you, it will make you think twice about security. Chances are, not all of the twelve PCI DSS requirement categories can be met in such a scenario.
What should you do?
The good news is that for all the new technologies that are available today, the best practice security principles that offer the best opportunity for preventing data compromise have not changed.
You must be able to identify and track all the components of your network, particularly end points such as mobile devices. You must maintain security through an ongoing process of continuous monitoring to assure that systems are configured and maintained securely, patched when necessary, security protections are actively working, and most importantly the systems are generating event and audit logs for ongoing monitoring and review. Tenable’s SecurityCenter Continuous View™ is an excellent tool for this purpose.
My advice is to look for a payment solution that adheres to these basic security principles: protect the data in memory on the device, encrypt the data and/or use encrypted communications protocols for transmitting upstream, and by all means focus on the points of aggregation (where all the mobile app transactions come together) and protect them to the max – use PCI DSS requirements for starters.
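As an added illustration of the principles above (tokenization from the fourth category, protecting data in memory on the device, and sending only non-sensitive data upstream), the following Python is example code written for this article; it is not code from Tenable or from any payment vendor. The names (`TokenVault`, `capture_card`, `build_auth_request`, `find_pans`) and the in-memory vault are hypothetical: the vault stands in for the PCI-scoped tokenization service at the point of aggregation, which in practice would encrypt its store and live inside the CDE. The sample card number is the well-known Visa test PAN, not a real card. Because Python strings are immutable, the memory wipe is best-effort and only covers the capture buffer.

```python
"""Tokenize a PAN at capture, ship only the token upstream, and scan
outbound payloads for clear-text PANs. Example code; names are hypothetical."""
import json
import re
import secrets

# Constructed sample input: the standard Visa test PAN (not a real card).
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum that every payment card PAN must satisfy."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: at most the first six and last four digits visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory stand-in for the PCI-scoped tokenization service.
    It is the only component that ever holds a clear PAN."""

    def __init__(self):
        self._store = {}

    def tokenize(self, pan: str) -> str:
        # Random surrogate, not derived from the PAN. Hyphenated 8-char groups
        # guarantee the token never contains a PAN-length digit run.
        token = "tok_" + "-".join(secrets.token_hex(4) for _ in range(4))
        self._store[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def capture_card(pan_buf: bytearray, vault: TokenVault) -> dict:
    """Validate, tokenize and mask a PAN captured on the device, then overwrite
    the capture buffer so the clear PAN does not linger in device memory."""
    try:
        pan = pan_buf.decode("ascii")
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        token = vault.tokenize(pan)
        return {"token": token, "masked_pan": mask_pan(pan)}
    finally:
        # Zero the mutable buffer whether or not validation succeeded.
        for i in range(len(pan_buf)):
            pan_buf[i] = 0


def build_auth_request(record: dict, amount_cents: int) -> str:
    """Upstream authorization message: carries the token and masked PAN only."""
    return json.dumps({"token": record["token"],
                       "masked_pan": record["masked_pan"],
                       "amount_cents": amount_cents})


_DIGIT_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_pans(text: str) -> list:
    """Defensive scan of an outbound payload or log line: returns digit runs of
    PAN length that pass Luhn, i.e. probable clear-text card numbers."""
    return [m.group(0) for m in _DIGIT_RUN.finditer(text)
            if luhn_valid(m.group(0))]


if __name__ == "__main__":
    vault = TokenVault()
    buf = bytearray(SAMPLE_PAN, "ascii")
    rec = capture_card(buf, vault)
    msg = build_auth_request(rec, 1999)
    print(msg, "leaked PANs:", find_pans(msg), "buffer wiped:", not any(buf))
```

The `find_pans` scan is the check a practitioner would run over outbound traffic captures and application logs from the aggregation point: any hit means a clear PAN escaped the device, which is exactly what tokenization and encrypted upstream transport are meant to prevent.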