Tenable Blog

Is Your Mobile POS Secure?

The 2014 holiday season is upon us and with it, the forecast of billions in retail sales. There are high expectations not only for record breaking retail revenues but also increased use of mobile payment solutions by consumers making holiday purchases – both online and at retail locations. The release of new mobile payment alternatives is at the forefront of expectations.

PCI DSS validation

The endorsement of these mobile technologies by many industry leaders would lead most to believe that these solutions are secure and have been validated by the applicable Payment Card Industry (PCI) or Payment Application (PA) Data Security Standards. But have they really been validated against PCI Data Security Standard (DSS)? More importantly are they secure?

Are the new payment technologies any more secure than older technologies?

Most security professionals will tell you that “compliance does not equal security” and that compliance standards such as PCI are a bare minimum or baseline set of standards that should be a starting point for any decent security program. New mobile payment systems/applications must be validated against the PCI DSS as an important first step towards security.

A rush to market

With these new payment technologies being promoted so heavily, how can we know if they are secure or not? Have they been independently tested, or are we left to rely solely on vendor claims?

I started asking myself some of these questions after a former client asked my opinion on what the PCI security standard states about mobile point of sale systems. He emailed me and said, "I am especially interested in category three mobile devices where a mobile app is taking a credit card. I can't seem to find any guidance from the PCI council or Qualified Security Assessors anywhere."

The short answer is that, indeed, the PCI Council has not released any kind of standard with regard to mobile payment systems. However, they have not been completely silent on the subject either. One of the Council’s concerns is that because the technology is evolving so quickly, any standard they produce could be obsolete before it is ever released. You can find items such as the following on their website:

  • Mobile Payment-Acceptance Applications and PA-DSS FAQs
  • PCI PTS POI Modular Security Requirements, Version 3.1 (Category 1)
  • PCI Payment Application Data Security Standard (PA-DSS), Version 2.0 (Category 2)
  • Accepting Mobile Payments with a Smartphone or Tablet (Category 3, Scenario 1)

If you look through these documents, you will see a common mantra: "Use approved technologies, P2PE required." None of these offerings, to the best of my knowledge, has been approved in any authoritative way by being measured against any of the existing standards – particularly the PCI DSS.

So are the new payment technologies any more secure than older technologies? The fact is that they are generally less secure. New technologies are often rushed to production because of market forces and very often are not submitted to thorough security testing prior to release. Once hackers (good and bad) start to focus their attention on the new technologies, vulnerabilities are discovered. Often the vulnerabilities are not even directly associated with the technology itself but with the implementation of the technology. This is a very common method of exploitation, and new technologies are just as susceptible to this misuse and misapplication.

Old apps, new apps

The mobile apps that I have seen over the past couple of years seem to fall into one of three categories:

  1. An app loaded on the mobile device that allows for a card swipe – most often used by taxi drivers
  2. An app that allows the user to enter payment data that the app would submit for authorization – a true mobile POS app
  3. An app that takes the same payment data but just passes the data through an existing "conventional" web-based payment application. In this case, the mobile app would just reformat the conventional page in a format that fits the mobile screen – almost like a wrapper around the existing e-commerce/payment application

And with technology evolving so quickly, there is now a fourth category:

  4. Alternative mobile payment technologies employing tokenization to process the payment without transmitting payment card data

So how are these solutions being endorsed by the PCI community for consumer use?

I believe many QSAs, attempting to do the right thing, look to the Payment Application Data Security Standard (PA-DSS) for answers. In most cases, PA-DSS would not apply, but many QSAs think, "Well, it’s an app, so it must be subject to PA-DSS." That is not necessarily true, because the qualifying requirements for PA-DSS have a couple of significant loopholes. The first is: if the app is homegrown and only used by the company that built it (in-house), then PA-DSS does not apply. The second is: even if the in-house app was contracted for and developed by a third party, as long as it is only used by that one client it is considered "bespoke" and PA-DSS does not apply. And finally: if the application is delivered using a SaaS model, then PA-DSS does not apply. These provisos actually disqualify most e-commerce applications from being subject to PA-DSS.


The best course of action is to apply the PCI DSS requirements to the payment app, and treat the mobile device as part of the services offered and part of the cardholder data environment (CDE). If you think of the mobile device as a typical, physical POS device – like one you’d find in a retail store – and then realize there are hundreds or thousands of them walking around and not owned by you, it will make you think twice about security. Chances are that not all twelve PCI DSS requirement categories can be met in such a scenario.

What should you do?

The good news is that for all the new technologies that are available today, the best practice security principles that offer the best opportunity for preventing data compromise have not changed.

You must be able to identify and track all the components of your network, particularly end points such as mobile devices. You must maintain security through an ongoing process of continuous monitoring to assure that systems are configured and maintained securely, patched when necessary, security protections are actively working, and most importantly the systems are generating event and audit logs for ongoing monitoring and review. Tenable’s SecurityCenter Continuous View™ is an excellent tool for this purpose.

My advice is to look for a payment solution that adheres to these basic security principles: protect the data in memory on the device, encrypt the data and/or use encrypted communications protocols for transmitting upstream, and by all means focus on the points of aggregation (where all the mobile app transactions come together) and protect them to the max – use PCI DSS requirements for starters.
