Merchants urged to avoid BYOD gear, jailbroken smartphones/tablets for payment processing

BYOD "not recommended as a best practice" for merchants

Businesses that want to make use of consumer-grade smartphones and tablets as a point-of-sale device to process payment cards are being advised to only do so when appropriate encryption controls and other security measures are in place.

The PCI Security Standards Council has issued a 27-page recommendations document (within its "PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users") to address situations where merchants want to plug payment-card processing equipment into smartphones or tablets rather than use traditional terminals at checkout stations. The council emphasizes that merchants are responsible for the mobile app, the back-end processes and the security of the device. The council also stresses that "Bring Your Own Device" (BYOD), where an employee brings a mobile device to use at work, is "not recommended as a best practice."


The council's guidance starts with the premise that mobile devices used by merchants for card processing will be multi-purpose and not solely dedicated to payment acceptance for transaction processing. It also starts from the premise that consumer-grade mobile devices are not particularly secure. And because these mobile devices will be taken to any number of places, the chances of them being stolen, lost or tampered with are considerable. The council wants merchants to make sure any mobile device used for card processing has an encrypting PIN pad and that the secure card reader used for account data entry is approved. "If you swipe the card, make sure it's going into that device encrypted," says Bob Russo, the council's general manager.

The council would like to see security controls, such as anti-virus, authentication and security scanning, applied to mobile devices used for payment processing. It wants equipment providers to be required to communicate about vulnerabilities and to ensure that security updates are delivered. And in a clear allusion to Apple iOS equipment, the guidelines note that merchants that "deliberately subvert the native security controls of a mobile device by 'jailbreaking' or 'rooting' the device increase the risk of malware infection. Payment solutions should not be installed or used on any mobile device that is rooted or 'jailbroken,'" the council's document states.

The document notes that until mobile hardware and software implementations meet the guidelines, merchants should stick to the use of PCI-validated point-to-point encryption as outlined in another document, "Accepting Mobile Payments with a Smartphone or Tablet."

The rapid changes taking place to utilize consumer-grade mobile devices for card processing are also posing security challenges, Russo says. "It's an evolutionary period," he adds, noting that the council will have more to say on this topic in the future. The council anticipates aligning its technical recommendations with certain mobile guidelines now in draft stage at the National Institute of Standards and Technology (NIST). That draft document is NIST 800-164, "Guidelines for Hardware-Rooted Security in Mobile Devices".

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
