Merchants urged to avoid BYOD gear, jailbroken smartphones/tablets for payment processing

BYOD "not recommended as a best practice" for merchants

Businesses that want to use consumer-grade smartphones and tablets as point-of-sale devices to process payment cards are being advised to do so only when appropriate encryption controls and other security measures are in place.

The PCI Security Standards Council has issued a 27-page recommendations document (within its "PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users") to address situations where merchants want to plug payment-card processing equipment into smartphones or tablets rather than use traditional terminals at checkout stations. The council emphasizes that merchants are responsible for the mobile app, the back-end processes and the security of the device. The council also stresses that "Bring Your Own Device" (BYOD), where an employee brings a mobile device to use at work, is "not recommended as a best practice."


The council's guidance starts with the premise that mobile devices used by merchants for card processing will be multi-purpose and not solely dedicated to payment acceptance for transaction processing. It also starts from the premise that consumer-grade mobile devices are not particularly secure. And because these mobile devices will be taken to any number of places, the chances of them being stolen, lost or tampered with are considerable. The council wants merchants to make sure any mobile device used for card processing has an encrypting PIN pad and that the secure card reader used for account data entry is approved. "If you swipe the card, make sure it's going into that device encrypted," says Bob Russo, the council's general manager.

The council would like to see security controls, such as anti-virus, authentication and security scanning, applied to mobile devices used for payment processing. It wants equipment providers to be required to communicate about vulnerabilities and to ensure that security updates are delivered. And in a clear allusion to Apple iOS equipment, the guidelines note that merchants that "deliberately subvert the native security controls of a mobile device by 'jailbreaking' or 'rooting' the device increase the risk of malware infection. Payment solutions should not be installed or used on any mobile device that is rooted or 'jailbroken,'" the council's document states.

The document notes that until mobile hardware and software implementations meet the guidelines, merchants should stick to the use of PCI-validated point-to-point encryption as outlined in another document, "Accepting Mobile Payments with a Smartphone or Tablet."

The rapid changes under way in using consumer-grade mobile devices for card processing also pose security challenges, Russo says. "It's an evolutionary period," he adds, noting that the council will have more to say on this topic in the future. The council anticipates aligning its technical recommendations with certain mobile guidelines now in draft stage at the National Institute of Standards and Technology (NIST). That draft document is NIST 800-164, "Guidelines for Hardware-Rooted Security in Mobile Devices".

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.
