A few weeks ago there was a very public spat between Verifone, one of the leading providers of payments terminals, and new market entrant for mobile payments acceptance, Square, backed by Twitter founder Jack Dorsey. Verifone claimed Square was insecure and could be easily hacked. Square has subsequently announced that it is going to make all of its mobile payments dongles encrypt credit card data, and that it has the backing of Visa, which has invested an undisclosed sum in the company.
Square and Verifone are not the only companies with mobile payments acceptance devices (devices that enable a mobile phone to accept card payments). It’s a growing market, but one which so far has not had its security requirements spelled out for it in the way that exists for more conventional card networks and acceptance. Visa has now addressed that gap by issuing a new Visa Best Practices for Mobile Payment Acceptance Bulletin. These guidelines are what Square and other mobile payments acceptance vendors will now have to meet.
But what does the bulletin say about security? The guidelines state that mobile payments acceptance solution vendors should aim to do the following:
- Implement the use of encryption to protect the public transmission of account data
- Deploy tokenisation or truncation to protect the PAN
- Protect encryption keys in accordance with industry standards
By referring to ‘industry standards’, this last bullet point ultimately means mobile payments acceptance devices must comply with PCI PTS-POI. Amongst other things, this includes the requirement for “tamper-detection and response mechanisms that cause it to become immediately inoperable and result in the automatic and immediate erasure of any sensitive data that may be stored in the device, such that it becomes infeasible to recover the sensitive data. These mechanisms protect against physical penetration of the device by means of (but not limited to) drills, lasers, chemical solvents, opening covers, splitting the casing (seams), and using ventilation openings…”
This starts to level the playing field greatly. Although there is no certification for mobile payments acceptance devices yet, the guidelines are saying that these devices must have the same physical and logical security that POS terminals, and the HSMs securing the card networks, are already required to have.
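The second bullet above (tokenisation or truncation of the PAN) is the one a vendor can get wrong in software alone, so here is an added illustration of what those two controls look like in practice; this is example code written for this post, not Square's, Verifone's or Visa's. It assumes the PCI DSS display rule of first six and last four digits for truncation, and uses a keyed HMAC as a simple non-reversible token (a vault-issued token is the other common design); the key is assumed to live in the back-end HSM or vault, never on the handset.

```python
import hmac
import hashlib


def luhn_valid(pan: str) -> bool:
    """Luhn check used by payment card numbers; reject malformed PANs before handling them."""
    digits = [int(c) for c in pan.replace(" ", "")]
    checksum = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        checksum += d
    return checksum % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncate a PAN to first six + last four (PCI DSS display rule), masking the middle.

    The masked form is what may be printed on receipts or logged; the full PAN never is.
    """
    pan = pan.replace(" ", "")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13 to 19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Replace a PAN with a keyed HMAC-SHA256 token (hex string).

    Without the key, the token cannot be reversed or brute-forced across the PAN space,
    so a compromised handset or merchant database yields no usable card numbers.
    The key must be protected in the vault/HSM, as the third bullet requires.
    """
    pan = pan.replace(" ", "")
    if not luhn_valid(pan):
        raise ValueError("PAN fails Luhn check")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    # Constructed sample: the well-known Visa test PAN, not a real card.
    sample_pan = "4111 1111 1111 1111"
    demo_key = b"constructed-demo-key-do-not-use"   # placeholder; real key lives in the HSM
    print(truncate_pan(sample_pan))                  # 411111******1111
    print(tokenize_pan(sample_pan, demo_key))
```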