PCI Compliance Comes to Mobile Devices

Sue Marquette Poremba

One of the components of governance, risk management and compliance, or GRC, is compliance. Because compliance regulations change so frequently, compliance is best treated as a shared responsibility, as TechTarget explained:

The responsibility for compliance is shared by many executives, usually at the vice president level. Human resources, audit, corporate counsel and the CIO are all involved in understanding the compliance requirements. The aim in GRC is, first, to coordinate those compliance efforts and processes, and second, to move to a more risk-based approach to compliance.

For instance, the PCI Security Standards Council (PCI SSC) announced a new PCI Security Standard for software-based PIN entry on commercial off-the-shelf devices (COTS), such as smartphones and tablets. Aite Group Senior Analyst Ron van Wezel explained the reason for the new standard in a formal statement:

Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency. MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere. However, some small merchants in markets that require EMV chip-and-PIN acceptance may have found the costs of investing in hardware prohibitive.
The primary security principles in the standard’s security and test requirements are:

  • Active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet
  • Isolation of the PIN from other account data
  • Ensuring the software security and integrity of the PIN entry application on the COTS device
  • Protection of the PIN and account data using a PCI approved Secure Card Reader for PIN (SCRP)

Mobile payments are becoming ubiquitous as a payment option. It makes sense, then, that as organizations focus on other areas of mobile security, they also ensure that mobile payment options are equally secure. As PCI SSC CTO Troy Leach stated in a PCI blog post:

This standard will give mobile payment solution providers and application developers a baseline of security requirements for how to enter a PIN into a COTS device, as well as methods to test that security is working, even as updates to the mobile devices and applications occur frequently. This will result in secure solutions that are independently tested to demonstrate PIN is isolated from the EMV data and will provide continuous protection, through ongoing monitoring and other controls.

Is your GRC team prepared for this new PCI compliance?

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba

Comments
Mar 16, 2018 1:48 PM, Bellathomas314 says:
Thanks, it's very informative.

Apr 18, 2018 2:02 AM, Data Sunrise says:
Thanks for writing this nice blog. SQL database security helps to protect important data in the database and acts as a barrier against harmful threats to the database.