Inside PCI's Mobile Payments GuidanceNew Guidelines Focus on Payment Acceptance Applications
The PCI Security Standards Council's PCI Mobile Payment Acceptance Security Guidelines target software developers and mobile device manufacturers with guidance on how to design appropriate security controls that can thwart growing threats such as malware and rootkits.
The council focused on two key objectives: securing the payments transaction itself and best practices for securing the supporting environment around it, says Troy Leach, the Council's CTO.
"We focused on how to secure the card data and how it's entered, stored and processed in that mobile environment," Leach says in an interview with Information Security Media Group's Tom Field [transcript below], "as well as how it leaves the device, both as it's intended or sometimes unintentionally."
Some of the council's primary concerns around mobile payments include card data being stored or processed in clear text and the relative ease of losing the mobile devices themselves, which led to the guidelines being issued.
And since the mobile landscape is constantly changing, the PCI Council will continually review and update its guidance. "We have an ongoing process for reviewing and updating our guidance information," says Bob Russo, council general manager. "In 2013, we're really focused on additional research to ensure we're staying on top of the changing landscape because it's changing literally every day."
In this interview, Russo and Leach discuss:
- Key recommendations of the mobile guidance;
- Top evolving threats to mobile payments;
- What to expect from the PCI Council re: mobile in 2013.
Russo brings more than 25 years of high-tech business management, operations and security experience to his role as the general manager of the PCI Security Standards Council. HE guides the organization through its crucial charter, which is focused on improving data security standards for merchants, banks and other key stakeholders involved in the global payment card transaction process.
Leach is the chief technology officer and lead security standards architect for the council. He has developed and implemented a comprehensive quality assurance program to promote consistency within the council's QSA, ASV, PA-DSS and PED programs. Before joining the council, Leach led the incident-response program at American Express, where he reviewed more than 300 cases of account data compromises.
Mobile Payment Guidelines
TOM FIELD: As we mentioned upfront, you've just announced these new mobile payment guidelines. What are the key recommendations?
TROY LEACH: The guidance's focus is on best practices for developing and implementing mobile payments applications in a secure payments environment. We know that people are excited about this new technology and the benefits are obvious to merchants and commerce in general. However, mobile computing is still in its infancy and needs to be approached with a certain amount of caution. We focused on two key objectives for this paper. One is the payments transaction itself - how to secure the card data and how it's entered, stored and processed in that mobile environment; as well as how it leaves the device, both potentially as it's intended or sometimes unintentionally. Also, the guidance offers best practices for securing the supporting environment around it, which addresses security measures essential to the integrity of the broader mobile application platform.
Some of the key recommendations that we've identified are to isolate the sensitive functions and data in the trusted environment along with the trusted path. Implement secure coding best practices. Eliminate unnecessary third-party access and privilege escalation. Create the ability to remove disabled payments applications and create service-side controls, and report on those unauthorized access points.
FIELD: Just to back up a little bit, how were the guidelines developed?
BOB RUSSO: The council formed an industry taskforce in 2010 as part of a dedicated effort to address mobile payments acceptance and security. These are the software developers, service providers, mobile carriers and all of the players that are really at the forefront of mobile technology and security. We rely on industry input to shape the work that we do here at the council.
Since organizing this taskforce, the council released guidance on how merchants can apply its current security standards in the mobile payments acceptance area by addressing mobile applications with the Payment Application Data Security Standard [PA-DSS], and leveraging the PIN Transaction Security standard [PTS] and Point-to-Point Encryption [P2PE] standards that accept payments on mobile devices more securely. This guidance is for developers and is the next piece in the council's work in this specific area.
FIELD: You've just anticipated my next question, which is who is your target audience. And you say it's the developers.
RUSSO: We previously put out merchant guidance on mobile acceptance and this next piece focuses on the development practices for creating secure applications in the payments process, as well as providing an understanding of how these interact with the operating system and the actual device itself. It's the software developer - the device vendor - who is building these solutions that are really going to benefit from this kind of guidance. That being said, we also hope that the merchants and the other organizations creating their own mobile payments acceptance solutions will also leverage this guidance to better understand the security challenges, because there are quite a few of them there and how they can be addressed.
In the end, this is going to help the merchant. It's going to help the bank, the end-user and any organization that's looking to use mobile solutions to accept and process payments securely. It's our hope that as we educate those that are building these solutions on how to do it securely, we'll also be educating the end-user, the financial institutions and the retailers on what they should expect and, more importantly, demand in these products so that they can protect the customer's data.
FIELD: One of the points when it comes to applications development in mobile is that it's the Wild West out there. You've got so many organizations and individuals developing applications and they're being adopted without any real security safeguards. As you prepare and issue these guidelines, what do you see as the top threats right now to mobile payments?
LEACH: You've identified it right; Wild West is correct. At this week's community meeting, we had Trustwave's SpiderLabs, which specializes in data breach investigations and malware analysis, and they demonstrated some of the top threats out there right now, which included rooting and jail-breaking vulnerabilities, focused stealing, and SSL man-in-the-middle attacks directly on some of these types of mobile devices. While we haven't seen a lot of data-stealing attacks over mobile yet, they do exist and we recognize they're being developed.
Our primarily concern though is any card data being stored on the device or processed on the device being intercepted in clear text, meaning it's exposed without any type of encryption; or being able to be read from a third-party that has access to the same mobile payments environment. Also, for these mobile devices, there's a way to simply make them more likely to be stolen or lost. There are challenges with monitoring for abnormal behavior on those types of mobile applications and devices.
Revisiting the Guidance
FIELD: One of things that you say in the guidelines is that the threats and the solutions are in their infancy. Are these guidelines then outdated as soon as they're issued?
LEACH: You're absolutely correct that the mobile transactions and threat landscape is changing rapidly. However, we built these guidelines with a certain amount of foresight, so the best practices in the guidance are based on the most up-to-date knowledge available and should be broad enough to continue to be effective until our next review of the guidance. Remember, we've got some serious threat experts within our PCI community right now and they've helped us assemble this guidance.
FIELD: When will the guidelines be revisited, given the transitory nature of what we're talking about?
RUSSO: You noticed that we listed these as version 1.0 and we have really an ongoing process for reviewing and updating our guidance information, so as part of our continued efforts with the mobile taskforce in 2013, we're really focused on additional research to ensure we're staying on top of the changing landscape because it's changing literally every day.
FIELD: You'd expect to see revisited guidelines sometime in 2013, or at least amendments?
RUSSO: Absolutely, there will be updates as we go through the year.
Conforming to the Standards
FIELD: One of the issues when you submit guidance or a guideline is they're exactly that. They're suggestions. Where were the teeth in the guidelines to really urge conformance with the standards you're recommending?
RUSSO: You have to remember that we're a standards body and we don't really have any enforcement responsibility. However, most organizations now fully realize that the PCI Security Standards guidance and documents provide the best resources for protecting your payment card data and reducing your chances of having a breach, a situation every professional is trying to avoid. It's really important to note that this document is really guidance only. It doesn't provide any kind of requirements, nor is it meant to replace or supersede any of the PCI standards. Our focus is really protecting the card data. Technology is just one piece of this security puzzle. Emerging technologies, like mobile, we've got to look at how our standards apply to these environments and how we can make sure that the card data is being kept safe.
FIELD: You've addressed the merchant. You're addressing the developer now. What do you see next for the council in the mobile space in 2013?
LEACH: In 2013, we'll release further guidance for merchants, help them leverage mobile payment acceptance securely and continue to explore how data security can be addressed in the evolving mobile acceptance environment, and whether or not we need to update or create additional guidance or requirements for mobile, whether that's for payment applications, mobile devices or other services that are associated with smart phones, PDAs, tablets, or what they invent next for mobile payment.
Response to Guidelines
FIELD: You just returned from the community meeting. What kind of response did you get to the mobile guidelines?
RUSSO: We got a tremendous response to the mobile guidelines. People are anxious for this kind of stuff. The appetite out there is insatiable at this point. Anything that we put out is something that they're looking for. We've got a packed house here, over 1100 people at the community meeting, and one of the things that we've told people, especially in light of what's going on in the mobile area, is that convenience always trumps security. We have to take a step back and really think about that because there are so many things coming out that are so convenient and that everybody wants to use, including the consumers out there. We have to think about the security. That's our job and I think everybody here realizes that and everybody's enthusiastic about everything that's being put out by the council.