In October 2012, the PCI Security Standards Council released the Mobile Payment-Acceptance Security Guidelines, seeking to raise awareness among developers and to educate them on cardholder data security when designing mobile applications that comply with the Payment Application Data Security Standard (PA-DSS).
Given the fast-paced mobile shopping market, these guidelines were also developed to support the need for more secure development practices for mobile payment-acceptance solutions.
We, @Payvision, welcome this publication, as the risk of devices being hacked and data being stolen or phished keeps increasing. We believe cardholder data protection is a duty at every link in the payment chain, and that the new set of rules actually extends the current PCI-DSS by broadening the scope of control, and so strengthens risk control.
More precisely, the Mobile Payment-Acceptance Security best practices will act as an eye-opener not only for app developers, who are not always security and/or payment experts, but also for independent device vendors and app-store managers. By following these best practices, they are able to design mobile applications according to the PA-DSS standard, with appropriate security controls, and so provide solutions that let merchants accept mobile payments securely.
Mobile terminals (smartphones, tablets and other devices) are often seen as “riskless” although they are fully capable computers. They are built with features similar to PCs, except that they are lost or stolen more often, and are therefore more exposed to financial crime. That is why the regulatory framework has to be clearly defined in order to protect consumers and stakeholders from data hacking, by controlling the payment solutions already on the market.
As we discussed a few months ago in our dedicated Mobile Payments White Paper, m-commerce is an extremely fast-developing market, even though the public feels more protected when using cash and remains skeptical of new payment technology (statistics revealed that 48% of people felt most protected when using cash, 37% when using a credit/debit card, 10% when using contactless cards, and only 4% when using contactless mobile payments). At the same time, the m-payment market offers great potential for innovative technologies and payment methods, regardless of the region and its level of technology development, even though it is already crowded with an abundance of mobile payment apps.
Because of the above-stated reluctance to use mobile payments, and taking into account that the number of mobile internet users is predicted to exceed the number of desktop users worldwide in the near future, we must be proactive in adhering to the guidelines and ensuring the highest possible security level when offering m-payment solutions, if we want global consumer acceptance of mobile payments. We need to be concerned with providing an app that is secured against data being breached, stolen or phished, all of which are common occurrences in today’s society.
In summary, finding solutions to mitigate risk is always better in our opinion than chasing the thieves, even if you’re in good shape!
The full guidelines are available for download from the PCI Security Standards Council website.