Merchants urged to avoid BYOD gear, jailbroken smartphones/tablets for payment processing

BYOD "not recommended as a best practice" for merchants

Businesses that want to make use of consumer-grade smartphones and tablets as a point-of-sale device to process payment cards are being advised to only do so when appropriate encryption controls and other security measures are in place.

The PCI Security Standards Council has issued a 27-page recommendations document (within its "PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users") to address situations where merchants want to plug payment-card processing equipment into smartphones or tablets rather than use traditional terminals at checkout stations. The council emphasizes that merchants are responsible for the mobile app, the back-end processes and the security of the device. The council also stresses that "Bring Your Own Device" (BYOD), where an employee brings a mobile device to use at work, is "not recommended as a best practice."

[SECURITY: Sex sites out, IT sites in for cybercrooks planting malware]

The council's guidance starts with the premise that mobile devices used by merchants for card processing will be multi-purpose and not solely dedicated to payment acceptance for transaction processing. It also starts from the premise that consumer-grade mobile devices are not particularly secure. And because these mobile devices will be taken to any number of places, the chances of them being stolen, lost or tampered with are considerable. The council wants merchants to make sure any mobile device used for card processing has an encrypting PIN pad and that the secure card reader used for account data entry is approved. "If you swipe the card, make sure it's going into that device encrypted," says Bob Russo, the council's general manager.

The council would like to see security controls, such as anti-virus, authentication and security scanning, applied to mobile devices used for payment processing. It wants to see equipment providers be required to communicate about vulnerabilities and make sure security updates are made. And in a clear allusion to Apple iOS equipment, the guidelines note that merchants that "deliberately subvert the native security controls of a mobile device by 'jailbreaking' or 'rooting' the device increase the risk of malware infection. Payment solutions should not be installed or used on any mobile device that is rooted or 'jailbroken,'" the council's document states.

The document notes that until mobile hardware and software implementations meet the guidelines, merchants should stick to the use of PCI-validated point-to-point encryption as outlined in another document, "Accepting Mobile Payments with a Smartphone or Tablet."

The rapid changes taking place to utilize consumer-grade mobile devices for card processing are also posing security challenges, Russo says. "It's an evolutionary period," he adds, noting that the council will have more to say on this topic in the future. The council anticipates aligning its technical recommendations with certain mobile guidelines now in draft stage at the National Institute of Standards and Technology (NIST). That draft document is NIST 800-164, "Guidelines for Hardware-Rooted Security in Mobile Devices".

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags consumer electronicsNetworkingsecuritywirelesssmartphonesWide Area NetworkPCI Security Standards Council

More about AppleIDGTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place