
Mobile point of sale gets a PCI security standard

Because crooks salivate when you punch a PIN into a smartmobe at a market stall

By Richard Chirgwin


The advent of mobile point-of-sale (MPOS) systems has been a boon for consumers and for retailers of modest means, but the Payment Card Industry Security Standards Council's security wonks worried that ordinary phones and tablets can't meet the strict hardware standards that merchants' dedicated credit card terminals have to satisfy.

Hence the announcement [PDF] of a new standard that aims to advise merchants on how they can let you pay with a PIN on a mobile device without letting crims steal creds.

The standard rests on four key principles: the service has to be actively monitored, in case a device such as a phone or tablet is compromised; the PIN has to be isolated from other account data; the “software and integrity of the PIN entry application” on common off-the-shelf (COTS) devices has to be ensured; and both PIN and account data have to be protected “using a PCI approved Secure Card Reader-PIN (SCRP).”

As the PCI SSC's Troy Leach explains in this blog post, the aim is to “mitigate risks associated with a software-centric solution”.

The all-important isolation of account data from the PIN, Leach said, “happens as the Primary Account Number (PAN) is never entered on the mobile device with the PIN. Instead that information is captured by an EMV Chip reader that is approved as a Secure Card Reader for PIN (SCRP) that encrypts the contact or contactless transaction.”

Back-end security controls include “attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies,” Leach said.

As well as the security requirements, which apply to the companies providing the payment solutions, the standard is accompanied by a test requirements document. Leach said the test requirements, which will be published in February, “create validation mechanisms for payment security laboratories to evaluate the security of a solution”.

As devices pass the Council's testing, they'll be listed on its Web site. ®
