Payment Card Industry Security Standards Council Releases New Guidance on Protecting Mobile Payment Data

The Payment Card Industry Data Security Standards (PCI DSS) Council, a global forum for the development of card security standards, recently released a set of best practices for merchants who process transactions involving card data from consumers using mobile devices. The Council's guidelines apply to "payment-acceptance applications that operate on any consumer electronic handheld device (e.g., smartphone, tablet, or PDA) that is not "solely dedicated" to processing such payment transactions and also has access to "clear-text data." In particular, the Council highlighted three primary security risks associated with such mobile payments: (1) "account data entering the device," (2) "account data residing in the device," and (3) "account data leaving the device." The guidelines recommend both traditional and less conventional mechanisms to isolate account data and protect it from exposure, including protection against theft – an inherent risk with a mobile device – as well as the use of approved PIN Entry devices and restricted access. These guidelines are intended to operate "hand-in-hand" with the Council's September 2012 mobile payment acceptance security guidelines, directed at mobile app developers and device vendors.

Tip: This additional guidance expands the PCI DSS Council's prior guidance in this area, and applies directly to merchants as end-users of mobile devices capable of accepting payment information. Compliance with these guidelines may help retailers maintain proper data security measures, thus avoiding fines or restrictions on their ability to process card payments.

This tip has been created for information and planning purposes. They are not intended to be, nor should they be substituted for, legal advice, which turns on specific facts.