New Mobile App Rules from the PCI Council
A new report from the PCI Security Standards Council (PCI SSC) urges device manufacturers and software developers to build payment applications that support encryption and other security controls. The report, entitled “PCI Mobile Payment Acceptance Security Guidelines”, asks that mobile applications involved in payment processing, or that hold other personal data most consumers would prefer not be made public, support security measures such as encryption and password protection.
The hope is that the report becomes the standard for securing mobile payment applications, especially those that perform wireless mobile credit card processing. The Council recognizes, though, that at this point the report is far from final and is unlikely to stand unchanged for long.
“Every time we tried to frame some requirement, a new exploit or attack was detected or new technologies for security were discovered,” Troy Leach, CTO of PCI SSC, said. “The market is rapidly evolving and we’re able to apply security in new ways.”
One of the biggest issues app makers face in meeting security standards is how rapidly smartphones change. Keeping encryption and other controls compliant becomes far harder when a new smartphone model appears every other week.
Another notable requirement in the report is that an application must be able to be disabled remotely if a security compromise is detected. Appropriate server-side controls must also be in place, so that protection does not depend on the device alone.
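The following is an added example, not code from the PCI SSC guidelines or from any vendor, of how the two requirements above fit together: a signed status document lets the app disable itself remotely, and an independent server-side check refuses authorizations from disabled app versions or revoked devices even when a tampered app skips the client check. It assumes a hypothetical status service keyed with a constructed HMAC secret (a real deployment would use an asymmetric signature so no secret ships inside the app), a one-hour freshness window, and constructed version and device identifiers.

```python
"""Remote kill switch for a payment app with server-side enforcement (illustrative model)."""
import hashlib
import hmac
import json
import time

# Constructed demo secret shared by the hypothetical status service and the app build.
STATUS_KEY = b"constructed-demo-key-not-for-production"
MAX_STATUS_AGE = 3600  # seconds; an older status document is treated as untrusted


def _canonical(status):
    # Canonical JSON so that signer and verifier hash identical bytes.
    return json.dumps(status, sort_keys=True, separators=(",", ":")).encode()


def sign_status(status, key=STATUS_KEY):
    """Status service: wrap a status document in an HMAC-SHA256 tag."""
    payload = _canonical(status)
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "mac": mac}


def verify_status(signed, key=STATUS_KEY, now=None):
    """App side: return the status dict only if the tag and the freshness check pass."""
    payload = signed.get("payload", "").encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed.get("mac", "")):
        return None  # forged or tampered document
    status = json.loads(payload)
    now = time.time() if now is None else now
    if now - status.get("issued_at", 0) > MAX_STATUS_AGE:
        return None  # stale: replaying an old "all clear" must not re-enable the app
    return status


def client_may_accept(signed, app_version, now=None):
    """Honest app: fail closed unless a fresh, valid status permits this build."""
    status = verify_status(signed, now=now)
    if status is None or status.get("global_disable"):
        return False
    return app_version not in status.get("disabled_versions", [])


class PaymentServer:
    """Server-side control: applies the revocation lists to every authorization,
    regardless of what the app claims to have checked."""

    def __init__(self):
        self.disabled_versions = set()
        self.revoked_devices = set()

    def disable_version(self, version):
        self.disabled_versions.add(version)

    def revoke_device(self, device_id):
        self.revoked_devices.add(device_id)

    def current_status(self, now):
        return sign_status({
            "issued_at": now,
            "global_disable": False,
            "disabled_versions": sorted(self.disabled_versions),
        })

    def authorize(self, app_version, device_id, amount_cents):
        if app_version in self.disabled_versions:
            return False, "app version disabled"
        if device_id in self.revoked_devices:
            return False, "device revoked"
        if amount_cents <= 0:
            return False, "invalid amount"
        return True, "approved"


def demo(now=1_700_000_000.0):
    """Walk through a compromise: returns which paths are still open afterwards."""
    server = PaymentServer()
    old_status = server.current_status(now)
    results = {"before": client_may_accept(old_status, "2.1.0", now)}
    server.disable_version("2.1.0")  # compromise found in build 2.1.0 (constructed)
    status = server.current_status(now + 60)
    results["after_client"] = client_may_accept(status, "2.1.0", now + 60)
    # A modified app that skips the client check still reaches the server and is refused there.
    results["after_server"] = server.authorize("2.1.0", "dev-123", 1999)[0]
    # Replaying the earlier "all clear" document fails once it is older than MAX_STATUS_AGE.
    results["replay"] = client_may_accept(old_status, "2.1.0", now + MAX_STATUS_AGE + 1)
    # Editing the payload to drop the disabled version breaks the MAC.
    forged = dict(status, payload=status["payload"].replace('"2.1.0"', ""))
    results["forged"] = client_may_accept(forged, "2.1.0", now + 60)
    return results


if __name__ == "__main__":
    print(demo())
```

The client-side check is only the first line of defence: it protects users of honest builds quickly, but a repackaged app can simply not perform it. The server's `authorize` step is what actually stops transactions from a disabled build or revoked device, which is why the guidelines pair remote disable with server-side controls rather than relying on either alone.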
Leach feels that, now that the Council better understands what it is dealing with in mobile applications, it will be able to produce security standards that stick. Says Leach, “We’ve identified the problems and have a collective agreement as to what priorities to address.”
As the report continues to evolve, the hope is that it proves fruitful and closes any loopholes.