Thursday, March 13, 2008

PCI compliance for mobile payments

Many research reports and experts warn about the risks of allowing fraudsters and criminals access to sensitive credit card details. Operators of financial and payment services in particular tend to be the biggest targets. Quoting Jon Kerr from Verisign: "It's no surprise that online banks and retailers are some of the most popular targets for identity theft since so many personal details are required by users,... With the average UK consumer worth over £10,000 to criminals, it's clear that each of us is a target."

It is because of this threat that the industry decided to publish a standard that a bank or payment processor should adhere to in order to provide acceptable protection to cardholders. This certification is known as PCI compliance and is driven by the Credit Card Associations. The objective of PCI compliance, to protect the consumer, is commendable and should be accelerated. Customers should be educated and should take their business away from banks and payment operators that do not comply.

An interesting question is how the providers of mobile payment solutions should (or should not) comply with PCI standards. In as much as mobile payment solutions touch card information, the application of the standard is clear: none of the card information may be held or transmitted in the clear, and it must not be possible for an unauthorised person to gain access to it. But what if no credit card information is used? What if the routing of payments is made on the basis of a subscriber's telephone number (as is often the case)? What should the minimum conformance be?

This topic is too complex to deal with fully in the space of a short blog post, but it is clear that the mobile payment industry should develop its own compliance requirements. Obviously these would be very similar to card PCI compliance (catering, for instance, for access control, unauthorised actions, reporting, physical protection, etc.). But what about not displaying a telephone number, when you can potentially see the phone number of someone who has just called you? What about look-up tables, and what should the controls be around security elements?

It could be worthwhile to develop some of these rules proactively.
