PCI’s New Mobile Guidelines Acknowledge Huge Hurdles

Written by Evan Schuman
February 15th, 2013

The PCI Council officially released its mobile payment guidelines Thursday (Feb. 14), a document that turned out to be anything other than a Valentine to retail IT execs who’d love to know the “all-clear” path to doing mobile payments and staying PCI compliant. Instead, it’s more of a pragmatic acknowledgement of the various mobile hurdles that the council sees as currently insurmountable.

The recommendations, of course, also offer the generic list of best practices for mobile device security (such as strongly encouraging full-disk encryption), which is certainly a handy checklist for chains just starting to seriously explore mobile payments.

One key point of the report is to acknowledge the very complex nature of mobile systems, which have far more players than traditional fixed POS systems. For example, the report speaks of the desirability of lab validation for mobile devices and why it’s simply—and regrettably—not practical.

“Numerous manufacturers, carriers, software developers, and vendors take part in developing a single mobile device. The various combinations of these entities result in an extremely large number of unique mobile devices. The resulting lack of vertical integration would make a lab validation program difficult,” the guidelines say. “All the intervening steps during the production of a mobile device build upon components of the previous steps. For instance, a mobile network operator sells a mobile device manufactured by a specific handset company that contains a chip manufactured by one of several chip-manufacturers and that runs an operating system created by another third party. At each layer, the components added can either increase or decrease the security of the device. For the devices to be adequately tested and validated, proprietary information would have to be shared among all the contributors. If a manufacturer, software developer, or carrier refused to share security-critical proprietary information, validation would be unrealizable. Consequently, the validating of these devices would be problematic.”

Therefore, that section concludes: “The unknown trustworthiness of mobile devices for which no independent, standardized security validation is done remains a residual risk.”

The report also speaks extensively about the attractiveness of remote wipe—also known as zeroizing—to negate security problems the instant it’s detected that a mobile payment device has gone missing. But it also concedes the limitations of such a strategy for many global chains.

“Preventative measures implemented in one jurisdiction may be unlawful to implement in another. For instance, remotely zeroizing a device (i.e., rendering it inoperative) may be legal in the U.S. but not in the European Union, since it may be unlawful to zeroize or otherwise do anything to a mobile device that would remove the user’s ability to make emergency calls,” the report says. “Adjustments made to accommodate jurisdictional legal issues may adversely affect security. This is likely to remain an intractable residual risk.”

Of greater concern, though, are efforts by cyberthieves to guard against such remote wipe efforts. “A mobile device may be shielded in such a way that it may not have the capability of being zeroized remotely (e.g., a Faraday cage). For instance, today mobile phones are being stolen and immediately put into metallic bags that shield them from sending/receiving commands, thereby removing the ability to zeroize the device remotely before the device can be used to divulge sensitive information,” the guidelines document says. “This type of attack could also remove the ability to track the device.”

Associates who steal data directly, or who act as accomplices for external thieves, are an age-old retail problem. Unfortunately, the guidelines say, the mobile vendor community has no practical way of defending against this kind of insider.

“At each step in the process of producing a mobile device, the potential exists for a renegade employee to introduce exploitable security vulnerabilities,” the report says. “Currently, no commercial vendors perform the level of hardware or software review necessary to assure detection of this kind of sabotage.”

And current anti-malware applications, which have become such a critical part of desktop security, are also not ready for primetime with mobile yet. “Current anti-malware products would be impractical to employ because of the tremendous amounts of resources required to run them (e.g., battery life significantly decreased),” the guidelines say. “Additionally, such products would have no assurance that they could complete their testing before being terminated by the OS to release resources for other tasks.”

