Will P2PE Be PCI’s Answer to Mobile Payments Security?
September 5, 2013 | Encryption, Mobile Payments, PCI Compliance
Yesterday on the blog we reported on recent information provided by the PCI Council regarding Version 3.0 of the standards. Many in the industry are writing about it, including the well-known blogger PCI Guru, who pointed out in this post the comments that Bob Russo (General Manager of the PCI SSC) made with regard to mobile devices at the point of sale. Russo said:
“The fact is that many consumer mobile devices simply can’t provide the level of security needed to adequately protect payment card data. In other words, they cannot create a trusted environment equivalent to the PCI DSS compliant cardholder data environment. [...] We encourage merchants and others to understand the risk of using mobile, work with their acquirer and make their own decisions about whether they want to accept that risk. [...] We’re working with others in the industry including: standards bodies, vendors, banks and processors. But we are unwilling to lower the bar for security by writing a standard that current mobile devices could meet. If we wrote a secure standard for mobile now, no consumer devices would be able to meet it.”
In essence, Mr. Russo stated in no uncertain terms that the Council does not consider Android, iOS or other tablet environments to be secure or compliant at the present time. He recommends that merchants who are going to use these devices work with their acquirer, so that both merchant and acquirer are aware of the risk being presented and explicitly accept it.
When I look at the Point-to-Point Encryption (P2PE) Solution Provider requirements, I see this as the logical point at which mobile devices will be deemed acceptable by the Council. While there are no validated P2PE solutions available today, such a solution would move the mobile device into Domain 4 (segmentation between the encryption and decryption environments). The Council already recommends P2PE for mobile environments in the document “Accepting Mobile Payments with a Smartphone or Tablet.”
It’s clear that the use of mobile devices as POS terminals is growing in demand. The Council will absolutely need to provide requirements for these devices in the near future. QSAs today are no doubt challenged by how they should respond to these devices being present in a merchant’s environment when preparing a ROC. A validated P2PE solution, including a point of interaction (POI) that meets all of the PIN Transaction Security and Domain 1 P2PE requirements, may be the final destination.