Friday, September 14, 2012

PCI has gone mobile -- is your app ready?

The folks over at the Payment Card Industry (PCI) security standards council have just published their "PCI Mobile Payment AcceptanceSecurity Guidelines for Developers" document. If you're doing anything in the mobile payment space, this document is a must read, of course. Even if you're not doing mobile payments, though, it's still a pretty worthwhile read overall. But be prepared, some of their security goals are quite high indeed.

For starters, they lay down three security objectives (or requirements, if you will) as follows:

  1. "Prevent account data from being intercepted when entered into a mobile device."
  2. "Prevent account data from compromise while processed or stored within the mobile device."
  3. "Prevent account data from interception upon transmission out of the mobile device." 
These seem pretty reasonable starting points. They're all motherhood and apple pie sorts of requirements that we shouldn't find too many disagreements with.

Next, they set out a series of guidelines that are "essential to the integrity of the mobile platform and associated application environment." Here's where things start to get pretty tough, from the standpoint of a mobile app developer, to achieve. For example, "Prevent unauthorized logical device access." Now, there's nothing wrong with wanting to prevent logical device access, but app developers don't have much input on, for example, the use of strong passcodes on iOS devices.

But it's likely the case that the PCI council has taken a broader view here than simply the app itself. That's evident in the very next guideline, which speaks to server side controls.

The rest of the guidelines too, are worth reading. Some are high targets, like protecting the device from malware. And, to be fair, this isn't a standards document per se -- like, say the PCI Data Security Standards (PCI-DSS) itself is. This document lays out guidelines, after all.

To be sure, though, if you're writing apps that involve mobile payment systems, you'd better be diving into this document and taking it seriously. We'll be delving into this document and its ramifications for mobile developers at our Mobile App Sec Triathlon in San Jose this November 5-7, so bring your questions with you and let's discuss what mobile developers need to know and do.


Ken van Wyk

No comments:

Post a Comment