MOBILE-TECH-4

Mobile Payments Security Standards Whitepaper: Executive Summary

Mobile payments are a relatively new aspect of the payments ecosystem, but they’re growing incredibly fast. Companies that want to develop a mobile payments solution must pay close attention to the industry-established rules and guidelines that will apply to their product. To help guide you through this process, ETA’s Mobile Payments Security Standards Working Group has developed an overview of the key standard- and specification-setting bodies that are relevant to the provision of mobile payments offerings. ETA members can read the full white paper by logging into the website here.

Who are the major compliance organizations involved in mobile payments?

1. The Payment Card Industry Data Security Standard Council (PCI-DSS or PCI-SSC) was formed by the major card brands in 2004 to establish requirements for the protection of cardholder data. PCI sets the standards for all entities that store, process, or transmit cardholder data. Its major areas of operation are:

  • Payment Application Security (PA-DSS) — anyone who develops a payment application or software that stores, processes, or transmits cardholder data or other sensitive authentication data must be PA-DSS certified. You can find a full list of PCI-certified applications here. However, it’s difficult to apply this standard to a device that does other things besides store, process, or transmit cardholder data — such as a smartphone. To provide clarity on this growing issue, the PCI-SSC published the PCI Mobile Acceptance Security Guidelines.
  • PIN Transaction Security (PCI-PTS) — these standards outline the requirements for devices that capture and authenticate cardholder data at the point of sale using a Personal Identification Number (PIN). Consequently, mobile payments solutions that rely on this type of authentication must be certified as well. You can find a full list of PCI-approved PIN Transaction Security (PTS) devices here.
  • Point-to-Point Encryption (P2PE) — PCI requires that cardholder data transmitted over a public network (as during a mobile payment transaction) be secured, or encrypted, from start to finish. You can find a list of PCI-approved Point-to-Point Encryption Solutions here.

2. EMVCo was established in 1999 to develop specifications for EMV, or “chip,” transactions. EMVCo’s standards are widely adopted in Europe and the rest of the world, and they are quickly gaining momentum here in the United States as we migrate to safer chip cards. In addition to testing and reviewing chip cards and chip terminals, EMVCo has developed a set of specifications for contactless payments — including both solutions that use Near Field Communication (NFC), the short-range wireless interface, and those which do not. These specifications apply to hardware suppliers and software developers involved in deploying an EMV “chip card” acceptance solution, and are separate from the approval processes required by the card brands. You can learn more about EMVCo’s principles for developing mobile payments security standards on the EMVCo website.

Who else is involved in standards and specifications setting?

The two biggest card brands, Visa and MasterCard, have their own requirements for developing a mobile payment solution that operates on their network. The Visa Ready Program offers guidance to financial institutions, merchants, and developers building mobile payment solutions for the Visa network. MasterCard’s Mobile Point of Sale (mPOS) program aims to facilitate safe and convenient transactions at mobile points of sale, and includes a best practices guide for expanding the acceptance of mobile payments.

This white paper was created by the Mobile Payments Security Standards Working Group of the ETA Technology Council.

The authors of the white paper are:
Derek Webster, CardFlight; Barbara Mitchell, Verizon; Ryan Schneider, Integrity Payment Systems; Amy Zirkle, Electronic Transactions Association.