Friday, May 18, 2012

Guidance on Mobile POS Devices

The PCI Council has just released some very interesting (and brief, hence the "at a glance" designation) guidance on mobile payment devices and applications.  The document is well worth reading, and I recommend it to everyone who is looking at mobile devices for their campus, both for what it says and for what it hints is coming.  I think that should include about every campus on the planet (and every retailer, too).

The Council acknowledges what we already know, namely that mobile payments are convenient and risky.  Therefore, the plan is to encrypt the card data at the swipe, before it ever reaches the device, so the phone never handles cleartext cardholder data and is "out of scope" for PCI DSS.  To keep the phone out of scope, though, you need an "approved" card reader and a P2PE Solution Provider.

Er...an "approved secure card reader" and a "P2PE solution provider"?

The problem, of course, is there are precious few (if any) approved card readers, and absolutely no approved P2PE solution providers.  Those P2PE solution providers won't be available until this fall at the earliest.  Nevertheless, the PCI Council has pointed the way forward: forget putting a payment app on your iPhone, iPad, Android, or other device; and forget a card swipe dongle (of any shape or make) unless and until it is on the PCI PTS list.  The idea seems to be that any smartphone is going to be too risky for a merchant to use as a POS (or Point of Interaction, POI, in P2PE-speak) device.

I have to wonder whether the many "sleds" that encrypt card data and are PTS certified would still count.  They should qualify as secure readers, but the problem is they go to the processor, and none of them is "approved" yet.  Darn, just as I was really getting to be a fan of the sleds.

Reading the PCI tea leaves is always risky, but here goes...  I predict that any number of things are going to be focused on P2PE, including mobile payments and a re-thinking of the (famous) PCI Frequently Asked Question 10359.  That is the one that says encrypted data are out of your scope so long as the ability to decrypt exists with a separate entity.  This poor FAQ has been stretched beyond its original intent.  I predict P2PE is going to both (a) be the only -- only! -- way to handle mobile transactions using an i-device, and (b) that the FAQ is going to be re-written to specify the only way to keep encrypted data out of scope is to have an approved P2PE solution.

This whole P2PE situation will be interesting to observe, and I suggest everyone involved with PCI monitor developments closely.  At the recent PCI workshop, we had an outstanding presentation and extended discussion of how to handle the growing business need for mobile payments.  I only wish this document had been available earlier.  It begins to bring together so much of what we heard, both on mobile and P2PE.

At the EDUCAUSE Security Professionals Conference this week, I did a half-day session on P2PE and tokenization.  We covered a lot, but we only touched on mobile payments.  I have to admit that I didn't see this coming, but I should have.  It is so logical and completely in line with the direction the PCI Council is going: namely, that personal smartphones are inherently insecure, so merchants need to keep them out of scope.  We all know that.  Except in this case, it took a little PCI wake-up call for me to get it.
