The September 2012 release of the Mobile Payment Acceptance Security Guidelines for
Developers (the "Guidelines") by the Payment Card Industry Security Standards
Council ("PCI SSC") should be of interest to
providers of mobile payments services or applications. Although the
Guidelines are directed to payment acceptance applications that
reside on mobile devices (i.e., that are used by merchants
to accept payment), they clearly indicate the PCI SSC's
approach to integrating mobile payments with the existing PCI Data
Security Standard ("PCI DSS") and the PCI Payment
Application Data Security Standard ("PA-DSS").
The Guidelines are intended to help payment application
developers and consumer electronic handheld device manufacturers
design appropriate security controls within their software and
hardware products. We've summarized a few important points
below (bear in mind that the measures are directed at mobile devices in
the hands of merchants, used as payment acceptance devices):
– Data should be encrypted before it enters the mobile device
and again when it leaves the mobile device, e.g., when it is transmitted
to and from a card reader over a wireless connection.
– Account data should only be processed in the "trusted
execution environment"; as is the case for all payment
systems under PCI DSS, sensitive authentication data must not be
retained after authorization.
– Each device should be protected by one or more secure lock
screens (face unlock, password, PIN or pattern), not by
a slide lock.
– Controls should be included to prevent escalation of
privileges, e.g., by "rooting" or
"jail-breaking" the device.
– It should be possible to disable the payment application
remotely in a way that does not interfere with the other
applications on the device.
Incidentally, the Guidelines include a useful Glossary of Terms
that is helpful in decoding the jargon surrounding mobile payments.
Integration of mobile payments into the existing payment
infrastructure and standards is gathering steam, and the standards
applicable to mobile payments will be in flux for some time. For
this reason, all parties contracting in this area should allow for
change and for the advent of new standards within the agreements
they enter into for mobile payment arrangements.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.