The September 2012 release of the Mobile Payment Acceptance Security Guidelines for
Developers (the "Guidelines") by the Payment Card Industry Security Standards
Council ("PCI SSC") should be of interest to
providers of mobile payments services or applications. Although the
Guidelines are directed to payment acceptance applications that
reside on mobile devices (i.e., that are used by merchants
to accept payment), they clearly indicate the PCI SSC's
approach to integrating mobile payments with the existing PCI Data
Security Standard ("PCI DSS") and the PCI Payment
Application Data Security Standard.
The Guidelines are intended to help payment application
developers and consumer electronic handheld device manufacturers
design appropriate security controls within their software and
hardware products. We've summarized a few important points
below (bear in mind that the measures are directed at mobile devices in
the hands of merchants, used as payment acceptance devices):
- Data should be encrypted prior to entry into the mobile device
and upon exit from the mobile device, e.g., if transmitted
to and from a card reader over a wireless connection.
- Account data should only be processed in the "trusted
execution environment"; as is the case for all payment
systems under PCI DSS, sensitive authentication data should not be
retained after authorization.
- Each device should be protected by one or more secure lock
screens (face unlock, password, PIN or pattern), not by
a slide lock.
- Controls should be included to prevent escalation of
privileges, e.g., by "rooting" or
"jail-breaking" the device.
- There should be an ability to disable the payment application
remotely in a way that does not interfere with the other
applications on the device.
Incidentally, the Guidelines include a useful Glossary of Terms
that is helpful in decoding the jargon surrounding mobile payments.
Integration of mobile payments into existing payment
infrastructure and standards is gathering steam, and the standards
applicable to mobile payments will be in flux for some time. For
this reason, all players contracting in the area need to allow for
change and the advent of new standards within the agreements
entered into for mobile payment arrangements.