PCI guidelines issued for mobile apps

Powered by SC Magazine
 

Developers told to isolate sensitive functions, remove unnecessary access rights.

The Payment Card Industry Security Standards Council (PCI SSC), an industry body which manages payment data security guidelines, released best practices for mobile app developers and device manufacturers.

The main focus of the guidelines is to provide direction on securing mobile device payment processes, as well as the payment environment itself, by educating developers in the emerging mobile app market.

Bob Russo, the general manager of the PCI SSC, told SC the guidelines are particularly relevant today.

“I tell people that convenience trumps security all the time, and people are running quickly to use these new devices and technology, without even thinking about security,” Russo said. “This guidance is actually for the developers of those devices. We are purposely being cautious. It's such a changing market – you'll put something out today and tomorrow people are using it.”

Mobile devices have become payment vehicles and, accordingly, warrant strategies for security, he added.

Key recommendations of the report include isolating sensitive functions and data in trusted environments, implementing secure coding best practices and eliminating unnecessary third-party access and privilege escalation. Developing ways to remotely disable payment functions, in addition to creating tools for mobile apps to monitor and report suspicious activity were also among the recommendations.

The guidelines focus on ways to prevent account data from being intercepted while sent or received on mobile devices or from being compromised while being processed or stored on them.

Troy Leach, the chief technology officer of the council, told SCMagazine.com on Friday that the most recent guidelines reinforce the council's standard payment security goals, while applying them to a mobile space.

“We have a brand new group of developers that aren't of aware of their responsibility,” Leach said. “They are designing good code, but don't know all it's being used for.”

Malware, rootkits used by criminals and jailbreaking vulnerabilities are just some of the threats that can comprise the security of payments transmitted through mobile devices and apps.

David Thiel, the vice president for iSEC Partners, which provides mobile security consulting, told SCMagazine.com on Friday that a common problem in mobile app security is personal data being unintentionally leaked to local storage on devices, which can then be retrieved by attackers using malicious software on jailbroken phones.

“It's still a relatively immature field in terms of security development best practices, so its not quite to the level that a lot of big name software packages have been,” Thiel said of the app development market.  

PCI SSC also recently announced a new qualification program, called the PCI Professional (PCIP) Program, for IT professionals to receive certification for PCI payment security standards.

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition


PCI guidelines issued for mobile apps
 
 
 
Top Stories
Myer CIO named retailer's new chief executive
Richard Umbers to lead data-driven retail strategy.
 
Empty terminals and mountains of data
Qantas CIO Luc Hennekens says no-one is safe from digital disruption.
 
BoQ takes $10m hit on Salesforce CRM
Regulatory hurdles end cloud pilot.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest articles on BIT Latest Articles from BIT
Microsoft is offering Azure for Disaster Recovery to Australian SMBs
Feb 10, 2015
If you haven't talked to your IT provider about disaster recovery, it might be worth discussing ...
The 2015 Xero Roadshow is on: here are the locations and dates
Feb 6, 2015
The 2015 Xero Roadshow kicked off this week - see where you can attend at locations around ...
Microsoft Outlook is now on iPhone and iPad: why could this be useful?
Jan 30, 2015
Microsoft today released Office for Android and Outlook for iOS - complementing the other Office ...
Franchisees, here's something you should know about
Jan 23, 2015
You need to know the Code if you are a franchisee or franchisor as the penalties are significant.
Xero users rejoice! Quoting has finally arrived
Jan 23, 2015
It has taken years, but Xero has at last added integrated quoting to its online accounting software.
Latest Comments
Polls
Who do you trust most to protect your private data?







   |   View results
Your bank
  35%
 
Your insurance company
  5%
 
A technology company (Google, Facebook et al)
  9%
 
Your telco, ISP or utility
  8%
 
A retailer (Coles, Woolworths et al)
  4%
 
A Federal Government agency (ATO, Centrelink etc)
  18%
 
An Australian law enforcement agency (AFP, ASIO et al)
  15%
 
A State Government agency (Health dept, etc)
  7%
TOTAL VOTES: 4105

Vote
Do you support the abolition of the Office of the Information Commissioner?

   |   View results
I support shutting down the OAIC.
  27%
 
I DON'T support shutting the OAIC.
  73%
TOTAL VOTES: 1399

Vote